보안 설정 Role 추가

2024-01-11 10:53:02 +09:00
parent bdce12d232
commit 4fedf1eb47
12 changed files with 111 additions and 87 deletions
--- a/ansible/security_check/README.md
+++ b/ansible/security_check/README.md
@@ -1,3 +1,3 @@
 | 이름 | 아이피 | 상태 요약 | 상세 보기 |
 | --- | --- | --- | --- |
-| cmoa-jaeger-master | 10.10.43.213 | 취약 | http://10.10.43.42:8080/cmoa-jaeger-master.10.10.43.213.txt |
+| cmoa-jaeger-master | 10.10.43.213 | 양호 | http://10.10.43.42:8080/cmoa-jaeger-master.10.10.43.213.txt |
--- a/ansible/security_check/roles/security_check/tasks/create_readme.yml
+++ b/ansible/security_check/roles/security_check/tasks/create_readme.yml
@@ -25,22 +25,22 @@
    dest: "{{ playbook_dir }}/README.md"
  delegate_to: 127.0.0.1
- name: git push
+#- name: git push
-  shell: |
+#  shell: |
-    pwd
+#    pwd
-    ls -al
+#    ls -al
-    git config --global user.email "sa_8001@ex-em.com"
+#    git config --global user.email "sa_8001@ex-em.com"
-    git config --global user.name "ByeonJungHun"
+#    git config --global user.name "ByeonJungHun"
-    git clone https://{{ git_user }}:{{ git_key }}github.com/CloudMOA/dsk-iac.git ~/dsk-iac
+#    git clone https://{{ git_user }}:{{ git_key }}github.com/CloudMOA/dsk-iac.git ~/dsk-iac
-    cp ./README.md ~/dsk-iac/ansible/security_check/README.md
+#    cp ./README.md ~/dsk-iac/ansible/security_check/README.md
-    cd ~/dsk-iac
+#    cd ~/dsk-iac
-    cat README.md
+#    cat README.md
-    pwd
+#    pwd
-    ls -al
+#    ls -al
-    git add .
+#    git add .
-    git commit -m "검사 결과 업데이트"
+#    git commit -m "검사 결과 업데이트"
-    git push
+#    git push
-  delegate_to: 127.0.0.1
+#  delegate_to: 127.0.0.1
 - debug:
    msg: "결과 확인 : https://github.com/CloudMOA/dsk-iac/tree/main/ansible/security_check"
--- a/ansible/security_settings/invenotry
+++ b/ansible/security_settings/invenotry
@@ -1,4 +1,5 @@
 [all]
 10.10.43.43 ansible_port=2222 ansible_user=dev2
 10.10.43.100 ansible_port=2222 ansible_user=dev2 
 10.10.43.101 ansible_port=2222 ansible_user=dev2
 10.10.43.105 ansible_port=2222 ansible_user=dev2
@@ -101,4 +102,4 @@
 10.10.43.228 ansible_port=2222 ansible_user=dev2
 10.10.43.235 ansible_port=2222 ansible_user=dev2
 10.10.43.236 ansible_port=2222 ansible_user=dev2
-10.10.43.252 ansible_port=2222 ansible_user=dev2
+10.10.43.252 ansible_port=2222 ansible_user=dev2
--- a/ansible/security_settings/roles/security_settings/tasks/all_setting_device_organize.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/all_setting_device_organize.yml
@@ -0,0 +1,13 @@
 ---
 - name: search non-existent device
  shell: find /dev -type f -exec ls -l {} \; | awk '{print $NF}'
  register: search_result
 - debug:
    msg: "발견된 존재하지 않는 디바이스 {{ search_result.stdout_lines }}"
 - name: delete non-existent device
  file:
    path: "{{ item }}"
    state: absent
  with_items: "{{ search_result.stdout_lines }}"
--- a/ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml
@@ -40,3 +40,20 @@
    - /etc/cron.weekly/man-db
    - /etc/cron.weekly/update-notifier-common
    - /etc/cron.monthly/.placeholder
 - name: cron file owner change
  file: 
    path: /var/spool/cron/atjobs/.SEQ
    owner: root
 - name: at mode change
  file:
    path: /usr/bin/at
    mode: 640
 - name: create at.allow file
  file:
    path: /etc/at.allow
    state: touch
    mode: 0640
    owner: root
--- a/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml
@@ -5,4 +5,25 @@
    dest: /etc/update-motd.d/00-header
    mode: 0755
    owner: root
-    group: root
+    group: root
 - name: Setting Sysinfo
  template:
    src: sysinfo.j2
    dest: /usr/share/landscape/landscape-sysinfo.wrapper
    mode: 0755
    owner: root
    group: root
 - name: Delete ETC file
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/update-motd.d/10-help-text
    - /etc/update-motd.d/50-motd-news
    - /etc/update-motd.d/85-fwupd
    - /etc/update-motd.d/90-updates-available
