체크 항목 수정

ansible/01_old/security-settings/ansible.cfg

@@ -0,0 +1,8 @@
+[defaults]
+become = true
+inventory = checklist
+roles_path = roles
+deprecation_warnings = false
+display_skipped_hosts = no
+ansible_home = .
+stdout_callback = debug

ansible/01_old/security-settings/roles/security-settings/defaults/main.yml

@@ -0,0 +1,46 @@
+# Password aging settings
+os_auth_pw_max_age: 90
+os_auth_pw_min_age: 1
+os_auth_pw_warn_age: 7
+passhistory: 2
+
+# Inactivity and Failed attempts lockout settings
+fail_deny: 5
+fail_unlock: 0
+inactive_lock: 0
+shell_timeout: 300
+
+# tally settings
+onerr: 'fail'
+deny: 5
+unlock_time: 300
+
+# Password complexity settings
+pwquality_minlen: 9
+pwquality_maxrepeat: 3
+pwquality_lcredit: -1
+pwquality_ucredit: -1
+pwquality_dcredit: -1
+pwquality_ocredit: -1
+
+# SSH settings
+sshrootlogin: 'yes'
+sshmainport: 22
+ssh_service_name: sshd
+
+# Crictl setup
+crictl_app: crictl
+crictl_version: 1.25.0
+crictl_os: linux
+crictl_arch: amd64
+crictl_dl_url: https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/{{ crictl_app }}-v{{ crictl_version }}-{{ crictl_os }}-{{ crictl_arch }}.tar.gz
+crictl_bin_path: /usr/local/bin
+crictl_file_owner: root
+crictl_file_group: root
+
+# temp
+username: root
+password: saasadmin1234
+
+# common user flag
+common_user: False

ansible/01_old/security-settings/roles/security-settings/files/login_banner

@@ -0,0 +1,18 @@
+#!/bin/sh
+echo "-------------------------------------------------------------------------------\n"
+echo "    _╓g@DDKg╓_   \033[0;31m=╗╗╗╗,\033[0;0m     \033[0;34m,╗╗╗╗╤\033[0;0m    ,╔╗DDKg╔_        ╓g@DD╗╔_    ╓g@DD╗╔_"
+echo "  ╓D╝╙\`    \`╠╠H   \033[0;31m╙╠╠╠╠▒\033[0;0m   \033[0;34mÆ╬╬╬╬╩\033[0;0m  _j╠╙\`     1╠R     j╠R^   \`╙╠▒,j╠R^   \`╙╠▒,"
+echo " 1╠^      ,╠╝       \033[0;31m╝╠R\033[0;0m  \033[0;34m╓▓╬╬╬╝\033[0;0m   j╠H       1╠^     ╠╠         ╚╠H         ╚╠H"
+echo "j╠⌐      j╠Γ         \033[0;31m'\033[0;0m  \033[0;34mÆ╬╬╬╬╙\033[0;0m    ╠H      ╔╠R       ╠╠          ╠╠          ╠╠"
+echo "╠╠     ╒╠R            \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m    j╠H    _D╝\`        ╠╠          ╠╠          ╠╠"
+echo "'╠H   1╠^      ..   \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m   ╠D   ╔╚╙       ╔_ ╠╠          ╠╠          ╠╠"
+echo " '╠▒╓░╙      _╔╔^  \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m   ╚▒╓░╙       ╔░H  ╠╠          ╠╠          ╠╠"
+echo "   ⁿ╚╠K≥╔╔╔1▒╝^  \033[0;34m╒▓╬╬╬╩^\033[0;33m   \`╣╣╣╣▓╕\033[0;0m  \`╚╠▒g╔╔╔gD╝╙    ╠╠          ╠╠          ╠╠\n"
+echo "-------------------------------------------------------------------------------"
+echo ""
+echo "                             - 알              림 -                             "
+echo ""
+echo " 현재 접속하신 서버는 DataSaker 개발 서버 입니다.                                       "
+echo " 인가되지 않은 사용자의 접근, 수정 등 행위 시 처벌을 받을 수 있습니다.                         "
+echo ""
+echo "-------------------------------------------------------------------------------"

ansible/01_old/security-settings/roles/security-settings/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart sshd
+  service:
+    name: "{{ ssh_service_name }}"
+    state: restarted
+    enabled: true

