sa_8001/dsk-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

task 추가

Browse Source
This commit is contained in:
ByeonJungHun
2024-01-11 15:47:36 +09:00
parent 2a9caec167
commit 76584fb0ba
54 changed files with 709 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
ansible/server_settings/roles/.DS_Store vendored Normal file
View File

Binary file not shown.

BIN
ansible/server_settings/roles/password-settings/.DS_Store vendored Normal file
View File

Binary file not shown.

38
ansible/server_settings/roles/password-settings/README.md Normal file
View File

@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

15
ansible/server_settings/roles/password-settings/defaults/main.yml Normal file
View File

@@ -0,0 +1,15 @@
---
# defaults file for password
encrypt: 0 # strings 0 , encrypted 1
debug_mode: False
sshrootlogin: forced-commands-only
sshmainport: 2222
iptables_rules:
- { source: "10.10.45.0/24", target: "DROP" }
- { source: "10.10.47.0/24", target: "DROP" }
- { source: "10.10.48.0/24", target: "DROP" }
- { source: "10.10.50.0/24", target: "DROP" }
- { source: "10.10.37.0/24", target: "DROP" }
delete_rule: False
add_rule: True

44
ansible/server_settings/roles/password-settings/files/00_old/gen_password.py Normal file
View File

@@ -0,0 +1,44 @@
#!/usr/bin/python3
import base64, random, string, os
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
try:
encrypt_flag=True if os.sys.argv[1].lower()=='1' else False
except Exception as err:
encrypt_flag=False
def generate_password(length=8, num_uppercase=1, num_lowercase=1, num_digits=1, num_sp_char=1):
sp_char = '!@#$'
all_chars = string.ascii_letters + string.digits + sp_char
password = [
*random.choices(string.ascii_uppercase, k=num_uppercase),
*random.choices(string.ascii_lowercase, k=num_lowercase),
*random.choices(string.digits, k=num_digits),
*random.choices(sp_char, k=num_sp_char)
]
remaining_length = length - (num_uppercase + num_lowercase + num_digits + num_sp_char)
password += random.choices(all_chars, k=remaining_length)
random.shuffle(password)
return ''.join(password)
def encrypt(plain_text, key):
manual_iv = b'PhilinnovatorDEV'
cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
ct_bytes = cipher.encrypt(pad(plain_text.encode(), 16))
ct = base64.b64encode(ct_bytes).decode('utf-8')
return ct
key = b'PhilinnovatorDEVPhilinnovatorDEV'
plain_text = generate_password()
if encrypt_flag:
encrypted_text = encrypt(plain_text, key)
print(encrypted_text)
else:
print(plain_text)

11
ansible/server_settings/roles/password-settings/files/00_old/vault_test.py Normal file
View File

@@ -0,0 +1,11 @@
import hvac
str_url = "http://10.10.43.98:31080"
str_token = "hvs.CAESIMV6zCg-GpUP4pQgVA5f1ZXkgyJZrqOC6QDCegrpiAX9Gh4KHGh2cy5ORkpkc2ZyVUxYd09qUVFtQldRNDBjS3I"
client = hvac.Client(url=str_url, token=str_token)
str_mount_point = 'kv'
str_secret_path = 'host1'
read_secret_result = client.secrets.kv.v1.read_secret(mount_point=str_mount_point, path=str_secret_path)
print(read_secret_result)

108
ansible/server_settings/roles/password-settings/files/custom_excel Executable file
View File

