From b1f72b0a10fb407f54423d30ce890a86af9bfaa4 Mon Sep 17 00:00:00 2001
From: ByeonJungHun
Date: Wed, 10 Jan 2024 16:14:53 +0900
Subject: [PATCH] =?UTF-8?q?security=20setting=20role=20=EC=B6=94=EA=B0=80?= =?UTF-8?q?=20=EB=B0=8F=20script=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../roles/security_check/files/ubuntu.sh | 2 +-
 .../tasks/all_setting_mode_change.yml | 26 +++++++++++++++++++
 .../roles/security_settings/tasks/main.yml | 4 ++-
 3 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml
diff --git a/ansible/security_check/roles/security_check/files/ubuntu.sh b/ansible/security_check/roles/security_check/files/ubuntu.sh
index 335ac2f..216ce4f 100644
--- a/ansible/security_check/roles/security_check/files/ubuntu.sh
+++ b/ansible/security_check/roles/security_check/files/ubuntu.sh
@@ -3622,7 +3622,7 @@ U_02 # 랜덤 패스워드를 사용중이라 제외
 U_03 # 계정 잠금 임계값 설정
 U_04 # 패스워드 파일 보호
 U_05 # root 홈, 패스 디렉터리 권한 및 패스 설정
-U_06 # 파일 및 디렉터리 소유자 설정
+#U_06 # kubernetes를 사용함으로 어쩔 수 없는 부분
 U_07 # /etc/passwd 파일 소유자 및 권한 설정
 U_08 # /etc/shadow 파일 소유자 및 권한 설정
 U_09 # /etc/hosts 파일 소유자 및 권한 설정
diff --git a/ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml b/ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml
new file mode 100644
index 0000000..2cb4fcd
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/tasks/all_setting_mode_change.yml
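Review bot: Commenting out the `U_06` call in `ubuntu.sh` removes the file and directory owner check for the entire host, while the stated reason (Kubernetes) presumably concerns only files created under the container runtime's storage. `U_06` is defined outside this hunk, so its search scope is not visible here; if it walks the filesystem for unowned files, excluding the Kubernetes-managed directories inside the function would keep the check effective for the rest of the system. If the call does stay disabled, the report should still record the item as waived rather than silently omit it, and the comment should say what is excluded and why, e.g. `#U_06 # skipped: unowned files under Kubernetes/container storage; re-enable with path exclusions`.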
@@ -0,0 +1,26 @@
+---
+- name: shadow mode change
+ file:
+ path: /etc/shadow
+ mode: 0400
+
+- name: hosts mode change
+ file:
+ path: /etc/hosts
+ #mode: u=rw,g=r,o=r
+ mode: 0600
+
+- name: rsyslog mode change
+ file:
+ path: /etc/rsyslog.conf
+ mode: 0640
+
+- name: crontab mode change [1]
+ file:
+ path: /usr/bin/crontab
+ mode: 0750
+
+- name: crontab mode change [2]
+ file:
+ path: /bin/crontab
+ mode: 0640
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/tasks/main.yml b/ansible/security_settings/roles/security_settings/tasks/main.yml
index c3b1f86..7dc1800 100644
--- a/ansible/security_settings/roles/security_settings/tasks/main.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/main.yml
@@ -5,4 +5,6 @@ - include: all_setting_root_ssh.yml - include: debian_setting_password_rule.yml - when: ansible_facts.os_family == 'Debian' \ No newline at end of file + when: ansible_facts.os_family == 'Debian' + +- include: all_setting_mode_change.yml \ No newline at end of file
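Review bot: In `all_setting_mode_change.yml` the `crontab mode change [2]` task sets `/bin/crontab` to 0640, which removes every execute bit, and on hosts where `/bin` is a symlink to `/usr/bin` (merged-/usr layouts, the default on current Ubuntu) it targets the same binary as task [1] and overrides its 0750, leaving crontab unusable even for root. Use the same value in both tasks, `mode: "0750"`, or drop task [2]. The `file` module fails when the path does not exist, so a host without rsyslog or without a `/bin/crontab` aborts the role; guarding each task with a `stat` result would avoid that. Setting `/etc/hosts` to 0600 also stops non-root processes from resolving names through the hosts file, so confirm that is intended, since the commented-out `u=rw,g=r,o=r` suggests it was in doubt. Quoting the modes (`mode: "0400"`) avoids relying on YAML octal parsing.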