ansible/01_old/security-settings/roles/security-settings/tasks/admin_set.yml

@@ -0,0 +1,7 @@
+---
+- name: user change
+  user:
+    name: "{{ username }}"
+    password: "{{ password | password_hash('sha512') }}"
+    state: present
+

ansible/01_old/security-settings/roles/security-settings/tasks/banner.yml

@@ -0,0 +1,29 @@
+---
+- name: Create a tar.gz archive of a single file.
+  archive:
+    path: /etc/update-motd.d/*
+    dest: /etc/update-motd.d/motd.tar.gz
+    format: gz
+    force_archive: true
+
+- name: remove a motd.d files
+  file:
+    path: /etc/update-motd.d/{{ item }}
+    state: absent
+  with_items:
+    - 10-help-text
+    - 85-fwupd
+    - 90-updates-available
+    - 91-release-upgrade
+    - 95-hwe-eol
+    - 98-fsck-at-reboot
+    - 50-motd-news
+    - 88-esm-announce
+
+- name: Create login banner
+  copy:
+    src: login_banner
+    dest: /etc/update-motd.d/00-header
+    owner: root
+    group: root
+    mode: 0755

ansible/01_old/security-settings/roles/security-settings/tasks/crictl.yml

@@ -0,0 +1,19 @@
+---
+- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
+  unarchive:
+    src: "{{ crictl_dl_url }}"
+    dest: "{{ crictl_bin_path }}"
+    owner: "{{ crictl_file_owner }}"
+    group: "{{ crictl_file_group }}"
+    extra_opts:
+      - crictl
+    remote_src: yes
+
+- name: Crictl command crontab setting
+  ansible.builtin.cron:
+    name: crontab command
+    minute: "0"
+    hour: "3"
+    user: root
+    job: "/usr/local/bin/crictl rmi --prune"
+ 

ansible/01_old/security-settings/roles/security-settings/tasks/login_defs.yml

@@ -0,0 +1,48 @@
+---
+- name: Set pass max days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MAX_DAYS.*$'
+    line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
+    backrefs: yes
+
+- name: Set pass min days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MIN_DAYS.*$'
+    line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
+    backrefs: yes
+
+- name: Set pass min length
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MIN_LEN.*$'
+    line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
+    backrefs: yes
+
+- name: Set pass warn days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_WARN_AGE.*$'
+    line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
+    backrefs: yes
+
+- name: Set password encryption to SHA512
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^ENCRYPT_METHOD\s.*$'
+    line: "ENCRYPT_METHOD\tSHA512"
+    backrefs: yes
+
+- name: Disable MD5 crypt explicitly
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^MD5_CRYPT_ENAB.*$'
+    line: "MD5_CRYPT_ENAB NO"
+    backrefs: yes

ansible/01_old/security-settings/roles/security-settings/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- include: login_defs.yml
+  tags: login_defs
+
+- include: pam.yml
+  tags: pam
+
+- include: sshd_config.yml
+  tags: sshd_config
+
+- include: sudoers.yml
+  tags: sudoers
+
+- include: profile.yml
+  tags: profile
+
+- include: banner.yml
+  tags: banner
+
+- include: crictl.yml
+  tags: crictl
+
+- include: admin_set.yml
+  tags: admin_set

ansible/01_old/security-settings/roles/security-settings/tasks/pam.yml

@@ -0,0 +1,50 @@
+---
+- name: Add pam_tally2.so 
+  template:
+    src: common-auth.j2
+    dest: /etc/pam.d/common-auth
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Create pwquality.conf password complexity configuration
+  block:
+    - apt:
+        name: libpam-pwquality
+        state: present
+        install_recommends: false
+    - template:
+        src: pwquality.conf.j2
+        dest: /etc/security/pwquality.conf
+        owner: root
+        group: root
+        mode: 0644
+
+- name: Add pam_tally2.so
+  block:
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequisite'
+        line: "account requisite pam_deny.so"
+
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequired'
+        line: "account required pam_tally2.so"
+
+- name: password reuse is limited
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    line: "password required pam_pwhistory.so remember=5"
+
+- name: password hashing algorithm is SHA-512
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+- name: Shadow Password Suite Parameters
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"

