Add task

This commit is contained in:
ByeonJungHun
2024-01-11 15:47:36 +09:00
parent 2a9caec167
commit 76584fb0ba
54 changed files with 709 additions and 122 deletions

BIN
.DS_Store vendored Normal file

Binary file not shown.

BIN
ansible/.DS_Store vendored Normal file

Binary file not shown.

BIN
ansible/01_old/.DS_Store vendored Normal file

Binary file not shown.

View File

@@ -17,4 +17,4 @@ ansible script 구조
| zabbix_agent | Zabbix Agent 배포, Zabbix 등록 | | zabbix_agent | Zabbix Agent 배포, Zabbix 등록 |
| kubespray | dsk dev 환경 kubernetes 관리용 kubespray | | kubespray | dsk dev 환경 kubernetes 관리용 kubespray |
| security_check | 주요정보통신기반시설 기술적 취약점 분석·평가 상세가이드를 기반으로 취약점을 점검하는 스크립트를 각 서버에서 실행<br>최종적으로 결과를 NAS 에 저장 후 요약을 Git 레파지토리에 README.md 로 확인할 수 있게 구성<br>상세 정보 같은 경우 NAS 혹은 README.md에 함께 작성되는 링크를 통해 확인 가능 | | security_check | 주요정보통신기반시설 기술적 취약점 분석·평가 상세가이드를 기반으로 취약점을 점검하는 스크립트를 각 서버에서 실행<br>최종적으로 결과를 NAS 에 저장 후 요약을 Git 레파지토리에 README.md 로 확인할 수 있게 구성<br>상세 정보 같은 경우 NAS 혹은 README.md에 함께 작성되는 링크를 통해 확인 가능 |
| security_settings | 기본적으로 적용되어야 하는 취약점 대응 | | security_settings | 기본적으로 적용되어야 하는 취약점 대응 |
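Review bot: both sides of this hunk are byte-identical as rendered, so the change in `ansible script 구조` is whitespace or line-ending only; if this is CRLF/LF churn, add a `.gitattributes` (`* text=auto`) or `.editorconfig` rather than committing the table again, so later diffs of this README stay readable.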

BIN
ansible/infra_setting/.DS_Store vendored Normal file

Binary file not shown.

BIN
ansible/infra_setting/roles/.DS_Store vendored Normal file

Binary file not shown.

Binary file not shown.

View File

@@ -1,6 +1,6 @@
--- ---
- include: 00_host_setting.yml #- include: 00_host_setting.yml
tags: host # tags: host
- include: 01_get_password.yml - include: 01_get_password.yml
tags: password tags: password
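Review bot: commenting out `- include: 00_host_setting.yml` leaves dead configuration in the playbook; since the include already carries `tags: host`, the same effect is available at run time with `--skip-tags host`, and the file should either be removed or kept live. Note also that the later steps of the role (password change and vault put for `datasaker`) depend on the user and sudoers entry created in 00_host_setting.yml, so on a fresh host this playbook will now fail at `02_change_password.yml`. While touching this file, replace the deprecated `include` with `import_tasks` or `include_tasks`.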

View File

@@ -1,4 +1,3 @@
| 이름 | 아이피 | 상태 요약 | 상세 보기 | | 이름 | 아이피 | 상태 요약 | 상세 보기 |
| --- | --- | --- | --- | | --- | --- | --- | --- |
| cmoa-master-1 | 10.10.43.200 | 취약 | http://10.10.43.42:8080/cmoa-master-1.10.10.43.200.txt | | datasaker | 10.10.43.99 | 양호 | http://10.10.43.42:8080/datasaker.10.10.43.99.txt |
| cmoa-jaeger-master | 10.10.43.213 | 양호 | http://10.10.43.42:8080/cmoa-jaeger-master.10.10.43.213.txt |
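Review bot: the summary table now contains only `datasaker | 10.10.43.99 | 양호` and both `cmoa-*` rows are dropped, including `cmoa-master-1`, which was recorded as 취약 (vulnerable) with no corresponding remediation in this commit. If this README is the running record of the security_check results, rows should be appended (or the file generated per run with a date), otherwise an open finding silently disappears from the only summary the repo exposes. The detail links are plain `http://10.10.43.42:8080/...`; the per-host reports contain vulnerability details and should at least sit behind TLS and authentication on the NAS.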

View File

@@ -3,8 +3,7 @@ server
nas nas
[server] [server]
10.10.43.200 ansible_user=dev2 ansible_port=2222 10.10.43.99 ansible_user=datasaker ansible_port=2222
10.10.43.213 ansible_user=dev2 ansible_port=2222
[nas] [nas]
10.10.43.42 ansible_port=2222 ansible_user=exemdev2 10.10.43.42 ansible_port=2222 ansible_user=exemdev2
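Review bot: the inventory switches the only `[server]` host to `10.10.43.99 ansible_user=datasaker`, but the task file that creates the `datasaker` account and its authorized keys (`00_host_setting.yml`) is commented out in the same commit, so a first run against a host that does not yet have that account cannot connect. Either keep the host-setting include enabled or document that `datasaker` must pre-exist. Consider moving the repeated `ansible_port=2222` into `[all:vars]` so the port is defined once.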

View File

@@ -1,105 +0,0 @@
[all]
10.10.43.43 ansible_port=2222 ansible_user=dev2
10.10.43.100 ansible_port=2222 ansible_user=dev2
10.10.43.101 ansible_port=2222 ansible_user=dev2
10.10.43.105 ansible_port=2222 ansible_user=dev2
10.10.43.106 ansible_port=2222 ansible_user=dev2
10.10.43.111 ansible_port=2222 ansible_user=dev2
10.10.43.112 ansible_port=2222 ansible_user=dev2
10.10.43.113 ansible_port=2222 ansible_user=dev2
10.10.43.114 ansible_port=2222 ansible_user=dev2
10.10.43.115 ansible_port=2222 ansible_user=dev2
10.10.43.116 ansible_port=2222 ansible_user=dev2
10.10.43.117 ansible_port=2222 ansible_user=dev2
10.10.43.118 ansible_port=2222 ansible_user=dev2
10.10.43.119 ansible_port=2222 ansible_user=dev2
10.10.43.120 ansible_port=2222 ansible_user=dev2
10.10.43.121 ansible_port=2222 ansible_user=dev2
10.10.43.122 ansible_port=2222 ansible_user=dev2
10.10.43.123 ansible_port=2222 ansible_user=dev2
10.10.43.124 ansible_port=2222 ansible_user=dev2
10.10.43.125 ansible_port=2222 ansible_user=dev2
10.10.43.126 ansible_port=2222 ansible_user=dev2
10.10.43.127 ansible_port=2222 ansible_user=dev2
10.10.43.128 ansible_port=2222 ansible_user=dev2
10.10.43.129 ansible_port=2222 ansible_user=dev2
10.10.43.130 ansible_port=2222 ansible_user=dev2
10.10.43.131 ansible_port=2222 ansible_user=dev2
10.10.43.132 ansible_port=2222 ansible_user=dev2
10.10.43.133 ansible_port=2222 ansible_user=dev2
10.10.43.134 ansible_port=2222 ansible_user=dev2
10.10.43.135 ansible_port=2222 ansible_user=dev2
10.10.43.136 ansible_port=2222 ansible_user=dev2
10.10.43.137 ansible_port=2222 ansible_user=dev2
10.10.43.138 ansible_port=2222 ansible_user=dev2
10.10.43.139 ansible_port=2222 ansible_user=dev2
10.10.43.140 ansible_port=2222 ansible_user=dev2
10.10.43.141 ansible_port=2222 ansible_user=dev2
10.10.43.142 ansible_port=2222 ansible_user=dev2
10.10.43.143 ansible_port=2222 ansible_user=dev2
10.10.43.144 ansible_port=2222 ansible_user=dev2
10.10.43.145 ansible_port=2222 ansible_user=dev2
10.10.43.146 ansible_port=2222 ansible_user=dev2
10.10.43.147 ansible_port=2222 ansible_user=dev2
10.10.43.148 ansible_port=2222 ansible_user=dev2
10.10.43.151 ansible_port=2222 ansible_user=dev2
10.10.43.152 ansible_port=2222 ansible_user=dev2
10.10.43.153 ansible_port=2222 ansible_user=dev2
10.10.43.164 ansible_port=2222 ansible_user=dev2
10.10.43.165 ansible_port=2222 ansible_user=dev2
10.10.43.166 ansible_port=2222 ansible_user=dev2
10.10.43.167 ansible_port=2222 ansible_user=dev2
10.10.43.168 ansible_port=2222 ansible_user=dev2
10.10.43.169 ansible_port=2222 ansible_user=dev2
10.10.43.171 ansible_port=2222 ansible_user=dev2
10.10.43.172 ansible_port=2222 ansible_user=dev2
10.10.43.173 ansible_port=2222 ansible_user=dev2
10.10.43.174 ansible_port=2222 ansible_user=dev2
10.10.43.175 ansible_port=2222 ansible_user=dev2
10.10.43.176 ansible_port=2222 ansible_user=dev2
10.10.43.177 ansible_port=2222 ansible_user=dev2
10.10.43.178 ansible_port=2222 ansible_user=dev2
10.10.43.179 ansible_port=2222 ansible_user=dev2
10.10.43.180 ansible_port=2222 ansible_user=dev2
10.10.43.181 ansible_port=2222 ansible_user=dev2
10.10.43.182 ansible_port=2222 ansible_user=dev2
10.10.43.185 ansible_port=2222 ansible_user=dev2
10.10.43.186 ansible_port=2222 ansible_user=dev2
10.10.43.187 ansible_port=2222 ansible_user=dev2
10.10.43.188 ansible_port=2222 ansible_user=dev2
10.10.43.189 ansible_port=2222 ansible_user=dev2
10.10.43.190 ansible_port=2222 ansible_user=dev2
10.10.43.191 ansible_port=2222 ansible_user=dev2
10.10.43.192 ansible_port=2222 ansible_user=dev2
10.10.43.193 ansible_port=2222 ansible_user=dev2
10.10.43.194 ansible_port=2222 ansible_user=dev2
10.10.43.199 ansible_port=2222 ansible_user=dev2
10.10.43.195 ansible_port=2222 ansible_user=dev2
10.10.43.196 ansible_port=2222 ansible_user=dev2
10.10.43.197 ansible_port=2222 ansible_user=dev2
10.10.43.200 ansible_port=2222 ansible_user=dev2
10.10.43.201 ansible_port=2222 ansible_user=dev2
10.10.43.202 ansible_port=2222 ansible_user=dev2
10.10.43.203 ansible_port=2222 ansible_user=dev2
10.10.43.204 ansible_port=2222 ansible_user=dev2
10.10.43.205 ansible_port=2222 ansible_user=dev2
10.10.43.206 ansible_port=2222 ansible_user=dev2
10.10.43.207 ansible_port=2222 ansible_user=dev2
10.10.43.208 ansible_port=2222 ansible_user=dev2
10.10.43.210 ansible_port=2222 ansible_user=dev2
10.10.43.211 ansible_port=2222 ansible_user=dev2
10.10.43.212 ansible_port=2222 ansible_user=dev2
10.10.43.213 ansible_port=2222 ansible_user=dev2
10.10.43.214 ansible_port=2222 ansible_user=dev2
10.10.43.215 ansible_port=2222 ansible_user=dev2
10.10.43.216 ansible_port=2222 ansible_user=dev2
10.10.43.217 ansible_port=2222 ansible_user=dev2
10.10.43.218 ansible_port=2222 ansible_user=dev2
10.10.43.224 ansible_port=2222 ansible_user=dev2
10.10.43.225 ansible_port=2222 ansible_user=dev2
10.10.43.226 ansible_port=2222 ansible_user=dev2
10.10.43.227 ansible_port=2222 ansible_user=dev2
10.10.43.228 ansible_port=2222 ansible_user=dev2
10.10.43.235 ansible_port=2222 ansible_user=dev2
10.10.43.236 ansible_port=2222 ansible_user=dev2
10.10.43.252 ansible_port=2222 ansible_user=dev2
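Review bot: this 105-line all-hosts inventory is deleted here and the identical list (same tail `10.10.43.228` to `10.10.43.252`, `ansible_user=dev2`) is kept under `ansible/server_settings`, so this is effectively a move; check that no playbook, README or wrapper script still points at the old `ansible/infra_setting` path. A hundred real addresses with their login user and port belong in a single inventory source, ideally with `ansible_user`/`ansible_port` in `[all:vars]` rather than repeated per line.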

View File

@@ -1,6 +0,0 @@
---
- hosts: all
become: true
gather_facts: true
roles:
- role: security_settings
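Review bot: this standalone `security_settings` playbook is removed in favour of the combined playbook added at the end of this commit (which runs `password-settings` then `security_settings`); make sure the README and any cron or CI invocation that ran this file are updated, since the replacement also changes passwords and sshd settings, not just the PAM/iptables hardening this file applied.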

View File

@@ -1,2 +0,0 @@
[all]
10.10.43.213 ansible_user=dev2 ansible_port=2222

BIN
ansible/server_settings/.DS_Store vendored Normal file

Binary file not shown.

View File

@@ -0,0 +1,2 @@
[all]
10.10.43.99 ansible_user=datasaker ansible_port=2222

View File

@@ -101,4 +101,4 @@
10.10.43.228 ansible_port=2222 ansible_user=dev2 10.10.43.228 ansible_port=2222 ansible_user=dev2
10.10.43.235 ansible_port=2222 ansible_user=dev2 10.10.43.235 ansible_port=2222 ansible_user=dev2
10.10.43.236 ansible_port=2222 ansible_user=dev2 10.10.43.236 ansible_port=2222 ansible_user=dev2
10.10.43.252 ansible_port=2222 ansible_user=dev2 10.10.43.252 ansible_port=2222 ansible_user=dev2
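Review bot: the four lines in this hunk are identical on both sides, so the only change is whitespace or a trailing newline; a `.gitattributes`/`.editorconfig` would stop this file from showing up in every commit that touches the tree.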

BIN
ansible/server_settings/roles/.DS_Store vendored Normal file

Binary file not shown.

Binary file not shown.

View File

@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
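Review bot: this is the unedited `ansible-galaxy init` README template (`Role Name`, `username.rolename, x: 42`, `BSD`); replace it with the role's real documentation: the variables it actually reads (`encrypt`, `debug_mode`, `sshmainport`, `add_rule`, `iptables_rules` from defaults, plus the required `username`, `adminuser` and optional `manual_password` set by the playbook), the external dependencies (`hvac`, `pycryptodome`, a reachable Vault with an AppRole), and a working example playbook. A template README is worse than none because it claims a BSD license and contact section the role does not have.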

View File

@@ -0,0 +1,15 @@
---
# defaults file for password
encrypt: 0 # strings 0 , encrypted 1
debug_mode: False
sshrootlogin: forced-commands-only
sshmainport: 2222
iptables_rules:
- { source: "10.10.45.0/24", target: "DROP" }
- { source: "10.10.47.0/24", target: "DROP" }
- { source: "10.10.48.0/24", target: "DROP" }
- { source: "10.10.50.0/24", target: "DROP" }
- { source: "10.10.37.0/24", target: "DROP" }
delete_rule: False
add_rule: True
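Review bot: `encrypt: 0` makes `gen_password` emit generated passwords in plaintext, which the tasks then `register` and (with `debug_mode`) print, so the default should pair with `no_log` on those tasks or default to `1`. `sshrootlogin` and `delete_rule` are defined here but no task in this commit references them, and `iptables_rules` is duplicated verbatim in the playbook `vars`; drop the unused keys and keep the rule list in one place. The comment `strings 0 , encrypted 1` would read better as `0 = plaintext, 1 = AES-encrypted output`.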

View File

@@ -0,0 +1,44 @@
#!/usr/bin/python3
import base64, random, string, os
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
try:
encrypt_flag=True if os.sys.argv[1].lower()=='1' else False
except Exception as err:
encrypt_flag=False
def generate_password(length=8, num_uppercase=1, num_lowercase=1, num_digits=1, num_sp_char=1):
sp_char = '!@#$'
all_chars = string.ascii_letters + string.digits + sp_char
password = [
*random.choices(string.ascii_uppercase, k=num_uppercase),
*random.choices(string.ascii_lowercase, k=num_lowercase),
*random.choices(string.digits, k=num_digits),
*random.choices(sp_char, k=num_sp_char)
]
remaining_length = length - (num_uppercase + num_lowercase + num_digits + num_sp_char)
password += random.choices(all_chars, k=remaining_length)
random.shuffle(password)
return ''.join(password)
def encrypt(plain_text, key):
manual_iv = b'PhilinnovatorDEV'
cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
ct_bytes = cipher.encrypt(pad(plain_text.encode(), 16))
ct = base64.b64encode(ct_bytes).decode('utf-8')
return ct
key = b'PhilinnovatorDEVPhilinnovatorDEV'
plain_text = generate_password()
if encrypt_flag:
encrypted_text = encrypt(plain_text, key)
print(encrypted_text)
else:
print(plain_text)
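Review bot: `generate_password` builds passwords with `random.choices`/`random.shuffle`, which use the non-cryptographic Mersenne Twister; use `secrets.choice` for each pick and `secrets.SystemRandom().shuffle`, otherwise the passwords are predictable from the generator state. The AES key and IV are literals in the source (`key = b'PhilinnovatorDEVPhilinnovatorDEV'`, `manual_iv = b'PhilinnovatorDEV'`), so `encrypt=1` gives no confidentiality to anyone with repository access, and a fixed IV in CBC mode means equal passwords produce equal ciphertexts; load the key from the environment or from the Vault the role already uses and generate a fresh IV per encryption (prefixing it to the ciphertext). Minor: `get_random_bytes` and `unpad` are imported but unused, `os.sys.argv` should be `sys.argv`, and `True if ... == '1' else False` is just `... == '1'`.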

View File

@@ -0,0 +1,11 @@
import hvac
str_url = "http://10.10.43.98:31080"
str_token = "hvs.CAESIMV6zCg-GpUP4pQgVA5f1ZXkgyJZrqOC6QDCegrpiAX9Gh4KHGh2cy5ORkpkc2ZyVUxYd09qUVFtQldRNDBjS3I"
client = hvac.Client(url=str_url, token=str_token)
str_mount_point = 'kv'
str_secret_path = 'host1'
read_secret_result = client.secrets.kv.v1.read_secret(mount_point=str_mount_point, path=str_secret_path)
print(read_secret_result)
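Review bot: a Vault service token literal is committed on the `str_token = "hvs...."` line; treat it as leaked, revoke it (`vault token revoke`), purge it from history, and have the script take the address and token from the environment (`hvac.Client()` reads `VAULT_ADDR` and `VAULT_TOKEN` when `url`/`token` are omitted). This file also targets a different Vault (`10.10.43.98:31080`, KV v1, mount `kv`) than `vault_get`/`vault_put` (`10.10.43.240:30803`, KV v2, mount `host`), so it looks like a leftover test rather than part of the role; if it is, it should not be committed under `files/`.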

View File

@@ -0,0 +1,108 @@
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import os, sys, time, errno, socket, signal, psutil, random, logging.handlers, subprocess, paramiko, hvac
from xlwt import Workbook, XFStyle, Borders, Font, Pattern
from socket import error as SocketError
process_time = time.strftime("%Y%m%d_%H%M", time.localtime())
excel_file_name = '/mnt/e/excel/{}.xls'.format(process_time)
def process_close(flag=True, result=''):
if flag:
print("[Success]")
else:
print("[Fail]:{}".format(result))
sys.exit(0)
def set_header(sheet, header_list):
# 폰트 설정
font = Font()
font.bold = True
# 테두리 설정
borders = Borders()
borders.left = Borders.THIN
borders.right = Borders.THIN
borders.top = Borders.THIN
borders.bottom = Borders.THIN
# 배경색 설정
pattern = Pattern()
pattern.pattern = Pattern.SOLID_PATTERN
pattern.pattern_fore_colour = 22 # #E2EFDA는 xlwt에서 인덱스 22에 해당하는 색입니다.
hdrstyle = XFStyle()
hdrstyle.font = font
hdrstyle.borders = borders
hdrstyle.pattern = pattern
for idx, header in enumerate(header_list):
sheet.write(0, idx, header, hdrstyle)
sheet.col(idx).width = len(header) * 800
def write_data(sheet, data_list):
datestyle = XFStyle()
datestyle.num_format_str = 'YYYY-MM-DD'
for row_num, data in enumerate(data_list, start=1):
for col_num, cell_data in enumerate(data):
if col_num == 7:
sheet.write(row_num, col_num, cell_data, datestyle)
elif col_num in [1, 4, 5]:
formatted_data = u'{}'.format(cell_data) if cell_data else ''
sheet.write(row_num, col_num, formatted_data)
else:
sheet.write(row_num, col_num, cell_data)
def excel_write(header_list=[], data_list=[], filename='', sheetTitle=''):
workbook = Workbook(style_compression=2, encoding='utf-8')
sheet = workbook.add_sheet(sheetTitle)
set_header(sheet, header_list)
write_data(sheet, data_list)
sheet.panes_frozen = True
sheet.vert_split_pos = 0
sheet.horz_split_pos = 1
workbook.save(filename)
def main():
header_list=['번호','호스트 유형','호스트명','호스트 IP','포트번호','프로토콜','인증방법','1차 로그인 계정명','1차 로그인 비밀번호','1차 로그인 계정명','2차 로그인 비밀번호','용도','비고']
data_list=[]
openfile=open('/tmp/host_list','r')
readfile=openfile.readlines()
openfile.close()
for idx, host_data in enumerate(readfile):
try:
if idx==0: continue
host_num=idx
hosttype=host_data.strip().split(' ')[0]
print(hosttype)
hostname=host_data.strip().split(' ')[1]
host_ips=host_data.strip().split(' ')[2]
port_num=int(host_data.strip().split(' ')[3])
protocol='SSH'
auth_con='Password'
username=host_data.strip().split(' ')[4]
first_pw=host_data.strip().split(' ')[5]
rootuser=host_data.strip().split(' ')[6]
secon_pw=host_data.strip().split(' ')[7]
descript='-'
remarks_='-'
data_list.append([host_num,hosttype,hostname,host_ips,port_num,protocol,auth_con,username,first_pw,rootuser,secon_pw,descript,remarks_,])
except:
continue
excel_write(header_list, data_list, excel_file_name, 'TEST')
DEBUG=False
try:
if os.sys.argv[1]: DEBUG=True
except:
pass
main()
process_close()
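Review bot: the `except: continue` around the row parsing swallows every malformed line of `/tmp/host_list` (including the header-detection `idx==0` path), so a badly delimited file produces a silently short spreadsheet; catch `IndexError`/`ValueError` and log the offending line. `header_list` contains '1차 로그인 계정명' twice (indices 7 and 9); the second should be the 2차 account name, and the `col_num == 7` date style is applied to that account-name column, not to a date. The export writes every host's first and second login password in clear text to `/mnt/e/excel/<timestamp>.xls`; if this export is kept (it is commented out in main.yml), restrict the output path's permissions and consider omitting the password columns, since Vault is already the system of record. Unused: `errno, socket, signal, psutil, subprocess, paramiko, hvac, logging.handlers, SocketError, random`, and `DEBUG` is set but never read.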

View File

@@ -0,0 +1,21 @@
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import base64, random, string, os
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
try:
encrypted_text=os.sys.argv[1]
except:
encrypted_text="q6i1/JxyNe1OUrO0JKu+Z4WQTyQZam2yIJTp43dl1pI="
def decrypt(ct, key):
manual_iv = b'PhilinnovatorDEV'
ct_bytes = base64.b64decode(ct)
cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
return unpad(cipher.decrypt(ct_bytes), 16).decode('utf-8')
key = b'PhilinnovatorDEVPhilinnovatorDEV'
print(decrypt(encrypted_text, key))
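Review bot: when no argument is supplied the script decrypts a hard-coded ciphertext literal, which means a real (or formerly real) password is recoverable from the repository with the equally hard-coded key and IV; drop the fallback and fail with a usage message instead. The bare `except:` should be `except IndexError:`, and `random`, `string`, `get_random_bytes` and `pad` are unused imports. Because the key is a constant shared with `gen_password`, the encrypt/decrypt pair only obscures the password in Ansible output rather than protecting it; if that is the intent, say so in the role README.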

View File

@@ -0,0 +1,45 @@
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import base64, random, string, os
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
try:
encrypt_flag=True if os.sys.argv[1].lower()=='1' else False
except Exception as err:
encrypt_flag=False
def generate_password(length=12, num_uppercase=3, num_lowercase=4, num_digits=3, num_sp_char=2):
sp_char = '!@#$'
all_chars = string.ascii_letters + string.digits + sp_char
password = [
*random.choices(string.ascii_uppercase, k=num_uppercase),
*random.choices(string.ascii_lowercase, k=num_lowercase),
*random.choices(string.digits, k=num_digits),
*random.choices(sp_char, k=num_sp_char)
]
remaining_length = length - (num_uppercase + num_lowercase + num_digits + num_sp_char)
password += random.choices(all_chars, k=remaining_length)
random.shuffle(password)
return ''.join(password)
def encrypt(plain_text, key):
manual_iv = b'PhilinnovatorDEV'
cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
ct_bytes = cipher.encrypt(pad(plain_text.encode(), 16))
ct = base64.b64encode(ct_bytes).decode('utf-8')
return ct
key = b'PhilinnovatorDEVPhilinnovatorDEV'
plain_text = generate_password()
if encrypt_flag:
encrypted_text = encrypt(plain_text, key)
print(encrypted_text)
else:
print(plain_text)
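Review bot: this is a second copy of `gen_password` with different defaults (`length=12, 3/4/3/2` here versus `length=8, 1/1/1/1` in the other copy), so which policy applies depends on which `files/` directory `{{ role_path }}` resolves to; keep one script and pass the length/composition as arguments or role variables. The same fixes apply as to the other copy: `secrets` instead of `random`, no constant key/IV in source, and remove the unused `get_random_bytes`/`unpad` imports.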

View File

@@ -0,0 +1,17 @@
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import hvac
import os
hostname=os.sys.argv[1]
str_url = "http://10.10.43.240:30803"
client = hvac.Client(url=str_url)
client.auth.approle.login(role_id="e96c5fd8-abde-084a-fde7-7450a9348a70", secret_id="5371706b-414a-11d3-f3fd-6cf98871aad1")
try:
data = client.secrets.kv.v2.read_secret_version(mount_point='host', path=hostname, raise_on_deleted_version=True)['data']['data']
print(data)
except Exception as err:
print(err)
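Review bot: the AppRole `role_id` and `secret_id` are literals in the script; a committed SecretID should be rotated (`vault write -f auth/approle/role/<role>/secret-id` then revoke the old accessor) and delivered at run time via environment variables or response wrapping instead of source. The script prints the whole secret dict, including `password`/`adminpass`, to stdout, which `03_vault.yml` then registers and debugs, so the read leaks the credentials into Ansible output; print only what the caller needs (or just a success status). `hostname=os.sys.argv[1]` raises `IndexError` without a usage message, and the Vault URL is plain `http://`, so the SecretID and secrets travel in clear on the network.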

View File

@@ -0,0 +1,21 @@
#!/usr/bin/python3
#-*- coding: utf-8 -*-
import hvac
import os
hostname=os.sys.argv[1]
accountid=os.sys.argv[2]
password=os.sys.argv[3]
adminuser=os.sys.argv[4]
adminpass=os.sys.argv[5]
str_url = "http://10.10.43.240:30803"
client = hvac.Client(url=str_url)
client.auth.approle.login(role_id="e96c5fd8-abde-084a-fde7-7450a9348a70", secret_id="5371706b-414a-11d3-f3fd-6cf98871aad1")
client.secrets.kv.v2.create_or_update_secret(
mount_point='host',
path=hostname,
secret=dict(accountid=f'{accountid}',password=f'{password}',adminuser=f'{adminuser}',adminpass=f'{adminpass}')
)

View File

@@ -0,0 +1,16 @@
---
- name: Reload systemd configuration
ansible.builtin.systemd:
daemon_reload: True
- name: Restart teleport service
ansible.builtin.systemd:
name: teleport
enabled: true
state: restarted
- name: restart sshd
service:
name: sshd
state: restarted
enabled: true
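Review bot: the `Restart teleport service` handler is not notified by any task in this commit (and the `teleport_uri` variable set in the playbook is never used), so it looks carried over from another role; drop it or add the task that needs it. `restart sshd` is notified by the `Port` and `allow_users.conf` changes, so those tasks should carry `validate: '/usr/sbin/sshd -t -f %s'` before the handler fires, otherwise a bad config restarts sshd into a failed state and locks the host. Use `ansible.builtin.service`/`systemd` consistently rather than mixing the bare `service` form with FQCN.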

View File

@@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
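Review bot: this is the untouched galaxy skeleton: `author: your name`, `license: license (GPL-2.0-or-later, MIT, etc)` and `min_ansible_version: 2.1` are placeholders, and `ansible-galaxy`/`ansible-lint` will flag the license value. Fill in author, a valid SPDX license, the supported platforms (the tasks branch on `RedHat`/`Ubuntu`/`CentOS`) and a realistic `min_ansible_version` for the `ansible.builtin.*` FQCNs used.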

Binary file not shown.

View File

@@ -0,0 +1,103 @@
---
- name: "Create datasaker group"
ansible.builtin.group:
name: "datasaker"
state: present
when:
- add_rule == True
- name: Ensure user datasaker exists
user:
name: "{{ item }}"
create_home: yes
home: "/home/{{ item }}"
group: datasaker
shell: /bin/bash
with_items:
- datasaker
when:
- add_rule == True
- name: "Ensure .ssh directory exists for datasaker"
file:
path: /home/datasaker/.ssh
state: directory
owner: datasaker
group: datasaker
mode: '0700'
when:
- add_rule == True
- name: "Add authorized key for datasaker"
authorized_key:
user: datasaker
key: "{{ item }}"
with_items:
- "ssh-rsa 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"
- "ssh-rsa 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"
- "ssh-rsa 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"
when:
- add_rule == True
- name: "sudoers_users file"
file:
path: /etc/sudoers.d/sudoers_users
state: touch
when:
- add_rule == True
- name: "Allow user to sudo"
lineinfile:
path: /etc/sudoers.d/sudoers_users
line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
state: present
with_items:
- datasaker
when:
- add_rule == True
- name: "selinux permissive"
command: "setenforce 0"
ignore_errors: yes
when:
- ansible_facts.os_family == "RedHat"
- name: "firewalld stop"
systemd:
name: firewalld
state: stopped
enabled: false
ignore_errors: yes
when:
- ansible_facts.os_family == "RedHat"
- name: Remove existing Port lines
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^Port'
state: absent
- name: SSH Listen on Main Port
lineinfile:
dest: /etc/ssh/sshd_config
insertbefore: '^#*AddressFamily'
line: 'Port {{sshmainport}}'
state: present
owner: root
group: root
mode: 0640
notify: restart sshd
- name: "Create sshd_config.d directory"
ansible.builtin.file:
path: "/etc/ssh/sshd_config.d/"
state: directory
recurse: yes
owner: root
group: root
- name: "Setting sshd allow users"
template:
src: allow_users.j2
dest: "/etc/ssh/sshd_config.d/allow_users.conf"
notify: restart sshd
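Review bot: the sshd edits have no `validate`, and the `Port` line is removed then re-inserted before `AddressFamily` while a separate template writes `AllowUsers` into `/etc/ssh/sshd_config.d/`; add `validate: '/usr/sbin/sshd -t -f %s'` to both the `lineinfile` and `template` tasks so the `restart sshd` handler never restarts a broken config. The drop-in directory is only honoured if the main `sshd_config` has `Include /etc/ssh/sshd_config.d/*.conf` (OpenSSH 8.2+); on CentOS 7's OpenSSH 7.4 `allow_users.conf` is silently ignored, so the role should either assert on the OpenSSH version or write the directive into `sshd_config` on those hosts. The `sudoers_users` file is created with `state: touch` and no `mode: '0440'`, and the `lineinfile` lacks `validate: 'visudo -cf %s'`; a syntax error there disables sudo for everyone. Finally, `setenforce 0` and stopping/disabling `firewalld` in a role named for security settings reduce the host's protection and are not persisted consistently (setenforce does not survive reboot); if a service really needs them, scope them to that service or document why.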

View File

@@ -0,0 +1,36 @@
---
- name: get password
command: "{{ role_path }}/files/gen_password {{ encrypt }}"
register: user_password
delegate_to: 127.0.0.1
when: manual_password is not defined
- name: get admin password
command: "{{ role_path }}/files/gen_password {{ encrypt }}"
register: admin_password
delegate_to: 127.0.0.1
when: manual_password is not defined
- name: set fact user password
block:
- set_fact:
user_password: "{{ user_password.stdout }}"
rescue:
- set_fact:
user_password: "{{ manual_password }}"
always:
- debug:
msg: "{{ username }} : {{ user_password }}"
when: debug_mode == True
- name: set fact admin password
block:
- set_fact:
admin_password: "{{ admin_password.stdout }}"
rescue:
- set_fact:
admin_password: "{{ manual_password }}"
always:
- debug:
msg: "{{ adminuser }} : {{ admin_password }}"
when: debug_mode == True
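Review bot: the two `command` tasks `register` the generated password and the `debug` tasks print it, so every run with `-v` or `debug_mode` writes credentials into the Ansible log; add `no_log: true` to the command and `set_fact` tasks and keep the debug only where the value is already encrypted. The `block`/`rescue` relies on `user_password.stdout` raising when the command was skipped (`manual_password` defined) to fall through to the manual value; an explicit `when: manual_password is defined` / `is not defined` on two `set_fact` tasks says the same thing without depending on an error path. Note that with `manual_password` set, user and admin receive the same password.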

View File

@@ -0,0 +1,21 @@
---
- include_tasks: 99_decrypt_password.yml
when:
- encrypt == 1
- manual_password is not defined
- name: user password change
user:
name: "{{ item }}"
password: "{{ user_password | password_hash('sha512') }}"
state: present
with_items:
- "{{ username }}"
- name: admin password change
user:
name: "{{ item }}"
password: "{{ admin_password | password_hash('sha512') }}"
state: present
with_items:
- "{{ adminuser }}"

View File

@@ -0,0 +1,21 @@
---
- name: Check if ansible_port is defined
set_fact:
ansible_port: "{{ ansible_port | default(22) }}"
- debug:
msg: "{{ ansible_distribution }} {{ ansible_hostname }} {{ ansible_default_ipv4.address }} {{ ansible_port }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
when: debug_mode == True
- name: put vault
command: "{{ role_path }}/files/vault_put {{ ansible_default_ipv4.address }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
delegate_to: 127.0.0.1
- name: get vault
command: "{{ role_path }}/files/vault_get {{ ansible_default_ipv4.address }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
register: get_vault
delegate_to: 127.0.0.1
- debug:
msg: "{{get_vault.stdout_lines}}"
when: debug_mode == True
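Review bot: `vault_put` and `vault_get` receive both passwords on the command line, so they appear in `ps` output on the control node and in the task's logged arguments; these two `command` tasks need `no_log: true` and the scripts should take the secrets via stdin or environment. `vault_get` is called with all five arguments but only uses the hostname, and its output (the full secret, passwords included) is registered into `get_vault` and debugged; pass only the hostname and have the script return a status rather than the secret. The `set_fact` named "Check if ansible_port is defined" is a default, not a check; `ansible_port | default(22)` at the point of use would be clearer.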

View File

@@ -0,0 +1,27 @@
---
- name: user_password decrypt
command: "{{ role_path }}/files/decrypt_password {{ user_password }}"
register: user_password
delegate_to: 127.0.0.1
- name: admin_password decrypt
command: "{{ role_path }}/files/decrypt_password {{ admin_password }}"
register: admin_password
delegate_to: 127.0.0.1
when:
- encrypt == 1
- manual_password is not defined
- name: admin_password re fact
set_fact:
admin_password: "{{ admin_password.stdout }}"
when:
- encrypt == 1
- manual_password is not defined
- name: user_password re fact
set_fact:
user_password: "{{ user_password.stdout }}"
when:
- encrypt == 1
- manual_password is not defined
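Review bot: the first task (`user_password decrypt`) has no `when` guard while the other three carry `encrypt == 1` and `manual_password is not defined`; it only works because the include itself is gated in `02_change_password.yml`, so either add the same condition for consistency or drop the redundant ones. Registering the command result into the same name as the variable it decrypts (`register: user_password`) and then re-`set_fact`-ing `.stdout` works but is easy to misread; register into `user_password_dec` and fact from that. Both `command` tasks should carry `no_log: true`, as their stdout is the plaintext password.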

View File

@@ -0,0 +1,15 @@
---
- include: 00_host_setting.yml
tags: host
- include: 01_get_password.yml
tags: password
- include: 02_change_password.yml
tags: change
- include: 03_vault.yml
tags: vault
#
#- include: 04_excel_export.yml
# tags: excel
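Review bot: `include` has been deprecated since Ansible 2.4 and is gone from recent ansible-core; switch these to `import_tasks` (static, keeps the `tags` behaviour used here) or `include_tasks`. The commented-out `04_excel_export.yml` is not in the commit at all, so either add the task file or remove the stub so the entry point does not advertise a step that cannot run.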

View File

@@ -0,0 +1,22 @@
AllowUsers datasaker@10.10.43.*
AllowUsers *@10.20.142.*
{% if ansible_distribution == "Ubuntu" %}
AllowUsers ubuntu@10.10.43.*
{% endif %}
{% if ansible_distribution == "CentOS" %}
AllowUsers centos@10.10.43.*
{% endif %}
{% if ansible_distribution == "RedHat" %}
AllowUsers redhat@10.10.43.*
{% endif %}
{% if admin_users is defined %}
{% for user in admin_users %}
AllowUsers {{ user.name }}@{{ user.ip }}
{% endfor %}
{% endif %}
{% if allow_users is defined %}
{% for user in allow_users %}
AllowUsers {{ user.name }}@{{ user.ip }}
{% endfor %}
{% endif %}
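Review bot: `AllowUsers *@10.20.142.*` admits any account from that subnet, which undoes the allow-listing the rest of the file performs; if that network is the admin jump range, list the specific accounts as the `admin_users` loop already does. Since multiple `AllowUsers` directives accumulate in sshd, the file is correct as a list, but the role must guarantee the control node matches one of the patterns (`datasaker@10.10.43.*` only covers a control host in 10.10.43.0/24); a host outside that range locks itself out on the next run. Add a header comment stating the file is managed by Ansible, and keep in mind the drop-in is only read where `sshd_config` includes `sshd_config.d/*.conf`.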

View File

@@ -0,0 +1,2 @@
localhost

View File

@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- password
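Review bot: this is the galaxy `tests/test.yml` skeleton pointed at `localhost` as `root`; with this particular role that would rewrite `sshd_config`, sudoers and the `datasaker`/root passwords on whoever runs the test. Either target a disposable inventory (Molecule/container) with `username`/`adminuser` defined, or remove the test stub so nobody runs it by accident.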

View File

@@ -0,0 +1,2 @@
---
# vars file for password

View File

@@ -5,4 +5,12 @@
dest: /etc/pam.d/common-password dest: /etc/pam.d/common-password
owner: root owner: root
group: root group: root
mode: u=rw,g=r,o=r
- name: Setting Password Auth Rule (Debian)
template:
src: common-auth.j2
dest: /etc/pam.d/common-auth
owner: root
group: root
mode: u=rw,g=r,o=r mode: u=rw,g=r,o=r
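Review bot: templating `/etc/pam.d/common-auth` wholesale bypasses `pam-auth-update`, which will regenerate the file (and drop the appended lockout line) the next time a PAM-related package is configured; the Debian-native way is to ship a profile under `/usr/share/pam-configs/` and run `pam-auth-update --package`. If the template approach stays, add `backup: yes` on this task and a test that login still works (e.g. a follow-up `ssh` check from the control node) before the play ends, because a broken `common-auth` denies every authentication, not just the hardened path.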

View File

@@ -0,0 +1,29 @@
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
## Add Ansible Playbook - Securtiy_Settings ##
auth required pam_tally2.so onerr=fail even_deny_root deny=5 unlock_time=300
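Review bot: the `pam_tally2.so` line is placed after `pam_deny.so`, which is `requisite`, so on a failed password the stack terminates at `pam_deny` and `pam_tally2` never runs, meaning `deny=5` counts nothing; the counter must sit before `pam_unix.so` (`auth required pam_tally2.so onerr=fail ... ` as the first line of the Primary block). Separately, `pam_tally2` was removed in Linux-PAM 1.5.0, so on Ubuntu 22.04 and other current Debian-family releases the module file does not exist and a `required` entry for a missing module makes every login fail; use `pam_faillock.so` (`preauth`/`authfail` pair) there. The stray `##` comment also has a typo (`Securtiy_Settings`).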

View File

@@ -0,0 +1,21 @@
---
- hosts: all
become: true
gather_facts: true
vars:
username: datasaker
adminuser: root
#manual_password: saasadmin1234
sshmainport: 2222
teleport_uri: teleport.kr.datasaker.io
iptables_rules:
- { source: "10.10.45.0/24", target: "DROP" }
- { source: "10.10.47.0/24", target: "DROP" }
- { source: "10.10.48.0/24", target: "DROP" }
- { source: "10.10.50.0/24", target: "DROP" }
- { source: "10.10.37.0/24", target: "DROP" }
delete_rule: False
add_rule: True
roles:
- role: password-settings
- role: security_settings
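Review bot: `#manual_password: saasadmin1234` commits a plausible real password, even if commented out; remove it and purge it from history, and if a manual password is ever needed supply it with `ansible-vault` or `-e` at run time rather than in the tracked playbook. `iptables_rules`, `delete_rule` and `add_rule` duplicate the role defaults exactly, so they can be dropped here. With `hosts: all` and the inventory now limited to a single host, state explicitly in the README that this play changes the `datasaker` and `root` passwords and replaces sshd/PAM settings, since running it against the full `server_settings` inventory would do so for ~100 hosts at once.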