@@ -0,0 +1,108 @@
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import os, sys, time, errno, socket, signal, psutil, random, logging.handlers, subprocess, paramiko, hvac
from xlwt import Workbook, XFStyle, Borders, Font, Pattern
from socket import error as SocketError
process_time = time.strftime("%Y%m%d_%H%M", time.localtime())
excel_file_name = '/mnt/e/excel/{}.xls'.format(process_time)
def process_close(flag=True, result=''):
if flag:
print("[Success]")
else:
print("[Fail]:{}".format(result))
sys.exit(0)
def set_header(sheet, header_list):
# 폰트 설정
font = Font()
font.bold = True
# 테두리 설정
borders = Borders()
borders.left = Borders.THIN
borders.right = Borders.THIN
borders.top = Borders.THIN
borders.bottom = Borders.THIN
# 배경색 설정
pattern = Pattern()
pattern.pattern = Pattern.SOLID_PATTERN
pattern.pattern_fore_colour = 22 # #E2EFDA는 xlwt에서 인덱스 22에 해당하는 색입니다.
hdrstyle = XFStyle()
hdrstyle.font = font
hdrstyle.borders = borders
hdrstyle.pattern = pattern
for idx, header in enumerate(header_list):
sheet.write(0, idx, header, hdrstyle)
sheet.col(idx).width = len(header) * 800
def write_data(sheet, data_list):
datestyle = XFStyle()
datestyle.num_format_str = 'YYYY-MM-DD'
for row_num, data in enumerate(data_list, start=1):
for col_num, cell_data in enumerate(data):
if col_num == 7:
sheet.write(row_num, col_num, cell_data, datestyle)
elif col_num in [1, 4, 5]:
formatted_data = u'{}'.format(cell_data) if cell_data else ''
sheet.write(row_num, col_num, formatted_data)
else:
sheet.write(row_num, col_num, cell_data)
def excel_write(header_list=[], data_list=[], filename='', sheetTitle=''):
workbook = Workbook(style_compression=2, encoding='utf-8')
sheet = workbook.add_sheet(sheetTitle)
set_header(sheet, header_list)
write_data(sheet, data_list)
sheet.panes_frozen = True
sheet.vert_split_pos = 0
sheet.horz_split_pos = 1
workbook.save(filename)
def main():
header_list=['번호','호스트 유형','호스트명','호스트 IP','포트번호','프로토콜','인증방법','1차 로그인 계정명','1차 로그인 비밀번호','1차 로그인 계정명','2차 로그인 비밀번호','용도','비고']
data_list=[]
openfile=open('/tmp/host_list','r')
readfile=openfile.readlines()
openfile.close()
for idx, host_data in enumerate(readfile):
try:
if idx==0: continue
host_num=idx
hosttype=host_data.strip().split(' ')[0]
print(hosttype)
hostname=host_data.strip().split(' ')[1]
host_ips=host_data.strip().split(' ')[2]
port_num=int(host_data.strip().split(' ')[3])
protocol='SSH'
auth_con='Password'
username=host_data.strip().split(' ')[4]
first_pw=host_data.strip().split(' ')[5]
rootuser=host_data.strip().split(' ')[6]
secon_pw=host_data.strip().split(' ')[7]
descript='-'
remarks_='-'
data_list.append([host_num,hosttype,hostname,host_ips,port_num,protocol,auth_con,username,first_pw,rootuser,secon_pw,descript,remarks_,])
except:
continue
excel_write(header_list, data_list, excel_file_name, 'TEST')
DEBUG=False
try:
if os.sys.argv[1]: DEBUG=True
except:
pass
main()
process_close()

21
ansible/server_settings/roles/password-settings/files/decrypt_password Executable file
View File

@@ -0,0 +1,21 @@
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import base64, random, string, os
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
try:
encrypted_text=os.sys.argv[1]
except:
encrypted_text="q6i1/JxyNe1OUrO0JKu+Z4WQTyQZam2yIJTp43dl1pI="
def decrypt(ct, key):
manual_iv = b'PhilinnovatorDEV'
ct_bytes = base64.b64decode(ct)
cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
return unpad(cipher.decrypt(ct_bytes), 16).decode('utf-8')
key = b'PhilinnovatorDEVPhilinnovatorDEV'
print(decrypt(encrypted_text, key))

45
ansible/server_settings/roles/password-settings/files/gen_password Executable file
View File

@@ -0,0 +1,45 @@
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import base64, random, string, os
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
try:
encrypt_flag=True if os.sys.argv[1].lower()=='1' else False
except Exception as err:
encrypt_flag=False
def generate_password(length=12, num_uppercase=3, num_lowercase=4, num_digits=3, num_sp_char=2):
sp_char = '!@#$'
all_chars = string.ascii_letters + string.digits + sp_char
password = [
*random.choices(string.ascii_uppercase, k=num_uppercase),
*random.choices(string.ascii_lowercase, k=num_lowercase),
*random.choices(string.digits, k=num_digits),
*random.choices(sp_char, k=num_sp_char)
]
remaining_length = length - (num_uppercase + num_lowercase + num_digits + num_sp_char)
password += random.choices(all_chars, k=remaining_length)
random.shuffle(password)
return ''.join(password)
def encrypt(plain_text, key):
manual_iv = b'PhilinnovatorDEV'
cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
ct_bytes = cipher.encrypt(pad(plain_text.encode(), 16))
ct = base64.b64encode(ct_bytes).decode('utf-8')
return ct
key = b'PhilinnovatorDEVPhilinnovatorDEV'
plain_text = generate_password()
if encrypt_flag:
encrypted_text = encrypt(plain_text, key)
print(encrypted_text)
else:
print(plain_text)

