diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000..961b9bd Binary files /dev/null and b/.DS_Store differ diff --git a/ansible/.DS_Store b/ansible/.DS_Store new file mode 100644 index 0000000..b905f61 Binary files /dev/null and b/ansible/.DS_Store differ diff --git a/ansible/01_old/.DS_Store b/ansible/01_old/.DS_Store new file mode 100644 index 0000000..6d57542 Binary files /dev/null and b/ansible/01_old/.DS_Store differ diff --git a/ansible/README.md b/ansible/README.md index 2af3b5e..a7ccf6e 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -17,4 +17,4 @@ ansible script 구조 | zabbix_agent | Zabbix Agent 배포, Zabbix 등록 | | kubespray | dsk dev 환경 kubernetes 관리용 kubespray | | security_check | 주요정보통신기반시설 기술적 취약점 분석·평가 상세가이드를 기반으로 취약점을 점검하는 스크립트를 각 서버에서 실행
최종적으로 결과를 NAS 에 저장 후 요약을 Git 레파지토리에 README.md 로 확인할 수 있게 구성
상세 정보 같은 경우 NAS 혹은 README.md에 함께 작성되는 링크를 통해 확인 가능 | -| security_settings | 기본적으로 적용되어야 하는 취약점 대응 | +| security_settings | 기본적으로 적용되어야 하는 취약점 대응 | \ No newline at end of file diff --git a/ansible/infra_setting/.DS_Store b/ansible/infra_setting/.DS_Store new file mode 100644 index 0000000..40fab12 Binary files /dev/null and b/ansible/infra_setting/.DS_Store differ diff --git a/ansible/infra_setting/roles/.DS_Store b/ansible/infra_setting/roles/.DS_Store new file mode 100644 index 0000000..75bb37d Binary files /dev/null and b/ansible/infra_setting/roles/.DS_Store differ diff --git a/ansible/infra_setting/roles/connect-settings/.DS_Store b/ansible/infra_setting/roles/connect-settings/.DS_Store new file mode 100644 index 0000000..7470ee3 Binary files /dev/null and b/ansible/infra_setting/roles/connect-settings/.DS_Store differ diff --git a/ansible/infra_setting/roles/connect-settings/tasks/main.yml b/ansible/infra_setting/roles/connect-settings/tasks/main.yml index 82dd567..0b39356 100644 --- a/ansible/infra_setting/roles/connect-settings/tasks/main.yml +++ b/ansible/infra_setting/roles/connect-settings/tasks/main.yml @@ -1,6 +1,6 @@ --- -- include: 00_host_setting.yml - tags: host +#- include: 00_host_setting.yml +# tags: host - include: 01_get_password.yml tags: password diff --git a/ansible/security_check/README.md b/ansible/security_check/README.md index 74c1e11..ed64053 100644 --- a/ansible/security_check/README.md +++ b/ansible/security_check/README.md @@ -1,4 +1,3 @@ | 이름 | 아이피 | 상태 요약 | 상세 보기 | | --- | --- | --- | --- | -| cmoa-master-1 | 10.10.43.200 | 취약 | http://10.10.43.42:8080/cmoa-master-1.10.10.43.200.txt | -| cmoa-jaeger-master | 10.10.43.213 | 양호 | http://10.10.43.42:8080/cmoa-jaeger-master.10.10.43.213.txt | +| datasaker | 10.10.43.99 | 양호 | http://10.10.43.42:8080/datasaker.10.10.43.99.txt | diff --git a/ansible/security_check/test b/ansible/security_check/test index 5c17153..9409a8f 100644 --- a/ansible/security_check/test 
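Review bot: The include of 00_host_setting.yml in connect-settings/tasks/main.yml is commented out rather than removed, leaving dead configuration in the task list that git history already preserves; drop the two `#- include` / `# tags` lines. If the host step is meant to stay optional, gating it with its existing `host` tag at playbook run time is clearer than a comment.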
+++ b/ansible/security_check/test @@ -3,8 +3,7 @@ server nas [server] -10.10.43.200 ansible_user=dev2 ansible_port=2222 -10.10.43.213 ansible_user=dev2 ansible_port=2222 +10.10.43.99 ansible_user=datasaker ansible_port=2222 [nas] -10.10.43.42 ansible_port=2222 ansible_user=exemdev2 \ No newline at end of file +10.10.43.42 ansible_port=2222 ansible_user=exemdev2 diff --git a/ansible/security_settings/invenotry b/ansible/security_settings/invenotry deleted file mode 100644 index 6f2ee94..0000000 --- a/ansible/security_settings/invenotry +++ /dev/null 
@@ -1,105 +0,0 @@ -[all] -10.10.43.43 ansible_port=2222 ansible_user=dev2 -10.10.43.100 ansible_port=2222 ansible_user=dev2 -10.10.43.101 ansible_port=2222 ansible_user=dev2 -10.10.43.105 ansible_port=2222 ansible_user=dev2 -10.10.43.106 ansible_port=2222 ansible_user=dev2 -10.10.43.111 ansible_port=2222 ansible_user=dev2 -10.10.43.112 ansible_port=2222 ansible_user=dev2 -10.10.43.113 ansible_port=2222 ansible_user=dev2 -10.10.43.114 ansible_port=2222 ansible_user=dev2 -10.10.43.115 ansible_port=2222 ansible_user=dev2 -10.10.43.116 ansible_port=2222 ansible_user=dev2 -10.10.43.117 ansible_port=2222 ansible_user=dev2 -10.10.43.118 ansible_port=2222 ansible_user=dev2 -10.10.43.119 ansible_port=2222 ansible_user=dev2 -10.10.43.120 ansible_port=2222 ansible_user=dev2 -10.10.43.121 ansible_port=2222 ansible_user=dev2 -10.10.43.122 ansible_port=2222 ansible_user=dev2 -10.10.43.123 ansible_port=2222 ansible_user=dev2 -10.10.43.124 ansible_port=2222 ansible_user=dev2 -10.10.43.125 ansible_port=2222 ansible_user=dev2 -10.10.43.126 ansible_port=2222 ansible_user=dev2 -10.10.43.127 ansible_port=2222 ansible_user=dev2 -10.10.43.128 ansible_port=2222 ansible_user=dev2 -10.10.43.129 ansible_port=2222 ansible_user=dev2 -10.10.43.130 ansible_port=2222 ansible_user=dev2 -10.10.43.131 ansible_port=2222 ansible_user=dev2 -10.10.43.132 ansible_port=2222 ansible_user=dev2 -10.10.43.133 ansible_port=2222 ansible_user=dev2 -10.10.43.134 ansible_port=2222 ansible_user=dev2 -10.10.43.135 ansible_port=2222 ansible_user=dev2 -10.10.43.136 ansible_port=2222 ansible_user=dev2 -10.10.43.137 ansible_port=2222 ansible_user=dev2 -10.10.43.138 ansible_port=2222 ansible_user=dev2 -10.10.43.139 ansible_port=2222 ansible_user=dev2 -10.10.43.140 ansible_port=2222 ansible_user=dev2 -10.10.43.141 ansible_port=2222 ansible_user=dev2 -10.10.43.142 ansible_port=2222 ansible_user=dev2 -10.10.43.143 ansible_port=2222 ansible_user=dev2 -10.10.43.144 ansible_port=2222 ansible_user=dev2 -10.10.43.145 
ansible_port=2222 ansible_user=dev2 -10.10.43.146 ansible_port=2222 ansible_user=dev2 -10.10.43.147 ansible_port=2222 ansible_user=dev2 -10.10.43.148 ansible_port=2222 ansible_user=dev2 -10.10.43.151 ansible_port=2222 ansible_user=dev2 -10.10.43.152 ansible_port=2222 ansible_user=dev2 -10.10.43.153 ansible_port=2222 ansible_user=dev2 -10.10.43.164 ansible_port=2222 ansible_user=dev2 -10.10.43.165 ansible_port=2222 ansible_user=dev2 -10.10.43.166 ansible_port=2222 ansible_user=dev2 -10.10.43.167 ansible_port=2222 ansible_user=dev2 -10.10.43.168 ansible_port=2222 ansible_user=dev2 -10.10.43.169 ansible_port=2222 ansible_user=dev2 -10.10.43.171 ansible_port=2222 ansible_user=dev2 -10.10.43.172 ansible_port=2222 ansible_user=dev2 -10.10.43.173 ansible_port=2222 ansible_user=dev2 -10.10.43.174 ansible_port=2222 ansible_user=dev2 -10.10.43.175 ansible_port=2222 ansible_user=dev2 -10.10.43.176 ansible_port=2222 ansible_user=dev2 -10.10.43.177 ansible_port=2222 ansible_user=dev2 -10.10.43.178 ansible_port=2222 ansible_user=dev2 -10.10.43.179 ansible_port=2222 ansible_user=dev2 -10.10.43.180 ansible_port=2222 ansible_user=dev2 -10.10.43.181 ansible_port=2222 ansible_user=dev2 -10.10.43.182 ansible_port=2222 ansible_user=dev2 -10.10.43.185 ansible_port=2222 ansible_user=dev2 -10.10.43.186 ansible_port=2222 ansible_user=dev2 -10.10.43.187 ansible_port=2222 ansible_user=dev2 -10.10.43.188 ansible_port=2222 ansible_user=dev2 -10.10.43.189 ansible_port=2222 ansible_user=dev2 -10.10.43.190 ansible_port=2222 ansible_user=dev2 -10.10.43.191 ansible_port=2222 ansible_user=dev2 -10.10.43.192 ansible_port=2222 ansible_user=dev2 -10.10.43.193 ansible_port=2222 ansible_user=dev2 -10.10.43.194 ansible_port=2222 ansible_user=dev2 -10.10.43.199 ansible_port=2222 ansible_user=dev2 -10.10.43.195 ansible_port=2222 ansible_user=dev2 -10.10.43.196 ansible_port=2222 ansible_user=dev2 -10.10.43.197 ansible_port=2222 ansible_user=dev2 -10.10.43.200 ansible_port=2222 ansible_user=dev2 -10.10.43.201 
ansible_port=2222 ansible_user=dev2 -10.10.43.202 ansible_port=2222 ansible_user=dev2 -10.10.43.203 ansible_port=2222 ansible_user=dev2 -10.10.43.204 ansible_port=2222 ansible_user=dev2 -10.10.43.205 ansible_port=2222 ansible_user=dev2 -10.10.43.206 ansible_port=2222 ansible_user=dev2 -10.10.43.207 ansible_port=2222 ansible_user=dev2 -10.10.43.208 ansible_port=2222 ansible_user=dev2 -10.10.43.210 ansible_port=2222 ansible_user=dev2 -10.10.43.211 ansible_port=2222 ansible_user=dev2 -10.10.43.212 ansible_port=2222 ansible_user=dev2 -10.10.43.213 ansible_port=2222 ansible_user=dev2 -10.10.43.214 ansible_port=2222 ansible_user=dev2 -10.10.43.215 ansible_port=2222 ansible_user=dev2 -10.10.43.216 ansible_port=2222 ansible_user=dev2 -10.10.43.217 ansible_port=2222 ansible_user=dev2 -10.10.43.218 ansible_port=2222 ansible_user=dev2 -10.10.43.224 ansible_port=2222 ansible_user=dev2 -10.10.43.225 ansible_port=2222 ansible_user=dev2 -10.10.43.226 ansible_port=2222 ansible_user=dev2 -10.10.43.227 ansible_port=2222 ansible_user=dev2 -10.10.43.228 ansible_port=2222 ansible_user=dev2 -10.10.43.235 ansible_port=2222 ansible_user=dev2 -10.10.43.236 ansible_port=2222 ansible_user=dev2 -10.10.43.252 ansible_port=2222 ansible_user=dev2 diff --git a/ansible/security_settings/security_settings.yml b/ansible/security_settings/security_settings.yml deleted file mode 100644 index 624d10c..0000000 --- a/ansible/security_settings/security_settings.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- hosts: all - become: true - gather_facts: true - roles: - - role: security_settings \ No newline at end of file diff --git a/ansible/security_settings/test b/ansible/security_settings/test deleted file mode 100644 index 6b24dbc..0000000 --- a/ansible/security_settings/test +++ /dev/null @@ -1,2 +0,0 @@ -[all] -10.10.43.213 ansible_user=dev2 ansible_port=2222 
diff --git a/ansible/server_settings/.DS_Store b/ansible/server_settings/.DS_Store new file mode 100644 index 0000000..0d35fc6 Binary files /dev/null and b/ansible/server_settings/.DS_Store differ diff --git a/ansible/security_settings/ansible.cfg b/ansible/server_settings/ansible.cfg similarity index 100% rename from ansible/security_settings/ansible.cfg rename to ansible/server_settings/ansible.cfg diff --git a/ansible/server_settings/invenotry b/ansible/server_settings/invenotry new file mode 100644 index 0000000..a84fdc2 --- /dev/null +++ b/ansible/server_settings/invenotry @@ -0,0 +1,2 @@ +[all] +10.10.43.99 ansible_user=datasaker ansible_port=2222 diff --git a/ansible/infra_setting/q b/ansible/server_settings/passwd_inventory similarity index 99% rename from ansible/infra_setting/q rename to ansible/server_settings/passwd_inventory index 3025811..81972bd 100644 --- a/ansible/infra_setting/q +++ b/ansible/server_settings/passwd_inventory @@ -101,4 +101,4 @@ 10.10.43.228 ansible_port=2222 ansible_user=dev2 10.10.43.235 ansible_port=2222 ansible_user=dev2 10.10.43.236 ansible_port=2222 ansible_user=dev2 -10.10.43.252 ansible_port=2222 ansible_user=dev2 +10.10.43.252 ansible_port=2222 ansible_user=dev2 \ No newline at end of file diff --git a/ansible/server_settings/roles/.DS_Store b/ansible/server_settings/roles/.DS_Store new file mode 100644 index 0000000..2aa9592 Binary files /dev/null and b/ansible/server_settings/roles/.DS_Store differ diff --git a/ansible/server_settings/roles/password-settings/.DS_Store b/ansible/server_settings/roles/password-settings/.DS_Store new file mode 100644 index 0000000..836aadd Binary files /dev/null and b/ansible/server_settings/roles/password-settings/.DS_Store differ diff --git a/ansible/server_settings/roles/password-settings/README.md b/ansible/server_settings/roles/password-settings/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/ansible/server_settings/roles/password-settings/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/ansible/server_settings/roles/password-settings/defaults/main.yml b/ansible/server_settings/roles/password-settings/defaults/main.yml new file mode 100644 index 0000000..5415520 --- /dev/null +++ b/ansible/server_settings/roles/password-settings/defaults/main.yml 
@@ -0,0 +1,15 @@
+---
+# defaults file for password
+
+encrypt: 0 # strings 0 , encrypted 1
+debug_mode: False
+sshrootlogin: forced-commands-only
+sshmainport: 2222
+iptables_rules:
+ - { source: "10.10.45.0/24", target: "DROP" }
+ - { source: "10.10.47.0/24", target: "DROP" }
+ - { source: "10.10.48.0/24", target: "DROP" }
+ - { source: "10.10.50.0/24", target: "DROP" }
+ - { source: "10.10.37.0/24", target: "DROP" }
+delete_rule: False
+add_rule: True
\ No newline at end of file
diff --git a/ansible/server_settings/roles/password-settings/files/00_old/gen_password.py b/ansible/server_settings/roles/password-settings/files/00_old/gen_password.py
new file mode 100644
index 0000000..b1b4e13
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/files/00_old/gen_password.py
@@ -0,0 +1,44 @@ +#!/usr/bin/python3 + +import base64, random, string, os +from Crypto.Cipher import AES +from Crypto.Random import get_random_bytes +from Crypto.Util.Padding import pad, unpad + +try: + encrypt_flag=True if os.sys.argv[1].lower()=='1' else False +except Exception as err: + encrypt_flag=False + +def generate_password(length=8, num_uppercase=1, num_lowercase=1, num_digits=1, num_sp_char=1): + sp_char = '!@#$' + all_chars = string.ascii_letters + string.digits + sp_char + + password = [ + *random.choices(string.ascii_uppercase, k=num_uppercase), + *random.choices(string.ascii_lowercase, k=num_lowercase), + *random.choices(string.digits, k=num_digits), + *random.choices(sp_char, k=num_sp_char) + ] + + remaining_length = length - (num_uppercase + num_lowercase + num_digits + num_sp_char) + password += random.choices(all_chars, k=remaining_length) + + random.shuffle(password) + return ''.join(password) + +def encrypt(plain_text, key): + manual_iv = b'PhilinnovatorDEV' + cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv) + ct_bytes = cipher.encrypt(pad(plain_text.encode(), 16)) + ct = base64.b64encode(ct_bytes).decode('utf-8') + return ct + +key = b'PhilinnovatorDEVPhilinnovatorDEV' +plain_text = generate_password() + +if encrypt_flag: + encrypted_text = encrypt(plain_text, key) + print(encrypted_text) +else: + print(plain_text) diff --git a/ansible/server_settings/roles/password-settings/files/00_old/vault_test.py b/ansible/server_settings/roles/password-settings/files/00_old/vault_test.py new file mode 100644 index 0000000..18f6988 --- /dev/null +++ b/ansible/server_settings/roles/password-settings/files/00_old/vault_test.py 
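Review bot: generate_password draws every character with `random.choices` and `random.shuffle`, which come from a non-cryptographic PRNG, and encrypt() uses an AES key and IV that are literals in this same file, so the credentials this script produces are neither unpredictable nor confidential to anyone who can read the repository; files/gen_password carries the same code and files/decrypt_password the same key and IV in this commit. Use `secrets.choice` for each draw and `secrets.SystemRandom().shuffle(password)`, and load the key from the environment or from Vault rather than a literal; with a fixed IV, CBC also yields the same ciphertext for the same password, so derive a fresh IV per call and prepend it to the output. Since this copy sits under 00_old/ next to the live files/gen_password, deleting it is the simplest fix.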
@@ -0,0 +1,11 @@
+import hvac
+
+str_url = "http://10.10.43.98:31080"
+str_token = "hvs.CAESIMV6zCg-GpUP4pQgVA5f1ZXkgyJZrqOC6QDCegrpiAX9Gh4KHGh2cy5ORkpkc2ZyVUxYd09qUVFtQldRNDBjS3I"
+client = hvac.Client(url=str_url, token=str_token)
+
+str_mount_point = 'kv'
+str_secret_path = 'host1'
+read_secret_result = client.secrets.kv.v1.read_secret(mount_point=str_mount_point, path=str_secret_path)
+print(read_secret_result)
+
diff --git a/ansible/server_settings/roles/password-settings/files/custom_excel b/ansible/server_settings/roles/password-settings/files/custom_excel
new file mode 100755
index 0000000..562b89c
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/files/custom_excel
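Review bot: str_token holds what looks like a live Vault service token (`hvs.…`) committed verbatim next to the Vault address, so anyone who has ever had read access to this repository can use it until it is revoked; it should be revoked now and the file purged from history rather than merely parked under 00_old/. If the script is kept, drop the literal and the `token=` argument and let `client = hvac.Client()` pick up `VAULT_ADDR` and `VAULT_TOKEN` from the environment.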
@@ -0,0 +1,108 @@ +#!/usr/bin/python3 +#-*- coding: utf-8 -*- + +import os, sys, time, errno, socket, signal, psutil, random, logging.handlers, subprocess, paramiko, hvac +from xlwt import Workbook, XFStyle, Borders, Font, Pattern +from socket import error as SocketError + +process_time = time.strftime("%Y%m%d_%H%M", time.localtime()) +excel_file_name = '/mnt/e/excel/{}.xls'.format(process_time) + +def process_close(flag=True, result=''): + if flag: + print("[Success]") + else: + print("[Fail]:{}".format(result)) + + sys.exit(0) + +def set_header(sheet, header_list): + # 폰트 설정 + font = Font() + font.bold = True + + # 테두리 설정 + borders = Borders() + borders.left = Borders.THIN + borders.right = Borders.THIN + borders.top = Borders.THIN + borders.bottom = Borders.THIN + + # 배경색 설정 + pattern = Pattern() + pattern.pattern = Pattern.SOLID_PATTERN + pattern.pattern_fore_colour = 22 # #E2EFDA는 xlwt에서 인덱스 22에 해당하는 색입니다. + + hdrstyle = XFStyle() + hdrstyle.font = font + hdrstyle.borders = borders + hdrstyle.pattern = pattern + + for idx, header in enumerate(header_list): + sheet.write(0, idx, header, hdrstyle) + sheet.col(idx).width = len(header) * 800 + +def write_data(sheet, data_list): + datestyle = XFStyle() + datestyle.num_format_str = 'YYYY-MM-DD' + + for row_num, data in enumerate(data_list, start=1): + for col_num, cell_data in enumerate(data): + if col_num == 7: + sheet.write(row_num, col_num, cell_data, datestyle) + elif col_num in [1, 4, 5]: + formatted_data = u'{}'.format(cell_data) if cell_data else '' + sheet.write(row_num, col_num, formatted_data) + else: + sheet.write(row_num, col_num, cell_data) + +def excel_write(header_list=[], data_list=[], filename='', sheetTitle=''): + workbook = Workbook(style_compression=2, encoding='utf-8') + sheet = workbook.add_sheet(sheetTitle) + + set_header(sheet, header_list) + write_data(sheet, data_list) + + sheet.panes_frozen = True + sheet.vert_split_pos = 0 + sheet.horz_split_pos = 1 + workbook.save(filename) + +def 
main(): + header_list=['번호','호스트 유형','호스트명','호스트 IP','포트번호','프로토콜','인증방법','1차 로그인 계정명','1차 로그인 비밀번호','1차 로그인 계정명','2차 로그인 비밀번호','용도','비고'] + data_list=[] + + openfile=open('/tmp/host_list','r') + readfile=openfile.readlines() + openfile.close() + for idx, host_data in enumerate(readfile): + try: + if idx==0: continue + host_num=idx + hosttype=host_data.strip().split(' ')[0] + print(hosttype) + hostname=host_data.strip().split(' ')[1] + host_ips=host_data.strip().split(' ')[2] + port_num=int(host_data.strip().split(' ')[3]) + protocol='SSH' + auth_con='Password' + username=host_data.strip().split(' ')[4] + first_pw=host_data.strip().split(' ')[5] + rootuser=host_data.strip().split(' ')[6] + secon_pw=host_data.strip().split(' ')[7] + descript='-' + remarks_='-' + data_list.append([host_num,hosttype,hostname,host_ips,port_num,protocol,auth_con,username,first_pw,rootuser,secon_pw,descript,remarks_,]) + except: + continue + + excel_write(header_list, data_list, excel_file_name, 'TEST') + +DEBUG=False +try: + if os.sys.argv[1]: DEBUG=True +except: + pass +main() +process_close() + diff --git a/ansible/server_settings/roles/password-settings/files/decrypt_password b/ansible/server_settings/roles/password-settings/files/decrypt_password new file mode 100755 index 0000000..5e31c71 --- /dev/null +++ b/ansible/server_settings/roles/password-settings/files/decrypt_password 
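Review bot: header_list labels column 9 `'1차 로그인 계정명'` a second time although the value written there is `rootuser`; it should read `'2차 로그인 계정명'` to match the `'2차 로그인 비밀번호'` column that follows. The bare `except: continue` in main() also drops any /tmp/host_list line with fewer than eight fields or a non-numeric port without a message, so a malformed host silently vanishes from the export — catch `(IndexError, ValueError)` and report the line number instead. The workbook saved under /mnt/e/excel then contains both login passwords in clear text, so at minimum tighten its permissions right after `workbook.save(filename)` with `os.chmod(filename, 0o600)`. The custom_excel hunk begins on the previous line.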
@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import base64, random, string, os
+from Crypto.Cipher import AES
+from Crypto.Random import get_random_bytes
+from Crypto.Util.Padding import pad, unpad
+
+try:
+ encrypted_text=os.sys.argv[1]
+except:
+ encrypted_text="q6i1/JxyNe1OUrO0JKu+Z4WQTyQZam2yIJTp43dl1pI="
+
+def decrypt(ct, key):
+ manual_iv = b'PhilinnovatorDEV'
+ ct_bytes = base64.b64decode(ct)
+ cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
+ return unpad(cipher.decrypt(ct_bytes), 16).decode('utf-8')
+
+key = b'PhilinnovatorDEVPhilinnovatorDEV'
+print(decrypt(encrypted_text, key))
\ No newline at end of file
diff --git a/ansible/server_settings/roles/password-settings/files/gen_password b/ansible/server_settings/roles/password-settings/files/gen_password
new file mode 100755
index 0000000..febe48a
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/files/gen_password
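Review bot: When no argument is passed, the bare `except:` substitutes a fixed ciphertext literal, so the script prints the decryption of a value stored in the repository instead of failing — presumably a previously generated password, which together with the committed key and IV means that password is readable from the repo alone. Replace the fallback with a usage failure, `sys.exit("usage: decrypt_password <ciphertext>")`, and delete the literal. The static key/IV and the unused `random`, `string`, `get_random_bytes` and `pad` imports are shared with files/gen_password.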
@@ -0,0 +1,45 @@ +#!/usr/bin/python3 +#-*- coding: utf-8 -*- + +import base64, random, string, os +from Crypto.Cipher import AES +from Crypto.Random import get_random_bytes +from Crypto.Util.Padding import pad, unpad + +try: + encrypt_flag=True if os.sys.argv[1].lower()=='1' else False +except Exception as err: + encrypt_flag=False + +def generate_password(length=12, num_uppercase=3, num_lowercase=4, num_digits=3, num_sp_char=2): + sp_char = '!@#$' + all_chars = string.ascii_letters + string.digits + sp_char + + password = [ + *random.choices(string.ascii_uppercase, k=num_uppercase), + *random.choices(string.ascii_lowercase, k=num_lowercase), + *random.choices(string.digits, k=num_digits), + *random.choices(sp_char, k=num_sp_char) + ] + + remaining_length = length - (num_uppercase + num_lowercase + num_digits + num_sp_char) + password += random.choices(all_chars, k=remaining_length) + + random.shuffle(password) + return ''.join(password) + +def encrypt(plain_text, key): + manual_iv = b'PhilinnovatorDEV' + cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv) + ct_bytes = cipher.encrypt(pad(plain_text.encode(), 16)) + ct = base64.b64encode(ct_bytes).decode('utf-8') + return ct + +key = b'PhilinnovatorDEVPhilinnovatorDEV' +plain_text = generate_password() + +if encrypt_flag: + encrypted_text = encrypt(plain_text, key) + print(encrypted_text) +else: + print(plain_text) diff --git a/ansible/server_settings/roles/password-settings/files/vault_get b/ansible/server_settings/roles/password-settings/files/vault_get new file mode 100755 index 0000000..d0fabdb --- /dev/null +++ b/ansible/server_settings/roles/password-settings/files/vault_get 
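Review bot: `encrypt_flag=True if os.sys.argv[1].lower()=='1' else False` inside a `try` that catches every exception means any unexpected or missing argument silently selects plaintext output, and `err` is never used; the intent reads more directly as `encrypt_flag = len(sys.argv) > 1 and sys.argv[1] == '1'` with a plain `import sys`. `get_random_bytes` and `unpad` are imported but unused in this script. The non-cryptographic `random` calls and the committed AES key/IV are the same as in 00_old/gen_password.py and should be fixed together with that file.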
@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import hvac
+import os
+
+hostname=os.sys.argv[1]
+
+str_url = "http://10.10.43.240:30803"
+client = hvac.Client(url=str_url)
+client.auth.approle.login(role_id="e96c5fd8-abde-084a-fde7-7450a9348a70", secret_id="5371706b-414a-11d3-f3fd-6cf98871aad1")
+
+try:
+ data = client.secrets.kv.v2.read_secret_version(mount_point='host', path=hostname, raise_on_deleted_version=True)['data']['data']
+ print(data)
+except Exception as err:
+ print(err)
diff --git a/ansible/server_settings/roles/password-settings/files/vault_put b/ansible/server_settings/roles/password-settings/files/vault_put
new file mode 100755
index 0000000..aeae507
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/files/vault_put
@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import hvac
+import os
+
+hostname=os.sys.argv[1]
+accountid=os.sys.argv[2]
+password=os.sys.argv[3]
+adminuser=os.sys.argv[4]
+adminpass=os.sys.argv[5]
+
+str_url = "http://10.10.43.240:30803"
+client = hvac.Client(url=str_url)
+client.auth.approle.login(role_id="e96c5fd8-abde-084a-fde7-7450a9348a70", secret_id="5371706b-414a-11d3-f3fd-6cf98871aad1")
+
+client.secrets.kv.v2.create_or_update_secret(
+ mount_point='host',
+ path=hostname,
+ secret=dict(accountid=f'{accountid}',password=f'{password}',adminuser=f'{adminuser}',adminpass=f'{adminpass}')
+)
diff --git a/ansible/server_settings/roles/password-settings/handlers/main.yml b/ansible/server_settings/roles/password-settings/handlers/main.yml
new file mode 100644
index 0000000..b44722c
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/handlers/main.yml
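Review bot: vault_get and vault_put both log in with an AppRole `role_id` and `secret_id` written literally into the script, and vault_put additionally receives both account passwords as positional arguments, so the Vault credential is exposed to everyone with repository access and the passwords to any local user on the controller through the process list. Treat the committed secret_id as compromised and rotate it; at run time read it from the environment (`secret_id=os.environ["VAULT_SECRET_ID"]`) or unwrap a response-wrapped one, and hand the passwords to vault_put on stdin or via environment variables instead of argv. The endpoint is plain `http://`, so the AppRole login and the stored passwords also travel unencrypted unless that port is a local TLS-terminating proxy, which the scripts do not indicate.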
@@ -0,0 +1,16 @@
+---
+- name: Reload systemd configuration
+ ansible.builtin.systemd:
+ daemon_reload: True
+
+- name: Restart teleport service
+ ansible.builtin.systemd:
+ name: teleport
+ enabled: true
+ state: restarted
+
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
+ enabled: true
\ No newline at end of file
diff --git a/ansible/server_settings/roles/password-settings/meta/main.yml b/ansible/server_settings/roles/password-settings/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/meta/main.yml
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/ansible/server_settings/roles/password-settings/tasks/.DS_Store b/ansible/server_settings/roles/password-settings/tasks/.DS_Store new file mode 100644 index 0000000..5008ddf Binary files /dev/null and b/ansible/server_settings/roles/password-settings/tasks/.DS_Store differ 
diff --git a/ansible/server_settings/roles/password-settings/tasks/00_host_setting.yml b/ansible/server_settings/roles/password-settings/tasks/00_host_setting.yml
new file mode 100644
index 0000000..2e6de80
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/tasks/00_host_setting.yml
@@ -0,0 +1,103 @@ +--- +- name: "Create datasaker group" + ansible.builtin.group: + name: "datasaker" + state: present + when: + - add_rule == True + +- name: Ensure user datasaker exists + user: + name: "{{ item }}" + create_home: yes + home: "/home/{{ item }}" + group: datasaker + shell: /bin/bash + with_items: + - datasaker + when: + - add_rule == True + +- name: "Ensure .ssh directory exists for datasaker" + file: + path: /home/datasaker/.ssh + state: directory + owner: datasaker + group: datasaker + mode: '0700' + when: + - add_rule == True + +- name: "Add authorized key for datasaker" + authorized_key: + user: datasaker + key: "{{ item }}" + with_items: + - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRP/Kjn7UBudTO4ZLtWXRJNDcOPGbm+5jLKax+1tVgN2n0MCmwwrbFJQJvdaE/wp4+PnMtEyt+IqdwFdUDah8tu9CIYZ2Jk2T18oU7hYGvymh+QJmZgCNvYcmM9ATJbXpns7y8VLDVbkSq9EJIB+emLt1ZV/C8cyvhlmBUwGQA6c3zMgzWl9MT0HLa7H88cNVVknZPY0vGIw+H0Y2JtDr62xyVNT7w8B+jh7Yu6nCnQchwx3IRWGATuKfi2FB3rhkDqNvM1h00JJosu5ooBn3g5xll+w+sVKIQxEWShI9zatYP9/zrce+uVYeZLfz52X8giJ9dns66vqEKdJtdp4By5RPxRSsdQ2QGAQ0UuBHKgweU2EzivLynu49oiShAiJPxmru4TiGtchl52dvw/E9rjZiCKTq697azHHLbwTiOgbHpnu7GrxNRMdXCON70RYJpfERg/SGxxmUNF9OhYUeQJGNc8DcWnlBUrT/9Wi3Ryh1rKx2wtZt6eDkrehJ1lgU=" + - "ssh-rsa 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" + - "ssh-rsa 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" + when: + - add_rule == True + +- name: "sudoers_users file" + file: + path: /etc/sudoers.d/sudoers_users + state: touch + when: + - add_rule == True + +- name: "Allow user to sudo" + lineinfile: + path: /etc/sudoers.d/sudoers_users + line: "{{ item }} ALL=(ALL) NOPASSWD:ALL" + state: present + with_items: + - datasaker + when: + - add_rule == True + +- name: "selinux permissive" + command: "setenforce 0" + ignore_errors: yes + when: + - ansible_facts.os_family == "RedHat" + +- name: "firewalld stop" + systemd: + name: firewalld + state: stopped + enabled: false + ignore_errors: yes + when: + - ansible_facts.os_family == 
"RedHat" + +- name: Remove existing Port lines + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Port' + state: absent + +- name: SSH Listen on Main Port + lineinfile: + dest: /etc/ssh/sshd_config + insertbefore: '^#*AddressFamily' + line: 'Port {{sshmainport}}' + state: present + owner: root + group: root + mode: 0640 + notify: restart sshd + +- name: "Create sshd_config.d directory" + ansible.builtin.file: + path: "/etc/ssh/sshd_config.d/" + state: directory + recurse: yes + owner: root + group: root + +- name: "Setting sshd allow users" + template: + src: allow_users.j2 + dest: "/etc/ssh/sshd_config.d/allow_users.conf" + notify: restart sshd diff --git a/ansible/server_settings/roles/password-settings/tasks/01_get_password.yml b/ansible/server_settings/roles/password-settings/tasks/01_get_password.yml new file mode 100644 index 0000000..c848fda --- /dev/null +++ b/ansible/server_settings/roles/password-settings/tasks/01_get_password.yml @@ -0,0 +1,36 @@ +--- +- name: get password + command: "{{ role_path }}/files/gen_password {{ encrypt }}" + register: user_password + delegate_to: 127.0.0.1 + when: manual_password is not defined + +- name: get admin password + command: "{{ role_path }}/files/gen_password {{ encrypt }}" + register: admin_password + delegate_to: 127.0.0.1 + when: manual_password is not defined + +- name: set fact user password + block: + - set_fact: + user_password: "{{ user_password.stdout }}" + rescue: + - set_fact: + user_password: "{{ manual_password }}" + always: + - debug: + msg: "{{ username }} : {{ user_password }}" + when: debug_mode == True + +- name: set fact admin password + block: + - set_fact: + admin_password: "{{ admin_password.stdout }}" + rescue: + - set_fact: + admin_password: "{{ manual_password }}" + always: + - debug: + msg: "{{ adminuser }} : {{ admin_password }}" + when: debug_mode == True \ No newline at end of file 
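Review bot: The sudoers line written by the "Allow user to sudo" task is not validated and the file created by "sudoers_users file" keeps the default mode, so a malformed entry disables sudo for every account on the host and the fragment is world-readable; add `validate: '/usr/sbin/visudo -cf %s'` to the lineinfile task and `mode: '0440'` to the file task. `setenforce 0` and stopping firewalld weaken the host well beyond what a password role needs, and unlike the account tasks they are not gated on `add_rule`, so they run on every RedHat-family host whenever the role is applied. This hunk starts on the previous line.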
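Review bot: The two `command` tasks register the generated passwords and the `debug` tasks print them, but no task sets `no_log`, so the plaintext password is written to the controller output at `-v` and to any configured log or callback; the same gap is in the `user:` tasks of 02_change_password.yml, the vault commands of 03_vault.yml and the decrypt commands of 99_decrypt_password.yml. Add `no_log: "{{ not debug_mode }}"` to every task that touches user_password or admin_password. The block/rescue pairs appear to rely on `user_password.stdout` being undefined when the command was skipped in order to fall through to manual_password; a `set_fact` with `when: manual_password is defined` states that intent without using rescue for control flow.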
diff --git a/ansible/server_settings/roles/password-settings/tasks/02_change_password.yml b/ansible/server_settings/roles/password-settings/tasks/02_change_password.yml
new file mode 100644
index 0000000..64deba0
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/tasks/02_change_password.yml
@@ -0,0 +1,21 @@
+---
+- include_tasks: 99_decrypt_password.yml
+ when:
+ - encrypt == 1
+ - manual_password is not defined
+
+- name: user password change
+ user:
+ name: "{{ item }}"
+ password: "{{ user_password | password_hash('sha512') }}"
+ state: present
+ with_items:
+ - "{{ username }}"
+
+- name: admin password change
+ user:
+ name: "{{ item }}"
+ password: "{{ admin_password | password_hash('sha512') }}"
+ state: present
+ with_items:
+ - "{{ adminuser }}"
\ No newline at end of file
diff --git a/ansible/server_settings/roles/password-settings/tasks/03_vault.yml b/ansible/server_settings/roles/password-settings/tasks/03_vault.yml
new file mode 100644
index 0000000..1f3aa95
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/tasks/03_vault.yml
@@ -0,0 +1,21 @@
+---
+- name: Check if ansible_port is defined
+ set_fact:
+ ansible_port: "{{ ansible_port | default(22) }}"
+
+- debug:
+ msg: "{{ ansible_distribution }} {{ ansible_hostname }} {{ ansible_default_ipv4.address }} {{ ansible_port }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+ when: debug_mode == True
+
+- name: put vault
+ command: "{{ role_path }}/files/vault_put {{ ansible_default_ipv4.address }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+ delegate_to: 127.0.0.1
+
+- name: get vault
+ command: "{{ role_path }}/files/vault_get {{ ansible_default_ipv4.address }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+ register: get_vault
+ delegate_to: 127.0.0.1
+
+- debug:
+ msg: "{{get_vault.stdout_lines}}"
+ when: debug_mode == True
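Review bot: The "get vault" task in 03_vault.yml passes `{{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}` to vault_get although that script reads only argv[1], so both passwords land on a process command line for no purpose; shorten it to `command: "{{ role_path }}/files/vault_get {{ ansible_default_ipv4.address }}"`. Both vault tasks, and the two `user:` tasks in 02_change_password.yml, also need `no_log: true` (or `"{{ not debug_mode }}"`) so the arguments and the registered stdout — which vault_get prints as the whole secret dict — do not appear in the play output. Keying the secret on `ansible_default_ipv4.address` means a host whose default-route interface changes gets a new secret path; `inventory_hostname` would be a stabler key if that matters here.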
diff --git a/ansible/server_settings/roles/password-settings/tasks/99_decrypt_password.yml b/ansible/server_settings/roles/password-settings/tasks/99_decrypt_password.yml
new file mode 100644
index 0000000..164cecc
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/tasks/99_decrypt_password.yml
@@ -0,0 +1,27 @@
+---
+- name: user_password decrypt
+ command: "{{ role_path }}/files/decrypt_password {{ user_password }}"
+ register: user_password
+ delegate_to: 127.0.0.1
+
+- name: admin_password decrypt
+ command: "{{ role_path }}/files/decrypt_password {{ admin_password }}"
+ register: admin_password
+ delegate_to: 127.0.0.1
+ when:
+ - encrypt == 1
+ - manual_password is not defined
+
+- name: admin_password re fact
+ set_fact:
+ admin_password: "{{ admin_password.stdout }}"
+ when:
+ - encrypt == 1
+ - manual_password is not defined
+
+- name: user_password re fact
+ set_fact:
+ user_password: "{{ user_password.stdout }}"
+ when:
+ - encrypt == 1
+ - manual_password is not defined
diff --git a/ansible/server_settings/roles/password-settings/tasks/main.yml b/ansible/server_settings/roles/password-settings/tasks/main.yml
new file mode 100644
index 0000000..76b1b7d
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- include: 00_host_setting.yml
+ tags: host
+
+- include: 01_get_password.yml
+ tags: password
+
+- include: 02_change_password.yml
+ tags: change
+
+- include: 03_vault.yml
+ tags: vault
+#
+#- include: 04_excel_export.yml
+# tags: excel
\ No newline at end of file
diff --git a/ansible/server_settings/roles/password-settings/templates/allow_users.j2 b/ansible/server_settings/roles/password-settings/templates/allow_users.j2
new file mode 100755
index 0000000..0d49c62
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/templates/allow_users.j2
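Review bot: The "user_password decrypt" task carries no `when` guard while its sibling "admin_password decrypt" and both re-fact tasks are gated on `encrypt == 1` and `manual_password is not defined`; this is harmless only because 02_change_password.yml applies the same conditions to the include_tasks, so either remove the redundant guards or add the missing one so the four tasks read consistently. Registering the command result back into `user_password` also replaces the string with a result dict until the final task restores it; registering into `user_password_dec` and setting the fact from `user_password_dec.stdout` avoids that intermediate state and reads more clearly.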
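Review bot: tasks/main.yml uses the legacy `- include:` form, which has been deprecated for a long time and was removed in recent ansible-core releases; since each entry carries a tag, `import_tasks` is the direct replacement, e.g. `- import_tasks: 00_host_setting.yml` followed by `  tags: host`. The commented-out 04_excel_export.yml entry refers to a file this commit does not add, so either add the file or drop the three `#` lines.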
@@ -0,0 +1,22 @@
+AllowUsers datasaker@10.10.43.*
+AllowUsers *@10.20.142.*
+{% if ansible_distribution == "Ubuntu" %}
+AllowUsers ubuntu@10.10.43.*
+{% endif %}
+{% if ansible_distribution == "CentOS" %}
+AllowUsers centos@10.10.43.*
+{% endif %}
+{% if ansible_distribution == "RedHat" %}
+AllowUsers redhat@10.10.43.*
+{% endif %}
+
+{% if admin_users is defined %}
+{% for user in admin_users %}
+AllowUsers {{ user.name }}@{{ user.ip }}
+{% endfor %}
+{% endif %}
+{% if allow_users is defined %}
+{% for user in allow_users %}
+AllowUsers {{ user.name }}@{{ user.ip }}
+{% endfor %}
+{% endif %}
\ No newline at end of file
diff --git a/ansible/server_settings/roles/password-settings/tests/inventory b/ansible/server_settings/roles/password-settings/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/ansible/server_settings/roles/password-settings/tests/test.yml b/ansible/server_settings/roles/password-settings/tests/test.yml
new file mode 100644
index 0000000..c604954
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - password
diff --git a/ansible/server_settings/roles/password-settings/vars/main.yml b/ansible/server_settings/roles/password-settings/vars/main.yml
new file mode 100644
index 0000000..1392b01
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for password
diff --git a/ansible/security_settings/roles/security_settings/defaults/main.yml b/ansible/server_settings/roles/security_settings/defaults/main.yml
similarity index 100%
rename from ansible/security_settings/roles/security_settings/defaults/main.yml
rename to ansible/server_settings/roles/security_settings/defaults/main.yml
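Review bot: `AllowUsers *@10.20.142.*` on the second line lets every account on the host — root (subject only to PermitRootLogin), service accounts that still have a shell, and anything created later — log in over SSH from that subnet, which defeats the per-user allowlist the rest of the template builds; enumerate the names there or drop the wildcard and rely on the `admin_users`/`allow_users` loops. The template also ends without a newline after the last `{% endif %}`, so if it is appended into sshd_config (the deploying task is not in this diff) the next directive would be fused onto the final `AllowUsers` line; finish the file with a newline. `{{ user.ip }}` and `{{ user.name }}` are interpolated unescaped, so a value containing whitespace silently becomes two patterns.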
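Review bot: `roles: - password` in tests/test.yml does not match the role's directory name `password-settings`, so the scaffolded test cannot resolve the role; change it to `- password-settings`. It also runs as `remote_user: root` against `localhost`, and with the password-change tasks this role carries, running it as written would rotate the controller's own root password; point it at a throwaway host or run it with `check_mode: true`.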
diff --git a/ansible/security_settings/roles/security_settings/handlers/main.yml b/ansible/server_settings/roles/security_settings/handlers/main.yml
similarity index 100%
rename from ansible/security_settings/roles/security_settings/handlers/main.yml
rename to ansible/server_settings/roles/security_settings/handlers/main.yml
diff --git a/ansible/security_settings/roles/security_settings/tasks/all_setting_device_organize.yml b/ansible/server_settings/roles/security_settings/tasks/all_setting_device_organize.yml
similarity index 100%
rename from ansible/security_settings/roles/security_settings/tasks/all_setting_device_organize.yml
rename to ansible/server_settings/roles/security_settings/tasks/all_setting_device_organize.yml
diff --git a/ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml b/ansible/server_settings/roles/security_settings/tasks/all_setting_mode_change.yml
similarity index 100%
rename from ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml
rename to ansible/server_settings/roles/security_settings/tasks/all_setting_mode_change.yml
diff --git a/ansible/security_settings/roles/security_settings/tasks/all_setting_root_ssh.yml b/ansible/server_settings/roles/security_settings/tasks/all_setting_root_ssh.yml
similarity index 100%
rename from ansible/security_settings/roles/security_settings/tasks/all_setting_root_ssh.yml
rename to ansible/server_settings/roles/security_settings/tasks/all_setting_root_ssh.yml
diff --git a/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml b/ansible/server_settings/roles/security_settings/tasks/debian_setting_banner.yml
similarity index 100%
rename from ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml
rename to ansible/server_settings/roles/security_settings/tasks/debian_setting_banner.yml
diff --git a/ansible/security_settings/roles/security_settings/tasks/debian_setting_password_rule.yml b/ansible/server_settings/roles/security_settings/tasks/debian_setting_password_rule.yml
similarity index 50%
rename from ansible/security_settings/roles/security_settings/tasks/debian_setting_password_rule.yml
rename to ansible/server_settings/roles/security_settings/tasks/debian_setting_password_rule.yml
index eac93a5..f439988 100644
--- a/ansible/security_settings/roles/security_settings/tasks/debian_setting_password_rule.yml
+++ b/ansible/server_settings/roles/security_settings/tasks/debian_setting_password_rule.yml
@@ -5,4 +5,12 @@
 dest: /etc/pam.d/common-password
 owner: root
 group: root
+ mode: u=rw,g=r,o=r
+
+- name: Setting Password Auth Rule (Debian)
+ template:
+ src: common-auth.j2
+ dest: /etc/pam.d/common-auth
+ owner: root
+ group: root
 mode: u=rw,g=r,o=r
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/tasks/main.yml b/ansible/server_settings/roles/security_settings/tasks/main.yml
similarity index 100%
rename from ansible/security_settings/roles/security_settings/tasks/main.yml
rename to ansible/server_settings/roles/security_settings/tasks/main.yml
diff --git a/ansible/security_settings/roles/security_settings/templates/banner.j2 b/ansible/server_settings/roles/security_settings/templates/banner.j2
similarity index 100%
rename from ansible/security_settings/roles/security_settings/templates/banner.j2
rename to ansible/server_settings/roles/security_settings/templates/banner.j2
diff --git a/ansible/server_settings/roles/security_settings/templates/common-auth.j2 b/ansible/server_settings/roles/security_settings/templates/common-auth.j2
new file mode 100644
index 0000000..4888a92
--- /dev/null
+++ b/ansible/server_settings/roles/security_settings/templates/common-auth.j2
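Review bot: The new `Setting Password Auth Rule (Debian)` task overwrites /etc/pam.d/common-auth, a file Debian's pam-auth-update owns, with no `backup:` and with no way to validate a PAM stack before it goes live; a rendering mistake in common-auth.j2 breaks every login and every `sudo` on the host at once with nothing to roll back to. Add `backup: true` to this task (and to the common-password task above it, whose header starts outside the hunk), and add a comment noting that pam-auth-update will clobber the file on the next PAM-related package change unless the module is instead registered through a profile under /usr/share/pam-configs.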
@@ -0,0 +1,29 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth optional pam_cap.so
+# end of pam-auth-update config
+
+## Add Ansible Playbook - Securtiy_Settings ##
+auth required pam_tally2.so onerr=fail even_deny_root deny=5 unlock_time=300
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/templates/common-password.j2 b/ansible/server_settings/roles/security_settings/templates/common-password.j2
similarity index 100%
rename from ansible/security_settings/roles/security_settings/templates/common-password.j2
rename to ansible/server_settings/roles/security_settings/templates/common-password.j2
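Review bot: The `auth required pam_tally2.so ...` line added at the bottom sits after `auth requisite pam_deny.so`, so a wrong password terminates the stack at pam_deny and pam_tally2 never records the failure, while a correct password skips pam_deny and does reach pam_tally2, which increments the counter; because no `account required pam_tally2.so` line is shipped (common-account is not in this diff) nothing resets that counter, so the lockout is effectively driven by successful logins rather than failed ones. The module has to be the first entry of the auth stack: move it to `auth required pam_tally2.so onerr=fail even_deny_root deny=5 unlock_time=300` directly above the `pam_unix.so` line, and add the matching account-phase line to common-account. pam_tally2 was removed in Linux-PAM 1.5 (Ubuntu 22.04+, Debian 12), and with `required` a module that cannot be loaded fails every authentication, so this template needs an `ansible_distribution_version` guard or a `pam_faillock` variant for those releases.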
diff --git a/ansible/security_settings/roles/security_settings/templates/sysinfo.j2 b/ansible/server_settings/roles/security_settings/templates/sysinfo.j2
similarity index 100%
rename from ansible/security_settings/roles/security_settings/templates/sysinfo.j2
rename to ansible/server_settings/roles/security_settings/templates/sysinfo.j2
diff --git a/ansible/server_settings/server_settings.yml b/ansible/server_settings/server_settings.yml
new file mode 100644
index 0000000..2bc7455
--- /dev/null
+++ b/ansible/server_settings/server_settings.yml
@@ -0,0 +1,21 @@
+---
+- hosts: all
+ become: true
+ gather_facts: true
+ vars:
+ username: datasaker
+ adminuser: root
+ #manual_password: saasadmin1234
+ sshmainport: 2222
+ teleport_uri: teleport.kr.datasaker.io
+ iptables_rules:
+ - { source: "10.10.45.0/24", target: "DROP" }
+ - { source: "10.10.47.0/24", target: "DROP" }
+ - { source: "10.10.48.0/24", target: "DROP" }
+ - { source: "10.10.50.0/24", target: "DROP" }
+ - { source: "10.10.37.0/24", target: "DROP" }
+ delete_rule: False
+ add_rule: True
+ roles:
+ - role: password-settings
+ - role: security_settings
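Review bot: The commented-out `#manual_password: saasadmin1234` line commits what looks like a real credential to the repository, and commenting it out keeps it neither out of the file nor out of git history; delete the line, and if that value was ever set on a host treat it as exposed and rotate it. `manual_password` should come from an ansible-vault encrypted vars file or from `--extra-vars` at run time, never from this playbook. With `hosts: all` and `adminuser: root` the play rotates the root password on every inventory host in a single run, which is worth a `serial:` setting or an explicit `--limit` so a bad run does not lock out the whole fleet at once.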