ansible/01_old/security-settings/roles/security-settings/tasks/profile.yml

@@ -0,0 +1,24 @@
+---
+- name: Set session timeout
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^TMOUT=.*'
+    insertbefore: '^readonly TMOUT'
+    line: 'TMOUT={{shell_timeout}}'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set TMOUT readonly
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^readonly TMOUT'
+    insertafter: 'TMOUT={{shell_timeout}}'
+    line: 'readonly TMOUT'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set export TMOUT
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^export TMOUT.*'
+    insertafter: 'readonly TMOUT'
+    line: 'export TMOUT'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"

ansible/01_old/security-settings/roles/security-settings/tasks/sshd_config.yml

@@ -0,0 +1,30 @@
+---
+- name: Configure ssh root login to {{sshrootlogin}}
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitRootLogin.*'
+    line: 'PermitRootLogin {{sshrootlogin}}'
+    insertbefore: '^Match.*'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: SSH Listen on Main Port
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    insertbefore: '^#*AddressFamily'
+    line: 'Port {{sshmainport}}'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: "Setting sshd allow users"
+  template:
+    src: allow_users.j2
+    dest: "/etc/ssh/sshd_config.d/allow_users.conf"
+  notify: restart sshd
+    

ansible/01_old/security-settings/roles/security-settings/tasks/sudoers.yml

@@ -0,0 +1,94 @@
+---
+- name: "Create devops group"
+  ansible.builtin.group:
+    name: "devops"
+    state: present
+
+- name: "get current users"
+  shell: "cat /etc/passwd | egrep -iv '(false|nologin|sync|root|dev2-iac)' | awk -F: '{print $1}'"
+  register: deleting_users
+
+- name: "Delete users"
+  ansible.builtin.user:
+    name: "{{ item }}"
+    state: absent
+    remove: yes
+  with_items: "{{ deleting_users.stdout_lines }}"
+  when: item != ansible_user
+  ignore_errors: true
+
+- name: "Create admin user"
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    group: "devops"
+    shell: "/bin/bash"
+    system: yes
+    state: present
+  with_items: "{{ admin_users }}"
+  when: 
+  - item.name is defined
+  ignore_errors: true
+
+- name: "admin user password change"
+  user:
+    name: "{{ item.name }}"
+    password: "{{ password | password_hash('sha512') }}"
+    state: present
+  with_items: "{{ admin_users }}"
+  when: 
+  - item.name is defined 
+  ignore_errors: true
+
+- name: "Add admin user key"
+  authorized_key:
+    user: "{{ item.name }}"
+    state: present
+    key: "{{ item.key }}"
+  with_items: "{{ admin_users }}"
+  when: 
+  - item.name is defined
+  - item.key is defined
+  - common_user is defined
+  ignore_errors: true
+
+- name: "Create common user"
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    group: "users"
+    shell: "/bin/bash"
+    system: yes
+    state: present
+  with_items: "{{ allow_users }}"
+  when: 
+  - item.name is defined 
+  - common_user is defined
+  ignore_errors: true
+
+- name: "Change common user password change"
+  user:
+    name: "{{ item.name }}"
+    password: "{{ password | password_hash('sha512') }}"
+    state: present
+  with_items: "{{ allow_users }}"
+  when: 
+  - item.name is defined 
+  - common_user is defined
+  ignore_errors: true
+
+- name: "Add common user key"
+  authorized_key:
+    user: "{{ item.name  }}"
+    state: present
+    key: "{{ item.key }}"
+  with_items: "{{ allow_users }}"
+  when:
+  - item.name is defined
+  - item.key is defined
+  - common_user is defined
+  ignore_errors: true
+
+- name: "Setting sudoers allow users"
+  template:
+    src: sudoers_users.j2
+    dest: "/etc/sudoers.d/sudoers_users"
+  ignore_errors: true

ansible/01_old/security-settings/roles/security-settings/templates/allow_users.j2

@@ -0,0 +1,11 @@
+AllowUsers dev2-iac@10.10.43.*
+{% if admin_users is defined %}
+{% for user in admin_users %}
+AllowUsers {{ user.name }}@{{ user.ip }} 
+{% endfor %}
+{% endif %}
+{% if allow_users is defined %}
+{% for user in allow_users %}
+AllowUsers {{ user.name }}@{{ user.ip }} 
+{% endfor %}
+{% endif %}

ansible/01_old/security-settings/roles/security-settings/templates/common-auth.j2

