task 추가

ansible/server_settings/roles/security_settings/tasks/all_setting_device_organize.yml

@@ -0,0 +1,13 @@
+---
+- name: search non-existent device
+  shell: find /dev -type f -exec ls -l {} \; | awk '{print $NF}'
+  register: search_result
+
+- debug:
+    msg: "발견된 존재하지 않는 디바이스 {{ search_result.stdout_lines }}"
+
+- name: delete non-existent device
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items: "{{ search_result.stdout_lines }}"

ansible/server_settings/roles/security_settings/tasks/all_setting_mode_change.yml

@@ -0,0 +1,59 @@
+---
+- name: shadow mode change
+  file:
+    path: /etc/shadow
+    mode: 0400
+
+- name: hosts mode change
+  file:
+    path: /etc/hosts
+    #mode: u=rw,g=r,o=r
+    mode: 0600
+
+- name: rsyslog mode change
+  file:
+    path: /etc/rsyslog.conf
+    mode: 0640
+
+- name: crontab mode change
+  file:
+    path: /usr/bin/crontab
+    mode: 0750
+
+- name: cron file mode change
+  file:
+    path: "{{ item }}"
+    mode: 0640
+  with_items:
+    - /etc/crontab
+    - /etc/cron.hourly/.placeholder
+    - /etc/cron.daily/logrotate
+    - /etc/cron.daily/apt-compat
+    - /etc/cron.daily/popularity-contest
+    - /etc/cron.daily/apport
+    - /etc/cron.daily/.placeholder
+    - /etc/cron.daily/update-notifier-common
+    - /etc/cron.daily/bsdmainutils
+    - /etc/cron.daily/dpkg
+    - /etc/cron.daily/man-db
+    - /etc/cron.weekly/.placeholder
+    - /etc/cron.weekly/man-db
+    - /etc/cron.weekly/update-notifier-common
+    - /etc/cron.monthly/.placeholder
+
+- name: cron file owner change
+  file: 
+    path: /var/spool/cron/atjobs/.SEQ
+    owner: root
+
+- name: at mode change
+  file:
+    path: /usr/bin/at
+    mode: 640
+
+- name: create at.allow file
+  file:
+    path: /etc/at.allow
+    state: touch
+    mode: 0640
+    owner: root

ansible/server_settings/roles/security_settings/tasks/all_setting_root_ssh.yml

@@ -0,0 +1,11 @@
+- name: Configure ssh root login to no
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitRootLogin.*'
+    line: 'PermitRootLogin no'
+    insertbefore: '^Match.*'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd

ansible/server_settings/roles/security_settings/tasks/debian_setting_banner.yml

@@ -0,0 +1,29 @@
+---
+- name: Setting EXEM Banner (Debian)
+  template:
+    src: banner.j2
+    dest: /etc/update-motd.d/00-header
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Setting Sysinfo
+  template:
+    src: sysinfo.j2
+    dest: /usr/share/landscape/landscape-sysinfo.wrapper
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Delete ETC file
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/update-motd.d/10-help-text
+    - /etc/update-motd.d/50-motd-news
+    - /etc/update-motd.d/85-fwupd
+    - /etc/update-motd.d/90-updates-available
+    - /etc/update-motd.d/91-release-upgrade
+    - /etc/update-motd.d/95-hwe-eol
+    - /etc/update-motd.d/98-fsck-at-reboot

ansible/server_settings/roles/security_settings/tasks/debian_setting_password_rule.yml

@@ -0,0 +1,16 @@
+---
+- name: Setting Password Rule (Debian)
+  template:
+    src: common-password.j2
+    dest: /etc/pam.d/common-password
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: Setting Password Auth Rule (Debian)
+  template:
+    src: common-auth.j2
+    dest: /etc/pam.d/common-auth
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r

ansible/server_settings/roles/security_settings/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+
+# SSH 접속 시 Banner 설정
+- include: debian_setting_banner.yml
+  when: ansible_facts.os_family == 'Debian'
+
+# root 사용자를 사용한 ssh 접속 비활성화
+- include: all_setting_root_ssh.yml
+
+# 패스워드 정책 설정
+- include: debian_setting_password_rule.yml
+  when: ansible_facts.os_family == 'Debian'
+
+# 일부 파일 권한 설정
+- include: all_setting_mode_change.yml
+
+# /dev 경로의 불필요 디바이스 검색 및 제거
+- include: all_setting_device_organize.yml