From 505fec4a05bc529b769824878ad7fd3b4e4f4929 Mon Sep 17 00:00:00 2001 From: ByeonJungHun Date: Tue, 9 Jan 2024 14:31:29 +0900 Subject: [PATCH] =?UTF-8?q?=EA=B2=80=EC=82=AC=20=EA=B2=B0=EA=B3=BC=20?= =?UTF-8?q?=EC=97=85=EB=8D=B0=EC=9D=B4=ED=8A=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/security_check/README.md | 84 +------- ansible/security_check/checklist | 186 +++++++++--------- .../roles/security_check/files/rocky.sh | 186 +++++++++--------- .../security_check/tasks/create_readme.yml | 13 +- .../roles/security_check/tasks/main.yml | 1 + .../roles/security_check/tasks/start.yml | 22 ++- ansible/security_check/server_check.yml | 3 + 7 files changed, 221 insertions(+), 274 deletions(-) diff --git a/ansible/security_check/README.md b/ansible/security_check/README.md index b5e274b..07fb2ac 100644 --- a/ansible/security_check/README.md +++ b/ansible/security_check/README.md 
@@ -1,78 +1,10 @@ | 이름 | 아이피 | 상태 요약 | 상세 보기 | | --- | --- | --- | --- | -| cmoa-jaeger-master | 10.10.43.203 | 취약 | http://10.10.43.42:8080/cmoa-jaeger-master.10.10.43.203.txt | -| cmoa-jaeger-master | 10.10.43.213 | 취약 | http://10.10.43.42:8080/cmoa-jaeger-master.10.10.43.213.txt | -| cmoa-jaeger-worker1 | 10.10.43.204 | 취약 | http://10.10.43.42:8080/cmoa-jaeger-worker1.10.10.43.204.txt | -| cmoa-jaeger-worker1 | 10.10.43.214 | 취약 | http://10.10.43.42:8080/cmoa-jaeger-worker1.10.10.43.214.txt | -| cmoa-jaeger-worker2-crio | 10.10.43.205 | 취약 | http://10.10.43.42:8080/cmoa-jaeger-worker2-crio.10.10.43.205.txt | -| cmoa-jaeger-worker2 | 10.10.43.215 | 취약 | http://10.10.43.42:8080/cmoa-jaeger-worker2.10.10.43.215.txt | -| cmoa-jspd-master | 10.10.43.206 | 취약 | http://10.10.43.42:8080/cmoa-jspd-master.10.10.43.206.txt | -| cmoa-jspd-master | 10.10.43.216 | 취약 | http://10.10.43.42:8080/cmoa-jspd-master.10.10.43.216.txt | -| cmoa-jspd-worker1 | 10.10.43.207 | 취약 | http://10.10.43.42:8080/cmoa-jspd-worker1.10.10.43.207.txt | -| cmoa-jspd-worker1 | 10.10.43.217 | 취약 | http://10.10.43.42:8080/cmoa-jspd-worker1.10.10.43.217.txt | -| cmoa-jspd-worker2 | 10.10.43.208 | 취약 | http://10.10.43.42:8080/cmoa-jspd-worker2.10.10.43.208.txt | -| cmoa-jspd-worker2 | 10.10.43.218 | 취약 | http://10.10.43.42:8080/cmoa-jspd-worker2.10.10.43.218.txt | -| cmoa-master-1 | 10.10.43.200 | 취약 | http://10.10.43.42:8080/cmoa-master-1.10.10.43.200.txt | -| cmoa-master-2 | 10.10.43.210 | 취약 | http://10.10.43.42:8080/cmoa-master-2.10.10.43.210.txt | -| cmoa-worker1-1 | 10.10.43.201 | 취약 | http://10.10.43.42:8080/cmoa-worker1-1.10.10.43.201.txt | -| cmoa-worker1-2 | 10.10.43.211 | 취약 | http://10.10.43.42:8080/cmoa-worker1-2.10.10.43.211.txt | -| cmoa-worker2-1 | 10.10.43.202 | 취약 | http://10.10.43.42:8080/cmoa-worker2-1.10.10.43.202.txt | -| cmoa-worker2-2 | 10.10.43.212 | 취약 | http://10.10.43.42:8080/cmoa-worker2-2.10.10.43.212.txt | -| cmoamgmtmaster | 10.10.43.227 | 취약 | 
http://10.10.43.42:8080/cmoamgmtmaster.10.10.43.227.txt | -| cmoamgmtworker | 10.10.43.228 | 취약 | http://10.10.43.42:8080/cmoamgmtworker.10.10.43.228.txt | -| docker | 10.10.43.180 | 취약 | http://10.10.43.42:8080/docker.10.10.43.180.txt | -| dsk-dev-data-common-a1 | 10.10.43.133 | 취약 | http://10.10.43.42:8080/dsk-dev-data-common-a1.10.10.43.133.txt | -| dsk-dev-data-common-b1 | 10.10.43.134 | 취약 | http://10.10.43.42:8080/dsk-dev-data-common-b1.10.10.43.134.txt | -| dsk-dev-data-common-c1 | 10.10.43.135 | 취약 | http://10.10.43.42:8080/dsk-dev-data-common-c1.10.10.43.135.txt | -| dsk-dev-data-druid-a1 | 10.10.43.114 | 취약 | http://10.10.43.42:8080/dsk-dev-data-druid-a1.10.10.43.114.txt | -| dsk-dev-data-druid-a3 | 10.10.43.139 | 취약 | http://10.10.43.42:8080/dsk-dev-data-druid-a3.10.10.43.139.txt | -| dsk-dev-data-druid-b1 | 10.10.43.115 | 취약 | http://10.10.43.42:8080/dsk-dev-data-druid-b1.10.10.43.115.txt | -| dsk-dev-data-druid-c2 | 10.10.43.138 | 취약 | http://10.10.43.42:8080/dsk-dev-data-druid-c2.10.10.43.138.txt | -| dsk-dev-data-druid-n1 | 10.10.43.117 | 취약 | http://10.10.43.42:8080/dsk-dev-data-druid-n1.10.10.43.117.txt | -| dsk-dev-data-druid-n2 | 10.10.43.118 | 취약 | http://10.10.43.42:8080/dsk-dev-data-druid-n2.10.10.43.118.txt | -| dsk-dev-data-druid-n3 | 10.10.43.119 | 취약 | http://10.10.43.42:8080/dsk-dev-data-druid-n3.10.10.43.119.txt | -| dsk-dev-data-druid-small | 10.10.43.147 | 취약 | http://10.10.43.42:8080/dsk-dev-data-druid-small.10.10.43.147.txt | -| dsk-dev-data-kafka-a1 | 10.10.43.120 | 취약 | http://10.10.43.42:8080/dsk-dev-data-kafka-a1.10.10.43.120.txt | -| dsk-dev-data-kafka-b1 | 10.10.43.121 | 취약 | http://10.10.43.42:8080/dsk-dev-data-kafka-b1.10.10.43.121.txt | -| dsk-dev-data-kafka-c1 | 10.10.43.122 | 취약 | http://10.10.43.42:8080/dsk-dev-data-kafka-c1.10.10.43.122.txt | -| dsk-dev-data-kafka-n1 | 10.10.43.148 | 취약 | http://10.10.43.42:8080/dsk-dev-data-kafka-n1.10.10.43.148.txt | -| dsk-dev-demo-master | 10.10.43.105 | 취약 | 
http://10.10.43.42:8080/dsk-dev-demo-master.10.10.43.105.txt | -| dsk-dev-demo-worker | 10.10.43.106 | 취약 | http://10.10.43.42:8080/dsk-dev-demo-worker.10.10.43.106.txt | -| dsk-dev-master-a1 | 10.10.43.111 | 취약 | http://10.10.43.42:8080/dsk-dev-master-a1.10.10.43.111.txt | -| dsk-dev-master-b1 | 10.10.43.112 | 취약 | http://10.10.43.42:8080/dsk-dev-master-b1.10.10.43.112.txt | -| dsk-dev-master-c1 | 10.10.43.113 | 취약 | http://10.10.43.42:8080/dsk-dev-master-c1.10.10.43.113.txt | -| dsk-dev-process-a1 | 10.10.43.123 | 취약 | http://10.10.43.42:8080/dsk-dev-process-a1.10.10.43.123.txt | -| dsk-dev-process-a2 | 10.10.43.126 | 취약 | http://10.10.43.42:8080/dsk-dev-process-a2.10.10.43.126.txt | -| dsk-dev-process-a3 | 10.10.43.129 | 취약 | http://10.10.43.42:8080/dsk-dev-process-a3.10.10.43.129.txt | -| dsk-dev-process-a4 | 10.10.43.116 | 취약 | http://10.10.43.42:8080/dsk-dev-process-a4.10.10.43.116.txt | -| dsk-dev-process-b1 | 10.10.43.124 | 취약 | http://10.10.43.42:8080/dsk-dev-process-b1.10.10.43.124.txt | -| dsk-dev-process-b2 | 10.10.43.127 | 취약 | http://10.10.43.42:8080/dsk-dev-process-b2.10.10.43.127.txt | -| dsk-dev-process-b3 | 10.10.43.130 | 취약 | http://10.10.43.42:8080/dsk-dev-process-b3.10.10.43.130.txt | -| dsk-dev-process-b4 | 10.10.43.136 | 취약 | http://10.10.43.42:8080/dsk-dev-process-b4.10.10.43.136.txt | -| dsk-dev-process-c1 | 10.10.43.125 | 취약 | http://10.10.43.42:8080/dsk-dev-process-c1.10.10.43.125.txt | -| dsk-dev-process-c2 | 10.10.43.128 | 취약 | http://10.10.43.42:8080/dsk-dev-process-c2.10.10.43.128.txt | -| dsk-dev-process-c3 | 10.10.43.131 | 취약 | http://10.10.43.42:8080/dsk-dev-process-c3.10.10.43.131.txt | -| dsk-dev-process-c4 | 10.10.43.137 | 취약 | http://10.10.43.42:8080/dsk-dev-process-c4.10.10.43.137.txt | -| dsk-dev-prometheus | 10.10.43.142 | 취약 | http://10.10.43.42:8080/dsk-dev-prometheus.10.10.43.142.txt | -| dsk-dev-temp-a1 | 10.10.43.132 | 취약 | http://10.10.43.42:8080/dsk-dev-temp-a1.10.10.43.132.txt | -| dsk-dev-temp-b1 | 10.10.43.140 | 취약 
| http://10.10.43.42:8080/dsk-dev-temp-b1.10.10.43.140.txt | -| dsk-dev-temp-c1 | 10.10.43.141 | 취약 | http://10.10.43.42:8080/dsk-dev-temp-c1.10.10.43.141.txt | -| dsk-minio-master1 | 10.10.43.235 | 취약 | http://10.10.43.42:8080/dsk-minio-master1.10.10.43.235.txt | -| dsk-minio-worker1 | 10.10.43.236 | 취약 | http://10.10.43.42:8080/dsk-minio-worker1.10.10.43.236.txt | -| infra-master | 10.10.43.224 | 취약 | http://10.10.43.42:8080/infra-master.10.10.43.224.txt | -| infra-worker001 | 10.10.43.225 | 취약 | http://10.10.43.42:8080/infra-worker001.10.10.43.225.txt | -| infra-worker002 | 10.10.43.226 | 취약 | http://10.10.43.42:8080/infra-worker002.10.10.43.226.txt | -| kafka-multi-0 | 10.10.43.151 | 취약 | http://10.10.43.42:8080/kafka-multi-0.10.10.43.151.txt | -| kafka-multi-1 | 10.10.43.152 | 취약 | http://10.10.43.42:8080/kafka-multi-1.10.10.43.152.txt | -| kafka-multi-2 | 10.10.43.153 | 취약 | http://10.10.43.42:8080/kafka-multi-2.10.10.43.153.txt | -| opensearch-data-0 | 10.10.43.144 | 취약 | http://10.10.43.42:8080/opensearch-data-0.10.10.43.144.txt | -| opensearch-data-1 | 10.10.43.145 | 취약 | http://10.10.43.42:8080/opensearch-data-1.10.10.43.145.txt | -| opensearch-master-0 | 10.10.43.143 | 취약 | http://10.10.43.42:8080/opensearch-master-0.10.10.43.143.txt | -| opensearch-search-0 | 10.10.43.146 | 취약 | http://10.10.43.42:8080/opensearch-search-0.10.10.43.146.txt | -| release-master | 10.10.43.100 | 취약 | http://10.10.43.42:8080/release-master.10.10.43.100.txt | -| releaseworker | 10.10.43.101 | 취약 | http://10.10.43.42:8080/releaseworker.10.10.43.101.txt | -| ubuntu-18-04 | 10.10.43.164 | 취약 | http://10.10.43.42:8080/ubuntu-18-04.10.10.43.164.txt | -| ubuntu-20-04 | 10.10.43.165 | 취약 | http://10.10.43.42:8080/ubuntu-20-04.10.10.43.165.txt | -| ubuntu-22-04 | 10.10.43.166 | 취약 | http://10.10.43.42:8080/ubuntu-22-04.10.10.43.166.txt | -| ubuntu2004 | 10.10.43.181 | 취약 | http://10.10.43.42:8080/ubuntu2004.10.10.43.181.txt | -| ubuntu2204 | 10.10.43.182 | 취약 | 
http://10.10.43.42:8080/ubuntu2204.10.10.43.182.txt | +| amazon-2023 | 10.10.43.175 | 취약 | http://10.10.43.42:8080/amazon-2023.10.10.43.175.txt | +| centos-7 | 10.10.43.167 | 취약 | http://10.10.43.42:8080/centos-7.10.10.43.167.txt | +| centos-8 | 10.10.43.168 | 취약 | http://10.10.43.42:8080/centos-8.10.10.43.168.txt | +| centos-9 | 10.10.43.169 | 취약 | http://10.10.43.42:8080/centos-9.10.10.43.169.txt | +| db-env | 10.10.43.176 | 취약 | http://10.10.43.42:8080/db-env.10.10.43.176.txt | +| debian-12 | 10.10.43.173 | 취약 | http://10.10.43.42:8080/debian-12.10.10.43.173.txt | +| openshift-4-13 | 10.10.43.171 | 취약 | http://10.10.43.42:8080/openshift-4-13.10.10.43.171.txt | +| oracle-linux-9 | 10.10.43.174 | 취약 | http://10.10.43.42:8080/oracle-linux-9.10.10.43.174.txt | diff --git a/ansible/security_check/checklist b/ansible/security_check/checklist index 0fd1ad0..5a0a4f5 100644 --- a/ansible/security_check/checklist +++ b/ansible/security_check/checklist 
@@ -3,54 +3,54 @@ server nas [server] -10.10.43.100 ansible_port=2222 ansible_user=dev2 -10.10.43.101 ansible_port=2222 ansible_user=dev2 -10.10.43.105 ansible_port=2222 ansible_user=dev2 -10.10.43.106 ansible_port=2222 ansible_user=dev2 -10.10.43.111 ansible_port=2222 ansible_user=dev2 -10.10.43.112 ansible_port=2222 ansible_user=dev2 -10.10.43.113 ansible_port=2222 ansible_user=dev2 -10.10.43.114 ansible_port=2222 ansible_user=dev2 -10.10.43.115 ansible_port=2222 ansible_user=dev2 -10.10.43.116 ansible_port=2222 ansible_user=dev2 -10.10.43.117 ansible_port=2222 ansible_user=dev2 -10.10.43.118 ansible_port=2222 ansible_user=dev2 -10.10.43.119 ansible_port=2222 ansible_user=dev2 -10.10.43.120 ansible_port=2222 ansible_user=dev2 -10.10.43.121 ansible_port=2222 ansible_user=dev2 -10.10.43.122 ansible_port=2222 ansible_user=dev2 -10.10.43.123 ansible_port=2222 ansible_user=dev2 -10.10.43.124 ansible_port=2222 ansible_user=dev2 -10.10.43.125 ansible_port=2222 ansible_user=dev2 -10.10.43.126 ansible_port=2222 ansible_user=dev2 -10.10.43.127 ansible_port=2222 ansible_user=dev2 -10.10.43.128 ansible_port=2222 ansible_user=dev2 -10.10.43.129 ansible_port=2222 ansible_user=dev2 -10.10.43.130 ansible_port=2222 ansible_user=dev2 -10.10.43.131 ansible_port=2222 ansible_user=dev2 -10.10.43.132 ansible_port=2222 ansible_user=dev2 -10.10.43.133 ansible_port=2222 ansible_user=dev2 -10.10.43.134 ansible_port=2222 ansible_user=dev2 -10.10.43.135 ansible_port=2222 ansible_user=dev2 -10.10.43.136 ansible_port=2222 ansible_user=dev2 -10.10.43.137 ansible_port=2222 ansible_user=dev2 -10.10.43.138 ansible_port=2222 ansible_user=dev2 -10.10.43.139 ansible_port=2222 ansible_user=dev2 -10.10.43.140 ansible_port=2222 ansible_user=dev2 -10.10.43.141 ansible_port=2222 ansible_user=dev2 -10.10.43.142 ansible_port=2222 ansible_user=dev2 -10.10.43.143 ansible_port=2222 ansible_user=dev2 -10.10.43.144 ansible_port=2222 ansible_user=dev2 -10.10.43.145 ansible_port=2222 ansible_user=dev2 
-10.10.43.146 ansible_port=2222 ansible_user=dev2 -10.10.43.147 ansible_port=2222 ansible_user=dev2 -10.10.43.148 ansible_port=2222 ansible_user=dev2 -10.10.43.151 ansible_port=2222 ansible_user=dev2 -10.10.43.152 ansible_port=2222 ansible_user=dev2 -10.10.43.153 ansible_port=2222 ansible_user=dev2 -10.10.43.164 ansible_port=2222 ansible_user=dev2 -10.10.43.165 ansible_port=2222 ansible_user=dev2 -10.10.43.166 ansible_port=2222 ansible_user=dev2 +#10.10.43.100 ansible_port=2222 ansible_user=dev2 +#10.10.43.101 ansible_port=2222 ansible_user=dev2 +#10.10.43.105 ansible_port=2222 ansible_user=dev2 +#10.10.43.106 ansible_port=2222 ansible_user=dev2 +#10.10.43.111 ansible_port=2222 ansible_user=dev2 +#10.10.43.112 ansible_port=2222 ansible_user=dev2 +#10.10.43.113 ansible_port=2222 ansible_user=dev2 +#10.10.43.114 ansible_port=2222 ansible_user=dev2 +#10.10.43.115 ansible_port=2222 ansible_user=dev2 +#10.10.43.116 ansible_port=2222 ansible_user=dev2 +#10.10.43.117 ansible_port=2222 ansible_user=dev2 +#10.10.43.118 ansible_port=2222 ansible_user=dev2 +#10.10.43.119 ansible_port=2222 ansible_user=dev2 +#10.10.43.120 ansible_port=2222 ansible_user=dev2 +#10.10.43.121 ansible_port=2222 ansible_user=dev2 +#10.10.43.122 ansible_port=2222 ansible_user=dev2 +#10.10.43.123 ansible_port=2222 ansible_user=dev2 +#10.10.43.124 ansible_port=2222 ansible_user=dev2 +#10.10.43.125 ansible_port=2222 ansible_user=dev2 +#10.10.43.126 ansible_port=2222 ansible_user=dev2 +#10.10.43.127 ansible_port=2222 ansible_user=dev2 +#10.10.43.128 ansible_port=2222 ansible_user=dev2 +#10.10.43.129 ansible_port=2222 ansible_user=dev2 +#10.10.43.130 ansible_port=2222 ansible_user=dev2 +#10.10.43.131 ansible_port=2222 ansible_user=dev2 +#10.10.43.132 ansible_port=2222 ansible_user=dev2 +#10.10.43.133 ansible_port=2222 ansible_user=dev2 +#10.10.43.134 ansible_port=2222 ansible_user=dev2 +#10.10.43.135 ansible_port=2222 ansible_user=dev2 +#10.10.43.136 ansible_port=2222 ansible_user=dev2 +#10.10.43.137 
ansible_port=2222 ansible_user=dev2 +#10.10.43.138 ansible_port=2222 ansible_user=dev2 +#10.10.43.139 ansible_port=2222 ansible_user=dev2 +#10.10.43.140 ansible_port=2222 ansible_user=dev2 +#10.10.43.141 ansible_port=2222 ansible_user=dev2 +#10.10.43.142 ansible_port=2222 ansible_user=dev2 +#10.10.43.143 ansible_port=2222 ansible_user=dev2 +#10.10.43.144 ansible_port=2222 ansible_user=dev2 +#10.10.43.145 ansible_port=2222 ansible_user=dev2 +#10.10.43.146 ansible_port=2222 ansible_user=dev2 +#10.10.43.147 ansible_port=2222 ansible_user=dev2 +#10.10.43.148 ansible_port=2222 ansible_user=dev2 +#10.10.43.151 ansible_port=2222 ansible_user=dev2 +#10.10.43.152 ansible_port=2222 ansible_user=dev2 +#10.10.43.153 ansible_port=2222 ansible_user=dev2 +#10.10.43.164 ansible_port=2222 ansible_user=dev2 +#10.10.43.165 ansible_port=2222 ansible_user=dev2 +#10.10.43.166 ansible_port=2222 ansible_user=dev2 10.10.43.167 ansible_port=2222 ansible_user=dev2 10.10.43.168 ansible_port=2222 ansible_user=dev2 10.10.43.169 ansible_port=2222 ansible_user=dev2 
@@ -60,51 +60,51 @@ nas 10.10.43.174 ansible_port=2222 ansible_user=dev2 10.10.43.175 ansible_port=2222 ansible_user=dev2 10.10.43.176 ansible_port=2222 ansible_user=dev2 -10.10.43.177 ansible_port=2222 ansible_user=dev2 -10.10.43.178 ansible_port=2222 ansible_user=dev2 -10.10.43.179 ansible_port=2222 ansible_user=dev2 -10.10.43.180 ansible_port=2222 ansible_user=dev2 -10.10.43.181 ansible_port=2222 ansible_user=dev2 -10.10.43.182 ansible_port=2222 ansible_user=dev2 -10.10.43.185 ansible_port=2222 ansible_user=dev2 -10.10.43.186 ansible_port=2222 ansible_user=dev2 -10.10.43.187 ansible_port=2222 ansible_user=dev2 -10.10.43.188 ansible_port=2222 ansible_user=dev2 -10.10.43.189 ansible_port=2222 ansible_user=dev2 -10.10.43.190 ansible_port=2222 ansible_user=dev2 -10.10.43.191 ansible_port=2222 ansible_user=dev2 -10.10.43.192 ansible_port=2222 ansible_user=dev2 -10.10.43.193 ansible_port=2222 ansible_user=dev2 -10.10.43.194 ansible_port=2222 ansible_user=dev2 -10.10.43.199 ansible_port=2222 ansible_user=dev2 -10.10.43.195 ansible_port=2222 ansible_user=dev2 -10.10.43.196 ansible_port=2222 ansible_user=dev2 -10.10.43.197 ansible_port=2222 ansible_user=dev2 -10.10.43.200 ansible_port=2222 ansible_user=dev2 -10.10.43.201 ansible_port=2222 ansible_user=dev2 -10.10.43.202 ansible_port=2222 ansible_user=dev2 -10.10.43.203 ansible_port=2222 ansible_user=dev2 -10.10.43.204 ansible_port=2222 ansible_user=dev2 -10.10.43.205 ansible_port=2222 ansible_user=dev2 -10.10.43.206 ansible_port=2222 ansible_user=dev2 -10.10.43.207 ansible_port=2222 ansible_user=dev2 -10.10.43.208 ansible_port=2222 ansible_user=dev2 -10.10.43.210 ansible_port=2222 ansible_user=dev2 -10.10.43.211 ansible_port=2222 ansible_user=dev2 -10.10.43.212 ansible_port=2222 ansible_user=dev2 -10.10.43.213 ansible_port=2222 ansible_user=dev2 -10.10.43.214 ansible_port=2222 ansible_user=dev2 -10.10.43.215 ansible_port=2222 ansible_user=dev2 -10.10.43.216 ansible_port=2222 ansible_user=dev2 -10.10.43.217 
ansible_port=2222 ansible_user=dev2 -10.10.43.218 ansible_port=2222 ansible_user=dev2 -10.10.43.224 ansible_port=2222 ansible_user=dev2 -10.10.43.225 ansible_port=2222 ansible_user=dev2 -10.10.43.226 ansible_port=2222 ansible_user=dev2 -10.10.43.227 ansible_port=2222 ansible_user=dev2 -10.10.43.228 ansible_port=2222 ansible_user=dev2 -10.10.43.235 ansible_port=2222 ansible_user=dev2 -10.10.43.236 ansible_port=2222 ansible_user=dev2 +#10.10.43.177 ansible_port=2222 ansible_user=dev2 +#10.10.43.178 ansible_port=2222 ansible_user=dev2 +#10.10.43.179 ansible_port=2222 ansible_user=dev2 +#10.10.43.180 ansible_port=2222 ansible_user=dev2 +#10.10.43.181 ansible_port=2222 ansible_user=dev2 +#10.10.43.182 ansible_port=2222 ansible_user=dev2 +#10.10.43.185 ansible_port=2222 ansible_user=dev2 +#10.10.43.186 ansible_port=2222 ansible_user=dev2 +#10.10.43.187 ansible_port=2222 ansible_user=dev2 +#10.10.43.188 ansible_port=2222 ansible_user=dev2 +#10.10.43.189 ansible_port=2222 ansible_user=dev2 +#10.10.43.190 ansible_port=2222 ansible_user=dev2 +#10.10.43.191 ansible_port=2222 ansible_user=dev2 +#10.10.43.192 ansible_port=2222 ansible_user=dev2 +#10.10.43.193 ansible_port=2222 ansible_user=dev2 +#10.10.43.194 ansible_port=2222 ansible_user=dev2 +#10.10.43.199 ansible_port=2222 ansible_user=dev2 +#10.10.43.195 ansible_port=2222 ansible_user=dev2 +#10.10.43.196 ansible_port=2222 ansible_user=dev2 +#10.10.43.197 ansible_port=2222 ansible_user=dev2 +#10.10.43.200 ansible_port=2222 ansible_user=dev2 +#10.10.43.201 ansible_port=2222 ansible_user=dev2 +#10.10.43.202 ansible_port=2222 ansible_user=dev2 +#10.10.43.203 ansible_port=2222 ansible_user=dev2 +#10.10.43.204 ansible_port=2222 ansible_user=dev2 +#10.10.43.205 ansible_port=2222 ansible_user=dev2 +#10.10.43.206 ansible_port=2222 ansible_user=dev2 +#10.10.43.207 ansible_port=2222 ansible_user=dev2 +#10.10.43.208 ansible_port=2222 ansible_user=dev2 +#10.10.43.210 ansible_port=2222 ansible_user=dev2 +#10.10.43.211 ansible_port=2222 
ansible_user=dev2 +#10.10.43.212 ansible_port=2222 ansible_user=dev2 +#10.10.43.213 ansible_port=2222 ansible_user=dev2 +#10.10.43.214 ansible_port=2222 ansible_user=dev2 +#10.10.43.215 ansible_port=2222 ansible_user=dev2 +#10.10.43.216 ansible_port=2222 ansible_user=dev2 +#10.10.43.217 ansible_port=2222 ansible_user=dev2 +#10.10.43.218 ansible_port=2222 ansible_user=dev2 +#10.10.43.224 ansible_port=2222 ansible_user=dev2 +#10.10.43.225 ansible_port=2222 ansible_user=dev2 +#10.10.43.226 ansible_port=2222 ansible_user=dev2 +#10.10.43.227 ansible_port=2222 ansible_user=dev2 +#10.10.43.228 ansible_port=2222 ansible_user=dev2 +#10.10.43.235 ansible_port=2222 ansible_user=dev2 +#10.10.43.236 ansible_port=2222 ansible_user=dev2 #10.10.43.252 ansible_port=2222 ansible_user=dev2 [nas] diff --git a/ansible/security_check/roles/security_check/files/rocky.sh b/ansible/security_check/roles/security_check/files/rocky.sh index 9104b7b..e185012 100644 --- a/ansible/security_check/roles/security_check/files/rocky.sh +++ b/ansible/security_check/roles/security_check/files/rocky.sh @@ -1,6 +1,6 @@ #!/bin/bash -resultfile="Results_$(date '+%F_%H:%M:%S').txt" +resultfile="/tmp/$(hostname).$(hostname -I | awk '{print $1}').txt" U_01() { echo "" >> $resultfile 2>&1 
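Review bot: The new `resultfile` is a fixed, predictable name in world-writable `/tmp`, and every check appends to it with `>>`, so a file or symlink another local user placed there beforehand is silently written into by this root-run script, and a leftover file from an earlier run keeps accumulating results. Set `umask 077` at the top of the script and start from a fresh file, e.g. `rm -f -- "$resultfile"; : > "$resultfile"`, or better still write under a root-owned directory that is not world-writable, since the file holds the host's vulnerability findings. `hostname -I | awk '{print $1}'` also takes the first address of the host, which on a multi-homed machine may differ from the inventory `ansible_host` that the fetch task in start.yml expects in the filename. The functions and summary that use `$resultfile` lie outside this hunk.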
@@ -2116,31 +2116,31 @@ U_45() { echo "" >> $resultfile 2>&1 echo "▶ U-45(하) | 1. 계정관리 > 1.6 root 계정 su 제한 ◀" >> $resultfile 2>&1 echo " 양호 판단 기준 : su 명령어를 특정 그룹에 속한 사용자만 사용하도록 제한되어 있는 경우" >> $resultfile 2>&1 - echo " ### pam_rootok.so 모듈을 사용하지 않는 경우 U_45 함수 수정 필요" >> $resultfile 2>&1 - echo " ### pam_rootok.so 모듈 사용과 함께 trust 문구를 추가한 경우 U_45 함수 수정 필요" >> $resultfile 2>&1 + #echo " ### pam_rootok.so 모듈을 사용하지 않는 경우 U_45 함수 수정 필요" >> $resultfile 2>&1 + #echo " ### pam_rootok.so 모듈 사용과 함께 trust 문구를 추가한 경우 U_45 함수 수정 필요" >> $resultfile 2>&1 rpm_libpam_count=`rpm -qa 2>/dev/null | grep '^libpam' | wc -l` dnf_libpam_count=`dnf list installed 2>/dev/null | grep -i '^libpam' | wc -l` if [ $rpm_libpam_count -gt 0 ] && [ $dnf_libpam_count -gt 0 ]; then # !!! pam_rootok.so 설정을 하지 않은 경우 하단의 첫 번째 if 문을 삭제하세요. etc_pamd_su_rootokso_count=`grep -vE '^#|^\s#' /etc/pam.d/su | grep 'pam_rootok.so' | wc -l` - if [ $etc_pamd_su_rootokso_count -gt 0 ]; then - # !!! pam_wheel.so 설정에 trust 문구를 추가한 경우 하단의 if 문 조건절에 'grep 'trust'를 추가하세요. - etc_pamd_su_wheelso_count=`grep -vE '^#|^\s#' /etc/pam.d/su | grep 'pam_wheel.so' | wc -l` - if [ $etc_pamd_su_wheelso_count -eq 0 ]; then - echo "※ U-45 결과 : 취약(Vulnerable)" >> $resultfile 2>&1 - echo " /etc/pam.d/su 파일에 pam_wheel.so 모듈이 없습니다." >> $resultfile 2>&1 - return 0 - fi - else - echo "※ U-45 결과 : 취약(Vulnerable)" >> $resultfile 2>&1 - echo " /etc/pam.d/su 파일에서 pam_rootok.so 모듈이 없습니다." >> $resultfile 2>&1 - return 0 - fi + #if [ $etc_pamd_su_rootokso_count -gt 0 ]; then + # # !!! pam_wheel.so 설정에 trust 문구를 추가한 경우 하단의 if 문 조건절에 'grep 'trust'를 추가하세요. + # etc_pamd_su_wheelso_count=`grep -vE '^#|^\s#' /etc/pam.d/su | grep 'pam_wheel.so' | wc -l` + # if [ $etc_pamd_su_wheelso_count -eq 0 ]; then + # echo "※ U-45 결과 : 취약(Vulnerable)" >> $resultfile 2>&1 + # echo " /etc/pam.d/su 파일에 pam_wheel.so 모듈이 없습니다." 
>> $resultfile 2>&1 + # return 0 + # fi + #else + # echo "※ U-45 결과 : 취약(Vulnerable)" >> $resultfile 2>&1 + # echo " /etc/pam.d/su 파일에서 pam_rootok.so 모듈이 없습니다." >> $resultfile 2>&1 + # return 0 + #fi else su_executables=("/bin/su" "/usr/bin/su") - if [ `which su 2>/dev/null | wc -l` -gt 0 ]; then - su_executables[${#su_executables[@]}]=`which su 2>/dev/null` - fi + #if [ `which su 2>/dev/null | wc -l` -gt 0 ]; then + # su_executables[${#su_executables[@]}]=`which su 2>/dev/null` + #fi for ((i=0; i<${#su_executables[@]}; i++)) do if [ -f ${su_executables[$i]} ]; then 
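Review bot: With both inner `if` branches commented out, the libpam branch of U_45 no longer inspects `/etc/pam.d/su` at all: `etc_pamd_su_rootokso_count` is still computed but never read, and control falls through to whatever verdict follows the hunk (outside this view), which presumably reports the check as passed rather than as skipped. If U-45 is intentionally out of scope, dropping it from the run list (which this commit already does at the bottom of the file) is enough and the function logic should stay intact; otherwise the branch should emit an explicit not-applicable line and `return 0` so the summary cannot count it as good. The dead assignment should go either way. U_45 starts before and ends after this hunk.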
@@ -3683,78 +3683,82 @@ echo "# Copyright (c) 2023 Kim Jei echo "# #" >> $resultfile 2>&1 echo "##############################################################################" >> $resultfile 2>&1 -U_01 -U_02 -U_03 -U_04 -U_05 -U_06 -U_07 -U_08 -U_09 -U_10 -U_11 -U_12 -U_13 -U_14 -U_15 -U_16 -U_17 -U_18 -U_19 -U_20 -U_21 -U_22 -U_23 -U_24 -U_25 -U_26 -U_27 -U_28 -U_29 -U_30 -U_31 -U_32 -U_33 -U_34 -U_35 -U_36 -U_37 -U_38 -U_39 -U_40 -U_41 -U_42 -U_43 -U_44 -U_45 -U_46 -U_47 -U_48 -U_49 -U_50 -U_51 -U_52 -U_53 -U_54 -U_55 -U_56 -U_57 -U_58 -U_59 -U_60 -U_61 -U_62 -U_63 -U_64 -U_65 -U_66 -U_67 -U_68 -U_69 -U_70 -U_71 -U_72 +U_01 # root 계정 원격 접속 제한 +#U_02 # 랜덤 패스워드를 사용중이라 제외 +U_03 # 계정 잠금 임계값 설정 +U_04 # 패스워드 파일 보호 +U_05 # root 홈, 패스 디렉터리 권한 및 패스 설정 +U_06 # 파일 및 디렉터리 소유자 설정 +U_07 # /etc/passwd 파일 소유자 및 권한 설정 +U_08 # /etc/shadow 파일 소유자 및 권한 설정 +U_09 # /etc/hosts 파일 소유자 및 권한 설정 +U_10 # /etc/(x)inetd.conf 파일 소유자 및 권한 설정 +U_11 # /etc/syslog.conf 파일 소유자 및 권한 설정 +U_12 # /etc/services 파일 소유자 및 권한 설정 +#U_13 # kubernetes 사용에 의한 어쩔 수 없음 제외 +U_14 # 사용자, 시스템 시작파일 및 환경파일 소유자 및 권한 설정 +#U_15 # kubernetes 사용에 의한 어쩔 수 없음 제외 +U_16 # /dev에 존재하지 않는 device 파일 점검 +U_17 # $HOME/.rhosts, hosts.equiv 사용 금지 +#U_18 # /etc/ssh/sshd_config.d/cat allow_users.conf 에서 별도로 관리하기 때문에 제외 +#U_19 # Finger 서비스를 사용하지 않아 제외 +#U_20 # FTP 서비스를 사용하지 않아 제외 (익명 ftp 차단 되어 있음) +U_21 # r 계열 서비스 비활성화 +U_22 # cron 파일 소유자 및 권한설정 +U_23 # Dos 공격에 취약한 서비스 비활성화 +#U_24 # NFS 서비스를 사용하지 않아 제외 +#U_25 # NFS 서비스를 사용하지 않아 제외 +U_26 # automountd 제거 +#U_27 # RPC 서비스를 사용하지 않아 제외 +#U_28 # NIS 서비스를 사용하지 않아 제외 +#U_29 # tftp, talk, ntalk 서비스를 사용하지 않아 제외 +#U_30 # SMTP 서비스를 사용하지 않아 제외 (sendmail 버전은 최신) +#U_31 # SMTP 서비스를 사용하지 않아 제외 +#U_32 # SMTP 서비스를 사용하지 않아 제외 +#U_33 # DNS 서비스를 사용하지 않아 제외 +#U_34 # DNS 서비스를 사용하지 않아 제외 +#U_35 # 웹 서비스를 사용하지 않아 제외 +#U_36 # 웹 서비스를 사용하지 않아 제외 +#U_37 # 웹 서비스를 사용하지 않아 제외 +#U_38 # 웹 서비스를 사용하지 않아 제외 +#U_39 # 웹 서비스를 사용하지 않아 제외 +#U_40 # 웹 서비스를 사용하지 않아 제외 +#U_41 # 웹 서비스를 사용하지 않아 제외 +#U_42 # 수동 점검이 필요한 항목이라 제외 +#U_43 # 
수동 점검이 필요한 항목이라 제외 +#U_44 # UID가 0은 root 뿐 임으로 제외 +#U_45 # sudo 같은 경우 root와 dev2 그룹만 할당되어 있기 때문에 제외 +#U_46 # 랜덤한 패스워드를 사용중이기 때문에 제외 +#U_47 # 적용되어 있기 때문에 제외 +#U_48 # 적용되어 있기 때문에 제외 +#U_49 # dev2 , dev2-iac를 제외 모두 os 기본 계정인데 삭제하기 애매하기 때문에 제외 +#U_50 # 관리자 그룹에는 "root" 계정만 있기 때문에 제외 +#U_51 # dev2 를 제외 생성한 그룹이 존재하지 않아 제외 +#U_52 # 기본적으로 동일한 UID로 계정이 생성되지 않고, 현재 존재하지 않아서 제외 +#U_53 # SSH Port 변경이 되어 있어서 제외 +#U_54 # 타임 아웃 설정이 되어 있어 제외 +#U_55 # hosts.lpd 파일을 사용하지 않음 +#U_56 # UMASK의 값은 022 에서 변경하지 않음 + +############################################# +#U_57 #OS 기본 설정이 "/usr/sbin/ 의 소유자는 root# +############################################# + +#U_58 # "/" 가 홈디렉토리인 계정을 찾을 수 없음 +#U_59 # 숨김 파일은 있을 수 밖에 없어 제외 +#U_60 # FTP 서비스를 사용하지 않아 제외 +#U_61 # FTP 서비스를 사용하지 않아 제외 +#U_62 # FTP 서비스를 사용하지 않아 제외 +#U_63 # FTP 서비스를 사용하지 않아 제외 +#U_64 # FTP 서비스를 사용하지 않아 제외 +U_65 # at 파일 소유자 및 권한 설정 +#U_66 # SMTP 서비스를 사용하지 않아 제외 +#U_67 # SMTP 서비스를 사용하지 않아 제외 +#U_68 # 메시지 추가 예정이기 때문에 제외 +#U_69 # NFS 서비스를 사용하지 않아 제외 +#U_70 # SMTP 서비스를 사용하지 않아 제외 +#U_71 # 아파치 서비스를 사용하지 않아 제외 +#U_72 # 수동 점검이 필요한 항목이라 제외 echo "" >> $resultfile 2>&1 echo "================================ 진단 결과 요약 ================================" >> $resultfile 2>&1 diff --git a/ansible/security_check/roles/security_check/tasks/create_readme.yml b/ansible/security_check/roles/security_check/tasks/create_readme.yml index b3968de..8ace5e0 100644 --- a/ansible/security_check/roles/security_check/tasks/create_readme.yml +++ b/ansible/security_check/roles/security_check/tasks/create_readme.yml @@ -5,7 +5,6 @@ args: chdir: /volume1/platform/05_Security_check/ register: check_status - when: "'nas' in group_names" - name: check status [2] shell: | 
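Review bot: Several checks are disabled because their condition currently holds (`#U_44` UID 0 only root, `#U_47`/`#U_48` already applied, `#U_50`, `#U_52`, `#U_53` SSH port changed, `#U_54` timeout set, `#U_56` umask unchanged) rather than because they do not apply; a recurring scan exists precisely to catch drift in those settings, so they should stay enabled and only the genuinely inapplicable services (FTP, NFS, SMTP, web, DNS) be excluded. The rationale on `#U_45` talks about sudo group membership, but U-45 is the su restriction check (pam_wheel in `/etc/pam.d/su`), so the comment does not justify skipping it. `#U_18` also carries a stray `cat` in its path, `/etc/ssh/sshd_config.d/cat allow_users.conf`. The summary block that counts the results follows this hunk.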
@@ -13,22 +12,18 @@ args: chdir: /volume1/platform/05_Security_check/ register: check_ok - when: "'nas' in group_names" - debug: msg: "취약점 {{ check_status.stdout_lines }} 발견" - when: "'nas' in group_names" - debug: msg: "취약점 {{ check_ok.stdout_lines }} 양호" - when: "'nas' in group_names" - name: Create README.md template: src: README.md.j2 dest: "{{ playbook_dir }}/README.md" delegate_to: 127.0.0.1 - when: "'nas' in group_names" - name: git push shell: | @@ -36,9 +31,9 @@ ls -al git config --global user.email "sa_8001@ex-em.com" git config --global user.name "ByeonJungHun" - git clone https://{{ git_user }}:{{ git_key }}github.com/CloudMOA/dsk-iac.git ~/security_check + git clone https://{{ git_user }}:{{ git_key }}github.com/CloudMOA/dsk-iac.git ~/dsk-iac cp ./README.md ~/dsk-iac/ansible/security_check/README.md - cd ~/security_check + cd ~/dsk-iac cat README.md pwd ls -al @@ -46,8 +41,6 @@ git commit -m "검사 결과 업데이트" git push delegate_to: 127.0.0.1 - when: "'nas' in group_names" - debug: - msg: "결과 확인 : https://github.com/CloudMOA/dsk-iac/tree/main/ansible/security_check" - when: "'nas' in group_names" \ No newline at end of file + msg: "결과 확인 : https://github.com/CloudMOA/dsk-iac/tree/main/ansible/security_check" \ No newline at end of file diff --git a/ansible/security_check/roles/security_check/tasks/main.yml b/ansible/security_check/roles/security_check/tasks/main.yml index 6fcfe9a..f313a2b 100644 --- a/ansible/security_check/roles/security_check/tasks/main.yml +++ b/ansible/security_check/roles/security_check/tasks/main.yml @@ -2,3 +2,4 @@ - include: start.yml - include: create_readme.yml + when: "'nas' in group_names" diff --git a/ansible/security_check/roles/security_check/tasks/start.yml b/ansible/security_check/roles/security_check/tasks/start.yml index 9996089..2d0b74b 100644 --- a/ansible/security_check/roles/security_check/tasks/start.yml +++ b/ansible/security_check/roles/security_check/tasks/start.yml 
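Review bot: The rewritten `git clone` line is missing the `@` between the credentials and the host, so `https://{{ git_user }}:{{ git_key }}github.com/CloudMOA/dsk-iac.git` does not address github.com at all; the commit changes the target directory on this line but keeps the defect. Beyond the typo, passing the token inside a `shell:` command puts it in the controller's process list and in the task's logged arguments, so the task needs `no_log: true` and should hand the token to git through a credential helper or an environment variable rather than the URL. The task also clones into `~/dsk-iac` unconditionally, which fails on the second run once the directory exists, and `git config --global` rewrites the controller's global git identity as a side effect. The other hunks of this file only drop the per-task `when` that main.yml now applies at the include.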
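Review bot: `- include:` is the legacy include action, deprecated since Ansible 2.4 and, as far as I know, removed from recent ansible-core releases, so the role will stop loading on a current controller; `- import_tasks: create_readme.yml` with the same `when: "'nas' in group_names"` is the drop-in form. Note also that with `hosts: all` the condition still runs the delegated clone-and-push once per host in the `nas` group, so two nas hosts would race on the same `~/dsk-iac` checkout; `run_once: true` alongside the `when` avoids that.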
@@ -15,7 +15,13 @@ copy: src: "{{ role_path }}/files/ubuntu.sh" dest: /tmp/ubuntu.sh - when: ansible_distribution == 'Ubuntu' + when: ansible_facts['os_family'] == 'Debian' + +- name: Copy Security Check Script + copy: + src: "{{ role_path }}/files/rocky.sh" + dest: /tmp/rocky.sh + when: ansible_facts['os_family'] == 'RedHat' - name: Start Security Check Script (become -> true) shell: | @@ -23,21 +29,29 @@ bash /tmp/ubuntu.sh rm -rf /tmp/ubuntu.sh become: true - when: ansible_distribution == 'Ubuntu' + when: ansible_facts['os_family'] == 'Debian' + +- name: Start Security Check Script (become -> true) + shell: | + chdir + bash /tmp/rocky.sh + rm -rf /tmp/rocky.sh + become: true + when: ansible_facts['os_family'] == 'RedHat' - name: Copy Result File to Local fetch: src: "/tmp/{{ ansible_hostname }}.{{ ansible_host }}.txt" dest: "~/checklist/" flat: yes - when: ansible_distribution == 'Ubuntu' + when: ansible_facts['os_family'] == 'Debian' or ansible_facts['os_family'] == 'RedHat' - name: Delete Result File (become -> true) file: path: "/tmp/{{ ansible_hostname }}.txt" state: absent become: true - when: ansible_distribution == 'Ubuntu' + when: ansible_facts['os_family'] == 'Debian' or ansible_facts['os_family'] == 'RedHat' - name: Find Copy File Name shell: ls -l ~/checklist/ | awk 'NR>1 {print $9}' diff --git a/ansible/security_check/server_check.yml b/ansible/security_check/server_check.yml index d8cf498..1435aac 100644 --- a/ansible/security_check/server_check.yml +++ b/ansible/security_check/server_check.yml @@ -2,5 +2,8 @@ - hosts: all become: false gather_facts: true + vars: + git_user: sa_8001 + git_key: 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 roles: - role: security_check
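Review bot: In the new RedHat `shell:` block the line `chdir` runs as a shell command (it is not one) ahead of `bash /tmp/rocky.sh`; without `set -e` it only prints an error, but it was presumably meant as `args: chdir: /tmp`. The `Delete Result File` task removes `/tmp/{{ ansible_hostname }}.txt` while the script and the fetch task use `/tmp/{{ ansible_hostname }}.{{ ansible_host }}.txt`, so the report with the findings is never deleted and remains on the target in `/tmp`; both tasks should use the same path expression. The copy-then-execute pattern in the first hunk stages the script in world-writable `/tmp` and then runs it with `become: true`, so a local user able to write that path before the second task runs could alter what root executes; copying to a root-owned `0700` directory, or using the `script` module which runs from the connection's private temp dir, closes that window. The doubled condition reads better as `when: ansible_facts['os_family'] in ['Debian', 'RedHat']`, and the duplicated task names should be made distinct.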
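Review bot: `git_key` is a GitHub personal access token committed in plaintext in the playbook vars, and the playbook then pushes this very tree back to the same repository, so the token now sits in the repository history for everyone with read access; it has to be treated as compromised and revoked, and the replacement should come from `ansible-vault` or an environment lookup such as `git_key: "{{ lookup('env', 'GIT_KEY') }}"` rather than this file. `git_user` is likewise a personal login hard-coded into a shared playbook; a deploy key or a fine-grained token scoped to this one repository with write access to contents only would limit the blast radius. Rotating the token does not remove the old value from this commit; that needs a history rewrite.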