@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+auth	required			pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
+
+# here are the per-package modules (the "Primary" block)
+auth    [success=1 default=ignore]      pam_unix.so nullok
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+auth    required                        pam_permit.so
+# since the modules above will each just jump around
+# and here are more per-package modules (the "Additional" block)
+auth    optional                        pam_cap.so
+# end of pam-auth-update config

ansible/01_old/security-settings/roles/security-settings/templates/pwquality.conf.j2

@@ -0,0 +1,50 @@
+# Configuration for systemwide password quality limits
+# Defaults:
+#
+# Number of characters in the new password that must not be present in the
+# old password.
+# difok = 5
+#
+# Minimum acceptable size for the new password (plus one if
+# credits are not disabled which is the default). (See pam_cracklib manual.)
+# Cannot be set to lower value than 6.
+minlen = {{pwquality_minlen}}
+#
+# The maximum credit for having digits in the new password. If less than 0
+# it is the minimum number of digits in the new password.
+dcredit = {{pwquality_dcredit}}
+#
+# The maximum credit for having uppercase characters in the new password.
+# If less than 0 it is the minimum number of uppercase characters in the new
+# password.
+ucredit = {{pwquality_ucredit}}
+#
+# The maximum credit for having lowercase characters in the new password.
+# If less than 0 it is the minimum number of lowercase characters in the new
+# password.
+lcredit = {{pwquality_lcredit}}
+#
+# The maximum credit for having other characters in the new password.
+# If less than 0 it is the minimum number of other characters in the new
+# password.
+ocredit = {{pwquality_ocredit}}
+#
+# The minimum number of required classes of characters for the new
+# password (digits, uppercase, lowercase, others).
+# minclass = 0
+#
+# The maximum number of allowed consecutive same characters in the new password.
+# The check is disabled if the value is 0.
+maxrepeat = {{pwquality_maxrepeat}}
+#
+# The maximum number of allowed consecutive characters of the same class in the
+# new password.
+# The check is disabled if the value is 0.
+# maxclassrepeat = 0
+#
+# Whether to check for the words from the passwd entry GECOS string of the user.
+# The check is enabled if the value is not 0.
+# gecoscheck = 0
+#
+# Path to the cracklib dictionaries. Default is to use the cracklib default.
+# dictpath =

ansible/01_old/security-settings/roles/security-settings/templates/sudoers_users.j2

@@ -0,0 +1,6 @@
+dev2-iac ALL=(ALL) NOPASSWD: ALL
+{% if allow_users is defined %}
+{% for user in admin_users %}
+{{ user.name }} ALL=(ALL) NOPASSWD: ALL
+{% endfor %}
+{% endif %}

ansible/01_old/security-settings/server-settings.yml

@@ -0,0 +1,6 @@
+---
+- hosts: all
+  become: true
+  gather_facts: true
+  roles:
+    - role: security-settings

