From c58e7a5caf2949cb0a078f6ecd7c755f73fc825a Mon Sep 17 00:00:00 2001 
From: ByeonJungHun Date: Wed, 10 Jan 2024 11:38:51 +0900 Subject: [PATCH] =?UTF-8?q?=EC=B2=B4=ED=81=AC=20=ED=95=AD=EB=AA=A9=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/01_old/security-settings/ansible.cfg | 8 ++ .../roles/security-settings/.DS_Store | Bin 0 -> 6148 bytes .../roles/security-settings/defaults/main.yml | 46 +++++++++ .../security-settings/files/login_banner | 18 ++++ .../roles/security-settings/handlers/main.yml | 6 ++ .../security-settings/tasks/admin_set.yml | 7 ++ .../roles/security-settings/tasks/banner.yml | 29 ++++++ .../roles/security-settings/tasks/crictl.yml | 19 ++++ .../security-settings/tasks/login_defs.yml | 48 +++++++++ .../roles/security-settings/tasks/main.yml | 24 +++++ .../roles/security-settings/tasks/pam.yml | 50 ++++++++++ .../roles/security-settings/tasks/profile.yml | 24 +++++ .../security-settings/tasks/sshd_config.yml | 30 ++++++ .../roles/security-settings/tasks/sudoers.yml | 94 ++++++++++++++++++ .../templates/allow_users.j2 | 11 ++ .../templates/common-auth.j2 | 27 +++++ .../templates/pwquality.conf.j2 | 50 ++++++++++ .../templates/sudoers_users.j2 | 6 ++ .../security-settings/server-settings.yml | 6 ++ ansible/01_old/security-settings/teleport | 65 ++++++++++++ ansible/01_old/security-settings/teleport_etc | 31 ++++++ ansible/infra_setting/inventory | 60 +++++------ ansible/security_check/ansible.cfg | 3 +- .../roles/security_check/files/ubuntu.sh | 4 +- ansible/security_check/server_check.yml | 2 +- ansible/security_settings/ansible.cfg | 9 ++ ansible/security_settings/inventory | 30 ++++++ .../roles/security_settings/handlers/main.yml | 10 ++ .../tasks/debian_setting_banner.yml | 8 ++ .../roles/security_settings/tasks/main.yml | 5 + .../tasks/setting_root_ssh.yml | 11 ++ .../security_settings/templates/banner.j2 | 18 ++++ .../security_settings/security_settings.yml | 6 ++ .../roles/teleport/templates/teleport.yaml.j2 | 3 + 
ansible/teleport_setting/teleport.yml | 4 +- ansible/teleport_setting/teleport_etc | 31 ++++++ 36 files changed, 766 insertions(+), 37 deletions(-) create mode 100644 ansible/01_old/security-settings/ansible.cfg create mode 100644 ansible/01_old/security-settings/roles/security-settings/.DS_Store create mode 100755 ansible/01_old/security-settings/roles/security-settings/defaults/main.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/files/login_banner create mode 100755 ansible/01_old/security-settings/roles/security-settings/handlers/main.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/tasks/admin_set.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/tasks/banner.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/tasks/crictl.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/tasks/login_defs.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/tasks/main.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/tasks/pam.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/tasks/profile.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/tasks/sshd_config.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/tasks/sudoers.yml create mode 100755 ansible/01_old/security-settings/roles/security-settings/templates/allow_users.j2 create mode 100755 ansible/01_old/security-settings/roles/security-settings/templates/common-auth.j2 create mode 100755 ansible/01_old/security-settings/roles/security-settings/templates/pwquality.conf.j2 create mode 100755 ansible/01_old/security-settings/roles/security-settings/templates/sudoers_users.j2 create mode 100644 ansible/01_old/security-settings/server-settings.yml create mode 100755 ansible/01_old/security-settings/teleport create mode 100755 
ansible/01_old/security-settings/teleport_etc create mode 100644 ansible/security_settings/ansible.cfg create mode 100644 ansible/security_settings/inventory create mode 100644 ansible/security_settings/roles/security_settings/handlers/main.yml create mode 100644 ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml create mode 100644 ansible/security_settings/roles/security_settings/tasks/main.yml create mode 100644 ansible/security_settings/roles/security_settings/tasks/setting_root_ssh.yml create mode 100644 ansible/security_settings/roles/security_settings/templates/banner.j2 create mode 100644 ansible/security_settings/security_settings.yml create mode 100644 ansible/teleport_setting/teleport_etc diff --git a/ansible/01_old/security-settings/ansible.cfg b/ansible/01_old/security-settings/ansible.cfg new file mode 100644 index 0000000..9664248 --- /dev/null +++ b/ansible/01_old/security-settings/ansible.cfg @@ -0,0 +1,8 @@ +[defaults] +become = true +inventory = checklist +roles_path = roles +deprecation_warnings = false +display_skipped_hosts = no +ansible_home = . +stdout_callback = debug diff --git a/ansible/01_old/security-settings/roles/security-settings/.DS_Store b/ansible/01_old/security-settings/roles/security-settings/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..8bec8722c381ca317bf822109fde6f2fef5be2e9 GIT binary patch literal 6148 zcmeHK%}T>S5Z>*NO({YS3VK`cTClAJEnY&bFJMFuDm5WRLu0lysXdfJ?)pN$h|lB9 z?gm;69!2a7?0&QJvzz%K`@3s4^wN~G0SPiRXJ$TP@;bnd{PhEd@hofsL=V=Ey!=E_c+eMH2(Wz)uX|{ve>0lQo&M}y4)ai_?m0=#Ua`AZKYIU#+70$S$k$Pf)7}#W>s)sh7|CjK~ zls@t|Q)omC5Ci{=0bUz=Ll=rNXY04}@T?Wk9-*ONT#gC|=o^;+7~no~pq$z-P=`3j XV6G8oLAy!^q>F$eggRp27Z~^g0k}&- literal 0 HcmV?d00001 diff --git a/ansible/01_old/security-settings/roles/security-settings/defaults/main.yml b/ansible/01_old/security-settings/roles/security-settings/defaults/main.yml new file mode 100755 index 0000000..4d29a9e --- /dev/null 
+++ b/ansible/01_old/security-settings/roles/security-settings/defaults/main.yml
@@ -0,0 +1,46 @@
+# Password aging settings
+os_auth_pw_max_age: 90
+os_auth_pw_min_age: 1
+os_auth_pw_warn_age: 7
+passhistory: 2
+
+# Inactivity and Failed attempts lockout settings
+fail_deny: 5
+fail_unlock: 0
+inactive_lock: 0
+shell_timeout: 300
+
+# tally settings
+onerr: 'fail'
+deny: 5
+unlock_time: 300
+
+# Password complexity settings
+pwquality_minlen: 9
+pwquality_maxrepeat: 3
+pwquality_lcredit: -1
+pwquality_ucredit: -1
+pwquality_dcredit: -1
+pwquality_ocredit: -1
+
+# SSH settings
+sshrootlogin: 'yes'
+sshmainport: 22
+ssh_service_name: sshd
+
+# Crictl setup
+crictl_app: crictl
+crictl_version: 1.25.0
+crictl_os: linux
+crictl_arch: amd64
+crictl_dl_url: https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/{{ crictl_app }}-v{{ crictl_version }}-{{ crictl_os }}-{{ crictl_arch }}.tar.gz
+crictl_bin_path: /usr/local/bin
+crictl_file_owner: root
+crictl_file_group: root
+
+# temp
+username: root
+password: saasadmin1234
+
+# common user flag
+common_user: False
diff --git a/ansible/01_old/security-settings/roles/security-settings/files/login_banner b/ansible/01_old/security-settings/roles/security-settings/files/login_banner
new file mode 100755
index 0000000..5f6a0e0
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/files/login_banner
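Review bot: `password: saasadmin1234` in defaults/main.yml is a cleartext credential committed to the repository, and the same variable is applied to root (via `username: root`) and to every admin and common user by the sudoers tasks. Move it to an Ansible Vault-encrypted vars file or a `vars_prompt`, and rotate the value, since it is already in git history. `sshrootlogin: 'yes'` makes the role enable root SSH login by default, which together with a shared root password is the opposite of a hardening baseline; `'no'` is the safer default and is what the newer security_settings role in this same patch writes. `fail_unlock`, `inactive_lock` and `passhistory` are defined here but referenced by no task in this patch, so they give a false impression of being enforced.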
@@ -0,0 +1,18 @@ +#!/bin/sh +echo "-------------------------------------------------------------------------------\n" +echo " _╓g@DDKg╓_ \033[0;31m=╗╗╗╗,\033[0;0m \033[0;34m,╗╗╗╗╤\033[0;0m ,╔╗DDKg╔_ ╓g@DD╗╔_ ╓g@DD╗╔_" +echo " ╓D╝╙\` \`╠╠H \033[0;31m╙╠╠╠╠▒\033[0;0m \033[0;34mÆ╬╬╬╬╩\033[0;0m _j╠╙\` 1╠R j╠R^ \`╙╠▒,j╠R^ \`╙╠▒," +echo " 1╠^ ,╠╝ \033[0;31m╝╠R\033[0;0m \033[0;34m╓▓╬╬╬╝\033[0;0m j╠H 1╠^ ╠╠ ╚╠H ╚╠H" +echo "j╠⌐ j╠Γ \033[0;31m'\033[0;0m \033[0;34mÆ╬╬╬╬╙\033[0;0m ╠H ╔╠R ╠╠ ╠╠ ╠╠" +echo "╠╠ ╒╠R \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m j╠H _D╝\` ╠╠ ╠╠ ╠╠" +echo "'╠H 1╠^ .. \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m ╠D ╔╚╙ ╔_ ╠╠ ╠╠ ╠╠" +echo " '╠▒╓░╙ _╔╔^ \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m ╚▒╓░╙ ╔░H ╠╠ ╠╠ ╠╠" +echo " ⁿ╚╠K≥╔╔╔1▒╝^ \033[0;34m╒▓╬╬╬╩^\033[0;33m \`╣╣╣╣▓╕\033[0;0m \`╚╠▒g╔╔╔gD╝╙ ╠╠ ╠╠ ╠╠\n" +echo "-------------------------------------------------------------------------------" +echo "" +echo " - 알 림 - " +echo "" +echo " 현재 접속하신 서버는 DataSaker 개발 서버 입니다. " +echo " 인가되지 않은 사용자의 접근, 수정 등 행위 시 처벌을 받을 수 있습니다. " +echo "" +echo "-------------------------------------------------------------------------------" diff --git a/ansible/01_old/security-settings/roles/security-settings/handlers/main.yml b/ansible/01_old/security-settings/roles/security-settings/handlers/main.yml new file mode 100755 index 0000000..abab7ef --- /dev/null +++ b/ansible/01_old/security-settings/roles/security-settings/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart sshd + service: + name: "{{ ssh_service_name }}" + state: restarted + enabled: true diff --git a/ansible/01_old/security-settings/roles/security-settings/tasks/admin_set.yml b/ansible/01_old/security-settings/roles/security-settings/tasks/admin_set.yml new file mode 100755 index 0000000..3836c16 --- /dev/null +++ b/ansible/01_old/security-settings/roles/security-settings/tasks/admin_set.yml 
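Review bot: The unauthorized-access warning is installed as an update-motd.d script, which only runs after a successful login, so a user never sees it before authenticating. If a pre-authentication legal banner is intended, also ship the text to `/etc/issue.net` and set `Banner /etc/issue.net` in sshd_config. The script uses `echo "...\n"` under `#!/bin/sh`; dash interprets the `\n` but bash prints it literally, so `printf` would be the portable choice.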
@@ -0,0 +1,7 @@
+---
+- name: user change
+ user:
+ name: "{{ username }}"
+ password: "{{ password | password_hash('sha512') }}"
+ state: present
+
diff --git a/ansible/01_old/security-settings/roles/security-settings/tasks/banner.yml b/ansible/01_old/security-settings/roles/security-settings/tasks/banner.yml
new file mode 100755
index 0000000..6a172c9
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/tasks/banner.yml
@@ -0,0 +1,29 @@
+---
+- name: Create a tar.gz archive of a single file.
+ archive:
+ path: /etc/update-motd.d/*
+ dest: /etc/update-motd.d/motd.tar.gz
+ format: gz
+ force_archive: true
+
+- name: remove a motd.d files
+ file:
+ path: /etc/update-motd.d/{{ item }}
+ state: absent
+ with_items:
+ - 10-help-text
+ - 85-fwupd
+ - 90-updates-available
+ - 91-release-upgrade
+ - 95-hwe-eol
+ - 98-fsck-at-reboot
+ - 50-motd-news
+ - 88-esm-announce
+
+- name: Create login banner
+ copy:
+ src: login_banner
+ dest: /etc/update-motd.d/00-header
+ owner: root
+ group: root
+ mode: 0755
diff --git a/ansible/01_old/security-settings/roles/security-settings/tasks/crictl.yml b/ansible/01_old/security-settings/roles/security-settings/tasks/crictl.yml
new file mode 100755
index 0000000..125a878
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/tasks/crictl.yml
@@ -0,0 +1,19 @@
+---
+- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
+ unarchive:
+ src: "{{ crictl_dl_url }}"
+ dest: "{{ crictl_bin_path }}"
+ owner: "{{ crictl_file_owner }}"
+ group: "{{ crictl_file_group }}"
+ extra_opts:
+ - crictl
+ remote_src: yes
+
+- name: Crictl command crontab setting
+ ansible.builtin.cron:
+ name: crontab command
+ minute: "0"
+ hour: "3"
+ user: root
+ job: "/usr/local/bin/crictl rmi --prune"
+
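Review bot: `password_hash('sha512')` is called without a salt, so it yields a different hash on every run and this task reports changed and rewrites the root password each time the play executes; pass a fixed salt (`password_hash('sha512', 'some-salt')`) or set `update_password: on_create`. With this role's defaults (`username: root`, a cleartext `password`, `sshrootlogin: 'yes'`) the net effect is password-based root SSH access with a shared, committed credential, which is a net loss for a hardening role. Source the password from Ansible Vault and make this task a no-op unless `username` is explicitly overridden.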
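Review bot: The archive task globs `/etc/update-motd.d/*` into `/etc/update-motd.d/motd.tar.gz`, so on the second run the previous archive is swept into the new one and the backup grows on every execution; write the backup outside that directory (e.g. `dest: /root/update-motd.d-backup.tar.gz`) and guard it with `creates`. Deleting `50-motd-news` and `90-updates-available` also silences the pending-security-update notices those scripts print, which may be intentional but deserves a comment in the task. The deletion list is Ubuntu-specific and the file has no `when: ansible_facts['os_family'] == 'Debian'` guard, unlike the banner task in the newer security_settings role.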
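Review bot: The crictl tarball is fetched from GitHub and extracted straight into `/usr/local/bin` as root with no integrity check, so a tampered release asset or a redirected download becomes a root-owned binary on every node. `unarchive` with a URL `src` has no `checksum` option; fetch with `get_url` and `checksum: "sha256:<digest from the cri-tools release>"` first, then `unarchive` from the local path (`remote_src: yes` still applies). The nightly `crictl rmi --prune` cron job deletes every unused image on the node; that is a storage-cleanup policy rather than a security setting and is easy to miss inside a role named security-settings.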
diff --git a/ansible/01_old/security-settings/roles/security-settings/tasks/login_defs.yml b/ansible/01_old/security-settings/roles/security-settings/tasks/login_defs.yml
new file mode 100755
index 0000000..f25702a
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/tasks/login_defs.yml
@@ -0,0 +1,48 @@
+---
+- name: Set pass max days
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_MAX_DAYS.*$'
+ line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
+ backrefs: yes
+
+- name: Set pass min days
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_MIN_DAYS.*$'
+ line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
+ backrefs: yes
+
+- name: Set pass min length
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_MIN_LEN.*$'
+ line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
+ backrefs: yes
+
+- name: Set pass warn days
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_WARN_AGE.*$'
+ line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
+ backrefs: yes
+
+- name: Set password encryption to SHA512
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^ENCRYPT_METHOD\s.*$'
+ line: "ENCRYPT_METHOD\tSHA512"
+ backrefs: yes
+
+- name: Disable MD5 crypt explicitly
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^MD5_CRYPT_ENAB.*$'
+ line: "MD5_CRYPT_ENAB NO"
+ backrefs: yes
diff --git a/ansible/01_old/security-settings/roles/security-settings/tasks/main.yml b/ansible/01_old/security-settings/roles/security-settings/tasks/main.yml
new file mode 100755
index 0000000..c9a3fe6
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/tasks/main.yml
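Review bot: Every task here sets `backrefs: yes`, which turns lineinfile into a no-op when the regexp does not match, so on a host where a setting is absent or commented out (`#ENCRYPT_METHOD SHA512` is a common stock state) nothing is written and the hardening silently does not apply. Drop `backrefs` and use a regexp that also matches the commented form, e.g. `regexp: '^#?\s*PASS_MAX_DAYS\b'`, so the line is replaced when present and appended otherwise. `MD5_CRYPT_ENAB` is deprecated in login.defs in favour of `ENCRYPT_METHOD`, so the last task adds nothing once the previous one succeeds and can be dropped or marked as legacy.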
@@ -0,0 +1,24 @@
+---
+- include: login_defs.yml
+ tags: login_defs
+
+- include: pam.yml
+ tags: pam
+
+- include: sshd_config.yml
+ tags: sshd_config
+
+- include: sudoers.yml
+ tags: sudoers
+
+- include: profile.yml
+ tags: profile
+
+- include: banner.yml
+ tags: banner
+
+- include: crictl.yml
+ tags: crictl
+
+- include: admin_set.yml
+ tags: admin_set
diff --git a/ansible/01_old/security-settings/roles/security-settings/tasks/pam.yml b/ansible/01_old/security-settings/roles/security-settings/tasks/pam.yml
new file mode 100755
index 0000000..ae1c637
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/tasks/pam.yml
@@ -0,0 +1,50 @@
+---
+- name: Add pam_tally2.so
+ template:
+ src: common-auth.j2
+ dest: /etc/pam.d/common-auth
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Create pwquality.conf password complexity configuration
+ block:
+ - apt:
+ name: libpam-pwquality
+ state: present
+ install_recommends: false
+ - template:
+ src: pwquality.conf.j2
+ dest: /etc/security/pwquality.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Add pam_tally2.so
+ block:
+ - lineinfile:
+ dest: /etc/pam.d/common-account
+ regexp: '^account\srequisite'
+ line: "account requisite pam_deny.so"
+
+ - lineinfile:
+ dest: /etc/pam.d/common-account
+ regexp: '^account\srequired'
+ line: "account required pam_tally2.so"
+
+- name: password reuse is limited
+ lineinfile:
+ dest: /etc/pam.d/common-password
+ line: "password required pam_pwhistory.so remember=5"
+
+- name: password hashing algorithm is SHA-512
+ lineinfile:
+ dest: /etc/pam.d/common-password
+ regexp: '^password\s+\[success'
+ line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+- name: Shadow Password Suite Parameters
+ lineinfile:
+ dest: /etc/pam.d/common-password
+ regexp: '^password\s+\[success'
+ line: "password [success=1 default=ignore] pam_unix.so sha512"
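Review bot: `include:` is the legacy task keyword that was removed in ansible-core 2.16, so this file will not load on a current controller; `import_tasks:` is the drop-in replacement and keeps the `tags` applying to the included tasks (with `include_tasks` they would need `apply`). The included files call `apt` and template Debian-layout PAM files (`common-auth`, `common-password`), but nothing here guards on `ansible_facts['os_family'] == 'Debian'` the way the newer security_settings role does, so running this role against a non-Debian host fails midway after some hardening has already been applied.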
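Review bot: `pam_tally2.so` was removed upstream in Linux-PAM 1.5 and is absent on Debian 12 and Ubuntu 24.04, so templating `auth required pam_tally2.so` into common-auth on such hosts fails every authentication, including the dev2-iac login the playbook itself depends on; gate these tasks on the module's presence or move to `pam_faillock`. The `password required pam_pwhistory.so remember=5` line is appended to the end of common-password, after the `pam_unix.so` line that performs the change, so it can record history but never reject a reused password; it needs to precede `pam_unix` (`insertbefore: '^password\s+\[success=1'`). `remember=5` also disagrees with `passhistory: 2` in defaults, which nothing reads. The tasks 'password hashing algorithm is SHA-512' and 'Shadow Password Suite Parameters' are byte-identical duplicates.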
diff --git a/ansible/01_old/security-settings/roles/security-settings/tasks/profile.yml b/ansible/01_old/security-settings/roles/security-settings/tasks/profile.yml
new file mode 100755
index 0000000..fb1b456
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/tasks/profile.yml
@@ -0,0 +1,24 @@
+---
+- name: Set session timeout
+ lineinfile:
+ dest: /etc/profile
+ regexp: '^TMOUT=.*'
+ insertbefore: '^readonly TMOUT'
+ line: 'TMOUT={{shell_timeout}}'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set TMOUT readonly
+ lineinfile:
+ dest: /etc/profile
+ regexp: '^readonly TMOUT'
+ insertafter: 'TMOUT={{shell_timeout}}'
+ line: 'readonly TMOUT'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set export TMOUT
+ lineinfile:
+ dest: /etc/profile
+ regexp: '^export TMOUT.*'
+ insertafter: 'readonly TMOUT'
+ line: 'export TMOUT'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
diff --git a/ansible/01_old/security-settings/roles/security-settings/tasks/sshd_config.yml b/ansible/01_old/security-settings/roles/security-settings/tasks/sshd_config.yml
new file mode 100755
index 0000000..6b9f7a3
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/tasks/sshd_config.yml
@@ -0,0 +1,30 @@
+---
+- name: Configure ssh root login to {{sshrootlogin}}
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?PermitRootLogin.*'
+ line: 'PermitRootLogin {{sshrootlogin}}'
+ insertbefore: '^Match.*'
+ state: present
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart sshd
+
+- name: SSH Listen on Main Port
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ insertbefore: '^#*AddressFamily'
+ line: 'Port {{sshmainport}}'
+ state: present
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart sshd
+
+- name: "Setting sshd allow users"
+ template:
+ src: allow_users.j2
+ dest: "/etc/ssh/sshd_config.d/allow_users.conf"
+ notify: restart sshd
+
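Review bot: None of the three sshd edits pass `validate: '/usr/sbin/sshd -t -f %s'`, so a bad value or a rendering error in `allow_users.conf` is written to disk and then the `restart sshd` handler fires, which can lock every host out of SSH in one run. The `Port {{sshmainport}}` task has no `regexp`, so a later change of `sshmainport` appends a second `Port` line rather than replacing the first; use `regexp: '^#?Port\s'`. `/etc/ssh/sshd_config.d/allow_users.conf` only takes effect where sshd_config carries `Include /etc/ssh/sshd_config.d/*.conf` (Ubuntu 20.04+, Debian 12), and because `AllowUsers` accumulates across files any pre-existing `AllowUsers` in the main file still applies alongside it.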
diff --git a/ansible/01_old/security-settings/roles/security-settings/tasks/sudoers.yml b/ansible/01_old/security-settings/roles/security-settings/tasks/sudoers.yml new file mode 100755 index 0000000..4be28c0 --- /dev/null +++ b/ansible/01_old/security-settings/roles/security-settings/tasks/sudoers.yml 
@@ -0,0 +1,94 @@
+---
+- name: "Create devops group"
+ ansible.builtin.group:
+ name: "devops"
+ state: present
+
+- name: "get current users"
+ shell: "cat /etc/passwd | egrep -iv '(false|nologin|sync|root|dev2-iac)' | awk -F: '{print $1}'"
+ register: deleting_users
+
+- name: "Delete users"
+ ansible.builtin.user:
+ name: "{{ item }}"
+ state: absent
+ remove: yes
+ with_items: "{{ deleting_users.stdout_lines }}"
+ when: item != ansible_user
+ ignore_errors: true
+
+- name: "Create admin user"
+ ansible.builtin.user:
+ name: "{{ item.name }}"
+ group: "devops"
+ shell: "/bin/bash"
+ system: yes
+ state: present
+ with_items: "{{ admin_users }}"
+ when:
+ - item.name is defined
+ ignore_errors: true
+
+- name: "admin user password change"
+ user:
+ name: "{{ item.name }}"
+ password: "{{ password | password_hash('sha512') }}"
+ state: present
+ with_items: "{{ admin_users }}"
+ when:
+ - item.name is defined
+ ignore_errors: true
+
+- name: "Add admin user key"
+ authorized_key:
+ user: "{{ item.name }}"
+ state: present
+ key: "{{ item.key }}"
+ with_items: "{{ admin_users }}"
+ when:
+ - item.name is defined
+ - item.key is defined
+ - common_user is defined
+ ignore_errors: true
+
+- name: "Create common user"
+ ansible.builtin.user:
+ name: "{{ item.name }}"
+ group: "users"
+ shell: "/bin/bash"
+ system: yes
+ state: present
+ with_items: "{{ allow_users }}"
+ when:
+ - item.name is defined
+ - common_user is defined
+ ignore_errors: true
+
+- name: "Change common user password change"
+ user:
+ name: "{{ item.name }}"
+ password: "{{ password | password_hash('sha512') }}"
+ state: present
+ with_items: "{{ allow_users }}"
+ when:
+ - item.name is defined
+ - common_user is defined
+ ignore_errors: true
+
+- name: "Add common user key"
+ authorized_key:
+ user: "{{ item.name }}"
+ state: present
+ key: "{{ item.key }}"
+ with_items: "{{ allow_users }}"
+ when:
+ - item.name is defined
+ - item.key is defined
+ - common_user is defined
+ ignore_errors: true
+
+- name: "Setting sudoers allow users"
+ template:
+ src: sudoers_users.j2
+ dest: "/etc/sudoers.d/sudoers_users"
+ ignore_errors: true
diff --git a/ansible/01_old/security-settings/roles/security-settings/templates/allow_users.j2 b/ansible/01_old/security-settings/roles/security-settings/templates/allow_users.j2
new file mode 100755
index 0000000..fab55dc
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/templates/allow_users.j2
@@ -0,0 +1,11 @@
+AllowUsers dev2-iac@10.10.43.*
+{% if admin_users is defined %}
+{% for user in admin_users %}
+AllowUsers {{ user.name }}@{{ user.ip }}
+{% endfor %}
+{% endif %}
+{% if allow_users is defined %}
+{% for user in allow_users %}
+AllowUsers {{ user.name }}@{{ user.ip }}
+{% endfor %}
+{% endif %}
diff --git a/ansible/01_old/security-settings/roles/security-settings/templates/common-auth.j2 b/ansible/01_old/security-settings/roles/security-settings/templates/common-auth.j2
new file mode 100755
index 0000000..64a603b
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/templates/common-auth.j2
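Review bot: The 'Delete users' task removes, with `remove: yes`, every account whose whole `/etc/passwd` line fails to contain `false|nologin|sync|root|dev2-iac`, so any human or service account with a real shell that is not in `admin_users`/`allow_users` is deleted together with its home directory, and because `egrep` is applied to the full line the filter also keys on GECOS or home-path text rather than the shell field. A safer selection is `awk -F: '$7 !~ /(false|nologin)/ && $3 >= 1000 {print $1}'` combined with an explicit allow-list, and a destructive step like this should not carry `ignore_errors: true`. `when: common_user is defined` is always true because defaults/main.yml defines `common_user: False`; the intended test is `common_user | bool`. Every task in the file is `ignore_errors: true`, so a failed `authorized_key` or password change is lost in the output on a host that then keeps whatever access it had. The final template task should add `mode: 0440` and `validate: 'visudo -cf %s'` so a syntax error cannot disable sudo for all users.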
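Review bot: Each entry renders `{{ user.ip }}` unconditionally, so an `admin_users`/`allow_users` item without an `ip` key aborts the template after the sudoers tasks have already created the account, leaving a user with sudo rights but no SSH allow entry. Either require `ip` in the task `when:` clauses or default it with `{{ user.name }}@{{ user.ip | default('*') }}`, bearing in mind that `*` drops the source-address restriction. The hardcoded `AllowUsers dev2-iac@10.10.43.*` automation entry should come from a variable so the role is not tied to this subnet.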
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+auth required pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+auth required pam_permit.so
+# since the modules above will each just jump around
+# and here are more per-package modules (the "Additional" block)
+auth optional pam_cap.so
+# end of pam-auth-update config
diff --git a/ansible/01_old/security-settings/roles/security-settings/templates/pwquality.conf.j2 b/ansible/01_old/security-settings/roles/security-settings/templates/pwquality.conf.j2
new file mode 100755
index 0000000..3ec2cbe
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/templates/pwquality.conf.j2
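Review bot: `auth [success=1 default=ignore] pam_unix.so nullok` keeps `nullok`, which lets an account with an empty password field authenticate; a hardening template should drop that option (`auth [success=1 default=ignore] pam_unix.so`). `even_deny_root` combined with `onerr=fail` and this role's `unlock_time: 300` means repeated bad attempts against root keep root locked on the console too, which is a deliberate trade-off but one worth stating in a comment or softening with `root_unlock_time`. The file replaces a pam-auth-update managed configuration, so the next `pam-auth-update` run (for example on a libpam upgrade) silently reverts it; the Debian-native route is a profile under `/usr/share/pam-configs/`.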
@@ -0,0 +1,50 @@
+# Configuration for systemwide password quality limits
+# Defaults:
+#
+# Number of characters in the new password that must not be present in the
+# old password.
+# difok = 5
+#
+# Minimum acceptable size for the new password (plus one if
+# credits are not disabled which is the default). (See pam_cracklib manual.)
+# Cannot be set to lower value than 6.
+minlen = {{pwquality_minlen}}
+#
+# The maximum credit for having digits in the new password. If less than 0
+# it is the minimum number of digits in the new password.
+dcredit = {{pwquality_dcredit}}
+#
+# The maximum credit for having uppercase characters in the new password.
+# If less than 0 it is the minimum number of uppercase characters in the new
+# password.
+ucredit = {{pwquality_ucredit}}
+#
+# The maximum credit for having lowercase characters in the new password.
+# If less than 0 it is the minimum number of lowercase characters in the new
+# password.
+lcredit = {{pwquality_lcredit}}
+#
+# The maximum credit for having other characters in the new password.
+# If less than 0 it is the minimum number of other characters in the new
+# password.
+ocredit = {{pwquality_ocredit}}
+#
+# The minimum number of required classes of characters for the new
+# password (digits, uppercase, lowercase, others).
+# minclass = 0
+#
+# The maximum number of allowed consecutive same characters in the new password.
+# The check is disabled if the value is 0.
+maxrepeat = {{pwquality_maxrepeat}}
+#
+# The maximum number of allowed consecutive characters of the same class in the
+# new password.
+# The check is disabled if the value is 0.
+# maxclassrepeat = 0
+#
+# Whether to check for the words from the passwd entry GECOS string of the user.
+# The check is enabled if the value is not 0.
+# gecoscheck = 0
+#
+# Path to the cracklib dictionaries. Default is to use the cracklib default.
+# dictpath =
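Review bot: The template never sets `enforce_for_root`, so the complexity rules bind only non-root password changes, and root (or an admin via sudo) can still set a weak password; add `enforce_for_root` if the policy is meant to be universal. Note also that passwords set by this role through the `user` module bypass PAM entirely, so nothing here constrains the shared `saasadmin1234` default. The header comment points at the pam_cracklib manual; `pam_pwquality(8)` and `pwquality.conf(5)` are the pages that apply to this file.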
diff --git a/ansible/01_old/security-settings/roles/security-settings/templates/sudoers_users.j2 b/ansible/01_old/security-settings/roles/security-settings/templates/sudoers_users.j2
new file mode 100755
index 0000000..4c30d95
--- /dev/null
+++ b/ansible/01_old/security-settings/roles/security-settings/templates/sudoers_users.j2
@@ -0,0 +1,6 @@
+dev2-iac ALL=(ALL) NOPASSWD: ALL
+{% if allow_users is defined %}
+{% for user in admin_users %}
+{{ user.name }} ALL=(ALL) NOPASSWD: ALL
+{% endfor %}
+{% endif %}
diff --git a/ansible/01_old/security-settings/server-settings.yml b/ansible/01_old/security-settings/server-settings.yml
new file mode 100644
index 0000000..7a7cabd
--- /dev/null
+++ b/ansible/01_old/security-settings/server-settings.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ become: true
+ gather_facts: true
+ roles:
+ - role: security-settings
diff --git a/ansible/01_old/security-settings/teleport b/ansible/01_old/security-settings/teleport
new file mode 100755
index 0000000..270f7a4
--- /dev/null
+++ b/ansible/01_old/security-settings/teleport
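Review bot: The guard `{% if allow_users is defined %}` wraps a loop over `admin_users`, so a run that defines `allow_users` but not `admin_users` fails to render with an undefined-variable error, while a run that defines only `admin_users` writes no sudo entries for them; the guard should read `{% if admin_users is defined %}`. Every listed user receives `ALL=(ALL) NOPASSWD: ALL`, which removes the re-authentication step that the tally and pwquality settings in this same role are trying to enforce; consider dropping `NOPASSWD` for human admins and keeping it only for the `dev2-iac` automation account. Pair the template with `validate: 'visudo -cf %s'` in the task so a rendering mistake cannot break sudo on the host.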
@@ -0,0 +1,65 @@ +[prod-demo-master] +10.10.43.100 ansible_port=2222 ansible_user=dev2 + +[prod-demo-worker] +10.10.43.101 ansible_port=2222 ansible_user=dev2 + +[dev-demo-master] +10.10.43.105 ansible_port=2222 ansible_user=dev2 + +[dev-demo-worker] +10.10.43.106 ansible_port=2222 ansible_user=dev2 + +[saas_mgmt_master] +10.10.43.240 ansible_port=2222 ansible_user=dev2 + +[saas_mgmt_node] +10.10.43.[241:243] ansible_port=2222 ansible_user=dev2 + +[dsk_dev_master] +10.10.43.[111:113] ansible_port=2222 ansible_user=dev2 + +[dsk_dev_node] +10.10.43.[114:153] ansible_port=2222 ansible_user=dev2 + +[bastion] +10.10.43.43 ansible_port=2222 ansible_user=havelight + +[agent_host] +10.10.43.177 ansible_port=2222 ansible_user=dev2 +10.10.43.178 ansible_port=2222 ansible_user=dev2 +10.10.43.179 ansible_port=2222 ansible_user=dev2 +10.10.43.180 ansible_port=2222 ansible_user=dev2 +10.10.43.181 ansible_port=2222 ansible_user=dev2 +10.10.43.182 ansible_port=2222 ansible_user=dev2 + +[agent_cri_master] +10.10.43.185 ansible_port=2222 ansible_user=dev2 + +[agent_cri_worker] +10.10.43.186 ansible_port=2222 ansible_user=dev2 +10.10.43.187 ansible_port=2222 ansible_user=dev2 +10.10.43.188 ansible_port=2222 ansible_user=dev2 + +[agent_middleware_master] +10.10.43.189 ansible_port=2222 ansible_user=dev2 + +[agent_middleware_worker] +10.10.43.190 ansible_port=2222 ansible_user=dev2 +10.10.43.191 ansible_port=2222 ansible_user=dev2 +10.10.43.192 ansible_port=2222 ansible_user=dev2 +10.10.43.193 ansible_port=2222 ansible_user=dev2 +10.10.43.194 ansible_port=2222 ansible_user=dev2 +10.10.43.199 ansible_port=2222 ansible_user=dev2 + +[all:children] +saas_mgmt_master +saas_mgmt_node +dsk_dev_master +dsk_dev_node +bastion +agent_host +agent_cri_master +agent_cri_worker +agent_middleware_master +agent_middleware_worker diff --git a/ansible/01_old/security-settings/teleport_etc b/ansible/01_old/security-settings/teleport_etc new file mode 100755 index 0000000..1ecee08 --- /dev/null 
+++ b/ansible/01_old/security-settings/teleport_etc @@ -0,0 +1,31 @@ +[all] +10.10.43.195 ansible_user=dev2 ansible_port=2222 +10.10.43.196 ansible_user=dev2 ansible_port=2222 +10.10.43.197 ansible_user=dev2 ansible_port=2222 +10.10.43.200 ansible_user=dev2 ansible_port=2222 +10.10.43.201 ansible_user=dev2 ansible_port=2222 +10.10.43.202 ansible_user=dev2 ansible_port=2222 +10.10.43.203 ansible_user=dev2 ansible_port=2222 +10.10.43.204 ansible_user=dev2 ansible_port=2222 +10.10.43.205 ansible_user=dev2 ansible_port=2222 +10.10.43.206 ansible_user=dev2 ansible_port=2222 +10.10.43.207 ansible_user=dev2 ansible_port=2222 +10.10.43.208 ansible_user=dev2 ansible_port=2222 +10.10.43.210 ansible_user=dev2 ansible_port=2222 +10.10.43.211 ansible_user=dev2 ansible_port=2222 +10.10.43.212 ansible_user=dev2 ansible_port=2222 +10.10.43.213 ansible_user=dev2 ansible_port=2222 +10.10.43.214 ansible_user=dev2 ansible_port=2222 +10.10.43.215 ansible_user=dev2 ansible_port=2222 +10.10.43.216 ansible_user=dev2 ansible_port=2222 +10.10.43.217 ansible_user=dev2 ansible_port=2222 +10.10.43.218 ansible_user=dev2 ansible_port=2222 +10.10.43.224 ansible_user=dev2 ansible_port=2222 +10.10.43.225 ansible_user=dev2 ansible_port=2222 +10.10.43.226 ansible_user=dev2 ansible_port=2222 +10.10.43.227 ansible_user=dev2 ansible_port=2222 +10.10.43.228 ansible_user=dev2 ansible_port=2222 +10.10.43.230 ansible_user=dev2 ansible_port=2222 +10.10.43.235 ansible_user=dev2 ansible_port=2222 +10.10.43.236 ansible_user=dev2 ansible_port=2222 +10.10.43.252 ansible_user=dev2 ansible_port=2222 diff --git a/ansible/infra_setting/inventory b/ansible/infra_setting/inventory index 67052d2..2df7e76 100644 --- a/ansible/infra_setting/inventory +++ b/ansible/infra_setting/inventory 
@@ -1,31 +1,31 @@ [all] -10.10.43.195 -10.10.43.196 -10.10.43.197 -10.10.43.200 -10.10.43.201 -10.10.43.202 -10.10.43.203 -10.10.43.204 -10.10.43.205 -10.10.43.206 -10.10.43.207 -10.10.43.208 -10.10.43.210 -10.10.43.211 -10.10.43.212 -10.10.43.213 -10.10.43.214 -10.10.43.215 -10.10.43.216 -10.10.43.217 -10.10.43.218 -10.10.43.224 -10.10.43.225 -10.10.43.226 -10.10.43.227 -10.10.43.228 -10.10.43.230 -10.10.43.235 -10.10.43.236 -10.10.43.252 +10.10.43.195 ansible_user=dev2-iac ansible_port=2222 +10.10.43.196 ansible_user=dev2-iac ansible_port=2222 +10.10.43.197 ansible_user=dev2-iac ansible_port=2222 +10.10.43.200 ansible_user=dev2-iac ansible_port=2222 +10.10.43.201 ansible_user=dev2-iac ansible_port=2222 +10.10.43.202 ansible_user=dev2-iac ansible_port=2222 +10.10.43.203 ansible_user=dev2-iac ansible_port=2222 +10.10.43.204 ansible_user=dev2-iac ansible_port=2222 +10.10.43.205 ansible_user=dev2-iac ansible_port=2222 +10.10.43.206 ansible_user=dev2-iac ansible_port=2222 +10.10.43.207 ansible_user=dev2-iac ansible_port=2222 +10.10.43.208 ansible_user=dev2-iac ansible_port=2222 +10.10.43.210 ansible_user=dev2-iac ansible_port=2222 +10.10.43.211 ansible_user=dev2-iac ansible_port=2222 +10.10.43.212 ansible_user=dev2-iac ansible_port=2222 +10.10.43.213 ansible_user=dev2-iac ansible_port=2222 +10.10.43.214 ansible_user=dev2-iac ansible_port=2222 +10.10.43.215 ansible_user=dev2-iac ansible_port=2222 +10.10.43.216 ansible_user=dev2-iac ansible_port=2222 +10.10.43.217 ansible_user=dev2-iac ansible_port=2222 +10.10.43.218 ansible_user=dev2-iac ansible_port=2222 +10.10.43.224 ansible_user=dev2-iac ansible_port=2222 +10.10.43.225 ansible_user=dev2-iac ansible_port=2222 +10.10.43.226 ansible_user=dev2-iac ansible_port=2222 +10.10.43.227 ansible_user=dev2-iac ansible_port=2222 +10.10.43.228 ansible_user=dev2-iac ansible_port=2222 +10.10.43.230 ansible_user=dev2-iac ansible_port=2222 +10.10.43.235 ansible_user=dev2-iac ansible_port=2222 +10.10.43.236 ansible_user=dev2-iac 
ansible_port=2222 +10.10.43.252 ansible_user=dev2-iac ansible_port=2222 \ No newline at end of file diff --git a/ansible/security_check/ansible.cfg b/ansible/security_check/ansible.cfg index 60b9f33..e905676 100644 --- a/ansible/security_check/ansible.cfg +++ b/ansible/security_check/ansible.cfg @@ -6,5 +6,4 @@ deprecation_warnings = false display_skipped_hosts = no ansible_home = . stdout_callback = debug -host_key_checking = false - +host_key_checking = false \ No newline at end of file diff --git a/ansible/security_check/roles/security_check/files/ubuntu.sh b/ansible/security_check/roles/security_check/files/ubuntu.sh index 3dfd70d..be1ab34 100644 --- a/ansible/security_check/roles/security_check/files/ubuntu.sh +++ b/ansible/security_check/roles/security_check/files/ubuntu.sh @@ -3617,7 +3617,7 @@ echo "# echo "##############################################################################" >> $resultfile 2>&1 U_01 # root 계정 원격 접속 제한 -# U_02 # 랜덤 패스워드를 사용중이라 제외 +U_02 # 랜덤 패스워드를 사용중이라 제외 U_03 # 계정 잠금 임계값 설정 U_04 # 패스워드 파일 보호 U_05 # root 홈, 패스 디렉터리 권한 및 패스 설정 @@ -3702,4 +3702,4 @@ echo " ★ 양호 개수 = `cat $resultfile | grep echo " ☆ N/A 개수 = `cat $resultfile | grep '결과 : N/A' | wc -l`" >> $resultfile 2>&1 echo "" >> $resultfile 2>&1 echo "==============================================================================" >> $resultfile 2>&1 -echo "" >> $resultfile 2>&1 \ No newline at end of file +echo "" >> $resultfile 2>&1 diff --git a/ansible/security_check/server_check.yml b/ansible/security_check/server_check.yml index 1435aac..3d2fbd3 100644 --- a/ansible/security_check/server_check.yml +++ b/ansible/security_check/server_check.yml @@ -6,4 +6,4 @@ git_user: sa_8001 git_key: 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 roles: - - role: security_check + - role: security_check \ No newline at end of file diff --git a/ansible/security_settings/ansible.cfg b/ansible/security_settings/ansible.cfg new file mode 100644 index 0000000..e905676 --- /dev/null 
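Review bot: Re-enabling `U_02` leaves the trailing comment `# 랜덤 패스워드를 사용중이라 제외` ("excluded because random passwords are in use"), which now states the opposite of what the line does; update it to say why the check is back in scope, e.g. `U_02 # 패스워드 복잡도 설정 점검 (재활성화)`. The surrounding list of check invocations continues outside the hunk.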
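Review bot: `git_key: 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` in server_check.yml is a GitHub personal access token committed in cleartext; the hunk only fixes the trailing newline and does not introduce it, but it is in repository history and should be revoked and rotated, then supplied via Ansible Vault or `git_key: "{{ lookup('env', 'GIT_KEY') }}"`. The play header that holds these vars starts outside the hunk.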
+++ b/ansible/security_settings/ansible.cfg
@@ -0,0 +1,9 @@
+[defaults]
+become = true
+inventory = checklist
+roles_path = roles
+deprecation_warnings = false
+display_skipped_hosts = no
+ansible_home = .
+stdout_callback = debug
+host_key_checking = false
\ No newline at end of file
diff --git a/ansible/security_settings/inventory b/ansible/security_settings/inventory
new file mode 100644
index 0000000..1c3c0ad
--- /dev/null
+++ b/ansible/security_settings/inventory
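Review bot: `host_key_checking = false` disables SSH host-key verification for every host this playbook touches, so a spoofed host or an on-path attacker on the 10.10.43.0/24 segment can harvest the `dev2-iac` credentials and the `become` session for the whole fleet. Pre-populate a known_hosts file for the managed hosts and remove this line, or at least confine it to a throwaway lab inventory. `inventory = checklist` points at a file that does not exist in this directory (the file added alongside is `inventory`), so a run without `-i` falls back to an implicit localhost and applies the role to the controller.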
@@ -0,0 +1,30 @@
+[all]
+10.10.43.195 ansible_user=dev2-iac ansible_port=2222
+10.10.43.196 ansible_user=dev2-iac ansible_port=2222
+10.10.43.197 ansible_user=dev2-iac ansible_port=2222
+10.10.43.200 ansible_user=dev2-iac ansible_port=2222
+10.10.43.201 ansible_user=dev2-iac ansible_port=2222
+10.10.43.202 ansible_user=dev2-iac ansible_port=2222
+10.10.43.203 ansible_user=dev2-iac ansible_port=2222
+10.10.43.204 ansible_user=dev2-iac ansible_port=2222
+10.10.43.205 ansible_user=dev2-iac ansible_port=2222
+10.10.43.206 ansible_user=dev2-iac ansible_port=2222
+10.10.43.207 ansible_user=dev2-iac ansible_port=2222
+10.10.43.208 ansible_user=dev2-iac ansible_port=2222
+10.10.43.210 ansible_user=dev2-iac ansible_port=2222
+10.10.43.211 ansible_user=dev2-iac ansible_port=2222
+10.10.43.212 ansible_user=dev2-iac ansible_port=2222
+10.10.43.213 ansible_user=dev2-iac ansible_port=2222
+10.10.43.214 ansible_user=dev2-iac ansible_port=2222
+10.10.43.215 ansible_user=dev2-iac ansible_port=2222
+10.10.43.216 ansible_user=dev2-iac ansible_port=2222
+10.10.43.217 ansible_user=dev2-iac ansible_port=2222
+10.10.43.218 ansible_user=dev2-iac ansible_port=2222
+10.10.43.224 ansible_user=dev2-iac ansible_port=2222
+10.10.43.225 ansible_user=dev2-iac ansible_port=2222
+10.10.43.226 ansible_user=dev2-iac ansible_port=2222
+10.10.43.227 ansible_user=dev2-iac ansible_port=2222
+10.10.43.228 ansible_user=dev2-iac ansible_port=2222
+10.10.43.235 ansible_user=dev2-iac ansible_port=2222
+10.10.43.236 ansible_user=dev2-iac ansible_port=2222
+10.10.43.252 ansible_user=dev2-iac ansible_port=2222
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/handlers/main.yml b/ansible/security_settings/roles/security_settings/handlers/main.yml
new file mode 100644
index 0000000..f4e607b
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Reload systemd configuration
+ ansible.builtin.systemd:
+ daemon_reload: True
+
+- name: restart sshd
+ service:
+ name: sshd
+ state: restarted
+ enabled: true
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml b/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml
new file mode 100644
index 0000000..587c1ff
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml
@@ -0,0 +1,8 @@
+---
+- name: Setting EXEM Banner (Debian)
+ template:
+ src: banner.j2
+ dest: /etc/update-motd.d/00-header
+ mode: 0755
+ owner: root
+ group: root
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/tasks/main.yml b/ansible/security_settings/roles/security_settings/tasks/main.yml
new file mode 100644
index 0000000..1057473
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- include: debian_setting_banner.yml
+ when: ansible_facts['os_family'] == 'Debian'
+
+- include: setting_root_ssh.yml
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/tasks/setting_root_ssh.yml b/ansible/security_settings/roles/security_settings/tasks/setting_root_ssh.yml
new file mode 100644
index 0000000..ca725d1
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/tasks/setting_root_ssh.yml
@@ -0,0 +1,11 @@
+- name: Configure ssh root login to no
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?PermitRootLogin.*'
+ line: 'PermitRootLogin no'
+ insertbefore: '^Match.*'
+ state: present
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart sshd
\ No newline at end of file
diff --git a/ansible/security_settings/roles/security_settings/templates/banner.j2 b/ansible/security_settings/roles/security_settings/templates/banner.j2
new file mode 100644
index 0000000..d2cfb42
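Review bot: The `restart sshd` handler addresses the unit as `sshd`, but on Debian-family hosts — the family the banner task in this role targets — the unit is `ssh`, and `sshd` resolves only through the `sshd.service` alias that exists once the `ssh` unit has been enabled, so the handler can fail right after sshd_config was rewritten. Choosing the name from facts avoids that, e.g. `name: "{{ 'ssh' if ansible_facts['os_family'] == 'Debian' else 'sshd' }}"`. The `Reload systemd configuration` handler in the same file is not notified by any task this commit adds; a one-line comment saying which future task it is meant for, or its removal, would keep the file honest.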
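Review bot: `- include:` in tasks/main.yml is the legacy bare `include` action, deprecated since Ansible 2.4 and removed in ansible-core 2.16, so on a current control node both entries fail with an unknown-action error before any hardening runs. Use `- include_tasks: debian_setting_banner.yml` (dynamic, so the `when:` on the next line keeps its meaning) and `- include_tasks: setting_root_ssh.yml`, or `import_tasks` if static inclusion is preferred.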
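Review bot: The `lineinfile` task in setting_root_ssh.yml rewrites sshd_config without `validate`, so a malformed result leaves the notified `restart sshd` handler failing and no working sshd for new logins on all 30 hosts at once; add `validate: '/usr/sbin/sshd -t -f %s'` so the edit is checked before it is written. On releases whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` (Ubuntu 22.04 and later), a drop-in that sets `PermitRootLogin` takes precedence because sshd keeps the first value it reads, so matching `^(#)?PermitRootLogin.*` in the main file does not guarantee the effective setting is `no`; either manage an early drop-in in that directory as well or have the security_check role verify the effective value with `sshd -T`. `mode: 0640` is the unquoted octal form Ansible accepts, but `'0640'` is the form ansible-lint expects.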
--- /dev/null
+++ b/ansible/security_settings/roles/security_settings/templates/banner.j2
@@ -0,0 +1,18 @@
+#!/bin/sh
+echo "-------------------------------------------------------------------------------\n"
+echo " _╓g@DDKg╓_ \033[0;31m=╗╗╗╗,\033[0;0m \033[0;34m,╗╗╗╗╤\033[0;0m ,╔╗DDKg╔_ ╓g@DD╗╔_ ╓g@DD╗╔_"
+echo " ╓D╝╙\` \`╠╠H \033[0;31m╙╠╠╠╠▒\033[0;0m \033[0;34mÆ╬╬╬╬╩\033[0;0m _j╠╙\` 1╠R j╠R^ \`╙╠▒,j╠R^ \`╙╠▒,"
+echo " 1╠^ ,╠╝ \033[0;31m╝╠R\033[0;0m \033[0;34m╓▓╬╬╬╝\033[0;0m j╠H 1╠^ ╠╠ ╚╠H ╚╠H"
+echo "j╠⌐ j╠Γ \033[0;31m'\033[0;0m \033[0;34mÆ╬╬╬╬╙\033[0;0m ╠H ╔╠R ╠╠ ╠╠ ╠╠"
+echo "╠╠ ