From 76584fb0ba39e1de1245b9b8c7d60513deea76ad Mon Sep 17 00:00:00 2001 
From: ByeonJungHun Date: Thu, 11 Jan 2024 15:47:36 +0900 Subject: [PATCH] =?UTF-8?q?task=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .DS_Store | Bin 0 -> 6148 bytes ansible/.DS_Store | Bin 0 -> 6148 bytes ansible/01_old/.DS_Store | Bin 0 -> 6148 bytes ansible/README.md | 2 +- ansible/infra_setting/.DS_Store | Bin 0 -> 6148 bytes ansible/infra_setting/roles/.DS_Store | Bin 0 -> 6148 bytes .../roles/connect-settings/.DS_Store | Bin 0 -> 6148 bytes .../roles/connect-settings/tasks/main.yml | 4 +- ansible/security_check/README.md | 3 +- ansible/security_check/test | 5 +- ansible/security_settings/invenotry | 105 ----------------- .../security_settings/security_settings.yml | 6 - ansible/security_settings/test | 2 - ansible/server_settings/.DS_Store | Bin 0 -> 6148 bytes .../ansible.cfg | 0 ansible/server_settings/invenotry | 2 + .../q => server_settings/passwd_inventory} | 2 +- ansible/server_settings/roles/.DS_Store | Bin 0 -> 6148 bytes .../roles/password-settings/.DS_Store | Bin 0 -> 6148 bytes .../roles/password-settings/README.md | 38 ++++++ .../roles/password-settings/defaults/main.yml | 15 +++ .../files/00_old/gen_password.py | 44 +++++++ .../files/00_old/vault_test.py | 11 ++ .../password-settings/files/custom_excel | 108 ++++++++++++++++++ .../password-settings/files/decrypt_password | 21 ++++ .../password-settings/files/gen_password | 45 ++++++++ .../roles/password-settings/files/vault_get | 17 +++ .../roles/password-settings/files/vault_put | 21 ++++ .../roles/password-settings/handlers/main.yml | 16 +++ .../roles/password-settings/meta/main.yml | 52 +++++++++ .../roles/password-settings/tasks/.DS_Store | Bin 0 -> 6148 bytes .../tasks/00_host_setting.yml | 103 +++++++++++++++++ .../tasks/01_get_password.yml | 36 ++++++ .../tasks/02_change_password.yml | 21 ++++ .../password-settings/tasks/03_vault.yml | 21 ++++ .../tasks/99_decrypt_password.yml | 27 +++++ 
.../roles/password-settings/tasks/main.yml | 15 +++ .../templates/allow_users.j2 | 22 ++++ .../roles/password-settings/tests/inventory | 2 + .../roles/password-settings/tests/test.yml | 5 + .../roles/password-settings/vars/main.yml | 2 + .../roles/security_settings/defaults/main.yml | 0 .../roles/security_settings/handlers/main.yml | 0 .../tasks/all_setting_device_organize.yml | 0 .../tasks/all_setting_mode_change.yml | 0 .../tasks/all_setting_root_ssh.yml | 0 .../tasks/debian_setting_banner.yml | 0 .../tasks/debian_setting_password_rule.yml | 8 ++ .../roles/security_settings/tasks/main.yml | 0 .../security_settings/templates/banner.j2 | 0 .../templates/common-auth.j2 | 29 +++++ .../templates/common-password.j2 | 0 .../security_settings/templates/sysinfo.j2 | 0 ansible/server_settings/server_settings.yml | 21 ++++ 54 files changed, 709 insertions(+), 122 deletions(-) create mode 100644 .DS_Store create mode 100644 ansible/.DS_Store create mode 100644 ansible/01_old/.DS_Store create mode 100644 ansible/infra_setting/.DS_Store create mode 100644 ansible/infra_setting/roles/.DS_Store create mode 100644 ansible/infra_setting/roles/connect-settings/.DS_Store delete mode 100644 ansible/security_settings/invenotry delete mode 100644 ansible/security_settings/security_settings.yml delete mode 100644 ansible/security_settings/test create mode 100644 ansible/server_settings/.DS_Store rename ansible/{security_settings => server_settings}/ansible.cfg (100%) create mode 100644 ansible/server_settings/invenotry rename ansible/{infra_setting/q => server_settings/passwd_inventory} (99%) create mode 100644 ansible/server_settings/roles/.DS_Store create mode 100644 ansible/server_settings/roles/password-settings/.DS_Store create mode 100644 ansible/server_settings/roles/password-settings/README.md create mode 100644 ansible/server_settings/roles/password-settings/defaults/main.yml create mode 100644 ansible/server_settings/roles/password-settings/files/00_old/gen_password.py create 
mode 100644 ansible/server_settings/roles/password-settings/files/00_old/vault_test.py create mode 100755 ansible/server_settings/roles/password-settings/files/custom_excel create mode 100755 ansible/server_settings/roles/password-settings/files/decrypt_password create mode 100755 ansible/server_settings/roles/password-settings/files/gen_password create mode 100755 ansible/server_settings/roles/password-settings/files/vault_get create mode 100755 ansible/server_settings/roles/password-settings/files/vault_put create mode 100644 ansible/server_settings/roles/password-settings/handlers/main.yml create mode 100644 ansible/server_settings/roles/password-settings/meta/main.yml create mode 100644 ansible/server_settings/roles/password-settings/tasks/.DS_Store create mode 100644 ansible/server_settings/roles/password-settings/tasks/00_host_setting.yml create mode 100644 ansible/server_settings/roles/password-settings/tasks/01_get_password.yml create mode 100644 ansible/server_settings/roles/password-settings/tasks/02_change_password.yml create mode 100644 ansible/server_settings/roles/password-settings/tasks/03_vault.yml create mode 100644 ansible/server_settings/roles/password-settings/tasks/99_decrypt_password.yml create mode 100644 ansible/server_settings/roles/password-settings/tasks/main.yml create mode 100755 ansible/server_settings/roles/password-settings/templates/allow_users.j2 create mode 100644 ansible/server_settings/roles/password-settings/tests/inventory create mode 100644 ansible/server_settings/roles/password-settings/tests/test.yml create mode 100644 ansible/server_settings/roles/password-settings/vars/main.yml rename ansible/{security_settings => server_settings}/roles/security_settings/defaults/main.yml (100%) rename ansible/{security_settings => server_settings}/roles/security_settings/handlers/main.yml (100%) rename ansible/{security_settings => server_settings}/roles/security_settings/tasks/all_setting_device_organize.yml (100%) rename 
ansible/{security_settings => server_settings}/roles/security_settings/tasks/all_setting_mode_change.yml (100%) rename ansible/{security_settings => server_settings}/roles/security_settings/tasks/all_setting_root_ssh.yml (100%) rename ansible/{security_settings => server_settings}/roles/security_settings/tasks/debian_setting_banner.yml (100%) rename ansible/{security_settings => server_settings}/roles/security_settings/tasks/debian_setting_password_rule.yml (50%) rename ansible/{security_settings => server_settings}/roles/security_settings/tasks/main.yml (100%) rename ansible/{security_settings => server_settings}/roles/security_settings/templates/banner.j2 (100%) create mode 100644 ansible/server_settings/roles/security_settings/templates/common-auth.j2 rename ansible/{security_settings => server_settings}/roles/security_settings/templates/common-password.j2 (100%) rename ansible/{security_settings => server_settings}/roles/security_settings/templates/sysinfo.j2 (100%) create mode 100644 ansible/server_settings/server_settings.yml diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..961b9bdebb165ec27381f0b5e1d8b35f558fef5b GIT binary patch literal 6148 zcmeHK%}T>S5T0$TO({YT3VI88EtpoJf|n5M3mDOZN=-=6V9b^#wTDv3U0=u-@p+ut z-GJ2|Jc-yD*!^a9W_B|lWPboac+;o{&;bAo8=)X&h0yRySIqgceR~rE$RLLVK7GFo(eoCL({XcePmZTwcjQk Z<6MKKMw*4jRXQSH1Qa3MF$2HAzz4){OrZb( literal 0 HcmV?d00001 
diff --git a/ansible/.DS_Store b/ansible/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..b905f6106756b9c215c61fc42c5dff630e6eb57b GIT binary patch literal 6148 zcmeHK%}T>S5T4aqQ$_4SL2nCQ3no=;#Y?FA0!H+pQWH`&7_*Y3_D~AB>kIiJK94iI zTd=J^;K84=6K1~M*`0*>*q;mluvRy80IC3Bp%RuB(7YowPC6ko+EYek@*OdRK`*-x zVi8QtHV(spVc@SZKzp|gHaO4*0i*l(Ik=CbEVu0!HZxnAE6-c=)}nRc-H4u-`*}BO z`RN(;j)jPWVcQQ*qE4?}UD+2&?ng-{l>t%M!71mbQ4)$?OLUVkld+x}uqsxiU0v_@ zx0`m2*PZP_jrSdAXSc?i_1(dsVy$j$?j5ynGF(Yhje7f7i&LGYNzO1}82AnYbUtuYLRVv3TaOobwOVe;$velDj2a}^qE z7%&WsGBB&URl5HVKd%2rgG|pbU>KMx23YC9J7{4_`fi;_j_z8HdWlLx^9qGB1dYCq gWrMEbHB>1$#;JkmYAh6@2gUpdNE(bW4E!hqufz$|(f|Me literal 0 HcmV?d00001 diff --git a/ansible/01_old/.DS_Store b/ansible/01_old/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..6d575427a5347a48ffb371e94c6350d2de3fdcc5 GIT binary patch literal 6148 zcmeHK!AiqG5S?wSO(}&Q6!f;>wP0IRTD*i>f53Wo z-K|)v9y|z^nK1iiXJ>ZVm#~us0MVKB8vs=Ra8LEroHOciHcJ{j0a<#5cUTca(x-beKqZ!2o^^}~5h&KixQc1^aL?fJaqZ13$KpYI+o6k$>kO{%b03}MpIFKwJ_F*9h=LFkon9=o!zHx!{)N59nJAY6mo zG6T%OG6Q+jty29z{r>*HoWwn5fEidT21KFjbvw8vTU%E)N3~X>-lCFFTxRei1r1$_ gF_ud44yqRPOEM5$i최종적으로 결과를 NAS 에 저장 후 요약을 Git 레파지토리에 README.md 로 확인할 수 있게 구성
상세 정보 같은 경우 NAS 혹은 README.md에 함께 작성되는 링크를 통해 확인 가능 | -| security_settings | 기본적으로 적용되어야 하는 취약점 대응 | +| security_settings | 기본적으로 적용되어야 하는 취약점 대응 | \ No newline at end of file diff --git a/ansible/infra_setting/.DS_Store b/ansible/infra_setting/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..40fab1290366a8d8248af528c676d81c9ed474c8 GIT binary patch literal 6148 zcmeHK%}T>S5Z<+|O({YS3VK`cTCgcaTD*i?wfB#1~Nt1lm?SAr|TD`H`w3=4iy7!;t!k-1RdF}<%TO3_UnTDkv zgx5*D7~A{jGMfcS7Ee_|62%a5cavn1TzGPxMY+oLwZm#zt+9QyT=oauj_5i4RYxox z=XBT+gWhnpYFP)zCuf)A=kz6$Z<JaA| WEHvUQXjkcgbP-U5P)7{>0s~*v_Detj literal 0 HcmV?d00001 diff --git a/ansible/infra_setting/roles/.DS_Store b/ansible/infra_setting/roles/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..75bb37d4a83ec2e170d6fd0e368aab324c786be7 GIT binary patch literal 6148 zcmeHK!Ab)$5S_HuZYjbZ6!aGGTCpu67B5S!Kj4ZURBG2Qb#dL4?$#bkVek4w{)pe> zOp=PFiWdmd|+ju7r3gFQ$g zT#9DLe`J8p&c#zxkl^q0`DJ*L5&8y@29tCc#45np*I*b&X;!bli9)fowqAD1PSv^b z@72W5df7N__eNLLJ69?W=5{Z*h{8$N-8@lA){ByGq!Xfkh#}XPQPNkFwi+k>ROk9; zz^OQuuDdgx9vszcve`J8)#S9%IBeDAQL{ChRh+He{o}LlL;RSiXTz?*Kcbcmi*tBE z=ox!S7=YX6=r}L_#Fo5evqhyp2ggtzB;g> z&qo?B5t5)yZwW$a(X*Hv#1Rx>QV~t6uulwO($Oz%oM$mNXwpIGm2n=sval}{p;t%0 z)ZrjJgWNI$%)lZ8MbmYu{-1vT{$EVu9y7oUtP}&H)bTrQ+>))WOPixwD^YJzNhmHi m_>qE!F2xv2rFa`v3;HD)h@QpVAbL>vLqOBO4Kwhk47>xPky4TX literal 0 HcmV?d00001 diff --git a/ansible/infra_setting/roles/connect-settings/.DS_Store b/ansible/infra_setting/roles/connect-settings/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..7470ee328f366b0ff66246e4305ca74af3f88752 GIT binary patch literal 6148 zcmeHK%}T>S5Z>*NO({YT3VK`cTCgoeTD*iwxNA!Dxbw{jv zy|YnA4Ev+?x@jGroSt7zX3ofXmh$x`rTLMuSv<>DO!2`l| zDxgl~=83^|I@pDYvkm4Nbvol}WthjTTs&U5S{>{{g)?qzq@EZc2DTZf>R}tt|4aB~ zN+0>#DKsJmh=G5`0I!YRu>(b!v-Mkfc-9JNkI+ysE=L6f^sP$(3~(PgQcmp`s6(7> XFxQB)pk1W{(nUZKLLD*i3k-Y#0nkfA literal 0 HcmV?d00001 
diff --git a/ansible/infra_setting/roles/connect-settings/tasks/main.yml b/ansible/infra_setting/roles/connect-settings/tasks/main.yml
index 82dd567..0b39356 100644
--- a/ansible/infra_setting/roles/connect-settings/tasks/main.yml
+++ b/ansible/infra_setting/roles/connect-settings/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
-- include: 00_host_setting.yml
- tags: host
+#- include: 00_host_setting.yml
+# tags: host
 - include: 01_get_password.yml
 tags: password
diff --git a/ansible/security_check/README.md b/ansible/security_check/README.md
index 74c1e11..ed64053 100644
--- a/ansible/security_check/README.md
+++ b/ansible/security_check/README.md
@@ -1,4 +1,3 @@
 | 이름 | 아이피 | 상태 요약 | 상세 보기 |
 | --- | --- | --- | --- |
-| cmoa-master-1 | 10.10.43.200 | 취약 | http://10.10.43.42:8080/cmoa-master-1.10.10.43.200.txt |
-| cmoa-jaeger-master | 10.10.43.213 | 양호 | http://10.10.43.42:8080/cmoa-jaeger-master.10.10.43.213.txt |
+| datasaker | 10.10.43.99 | 양호 | http://10.10.43.42:8080/datasaker.10.10.43.99.txt |
diff --git a/ansible/security_check/test b/ansible/security_check/test
index 5c17153..9409a8f 100644
--- a/ansible/security_check/test
+++ b/ansible/security_check/test
@@ -3,8 +3,7 @@ server
 nas
 [server]
-10.10.43.200 ansible_user=dev2 ansible_port=2222
-10.10.43.213 ansible_user=dev2 ansible_port=2222
+10.10.43.99 ansible_user=datasaker ansible_port=2222
 [nas]
-10.10.43.42 ansible_port=2222 ansible_user=exemdev2
\ No newline at end of file
+10.10.43.42 ansible_port=2222 ansible_user=exemdev2
diff --git a/ansible/security_settings/invenotry b/ansible/security_settings/invenotry
deleted file mode 100644
index 6f2ee94..0000000
--- a/ansible/security_settings/invenotry
+++ /dev/null
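Review bot: The hunk keeps the host-setting step as commented-out YAML (`#- include: 00_host_setting.yml` / `# tags: host`) instead of removing it, and the surviving `- include: 01_get_password.yml` still uses the `include` action, which Ansible has deprecated in favour of `import_tasks`/`include_tasks`. The existing `tags: host` already lets a run skip that step with `--skip-tags host`, so if the intent is "skip sometimes" the two lines can be restored rather than left as dead text, and if the step is gone for good they should be deleted outright. For the remaining line, `- import_tasks: 01_get_password.yml` keeps the static-include semantics that let `tags: password` apply to every imported task.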
@@ -1,105 +0,0 @@ -[all] -10.10.43.43 ansible_port=2222 ansible_user=dev2 -10.10.43.100 ansible_port=2222 ansible_user=dev2 -10.10.43.101 ansible_port=2222 ansible_user=dev2 -10.10.43.105 ansible_port=2222 ansible_user=dev2 -10.10.43.106 ansible_port=2222 ansible_user=dev2 -10.10.43.111 ansible_port=2222 ansible_user=dev2 -10.10.43.112 ansible_port=2222 ansible_user=dev2 -10.10.43.113 ansible_port=2222 ansible_user=dev2 -10.10.43.114 ansible_port=2222 ansible_user=dev2 -10.10.43.115 ansible_port=2222 ansible_user=dev2 -10.10.43.116 ansible_port=2222 ansible_user=dev2 -10.10.43.117 ansible_port=2222 ansible_user=dev2 -10.10.43.118 ansible_port=2222 ansible_user=dev2 -10.10.43.119 ansible_port=2222 ansible_user=dev2 -10.10.43.120 ansible_port=2222 ansible_user=dev2 -10.10.43.121 ansible_port=2222 ansible_user=dev2 -10.10.43.122 ansible_port=2222 ansible_user=dev2 -10.10.43.123 ansible_port=2222 ansible_user=dev2 -10.10.43.124 ansible_port=2222 ansible_user=dev2 -10.10.43.125 ansible_port=2222 ansible_user=dev2 -10.10.43.126 ansible_port=2222 ansible_user=dev2 -10.10.43.127 ansible_port=2222 ansible_user=dev2 -10.10.43.128 ansible_port=2222 ansible_user=dev2 -10.10.43.129 ansible_port=2222 ansible_user=dev2 -10.10.43.130 ansible_port=2222 ansible_user=dev2 -10.10.43.131 ansible_port=2222 ansible_user=dev2 -10.10.43.132 ansible_port=2222 ansible_user=dev2 -10.10.43.133 ansible_port=2222 ansible_user=dev2 -10.10.43.134 ansible_port=2222 ansible_user=dev2 -10.10.43.135 ansible_port=2222 ansible_user=dev2 -10.10.43.136 ansible_port=2222 ansible_user=dev2 -10.10.43.137 ansible_port=2222 ansible_user=dev2 -10.10.43.138 ansible_port=2222 ansible_user=dev2 -10.10.43.139 ansible_port=2222 ansible_user=dev2 -10.10.43.140 ansible_port=2222 ansible_user=dev2 -10.10.43.141 ansible_port=2222 ansible_user=dev2 -10.10.43.142 ansible_port=2222 ansible_user=dev2 -10.10.43.143 ansible_port=2222 ansible_user=dev2 -10.10.43.144 ansible_port=2222 ansible_user=dev2 -10.10.43.145 
ansible_port=2222 ansible_user=dev2 -10.10.43.146 ansible_port=2222 ansible_user=dev2 -10.10.43.147 ansible_port=2222 ansible_user=dev2 -10.10.43.148 ansible_port=2222 ansible_user=dev2 -10.10.43.151 ansible_port=2222 ansible_user=dev2 -10.10.43.152 ansible_port=2222 ansible_user=dev2 -10.10.43.153 ansible_port=2222 ansible_user=dev2 -10.10.43.164 ansible_port=2222 ansible_user=dev2 -10.10.43.165 ansible_port=2222 ansible_user=dev2 -10.10.43.166 ansible_port=2222 ansible_user=dev2 -10.10.43.167 ansible_port=2222 ansible_user=dev2 -10.10.43.168 ansible_port=2222 ansible_user=dev2 -10.10.43.169 ansible_port=2222 ansible_user=dev2 -10.10.43.171 ansible_port=2222 ansible_user=dev2 -10.10.43.172 ansible_port=2222 ansible_user=dev2 -10.10.43.173 ansible_port=2222 ansible_user=dev2 -10.10.43.174 ansible_port=2222 ansible_user=dev2 -10.10.43.175 ansible_port=2222 ansible_user=dev2 -10.10.43.176 ansible_port=2222 ansible_user=dev2 -10.10.43.177 ansible_port=2222 ansible_user=dev2 -10.10.43.178 ansible_port=2222 ansible_user=dev2 -10.10.43.179 ansible_port=2222 ansible_user=dev2 -10.10.43.180 ansible_port=2222 ansible_user=dev2 -10.10.43.181 ansible_port=2222 ansible_user=dev2 -10.10.43.182 ansible_port=2222 ansible_user=dev2 -10.10.43.185 ansible_port=2222 ansible_user=dev2 -10.10.43.186 ansible_port=2222 ansible_user=dev2 -10.10.43.187 ansible_port=2222 ansible_user=dev2 -10.10.43.188 ansible_port=2222 ansible_user=dev2 -10.10.43.189 ansible_port=2222 ansible_user=dev2 -10.10.43.190 ansible_port=2222 ansible_user=dev2 -10.10.43.191 ansible_port=2222 ansible_user=dev2 -10.10.43.192 ansible_port=2222 ansible_user=dev2 -10.10.43.193 ansible_port=2222 ansible_user=dev2 -10.10.43.194 ansible_port=2222 ansible_user=dev2 -10.10.43.199 ansible_port=2222 ansible_user=dev2 -10.10.43.195 ansible_port=2222 ansible_user=dev2 -10.10.43.196 ansible_port=2222 ansible_user=dev2 -10.10.43.197 ansible_port=2222 ansible_user=dev2 -10.10.43.200 ansible_port=2222 ansible_user=dev2 -10.10.43.201 
ansible_port=2222 ansible_user=dev2 -10.10.43.202 ansible_port=2222 ansible_user=dev2 -10.10.43.203 ansible_port=2222 ansible_user=dev2 -10.10.43.204 ansible_port=2222 ansible_user=dev2 -10.10.43.205 ansible_port=2222 ansible_user=dev2 -10.10.43.206 ansible_port=2222 ansible_user=dev2 -10.10.43.207 ansible_port=2222 ansible_user=dev2 -10.10.43.208 ansible_port=2222 ansible_user=dev2 -10.10.43.210 ansible_port=2222 ansible_user=dev2 -10.10.43.211 ansible_port=2222 ansible_user=dev2 -10.10.43.212 ansible_port=2222 ansible_user=dev2 -10.10.43.213 ansible_port=2222 ansible_user=dev2 -10.10.43.214 ansible_port=2222 ansible_user=dev2 -10.10.43.215 ansible_port=2222 ansible_user=dev2 -10.10.43.216 ansible_port=2222 ansible_user=dev2 -10.10.43.217 ansible_port=2222 ansible_user=dev2 -10.10.43.218 ansible_port=2222 ansible_user=dev2 -10.10.43.224 ansible_port=2222 ansible_user=dev2 -10.10.43.225 ansible_port=2222 ansible_user=dev2 -10.10.43.226 ansible_port=2222 ansible_user=dev2 -10.10.43.227 ansible_port=2222 ansible_user=dev2 -10.10.43.228 ansible_port=2222 ansible_user=dev2 -10.10.43.235 ansible_port=2222 ansible_user=dev2 -10.10.43.236 ansible_port=2222 ansible_user=dev2 -10.10.43.252 ansible_port=2222 ansible_user=dev2 diff --git a/ansible/security_settings/security_settings.yml b/ansible/security_settings/security_settings.yml deleted file mode 100644 index 624d10c..0000000 --- a/ansible/security_settings/security_settings.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- hosts: all - become: true - gather_facts: true - roles: - - role: security_settings \ No newline at end of file diff --git a/ansible/security_settings/test b/ansible/security_settings/test deleted file mode 100644 index 6b24dbc..0000000 --- a/ansible/security_settings/test +++ /dev/null @@ -1,2 +0,0 @@ -[all] -10.10.43.213 ansible_user=dev2 ansible_port=2222 
diff --git a/ansible/server_settings/.DS_Store b/ansible/server_settings/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..0d35fc6d0f16db28c300e24df106978d8dd1681d GIT binary patch literal 6148 zcmeHK%}T>S5Z>*NO({YT3VK`cTCfo+EnY&cFJMFuDm5WNgE3o@)E-J9cYPsW#OHBl zcLOa3k0N#kcE8#A+0A^A{b7vp@jS2@>oUeHXowt@3PE$Ft7d``xtb&M7un2@rC%}4 z-!$R3H(AOgi&@ClzyHIZ#Zi{``=7j4Z!~vWR?F&G_wJKixVe|lv$2=n;^<1s*e`X@ zzmCGiw7YjMliZ7vFjWar5JJe^O_T(3F_!Zr$W*SY9ah_FPrHZ9F&I)&U(}pV8kyL;)S&5{SZ}W3bQ&9uTfm z0d*=jPYkZp!7fakW3bSu(-~JQ!#rl?^6|pe>R=ZtoN-4Z^~3-%u*pDO54(8&U%)R@ z`N-c)p%F1a4E!?&cw^#D#!!?wTfdcuXRUzt01XA>3RFNq-?#+80QZpt<b2! W3ynAn+EqFrT?7;%)DZ)}z`z$o|4T&x literal 0 HcmV?d00001 diff --git a/ansible/security_settings/ansible.cfg b/ansible/server_settings/ansible.cfg similarity index 100% rename from ansible/security_settings/ansible.cfg rename to ansible/server_settings/ansible.cfg diff --git a/ansible/server_settings/invenotry b/ansible/server_settings/invenotry new file mode 100644 index 0000000..a84fdc2 --- /dev/null +++ b/ansible/server_settings/invenotry @@ -0,0 +1,2 @@ +[all] +10.10.43.99 ansible_user=datasaker ansible_port=2222 diff --git a/ansible/infra_setting/q b/ansible/server_settings/passwd_inventory similarity index 99% rename from ansible/infra_setting/q rename to ansible/server_settings/passwd_inventory index 3025811..81972bd 100644 --- a/ansible/infra_setting/q +++ b/ansible/server_settings/passwd_inventory @@ -101,4 +101,4 @@ 10.10.43.228 ansible_port=2222 ansible_user=dev2 10.10.43.235 ansible_port=2222 ansible_user=dev2 10.10.43.236 ansible_port=2222 ansible_user=dev2 -10.10.43.252 ansible_port=2222 ansible_user=dev2 +10.10.43.252 ansible_port=2222 ansible_user=dev2 \ No newline at end of file 
diff --git a/ansible/server_settings/roles/.DS_Store b/ansible/server_settings/roles/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..2aa95927baaae30a20584bdfd2937308ba62b50c GIT binary patch literal 6148 zcmeH~-AcnS6vt0=YNrSj6!b3O?Zj1>Zg^9szJL|IP?@bQTCB}jJByS-uhj?A7x8&K zCyAg=#T!K>rzHP;oRc;`NYVfR>kI-LpauXICeq3@X73pFQyQ@`-BLkia*P}V^dW#1 zNJqR)gCSrD{5Ar#cITi69n;Y>;-m{vp-&goyp;vghwdVcxCHZ;2%Hq9p9gfG7yj<>(+v0+Dyb zAPG_#>#7c`YE`?nrJ`syn{{qCTEjXoYfm}mZw!9DL{>R}g7R8#~s`K{7XKZd1 zgb&#eyD!Z24I4G6$^R$;y-=)~Kl=UVvkd`5;QI*B{=hMjI$BGma_hiMUI9?)H$obg z=`KMrT&ttCREj-lOogJVP^PaKOod}R*M5%HQmG0DrY|2%znSS93X^Zg@ws#d<|s9} zAz%o+CNQq5H9G%yKED6I4l*@Ez!3OX1XyL;-R|I&^w~NxIXY`OrV~tLvnF#Bd_XAkL8%pauXIDq+dSVS&&(>710br-I1jGqPZq^@2nM zbFs$pHyNOBw*oo%kii2?f4|qDm&94#XuPpfxw5jlX02IO>&CkmLofI9LDup6S2Q~p zA_*q8A6&%Iuv^S*SXU; z7}xp8arO`E{GfR_9^2OD&hF7!_aS*q#j|3P;V&m;UE>5^(3mRe$?KO#Oxd!@wK^v_EiE zLRVvo`|qp-`m*)6ECd zZ)UnfVe;+xd@jR*xeCo_7%&XXGEi328lC^AU-$pBNoHmkFbw=F23Y09JLzCa`fQym xj?P++dW%XzafQN<6g1>fjIneSZ=p&-KPLmx)mSJ*4~n@6NE*yw82C{J-T@wPi^Ko` literal 0 HcmV?d00001 diff --git a/ansible/server_settings/roles/password-settings/README.md b/ansible/server_settings/roles/password-settings/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/ansible/server_settings/roles/password-settings/README.md 
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/ansible/server_settings/roles/password-settings/defaults/main.yml b/ansible/server_settings/roles/password-settings/defaults/main.yml
new file mode 100644
index 0000000..5415520
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# defaults file for password
+
+encrypt: 0 # strings 0 , encrypted 1
+debug_mode: False
+sshrootlogin: forced-commands-only
+sshmainport: 2222
+iptables_rules:
+ - { source: "10.10.45.0/24", target: "DROP" }
+ - { source: "10.10.47.0/24", target: "DROP" }
+ - { source: "10.10.48.0/24", target: "DROP" }
+ - { source: "10.10.50.0/24", target: "DROP" }
+ - { source: "10.10.37.0/24", target: "DROP" }
+delete_rule: False
+add_rule: True
\ No newline at end of file
diff --git a/ansible/server_settings/roles/password-settings/files/00_old/gen_password.py b/ansible/server_settings/roles/password-settings/files/00_old/gen_password.py
new file mode 100644
index 0000000..b1b4e13
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/files/00_old/gen_password.py
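Review bot: `encrypt: 0 # strings 0 , encrypted 1` is the one flag in this file expressed as an integer while `debug_mode`, `delete_rule` and `add_rule` are booleans, and its comment does not say what gets encrypted, with which key, or that `0` presumably leaves generated passwords in clear text in task output; the consuming tasks are outside this excerpt, so the reader has to guess. Once the consumer is confirmed (it looks wired to the `argv[1] == '1'` switch in `files/gen_password`), make it `encrypt: false  # true -> gen_password emits the AES-encrypted form; the key is NOT in this repo` and document the key source. The five `iptables_rules` entries are site-specific networks baked into role defaults; shipping an empty list here and putting the real ranges in inventory `group_vars` keeps the role reusable and keeps network layout out of the role.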
@@ -0,0 +1,44 @@
+#!/usr/bin/python3
+
+import base64, random, string, os
+from Crypto.Cipher import AES
+from Crypto.Random import get_random_bytes
+from Crypto.Util.Padding import pad, unpad
+
+try:
+ encrypt_flag=True if os.sys.argv[1].lower()=='1' else False
+except Exception as err:
+ encrypt_flag=False
+
+def generate_password(length=8, num_uppercase=1, num_lowercase=1, num_digits=1, num_sp_char=1):
+ sp_char = '!@#$'
+ all_chars = string.ascii_letters + string.digits + sp_char
+
+ password = [
+ *random.choices(string.ascii_uppercase, k=num_uppercase),
+ *random.choices(string.ascii_lowercase, k=num_lowercase),
+ *random.choices(string.digits, k=num_digits),
+ *random.choices(sp_char, k=num_sp_char)
+ ]
+
+ remaining_length = length - (num_uppercase + num_lowercase + num_digits + num_sp_char)
+ password += random.choices(all_chars, k=remaining_length)
+
+ random.shuffle(password)
+ return ''.join(password)
+
+def encrypt(plain_text, key):
+ manual_iv = b'PhilinnovatorDEV'
+ cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
+ ct_bytes = cipher.encrypt(pad(plain_text.encode(), 16))
+ ct = base64.b64encode(ct_bytes).decode('utf-8')
+ return ct
+
+key = b'PhilinnovatorDEVPhilinnovatorDEV'
+plain_text = generate_password()
+
+if encrypt_flag:
+ encrypted_text = encrypt(plain_text, key)
+ print(encrypted_text)
+else:
+ print(plain_text)
diff --git a/ansible/server_settings/roles/password-settings/files/00_old/vault_test.py b/ansible/server_settings/roles/password-settings/files/00_old/vault_test.py
new file mode 100644
index 0000000..18f6988
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/files/00_old/vault_test.py
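Review bot: `generate_password` draws every character with `random.choices` and orders them with `random.shuffle`, i.e. the Mersenne-Twister PRNG, which is not suitable for credentials; the stdlib `secrets` module drops in with the same shape, e.g. `*[secrets.choice(string.ascii_uppercase) for _ in range(num_uppercase)]` for each class and `secrets.SystemRandom().shuffle(password)` for the final order. `encrypt` also hard-codes the AES key `key = b'PhilinnovatorDEVPhilinnovatorDEV'` and a fixed IV `b'PhilinnovatorDEV'` in the repository, so the "encrypted" output protects nothing against anyone who can read this file, and the fixed IV makes identical passwords produce identical ciphertexts; the key should come from a Vault lookup or environment variable, and the already-imported `get_random_bytes(16)` should supply a fresh IV that is prepended to the ciphertext. The same three points apply to `files/gen_password` later in this patch, and the key/IV point to `files/decrypt_password`. This copy is committed under `00_old/` with mode 100644 while `files/gen_password` is the 100755 executable with different defaults, so it looks like a superseded duplicate that could be left out of the commit.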
@@ -0,0 +1,11 @@
+import hvac
+
+str_url = "http://10.10.43.98:31080"
+str_token = "hvs.CAESIMV6zCg-GpUP4pQgVA5f1ZXkgyJZrqOC6QDCegrpiAX9Gh4KHGh2cy5ORkpkc2ZyVUxYd09qUVFtQldRNDBjS3I"
+client = hvac.Client(url=str_url, token=str_token)
+
+str_mount_point = 'kv'
+str_secret_path = 'host1'
+read_secret_result = client.secrets.kv.v1.read_secret(mount_point=str_mount_point, path=str_secret_path)
+print(read_secret_result)
+
diff --git a/ansible/server_settings/roles/password-settings/files/custom_excel b/ansible/server_settings/roles/password-settings/files/custom_excel
new file mode 100755
index 0000000..562b89c
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/files/custom_excel
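Review bot: `str_token = "hvs...."` commits a Vault service token to the repository next to the server address, and git history keeps it even if a later commit deletes the line; the token should be revoked and rotated now, and the script should read its connection details from the environment, e.g. `client = hvac.Client(url=os.environ["VAULT_ADDR"], token=os.environ["VAULT_TOKEN"])` after an `import os` (hvac also falls back to those variables when the arguments are omitted — worth confirming for the pinned version). The URL is plain `http://`, so the token and the returned secret cross the network unencrypted. Given the `00_old/` path and the `print` of the entire secret, this reads as a scratch test rather than part of the role and does not belong under `files/` at all.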
@@ -0,0 +1,108 @@ +#!/usr/bin/python3 +#-*- coding: utf-8 -*- + +import os, sys, time, errno, socket, signal, psutil, random, logging.handlers, subprocess, paramiko, hvac +from xlwt import Workbook, XFStyle, Borders, Font, Pattern +from socket import error as SocketError + +process_time = time.strftime("%Y%m%d_%H%M", time.localtime()) +excel_file_name = '/mnt/e/excel/{}.xls'.format(process_time) + +def process_close(flag=True, result=''): + if flag: + print("[Success]") + else: + print("[Fail]:{}".format(result)) + + sys.exit(0) + +def set_header(sheet, header_list): + # 폰트 설정 + font = Font() + font.bold = True + + # 테두리 설정 + borders = Borders() + borders.left = Borders.THIN + borders.right = Borders.THIN + borders.top = Borders.THIN + borders.bottom = Borders.THIN + + # 배경색 설정 + pattern = Pattern() + pattern.pattern = Pattern.SOLID_PATTERN + pattern.pattern_fore_colour = 22 # #E2EFDA는 xlwt에서 인덱스 22에 해당하는 색입니다. + + hdrstyle = XFStyle() + hdrstyle.font = font + hdrstyle.borders = borders + hdrstyle.pattern = pattern + + for idx, header in enumerate(header_list): + sheet.write(0, idx, header, hdrstyle) + sheet.col(idx).width = len(header) * 800 + +def write_data(sheet, data_list): + datestyle = XFStyle() + datestyle.num_format_str = 'YYYY-MM-DD' + + for row_num, data in enumerate(data_list, start=1): + for col_num, cell_data in enumerate(data): + if col_num == 7: + sheet.write(row_num, col_num, cell_data, datestyle) + elif col_num in [1, 4, 5]: + formatted_data = u'{}'.format(cell_data) if cell_data else '' + sheet.write(row_num, col_num, formatted_data) + else: + sheet.write(row_num, col_num, cell_data) + +def excel_write(header_list=[], data_list=[], filename='', sheetTitle=''): + workbook = Workbook(style_compression=2, encoding='utf-8') + sheet = workbook.add_sheet(sheetTitle) + + set_header(sheet, header_list) + write_data(sheet, data_list) + + sheet.panes_frozen = True + sheet.vert_split_pos = 0 + sheet.horz_split_pos = 1 + workbook.save(filename) + +def 
main(): + header_list=['번호','호스트 유형','호스트명','호스트 IP','포트번호','프로토콜','인증방법','1차 로그인 계정명','1차 로그인 비밀번호','1차 로그인 계정명','2차 로그인 비밀번호','용도','비고'] + data_list=[] + + openfile=open('/tmp/host_list','r') + readfile=openfile.readlines() + openfile.close() + for idx, host_data in enumerate(readfile): + try: + if idx==0: continue + host_num=idx + hosttype=host_data.strip().split(' ')[0] + print(hosttype) + hostname=host_data.strip().split(' ')[1] + host_ips=host_data.strip().split(' ')[2] + port_num=int(host_data.strip().split(' ')[3]) + protocol='SSH' + auth_con='Password' + username=host_data.strip().split(' ')[4] + first_pw=host_data.strip().split(' ')[5] + rootuser=host_data.strip().split(' ')[6] + secon_pw=host_data.strip().split(' ')[7] + descript='-' + remarks_='-' + data_list.append([host_num,hosttype,hostname,host_ips,port_num,protocol,auth_con,username,first_pw,rootuser,secon_pw,descript,remarks_,]) + except: + continue + + excel_write(header_list, data_list, excel_file_name, 'TEST') + +DEBUG=False +try: + if os.sys.argv[1]: DEBUG=True +except: + pass +main() +process_close() + diff --git a/ansible/server_settings/roles/password-settings/files/decrypt_password b/ansible/server_settings/roles/password-settings/files/decrypt_password new file mode 100755 index 0000000..5e31c71 --- /dev/null +++ b/ansible/server_settings/roles/password-settings/files/decrypt_password 
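Review bot: The bare `except: continue` in `main()` swallows every error while parsing `/tmp/host_list`, so a row with fewer than eight fields or a non-numeric port is dropped without a trace and the generated spreadsheet silently lacks that host; catch `(IndexError, ValueError)` and report the line number on stderr instead. Both the input file and the output workbook at `/mnt/e/excel/<timestamp>.xls` carry clear-text first and second login passwords, `/tmp` is shared and world-readable by default, and nothing checks permissions, so the script should refuse to run unless `os.stat('/tmp/host_list').st_mode & 0o077 == 0` and should `os.chmod(excel_file_name, 0o600)` right after `workbook.save(filename)`. Smaller points: `header_list` contains `'1차 로그인 계정명'` twice where the second entry presumably should be `'2차 로그인 계정명'`, `write_data` applies `datestyle` to column 7, which in this row layout is the username column, the input is opened without `with`, `DEBUG` is set but never read, and `errno`, `socket`, `signal`, `psutil`, `subprocess`, `paramiko` and `hvac` are imported but unused.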
@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import base64, random, string, os
+from Crypto.Cipher import AES
+from Crypto.Random import get_random_bytes
+from Crypto.Util.Padding import pad, unpad
+
+try:
+ encrypted_text=os.sys.argv[1]
+except:
+ encrypted_text="q6i1/JxyNe1OUrO0JKu+Z4WQTyQZam2yIJTp43dl1pI="
+
+def decrypt(ct, key):
+ manual_iv = b'PhilinnovatorDEV'
+ ct_bytes = base64.b64decode(ct)
+ cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
+ return unpad(cipher.decrypt(ct_bytes), 16).decode('utf-8')
+
+key = b'PhilinnovatorDEVPhilinnovatorDEV'
+print(decrypt(encrypted_text, key))
\ No newline at end of file
diff --git a/ansible/server_settings/roles/password-settings/files/gen_password b/ansible/server_settings/roles/password-settings/files/gen_password
new file mode 100755
index 0000000..febe48a
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/files/gen_password
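Review bot: The bare `except:` falls back to a baked-in sample ciphertext `encrypted_text="q6i1/..."` when no argument is given, so running the tool with no arguments prints whatever that sample decrypts to (presumably a real password) instead of a usage error; catch only `IndexError` and replace the fallback with `sys.stderr.write("usage: decrypt_password <base64-ciphertext>\n"); sys.exit(2)` after an `import sys`. `decrypt` uses the same hard-coded key `b'PhilinnovatorDEVPhilinnovatorDEV'` and fixed IV as the two gen_password scripts in this patch, and whatever external source the encrypt side moves to, this side must read the same one or the pair drifts apart. `random`, `string`, `get_random_bytes` and `pad` are imported but unused here.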
@@ -0,0 +1,45 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import base64, random, string, os
+from Crypto.Cipher import AES
+from Crypto.Random import get_random_bytes
+from Crypto.Util.Padding import pad, unpad
+
+try:
+ encrypt_flag=True if os.sys.argv[1].lower()=='1' else False
+except Exception as err:
+ encrypt_flag=False
+
+def generate_password(length=12, num_uppercase=3, num_lowercase=4, num_digits=3, num_sp_char=2):
+ sp_char = '!@#$'
+ all_chars = string.ascii_letters + string.digits + sp_char
+
+ password = [
+ *random.choices(string.ascii_uppercase, k=num_uppercase),
+ *random.choices(string.ascii_lowercase, k=num_lowercase),
+ *random.choices(string.digits, k=num_digits),
+ *random.choices(sp_char, k=num_sp_char)
+ ]
+
+ remaining_length = length - (num_uppercase + num_lowercase + num_digits + num_sp_char)
+ password += random.choices(all_chars, k=remaining_length)
+
+ random.shuffle(password)
+ return ''.join(password)
+
+def encrypt(plain_text, key):
+ manual_iv = b'PhilinnovatorDEV'
+ cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
+ ct_bytes = cipher.encrypt(pad(plain_text.encode(), 16))
+ ct = base64.b64encode(ct_bytes).decode('utf-8')
+ return ct
+
+key = b'PhilinnovatorDEVPhilinnovatorDEV'
+plain_text = generate_password()
+
+if encrypt_flag:
+ encrypted_text = encrypt(plain_text, key)
+ print(encrypted_text)
+else:
+ print(plain_text)
diff --git a/ansible/server_settings/roles/password-settings/files/vault_get b/ansible/server_settings/roles/password-settings/files/vault_get
new file mode 100755
index 0000000..d0fabdb
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/files/vault_get
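Review bot: `remaining_length` goes negative whenever the per-class counts exceed `length`, and `random.choices` with a negative `k` returns an empty list, so `generate_password` silently returns a password longer than requested instead of failing; add `if remaining_length < 0: raise ValueError("length is smaller than the sum of the per-class counts")` right after the subtraction. With the new defaults (3+4+3+2 == 12) the remainder is exactly zero, so every password has the same class composition and no "free" characters — a docstring on `generate_password` should say so, since the `00_old/gen_password.py` copy in this same patch behaves differently. The argument parse binds `err` without using it and treats any value other than `1` as "no encryption"; `encrypt_flag = len(os.sys.argv) > 1 and os.sys.argv[1] == '1'` says the same thing without the try/except. The PRNG choice and the hard-coded key/IV in `encrypt` are the same concerns as in the `00_old/gen_password.py` hunk earlier in this patch and apply here unchanged.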
@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import hvac
+import os
+
+hostname=os.sys.argv[1]
+
+str_url = "http://10.10.43.240:30803"
+client = hvac.Client(url=str_url)
+client.auth.approle.login(role_id="e96c5fd8-abde-084a-fde7-7450a9348a70", secret_id="5371706b-414a-11d3-f3fd-6cf98871aad1")
+
+try:
+ data = client.secrets.kv.v2.read_secret_version(mount_point='host', path=hostname, raise_on_deleted_version=True)['data']['data']
+ print(data)
+except Exception as err:
+ print(err)
diff --git a/ansible/server_settings/roles/password-settings/files/vault_put b/ansible/server_settings/roles/password-settings/files/vault_put
new file mode 100755
index 0000000..aeae507
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/files/vault_put
@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import hvac
+import os
+
+hostname=os.sys.argv[1]
+accountid=os.sys.argv[2]
+password=os.sys.argv[3]
+adminuser=os.sys.argv[4]
+adminpass=os.sys.argv[5]
+
+str_url = "http://10.10.43.240:30803"
+client = hvac.Client(url=str_url)
+client.auth.approle.login(role_id="e96c5fd8-abde-084a-fde7-7450a9348a70", secret_id="5371706b-414a-11d3-f3fd-6cf98871aad1")
+
+client.secrets.kv.v2.create_or_update_secret(
+ mount_point='host',
+ path=hostname,
+ secret=dict(accountid=f'{accountid}',password=f'{password}',adminuser=f'{adminuser}',adminpass=f'{adminpass}')
+)
diff --git a/ansible/server_settings/roles/password-settings/handlers/main.yml b/ansible/server_settings/roles/password-settings/handlers/main.yml
new file mode 100644
index 0000000..b44722c
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/handlers/main.yml
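Review bot: The AppRole `role_id` and `secret_id` are hard-coded in `client.auth.approle.login(...)` and now live in git history, so the credential that grants read access to the `host` KV mount must be treated as compromised: rotate the secret_id in Vault and have the script take both from the environment, e.g. `role_id=os.environ['VAULT_ROLE_ID'], secret_id=os.environ['VAULT_SECRET_ID']`, populated from an Ansible Vault-protected variable. `str_url` is plain `http://`, so the login and the returned passwords cross the network unencrypted and the server is never authenticated; use `https://` and pass `verify=` with the CA bundle to `hvac.Client`. `print(data)` writes the whole secret (presumably including the `password`/`adminpass` fields that vault_put stores) to stdout, which the calling task will capture into Ansible output and logs unless it sets `no_log: true`; print only the field the caller needs. The `except Exception as err: print(err)` branch still exits 0, so a failed read is indistinguishable from success to the caller — finish it with `os.sys.exit(1)`.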
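Review bot: Credentials are taken from positional arguments (`password=os.sys.argv[3]`, `adminpass=os.sys.argv[5]`), so every invocation exposes the new passwords to any local user via `ps`/`/proc/<pid>/cmdline`, to shell history and to Ansible's command logging; read them from stdin or environment variables instead. The AppRole `role_id`/`secret_id` are duplicated verbatim from vault_get and the Vault URL is again `http://` — the same rotation and TLS points apply, and a shared env-based login helper would remove the duplication. The five `os.sys.argv` reads are unguarded, so a missing argument dies with a bare IndexError; `if len(os.sys.argv) != 6: os.sys.exit('usage: vault_put <hostname> <accountid> <password> <adminuser> <adminpass>')` gives a clear failure. Style: the `f'{accountid}'` wrappers are no-ops on values that are already `str`, so `secret=dict(accountid=accountid, password=password, adminuser=adminuser, adminpass=adminpass)` reads more honestly.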
@@ -0,0 +1,16 @@
+---
+- name: Reload systemd configuration
+ ansible.builtin.systemd:
+ daemon_reload: True
+
+- name: Restart teleport service
+ ansible.builtin.systemd:
+ name: teleport
+ enabled: true
+ state: restarted
+
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
+ enabled: true
\ No newline at end of file
diff --git a/ansible/server_settings/roles/password-settings/meta/main.yml b/ansible/server_settings/roles/password-settings/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/ansible/server_settings/roles/password-settings/meta/main.yml
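Review bot: The `restart sshd` handler uses the legacy `service` module and a lower-case name while the two handlers above use `ansible.builtin.systemd` and capitalised names; handlers are matched by exact name, so the drift invites `notify:` mismatches — align it as `- name: Restart sshd` with `ansible.builtin.systemd:`. `daemon_reload: True` versus `enabled: true` is the same casing drift for booleans. Restarting sshd from a password-settings role deserves a one-line comment naming the task that notifies it, since nothing in this file explains the dependency; and if that task edits `sshd_config`, it should carry `validate: /usr/sbin/sshd -t -f %s` so a bad config cannot leave the host unreachable after this restart.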
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. 
diff --git a/ansible/server_settings/roles/password-settings/tasks/.DS_Store b/ansible/server_settings/roles/password-settings/tasks/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..5008ddfcf53c02e82d7eee2e57c38e5672ef89f6 GIT binary patch literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0