ansible/01_old/security-settings/teleport

@@ -0,0 +1,65 @@
+[prod-demo-master]
+10.10.43.100 ansible_port=2222 ansible_user=dev2
+
+[prod-demo-worker]
+10.10.43.101 ansible_port=2222 ansible_user=dev2
+
+[dev-demo-master]
+10.10.43.105 ansible_port=2222 ansible_user=dev2
+
+[dev-demo-worker]
+10.10.43.106 ansible_port=2222 ansible_user=dev2
+
+[saas_mgmt_master]
+10.10.43.240 ansible_port=2222 ansible_user=dev2
+
+[saas_mgmt_node]
+10.10.43.[241:243] ansible_port=2222 ansible_user=dev2
+
+[dsk_dev_master]
+10.10.43.[111:113] ansible_port=2222 ansible_user=dev2
+
+[dsk_dev_node]
+10.10.43.[114:153] ansible_port=2222 ansible_user=dev2
+
+[bastion]
+10.10.43.43 ansible_port=2222 ansible_user=havelight
+
+[agent_host]
+10.10.43.177 ansible_port=2222 ansible_user=dev2
+10.10.43.178 ansible_port=2222 ansible_user=dev2
+10.10.43.179 ansible_port=2222 ansible_user=dev2
+10.10.43.180 ansible_port=2222 ansible_user=dev2
+10.10.43.181 ansible_port=2222 ansible_user=dev2
+10.10.43.182 ansible_port=2222 ansible_user=dev2
+
+[agent_cri_master]
+10.10.43.185 ansible_port=2222 ansible_user=dev2
+
+[agent_cri_worker]
+10.10.43.186 ansible_port=2222 ansible_user=dev2
+10.10.43.187 ansible_port=2222 ansible_user=dev2
+10.10.43.188 ansible_port=2222 ansible_user=dev2
+
+[agent_middleware_master]
+10.10.43.189 ansible_port=2222 ansible_user=dev2
+
+[agent_middleware_worker]
+10.10.43.190 ansible_port=2222 ansible_user=dev2
+10.10.43.191 ansible_port=2222 ansible_user=dev2
+10.10.43.192 ansible_port=2222 ansible_user=dev2
+10.10.43.193 ansible_port=2222 ansible_user=dev2
+10.10.43.194 ansible_port=2222 ansible_user=dev2
+10.10.43.199 ansible_port=2222 ansible_user=dev2
+
+[all:children]
+saas_mgmt_master
+saas_mgmt_node
+dsk_dev_master
+dsk_dev_node
+bastion
+agent_host
+agent_cri_master
+agent_cri_worker
+agent_middleware_master
+agent_middleware_worker

ansible/01_old/security-settings/teleport_etc

@@ -0,0 +1,31 @@
+[all]
+10.10.43.195 ansible_user=dev2 ansible_port=2222
+10.10.43.196 ansible_user=dev2 ansible_port=2222
+10.10.43.197 ansible_user=dev2 ansible_port=2222
+10.10.43.200 ansible_user=dev2 ansible_port=2222
+10.10.43.201 ansible_user=dev2 ansible_port=2222
+10.10.43.202 ansible_user=dev2 ansible_port=2222
+10.10.43.203 ansible_user=dev2 ansible_port=2222
+10.10.43.204 ansible_user=dev2 ansible_port=2222
+10.10.43.205 ansible_user=dev2 ansible_port=2222
+10.10.43.206 ansible_user=dev2 ansible_port=2222
+10.10.43.207 ansible_user=dev2 ansible_port=2222
+10.10.43.208 ansible_user=dev2 ansible_port=2222
+10.10.43.210 ansible_user=dev2 ansible_port=2222
+10.10.43.211 ansible_user=dev2 ansible_port=2222
+10.10.43.212 ansible_user=dev2 ansible_port=2222
+10.10.43.213 ansible_user=dev2 ansible_port=2222
+10.10.43.214 ansible_user=dev2 ansible_port=2222
+10.10.43.215 ansible_user=dev2 ansible_port=2222
+10.10.43.216 ansible_user=dev2 ansible_port=2222
+10.10.43.217 ansible_user=dev2 ansible_port=2222
+10.10.43.218 ansible_user=dev2 ansible_port=2222
+10.10.43.224 ansible_user=dev2 ansible_port=2222
+10.10.43.225 ansible_user=dev2 ansible_port=2222
+10.10.43.226 ansible_user=dev2 ansible_port=2222
+10.10.43.227 ansible_user=dev2 ansible_port=2222
+10.10.43.228 ansible_user=dev2 ansible_port=2222
+10.10.43.230 ansible_user=dev2 ansible_port=2222
+10.10.43.235 ansible_user=dev2 ansible_port=2222
+10.10.43.236 ansible_user=dev2 ansible_port=2222
+10.10.43.252 ansible_user=dev2 ansible_port=2222