17
ansible/server_settings/roles/password-settings/files/vault_get Executable file
View File

@@ -0,0 +1,17 @@
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import hvac
import os
hostname=os.sys.argv[1]
str_url = "http://10.10.43.240:30803"
client = hvac.Client(url=str_url)
client.auth.approle.login(role_id="e96c5fd8-abde-084a-fde7-7450a9348a70", secret_id="5371706b-414a-11d3-f3fd-6cf98871aad1")
try:
data = client.secrets.kv.v2.read_secret_version(mount_point='host', path=hostname, raise_on_deleted_version=True)['data']['data']
print(data)
except Exception as err:
print(err)

21
ansible/server_settings/roles/password-settings/files/vault_put Executable file
View File

@@ -0,0 +1,21 @@
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import hvac
import os
hostname=os.sys.argv[1]
accountid=os.sys.argv[2]
password=os.sys.argv[3]
adminuser=os.sys.argv[4]
adminpass=os.sys.argv[5]
str_url = "http://10.10.43.240:30803"
client = hvac.Client(url=str_url)
client.auth.approle.login(role_id="e96c5fd8-abde-084a-fde7-7450a9348a70", secret_id="5371706b-414a-11d3-f3fd-6cf98871aad1")
client.secrets.kv.v2.create_or_update_secret(
mount_point='host',
path=hostname,
secret=dict(accountid=f'{accountid}',password=f'{password}',adminuser=f'{adminuser}',adminpass=f'{adminpass}')
)

16
ansible/server_settings/roles/password-settings/handlers/main.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Reload systemd configuration
ansible.builtin.systemd:
daemon_reload: True
- name: Restart teleport service
ansible.builtin.systemd:
name: teleport
enabled: true
state: restarted
- name: restart sshd
service:
name: sshd
state: restarted
enabled: true

52
ansible/server_settings/roles/password-settings/meta/main.yml Normal file
View File

@@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

BIN
ansible/server_settings/roles/password-settings/tasks/.DS_Store vendored Normal file
View File

Binary file not shown.

103
ansible/server_settings/roles/password-settings/tasks/00_host_setting.yml Normal file
View File