    - /etc/update-motd.d/91-release-upgrade
    - /etc/update-motd.d/95-hwe-eol
    - /etc/update-motd.d/98-fsck-at-reboot
--- a/ansible/security_settings/roles/security_settings/tasks/main.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/main.yml
@@ -1,12 +1,19 @@
 ---
 # SSH 접속 시 Banner 설정
 - include: debian_setting_banner.yml
  when: ansible_facts.os_family == 'Debian'
 # root 사용자를 사용한 ssh 접속 비활성화
 - include: all_setting_root_ssh.yml
 # 패스워드 정책 설정
 - include: debian_setting_password_rule.yml
  when: ansible_facts.os_family == 'Debian'
-#- include: all_setting_mode_change.yml
+# 일부 파일 권한 설정
-# crontab 관련 설정 작성중 U_22 항목
+- include: all_setting_mode_change.yml
 # 대부분 설정은 하였으나 '/var/spool/cron/atjobs/.SEQ' 파일에 대해서 소유자를 root로 변경해야하는데 해도 상관 없는지 확인중
 # /dev 경로의 불필요 디바이스 검색 및 제거
 - include: all_setting_device_organize.yml
--- a/ansible/security_settings/roles/security_settings/templates/banner.j2
+++ b/ansible/security_settings/roles/security_settings/templates/banner.j2
@@ -1,13 +1,13 @@
 #!/bin/sh
 echo "-------------------------------------------------------------------------------\n"
-echo  "    _╓g@DDKg╓_   \033[0;31m=╗╗╗╗,\033[0;0m     \033[0;34m,╗╗╗╗╤\033[0;0m    ,╔╗DDKg╔_        ╓g@DD╗╔_    ╓g@DD╗╔_"
+echo "    _╓g@DDKg╓_   \033[0;31m=╗╗╗╗,\033[0;0m     \033[0;34m,╗╗╗╗╤\033[0;0m    ,╔╗DDKg╔_        ╓g@DD╗╔_    ╓g@DD╗╔_"
-echo  "  ╓D╝╙\`    \`╠╠H   \033[0;31m╙╠╠╠╠▒\033[0;0m   \033[0;34mÆ╬╬╬╬╩\033[0;0m  _j╠╙\`     1╠R     j╠R^   \`╙╠▒,j╠R^   \`╙╠▒,"
+echo "  ╓D╝╙\`    \`╠╠H   \033[0;31m╙╠╠╠╠▒\033[0;0m   \033[0;34mÆ╬╬╬╬╩\033[0;0m  _j╠╙\`     1╠R     j╠R^   \`╙╠▒,j╠R^   \`╙╠▒,"
-echo  " 1╠^      ,╠╝       \033[0;31m╝╠R\033[0;0m  \033[0;34m╓▓╬╬╬╝\033[0;0m   j╠H       1╠^     ╠╠         ╚╠H         ╚╠H"
+echo " 1╠^      ,╠╝       \033[0;31m╝╠R\033[0;0m  \033[0;34m╓▓╬╬╬╝\033[0;0m   j╠H       1╠^     ╠╠         ╚╠H         ╚╠H"
-echo  "j╠⌐      j╠Γ         \033[0;31m'\033[0;0m  \033[0;34mÆ╬╬╬╬╙\033[0;0m    ╠H      ╔╠R       ╠╠          ╠╠          ╠╠"
+echo "j╠⌐      j╠Γ         \033[0;31m'\033[0;0m  \033[0;34mÆ╬╬╬╬╙\033[0;0m    ╠H      ╔╠R       ╠╠          ╠╠          ╠╠"
-echo  "╠╠     ╒╠R            \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m    j╠H    _D╝\`        ╠╠          ╠╠          ╠╠"
+echo "╠╠     ╒╠R            \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m    j╠H    _D╝\`        ╠╠          ╠╠          ╠╠"
-echo  "'╠H   1╠^      ..   \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m   ╠D   ╔╚╙       ╔_ ╠╠          ╠╠          ╠╠"
+echo "'╠H   1╠^      ..   \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m   ╠D   ╔╚╙       ╔_ ╠╠          ╠╠          ╠╠"
-echo  " '╠▒╓░╙      _╔╔^  \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m   ╚▒╓░╙       ╔░H  ╠╠          ╠╠          ╠╠"
+echo " '╠▒╓░╙      _╔╔^  \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m   ╚▒╓░╙       ╔░H  ╠╠          ╠╠          ╠╠"
-echo  "   ⁿ╚╠K≥╔╔╔1▒╝^  \033[0;34m╒▓╬╬╬╩^\033[0;33m   \`╣╣╣╣▓╕\033[0;0m  \`╚╠▒g╔╔╔gD╝╙    ╠╠          ╠╠          ╠╠\n"
+echo "   ⁿ╚╠K≥╔╔╔1▒╝^  \033[0;34m╒▓╬╬╬╩^\033[0;33m   \`╣╣╣╣▓╕\033[0;0m  \`╚╠▒g╔╔╔gD╝╙    ╠╠          ╠╠          ╠╠\n"
 echo "-------------------------------------------------------------------------------"
 echo ""
 echo "                             - 알              림 -                             "
--- a/ansible/security_settings/roles/security_settings/templates/sysinfo.j2
+++ b/ansible/security_settings/roles/security_settings/templates/sysinfo.j2
@@ -0,0 +1,19 @@
 #!/bin/sh
 # pam_motd does not carry the environment
 [ -f /etc/default/locale ] && . /etc/default/locale
 export LANG
 cores=$(grep -c ^processor /proc/cpuinfo 2>/dev/null)
 [ "$cores" -eq "0" ] && cores=1
 threshold="${cores:-1}.0"
 if [ $(echo "`cut -f1 -d ' ' /proc/loadavg` < $threshold" | bc) -eq 1 ]; then
    echo
    echo -n "  System information as of "
    /bin/date
    echo
    /usr/bin/landscape-sysinfo