ansible/infra_setting/inventory

@@ -1,31 +1,31 @@
 [all]
-10.10.43.195
-10.10.43.196
-10.10.43.197
-10.10.43.200
-10.10.43.201
-10.10.43.202
-10.10.43.203
-10.10.43.204
-10.10.43.205
-10.10.43.206
-10.10.43.207
-10.10.43.208
-10.10.43.210
-10.10.43.211
-10.10.43.212
-10.10.43.213
-10.10.43.214
-10.10.43.215
-10.10.43.216
-10.10.43.217
-10.10.43.218
-10.10.43.224
-10.10.43.225
-10.10.43.226
-10.10.43.227
-10.10.43.228
-10.10.43.230
-10.10.43.235
-10.10.43.236
-10.10.43.252
+10.10.43.195 ansible_user=dev2-iac ansible_port=2222
+10.10.43.196 ansible_user=dev2-iac ansible_port=2222
+10.10.43.197 ansible_user=dev2-iac ansible_port=2222
+10.10.43.200 ansible_user=dev2-iac ansible_port=2222
+10.10.43.201 ansible_user=dev2-iac ansible_port=2222
+10.10.43.202 ansible_user=dev2-iac ansible_port=2222
+10.10.43.203 ansible_user=dev2-iac ansible_port=2222
+10.10.43.204 ansible_user=dev2-iac ansible_port=2222
+10.10.43.205 ansible_user=dev2-iac ansible_port=2222
+10.10.43.206 ansible_user=dev2-iac ansible_port=2222
+10.10.43.207 ansible_user=dev2-iac ansible_port=2222
+10.10.43.208 ansible_user=dev2-iac ansible_port=2222
+10.10.43.210 ansible_user=dev2-iac ansible_port=2222
+10.10.43.211 ansible_user=dev2-iac ansible_port=2222
+10.10.43.212 ansible_user=dev2-iac ansible_port=2222
+10.10.43.213 ansible_user=dev2-iac ansible_port=2222
+10.10.43.214 ansible_user=dev2-iac ansible_port=2222
+10.10.43.215 ansible_user=dev2-iac ansible_port=2222
+10.10.43.216 ansible_user=dev2-iac ansible_port=2222
+10.10.43.217 ansible_user=dev2-iac ansible_port=2222
+10.10.43.218 ansible_user=dev2-iac ansible_port=2222
+10.10.43.224 ansible_user=dev2-iac ansible_port=2222
+10.10.43.225 ansible_user=dev2-iac ansible_port=2222
+10.10.43.226 ansible_user=dev2-iac ansible_port=2222
+10.10.43.227 ansible_user=dev2-iac ansible_port=2222
+10.10.43.228 ansible_user=dev2-iac ansible_port=2222
+10.10.43.230 ansible_user=dev2-iac ansible_port=2222
+10.10.43.235 ansible_user=dev2-iac ansible_port=2222
+10.10.43.236 ansible_user=dev2-iac ansible_port=2222
+10.10.43.252 ansible_user=dev2-iac ansible_port=2222

ansible/security_check/ansible.cfg

@@ -6,5 +6,4 @@ deprecation_warnings = false
 display_skipped_hosts = no
 ansible_home = .
 stdout_callback = debug
-host_key_checking = false
-
+host_key_checking = false

ansible/security_check/roles/security_check/files/ubuntu.sh

@@ -3617,7 +3617,7 @@ echo "#
 echo "##############################################################################" >> $resultfile 2>&1
 
 U_01 # root 계정 원격 접속 제한
-# U_02 # 랜덤 패스워드를 사용중이라 제외
+U_02 # 랜덤 패스워드를 사용중이라 제외
 U_03 # 계정 잠금 임계값 설정
 U_04 # 패스워드 파일 보호
 U_05 # root 홈, 패스 디렉터리 권한 및 패스 설정
@@ -3702,4 +3702,4 @@ echo "                              ★ 양호 개수 = `cat $resultfile | grep
 echo "                              ☆ N/A 개수 = `cat $resultfile | grep '결과 : N/A' | wc -l`" >> $resultfile 2>&1
 echo ""  >> $resultfile 2>&1
 echo "==============================================================================" >> $resultfile 2>&1
-echo ""  >> $resultfile 2>&1
+echo ""  >> $resultfile 2>&1

ansible/security_check/server_check.yml

@@ -6,4 +6,4 @@
     git_user: sa_8001
     git_key: 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
   roles:
-    - role: security_check
+    - role: security_check

ansible/security_settings/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+become = true
+inventory = checklist
+roles_path = roles
+deprecation_warnings = false
+display_skipped_hosts = no
+ansible_home = .
+stdout_callback = debug
+host_key_checking = false