@@ -0,0 +1,103 @@
---
- name: "Create datasaker group"
ansible.builtin.group:
name: "datasaker"
state: present
when:
- add_rule == True
- name: Ensure user datasaker exists
user:
name: "{{ item }}"
create_home: yes
home: "/home/{{ item }}"
group: datasaker
shell: /bin/bash
with_items:
- datasaker
when:
- add_rule == True
- name: "Ensure .ssh directory exists for datasaker"
file:
path: /home/datasaker/.ssh
state: directory
owner: datasaker
group: datasaker
mode: '0700'
when:
- add_rule == True
- name: "Add authorized key for datasaker"
authorized_key:
user: datasaker
key: "{{ item }}"
with_items:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRP/Kjn7UBudTO4ZLtWXRJNDcOPGbm+5jLKax+1tVgN2n0MCmwwrbFJQJvdaE/wp4+PnMtEyt+IqdwFdUDah8tu9CIYZ2Jk2T18oU7hYGvymh+QJmZgCNvYcmM9ATJbXpns7y8VLDVbkSq9EJIB+emLt1ZV/C8cyvhlmBUwGQA6c3zMgzWl9MT0HLa7H88cNVVknZPY0vGIw+H0Y2JtDr62xyVNT7w8B+jh7Yu6nCnQchwx3IRWGATuKfi2FB3rhkDqNvM1h00JJosu5ooBn3g5xll+w+sVKIQxEWShI9zatYP9/zrce+uVYeZLfz52X8giJ9dns66vqEKdJtdp4By5RPxRSsdQ2QGAQ0UuBHKgweU2EzivLynu49oiShAiJPxmru4TiGtchl52dvw/E9rjZiCKTq697azHHLbwTiOgbHpnu7GrxNRMdXCON70RYJpfERg/SGxxmUNF9OhYUeQJGNc8DcWnlBUrT/9Wi3Ryh1rKx2wtZt6eDkrehJ1lgU="
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmxGUDo5rdB/XA+cyH4a7Kn8zGWHqbL0AZDL55j5JLRLXC/z482Rp2cIx/FsQRtwEslEVXHHSowpJWHvQ4Z6NcInh0/0psJK2K8qnApLDHhPoiQzpGL+nG4JIho/10QPGpJ2aDcXdushvUME97j0A8hfaoR2xhBl2C9r865Vred0M971A5SRchwN/cmsTh2OMYGXKHD9RC6OFud2sQjyidkSTW58yBoN2B5CoAO4GMV09jX6Wp43jot19xJ5lX65NAHLsNIXMWiURmQDieIKqEiwWlPgwo7geErHlMOoNoypU9yTaN9NMYWZBG1xVL5skjmkdTEd+cnHBLAvhVtW1w5pOA7S8OUXkmiu0UITLYyWfzUx4uwzb7nGcb6aDboRVX6w8H4+GVgpYWJq+fh0ZZ9JbsdP6+PjRz1vgptM7K4Ji5ZRvqV5WMT0cvpySBaJakLSiPSa+dxGi6nfowXvUEAzMIVyaScNgCs1/NpdgN8dwffZlYB9WBUxY+5IjBQc8="
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKDxtkcfx2ITlT2Yh7ZCT79do/25YQ2vROz38m8veAuBhOw+75oZJ4nN//zOWaaMvpC3Z7NIzOR+3UeukhnLZ591q8AaHcKjV8JEJMo2pvpH1vdLcTL9baLqWrxzgRimnZUNf5n5HNr+AKoXuPp//aVSJSoeznb66r04/rJSetT0QGDC8Kj5Q+MNvdd0/3U/nu7JxW9LIEaLoeiX6mVb4PpV7kl3rI3Vut/GnWakOhbS4yNvIFdR6d8rv305/BXJOz/aWy+0j7qK+NBzbSsI/l0vVUHfeD3whYGePCpWmj73ZsMTMjIjrC8DpRQlOJlAZ0GVpQnd/ayIWi4+V8VjvFcd6vSqrhhsNoOyo0Y/6cyO6iyvKqohMK6+HF1w6aXoaGCFFSl/3gw63saNAsdZPArnwf5yZ6GfPa/9bRn2k9g5xfp97Itpo6Iqq+PuRcZOes0EiIQe2hOoYQEIHIRhf8CZ+Xf6W1+XZB+WxEzUe4GCCwgUdTB6RIr4ThDxwCBV0="
when:
- add_rule == True
- name: "sudoers_users file"
file:
path: /etc/sudoers.d/sudoers_users
state: touch
when:
- add_rule == True
- name: "Allow user to sudo"
lineinfile:
path: /etc/sudoers.d/sudoers_users
line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
state: present
with_items:
- datasaker
when:
- add_rule == True
- name: "selinux permissive"
command: "setenforce 0"
ignore_errors: yes
when:
- ansible_facts.os_family == "RedHat"
- name: "firewalld stop"
systemd:
name: firewalld
state: stopped
enabled: false
ignore_errors: yes
when:
- ansible_facts.os_family == "RedHat"
- name: Remove existing Port lines
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^Port'
state: absent
- name: SSH Listen on Main Port
lineinfile:
dest: /etc/ssh/sshd_config
insertbefore: '^#*AddressFamily'
line: 'Port {{sshmainport}}'
state: present
owner: root
group: root
mode: 0640
notify: restart sshd
- name: "Create sshd_config.d directory"
ansible.builtin.file:
path: "/etc/ssh/sshd_config.d/"
state: directory
recurse: yes
owner: root
group: root
- name: "Setting sshd allow users"
template:
src: allow_users.j2
dest: "/etc/ssh/sshd_config.d/allow_users.conf"
notify: restart sshd

36
ansible/server_settings/roles/password-settings/tasks/01_get_password.yml Normal file
View File