 else
    echo
    echo " System information disabled due to load higher than $threshold"
 fi
 echo ""
--- a/ansible/security_settings/test
+++ b/ansible/security_settings/test
@@ -1,27 +1,2 @@
 [all]
-#10.10.43.195 ansible_user=dev2-iac ansible_port=2222
+10.10.43.213 ansible_user=dev2 ansible_port=2222
 #10.10.43.196 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.197 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.201 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.202 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.203 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.204 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.205 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.206 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.207 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.208 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.211 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.212 ansible_user=dev2-iac ansible_port=2222
 10.10.43.213 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.214 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.215 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.216 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.217 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.218 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.224 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.225 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.226 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.227 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.228 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.235 ansible_user=dev2-iac ansible_port=2222
 #10.10.43.236 ansible_user=dev2-iac ansible_port=2222
--- a/ansible/teleport_setting/teleport
+++ b/ansible/teleport_setting/teleport
@@ -11,10 +11,10 @@
 10.10.43.106 ansible_port=2222 ansible_user=dev2
 [saas_mgmt_master]
-10.10.43.240 ansible_port=2222 ansible_user=dev2
+10.10.43.240 ansible_port=2222 ansible_user=dev2-iac
 [saas_mgmt_node]
-10.10.43.[241:243] ansible_port=2222 ansible_user=dev2
+10.10.43.[241:243] ansible_port=2222 ansible_user=dev2-iac
 [dsk_dev_master]
 10.10.43.[111:113] ansible_port=2222 ansible_user=dev2
--- a/ansible/teleport_setting/teleport_etc
+++ b/ansible/teleport_setting/teleport_etc
@@ -1,31 +1,2 @@
 [all]
-#10.10.43.195 ansible_user=dev2 ansible_port=2222
+10.10.43.43 ansible_port=2222 ansible_user=dev2
 #10.10.43.196 ansible_user=dev2 ansible_port=2222
 #10.10.43.197 ansible_user=dev2 ansible_port=2222
 10.10.43.200 ansible_user=dev2 ansible_port=2222
 10.10.43.201 ansible_user=dev2 ansible_port=2222
 10.10.43.202 ansible_user=dev2 ansible_port=2222
 10.10.43.203 ansible_user=dev2 ansible_port=2222
 10.10.43.204 ansible_user=dev2 ansible_port=2222
 10.10.43.205 ansible_user=dev2 ansible_port=2222
 10.10.43.206 ansible_user=dev2 ansible_port=2222
 10.10.43.207 ansible_user=dev2 ansible_port=2222
 10.10.43.208 ansible_user=dev2 ansible_port=2222
 10.10.43.210 ansible_user=dev2 ansible_port=2222
 10.10.43.211 ansible_user=dev2 ansible_port=2222
 10.10.43.212 ansible_user=dev2 ansible_port=2222
 10.10.43.213 ansible_user=dev2 ansible_port=2222
 10.10.43.214 ansible_user=dev2 ansible_port=2222
 10.10.43.215 ansible_user=dev2 ansible_port=2222
 10.10.43.216 ansible_user=dev2 ansible_port=2222
 10.10.43.217 ansible_user=dev2 ansible_port=2222
 10.10.43.218 ansible_user=dev2 ansible_port=2222
 #10.10.43.224 ansible_user=dev2 ansible_port=2222
 #10.10.43.225 ansible_user=dev2 ansible_port=2222
 #10.10.43.226 ansible_user=dev2 ansible_port=2222
 #10.10.43.227 ansible_user=dev2 ansible_port=2222
 #10.10.43.228 ansible_user=dev2 ansible_port=2222
 #10.10.43.230 ansible_user=dev2 ansible_port=2222
 #10.10.43.235 ansible_user=dev2 ansible_port=2222
 #10.10.43.236 ansible_user=dev2 ansible_port=2222
 #10.10.43.252 ansible_user=dev2 ansible_port=2222