ansible/security_settings/inventory

@@ -0,0 +1,30 @@
+[all]
+10.10.43.195 ansible_user=dev2-iac ansible_port=2222
+10.10.43.196 ansible_user=dev2-iac ansible_port=2222
+10.10.43.197 ansible_user=dev2-iac ansible_port=2222
+10.10.43.200 ansible_user=dev2-iac ansible_port=2222
+10.10.43.201 ansible_user=dev2-iac ansible_port=2222
+10.10.43.202 ansible_user=dev2-iac ansible_port=2222
+10.10.43.203 ansible_user=dev2-iac ansible_port=2222
+10.10.43.204 ansible_user=dev2-iac ansible_port=2222
+10.10.43.205 ansible_user=dev2-iac ansible_port=2222
+10.10.43.206 ansible_user=dev2-iac ansible_port=2222
+10.10.43.207 ansible_user=dev2-iac ansible_port=2222
+10.10.43.208 ansible_user=dev2-iac ansible_port=2222
+10.10.43.210 ansible_user=dev2-iac ansible_port=2222
+10.10.43.211 ansible_user=dev2-iac ansible_port=2222
+10.10.43.212 ansible_user=dev2-iac ansible_port=2222
+10.10.43.213 ansible_user=dev2-iac ansible_port=2222
+10.10.43.214 ansible_user=dev2-iac ansible_port=2222
+10.10.43.215 ansible_user=dev2-iac ansible_port=2222
+10.10.43.216 ansible_user=dev2-iac ansible_port=2222
+10.10.43.217 ansible_user=dev2-iac ansible_port=2222
+10.10.43.218 ansible_user=dev2-iac ansible_port=2222
+10.10.43.224 ansible_user=dev2-iac ansible_port=2222
+10.10.43.225 ansible_user=dev2-iac ansible_port=2222
+10.10.43.226 ansible_user=dev2-iac ansible_port=2222
+10.10.43.227 ansible_user=dev2-iac ansible_port=2222
+10.10.43.228 ansible_user=dev2-iac ansible_port=2222
+10.10.43.235 ansible_user=dev2-iac ansible_port=2222
+10.10.43.236 ansible_user=dev2-iac ansible_port=2222
+10.10.43.252 ansible_user=dev2-iac ansible_port=2222

ansible/security_settings/roles/security_settings/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Reload systemd configuration
+  ansible.builtin.systemd:
+    daemon_reload: True
+
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
+    enabled: true

ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml

@@ -0,0 +1,8 @@
+---
+- name: Setting EXEM Banner (Debian)
+  template:
+    src: banner.j2
+    dest: /etc/update-motd.d/00-header
+    mode: 0755
+    owner: root
+    group: root

ansible/security_settings/roles/security_settings/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- include: debian_setting_banner.yml
+  when: ansible_facts['os_family'] == 'Debian'
+
+- include: setting_root_ssh.yml

ansible/security_settings/roles/security_settings/tasks/setting_root_ssh.yml

@@ -0,0 +1,11 @@
+- name: Configure ssh root login to no
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitRootLogin.*'
+    line: 'PermitRootLogin no'
+    insertbefore: '^Match.*'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd

ansible/security_settings/roles/security_settings/templates/banner.j2

@@ -0,0 +1,18 @@
+#!/bin/sh
+echo "-------------------------------------------------------------------------------\n"
+echo  "    _╓g@DDKg╓_   \033[0;31m=╗╗╗╗,\033[0;0m     \033[0;34m,╗╗╗╗╤\033[0;0m    ,╔╗DDKg╔_        ╓g@DD╗╔_    ╓g@DD╗╔_"
+echo  "  ╓D╝╙\`    \`╠╠H   \033[0;31m╙╠╠╠╠▒\033[0;0m   \033[0;34mÆ╬╬╬╬╩\033[0;0m  _j╠╙\`     1╠R     j╠R^   \`╙╠▒,j╠R^   \`╙╠▒,"
+echo  " 1╠^      ,╠╝       \033[0;31m╝╠R\033[0;0m  \033[0;34m╓▓╬╬╬╝\033[0;0m   j╠H       1╠^     ╠╠         ╚╠H         ╚╠H"
+echo  "j╠⌐      j╠Γ         \033[0;31m'\033[0;0m  \033[0;34mÆ╬╬╬╬╙\033[0;0m    ╠H      ╔╠R       ╠╠          ╠╠          ╠╠"
+echo  "╠╠     ╒╠R            \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m    j╠H    _D╝\`        ╠╠          ╠╠          ╠╠"
+echo  "'╠H   1╠^      ..   \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m   ╠D   ╔╚╙       ╔_ ╠╠          ╠╠          ╠╠"
+echo  " '╠▒╓░╙      _╔╔^  \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m   ╚▒╓░╙       ╔░H  ╠╠          ╠╠          ╠╠"
+echo  "   ⁿ╚╠K≥╔╔╔1▒╝^  \033[0;34m╒▓╬╬╬╩^\033[0;33m   \`╣╣╣╣▓╕\033[0;0m  \`╚╠▒g╔╔╔gD╝╙    ╠╠          ╠╠          ╠╠\n"
+echo "-------------------------------------------------------------------------------"
+echo ""
+echo "                             - 알              림 -                             "
+echo ""
+echo " 현재 접속하신 서버는 SaaS기술연구팀 개발 서버 입니다.                                       "
+echo " 인가되지 않은 사용자의 접근, 수정 등 행위 시 처벌을 받을 수 있습니다.                         "
+echo ""
+echo "-------------------------------------------------------------------------------"