@@ -0,0 +1,36 @@
---
- name: get password
command: "{{ role_path }}/files/gen_password {{ encrypt }}"
register: user_password
delegate_to: 127.0.0.1
when: manual_password is not defined
- name: get admin password
command: "{{ role_path }}/files/gen_password {{ encrypt }}"
register: admin_password
delegate_to: 127.0.0.1
when: manual_password is not defined
- name: set fact user password
block:
- set_fact:
user_password: "{{ user_password.stdout }}"
rescue:
- set_fact:
user_password: "{{ manual_password }}"
always:
- debug:
msg: "{{ username }} : {{ user_password }}"
when: debug_mode == True
- name: set fact admin password
block:
- set_fact:
admin_password: "{{ admin_password.stdout }}"
rescue:
- set_fact:
admin_password: "{{ manual_password }}"
always:
- debug:
msg: "{{ adminuser }} : {{ admin_password }}"
when: debug_mode == True

21
ansible/server_settings/roles/password-settings/tasks/02_change_password.yml Normal file
View File

@@ -0,0 +1,21 @@
---
- include_tasks: 99_decrypt_password.yml
when:
- encrypt == 1
- manual_password is not defined
- name: user password change
user:
name: "{{ item }}"
password: "{{ user_password | password_hash('sha512') }}"
state: present
with_items:
- "{{ username }}"
- name: admin password change
user:
name: "{{ item }}"
password: "{{ admin_password | password_hash('sha512') }}"
state: present
with_items:
- "{{ adminuser }}"

21
ansible/server_settings/roles/password-settings/tasks/03_vault.yml Normal file
View File

@@ -0,0 +1,21 @@
---
- name: Check if ansible_port is defined
set_fact:
ansible_port: "{{ ansible_port | default(22) }}"
- debug:
msg: "{{ ansible_distribution }} {{ ansible_hostname }} {{ ansible_default_ipv4.address }} {{ ansible_port }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
when: debug_mode == True
- name: put vault
command: "{{ role_path }}/files/vault_put {{ ansible_default_ipv4.address }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
delegate_to: 127.0.0.1
- name: get vault
command: "{{ role_path }}/files/vault_get {{ ansible_default_ipv4.address }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
register: get_vault
delegate_to: 127.0.0.1
- debug:
msg: "{{get_vault.stdout_lines}}"
when: debug_mode == True

27
ansible/server_settings/roles/password-settings/tasks/99_decrypt_password.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: user_password decrypt
command: "{{ role_path }}/files/decrypt_password {{ user_password }}"
register: user_password
delegate_to: 127.0.0.1
- name: admin_password decrypt
command: "{{ role_path }}/files/decrypt_password {{ admin_password }}"
register: admin_password
delegate_to: 127.0.0.1
when:
- encrypt == 1
- manual_password is not defined
- name: admin_password re fact
set_fact:
admin_password: "{{ admin_password.stdout }}"
when:
- encrypt == 1
- manual_password is not defined
- name: user_password re fact
set_fact:
user_password: "{{ user_password.stdout }}"
when:
- encrypt == 1
- manual_password is not defined

15
ansible/server_settings/roles/password-settings/tasks/main.yml Normal file
View File

@@ -0,0 +1,15 @@
---
- include: 00_host_setting.yml
tags: host
- include: 01_get_password.yml
tags: password
- include: 02_change_password.yml
tags: change
- include: 03_vault.yml
tags: vault
#
#- include: 04_excel_export.yml
# tags: excel

22
ansible/server_settings/roles/password-settings/templates/allow_users.j2 Executable file
View File

@@ -0,0 +1,22 @@
AllowUsers datasaker@10.10.43.*
AllowUsers *@10.20.142.*
{% if ansible_distribution == "Ubuntu" %}
AllowUsers ubuntu@10.10.43.*
{% endif %}
{% if ansible_distribution == "CentOS" %}
AllowUsers centos@10.10.43.*
{% endif %}
{% if ansible_distribution == "RedHat" %}
AllowUsers redhat@10.10.43.*
{% endif %}
{% if admin_users is defined %}
{% for user in admin_users %}
AllowUsers {{ user.name }}@{{ user.ip }}
{% endfor %}
{% endif %}
{% if allow_users is defined %}
{% for user in allow_users %}
AllowUsers {{ user.name }}@{{ user.ip }}
{% endfor %}
{% endif %}

2
ansible/server_settings/roles/password-settings/tests/inventory Normal file
View File

@@ -0,0 +1,2 @@
localhost

5
ansible/server_settings/roles/password-settings/tests/test.yml Normal file
View File

@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- password

2
ansible/server_settings/roles/password-settings/vars/main.yml Normal file
View File