ansible/security_settings/security_settings.yml

@@ -0,0 +1,6 @@
+---
+- hosts: all
+  become: true
+  gather_facts: true
+  roles:
+    - role: security_settings

ansible/teleport_setting/roles/teleport/templates/teleport.yaml.j2

@@ -17,6 +17,9 @@ auth_service:
   enabled: "no"
 ssh_service:
   enabled: "yes"
+  pam:
+    enabled: true
+    service_name: "sshd"
   labels:
     ipaddr: {{ansible_default_ipv4.address}}
     group: {{ group_names[-1] }}

ansible/teleport_setting/teleport.yml

@@ -7,5 +7,5 @@
     teleport_uri: teleport.kr.datasaker.io
     # remove: True
     # custom_labels: 'user=havelight,company=exem'
-    # update: True
-    install: True
+    update: True
+    # install: True

ansible/teleport_setting/teleport_etc

@@ -0,0 +1,31 @@
+[all]
+#10.10.43.195 ansible_user=dev2 ansible_port=2222
+#10.10.43.196 ansible_user=dev2 ansible_port=2222
+#10.10.43.197 ansible_user=dev2 ansible_port=2222
+10.10.43.200 ansible_user=dev2 ansible_port=2222
+10.10.43.201 ansible_user=dev2 ansible_port=2222
+10.10.43.202 ansible_user=dev2 ansible_port=2222
+10.10.43.203 ansible_user=dev2 ansible_port=2222
+10.10.43.204 ansible_user=dev2 ansible_port=2222
+10.10.43.205 ansible_user=dev2 ansible_port=2222
+10.10.43.206 ansible_user=dev2 ansible_port=2222
+10.10.43.207 ansible_user=dev2 ansible_port=2222
+10.10.43.208 ansible_user=dev2 ansible_port=2222
+10.10.43.210 ansible_user=dev2 ansible_port=2222
+10.10.43.211 ansible_user=dev2 ansible_port=2222
+10.10.43.212 ansible_user=dev2 ansible_port=2222
+10.10.43.213 ansible_user=dev2 ansible_port=2222
+10.10.43.214 ansible_user=dev2 ansible_port=2222
+10.10.43.215 ansible_user=dev2 ansible_port=2222
+10.10.43.216 ansible_user=dev2 ansible_port=2222
+10.10.43.217 ansible_user=dev2 ansible_port=2222
+10.10.43.218 ansible_user=dev2 ansible_port=2222
+#10.10.43.224 ansible_user=dev2 ansible_port=2222
+#10.10.43.225 ansible_user=dev2 ansible_port=2222
+#10.10.43.226 ansible_user=dev2 ansible_port=2222
+#10.10.43.227 ansible_user=dev2 ansible_port=2222
+#10.10.43.228 ansible_user=dev2 ansible_port=2222
+#10.10.43.230 ansible_user=dev2 ansible_port=2222
+#10.10.43.235 ansible_user=dev2 ansible_port=2222
+#10.10.43.236 ansible_user=dev2 ansible_port=2222
+#10.10.43.252 ansible_user=dev2 ansible_port=2222