@@ -0,0 +1,2 @@
---
# vars file for password

8
ansible/server_settings/roles/security_settings/defaults/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
debian_retry: 5
debina_minlen: 8
debian_lcredit: -1
debian_ucredit: -1
debian_dcredit: -1
debian_ocredit: -1

10
ansible/server_settings/roles/security_settings/handlers/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Reload systemd configuration
ansible.builtin.systemd:
daemon_reload: True
- name: restart sshd
service:
name: sshd
state: restarted
enabled: true

13
ansible/server_settings/roles/security_settings/tasks/all_setting_device_organize.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: search non-existent device
shell: find /dev -type f -exec ls -l {} \; | awk '{print $NF}'
register: search_result
- debug:
msg: "발견된 존재하지 않는 디바이스 {{ search_result.stdout_lines }}"
- name: delete non-existent device
file:
path: "{{ item }}"
state: absent
with_items: "{{ search_result.stdout_lines }}"

59
ansible/server_settings/roles/security_settings/tasks/all_setting_mode_change.yml Normal file
View File

@@ -0,0 +1,59 @@
---
- name: shadow mode change
file:
path: /etc/shadow
mode: 0400
- name: hosts mode change
file:
path: /etc/hosts
#mode: u=rw,g=r,o=r
mode: 0600
- name: rsyslog mode change
file:
path: /etc/rsyslog.conf
mode: 0640
- name: crontab mode change
file:
path: /usr/bin/crontab
mode: 0750
- name: cron file mode change
file:
path: "{{ item }}"
mode: 0640
with_items:
- /etc/crontab
- /etc/cron.hourly/.placeholder
- /etc/cron.daily/logrotate
- /etc/cron.daily/apt-compat
- /etc/cron.daily/popularity-contest
- /etc/cron.daily/apport
- /etc/cron.daily/.placeholder
- /etc/cron.daily/update-notifier-common
- /etc/cron.daily/bsdmainutils
- /etc/cron.daily/dpkg
- /etc/cron.daily/man-db
- /etc/cron.weekly/.placeholder
- /etc/cron.weekly/man-db
- /etc/cron.weekly/update-notifier-common
- /etc/cron.monthly/.placeholder
- name: cron file owner change
file:
path: /var/spool/cron/atjobs/.SEQ
owner: root
- name: at mode change
file:
path: /usr/bin/at
mode: 640
- name: create at.allow file
file:
path: /etc/at.allow
state: touch
mode: 0640
owner: root

11
ansible/server_settings/roles/security_settings/tasks/all_setting_root_ssh.yml Normal file
View File

@@ -0,0 +1,11 @@
- name: Configure ssh root login to no
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitRootLogin.*'
line: 'PermitRootLogin no'
insertbefore: '^Match.*'
state: present
owner: root
group: root
mode: 0640
notify: restart sshd

29
ansible/server_settings/roles/security_settings/tasks/debian_setting_banner.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- name: Setting EXEM Banner (Debian)
template:
src: banner.j2
dest: /etc/update-motd.d/00-header
mode: 0755
owner: root
group: root
- name: Setting Sysinfo
template:
src: sysinfo.j2
dest: /usr/share/landscape/landscape-sysinfo.wrapper
mode: 0755
owner: root
group: root
- name: Delete ETC file
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/update-motd.d/10-help-text
- /etc/update-motd.d/50-motd-news
- /etc/update-motd.d/85-fwupd
- /etc/update-motd.d/90-updates-available
- /etc/update-motd.d/91-release-upgrade
- /etc/update-motd.d/95-hwe-eol
- /etc/update-motd.d/98-fsck-at-reboot

16
ansible/server_settings/roles/security_settings/tasks/debian_setting_password_rule.yml Normal file
View File

@@ -0,0 +1,16 @@
---
- name: Setting Password Rule (Debian)
template:
src: common-password.j2
dest: /etc/pam.d/common-password
owner: root
group: root
mode: u=rw,g=r,o=r
- name: Setting Password Auth Rule (Debian)
template:
src: common-auth.j2
dest: /etc/pam.d/common-auth
owner: root
group: root
mode: u=rw,g=r,o=r

18
ansible/server_settings/roles/security_settings/tasks/main.yml Normal file
View File

@@ -0,0 +1,18 @@
---
# SSH 접속 시 Banner 설정
- include: debian_setting_banner.yml
when: ansible_facts.os_family == 'Debian'
# root 사용자를 사용한 ssh 접속 비활성화
- include: all_setting_root_ssh.yml
# 패스워드 정책 설정
- include: debian_setting_password_rule.yml
when: ansible_facts.os_family == 'Debian'
# 일부 파일 권한 설정
- include: all_setting_mode_change.yml
# /dev 경로의 불필요 디바이스 검색 및 제거
- include: all_setting_device_organize.yml

18
ansible/server_settings/roles/security_settings/templates/banner.j2 Normal file
View File

@@ -0,0 +1,18 @@
#!/bin/sh
echo "-------------------------------------------------------------------------------\n"
echo " _╓g@DDKg╓_ \033[0;31m=╗╗╗╗,\033[0;0m \033[0;34m,╗╗╗╗╤\033[0;0m ,╔╗DDKg╔_ ╓g@DD╗╔_ ╓g@DD╗╔_"
echo " ╓D╝╙\` \`╠╠H \033[0;31m╙╠╠╠╠▒\033[0;0m \033[0;34mÆ╬╬╬╬╩\033[0;0m _j╠╙\` 1╠R j╠R^ \`╙╠▒,j╠R^ \`╙╠▒,"
echo " 1╠^ ,╠╝ \033[0;31m╝╠R\033[0;0m \033[0;34m╓▓╬╬╬╝\033[0;0m j╠H 1╠^ ╠╠ ╚╠H ╚╠H"
echo "j╠⌐ j╠Γ \033[0;31m'\033[0;0m \033[0;34mÆ╬╬╬╬╙\033[0;0m ╠H ╔╠R ╠╠ ╠╠ ╠╠"
echo "╠╠ ╒╠R \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m j╠H _D╝\` ╠╠ ╠╠ ╠╠"
echo "'╠H 1╠^ .. \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m ╠D ╔╚╙ ╔_ ╠╠ ╠╠ ╠╠"
echo " '╠▒╓░╙ _╔╔^ \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m ╚▒╓░╙ ╔░H ╠╠ ╠╠ ╠╠"
echo " ⁿ╚╠K≥╔╔╔1▒╝^ \033[0;34m╒▓╬╬╬╩^\033[0;33m \`╣╣╣╣▓╕\033[0;0m \`╚╠▒g╔╔╔gD╝╙ ╠╠ ╠╠ ╠╠\n"
echo "-------------------------------------------------------------------------------"
echo ""
echo " - 알 림 - "
echo ""
echo " 현재 접속하신 서버는 SaaS기술연구팀 개발 서버 입니다. "
echo " 인가되지 않은 사용자의 접근, 수정 등 행위 시 처벌을 받을 수 있습니다. "
echo ""
echo "-------------------------------------------------------------------------------"

29
ansible/server_settings/roles/security_settings/templates/common-auth.j2 Normal file
View File

@@ -0,0 +1,29 @@
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
## Add Ansible Playbook - Securtiy_Settings ##
auth required pam_tally2.so onerr=fail even_deny_root deny=5 unlock_time=300

37
ansible/server_settings/roles/security_settings/templates/common-password.j2 Normal file
View File

@@ -0,0 +1,37 @@
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
password required pam_pwhistory.so remember=5
## Add Ansible Playbook - Securtiy_Settings ##
password requisite pam_pwquality.so retry={{ debian_retry }} minlen={{ debina_minlen }} lcredit={{ debian_lcredit }} ucredit={{ debian_ucredit }} dcredit={{ debian_dcredit }} ocredit={{ debian_ocredit }}

19
ansible/server_settings/roles/security_settings/templates/sysinfo.j2 Normal file
View File

@@ -0,0 +1,19 @@
#!/bin/sh
# pam_motd does not carry the environment
[ -f /etc/default/locale ] && . /etc/default/locale
export LANG
cores=$(grep -c ^processor /proc/cpuinfo 2>/dev/null)
[ "$cores" -eq "0" ] && cores=1
threshold="${cores:-1}.0"
if [ $(echo "`cut -f1 -d ' ' /proc/loadavg` < $threshold" | bc) -eq 1 ]; then
echo
echo -n " System information as of "
/bin/date
echo
/usr/bin/landscape-sysinfo
else
echo
echo " System information disabled due to load higher than $threshold"
fi
echo ""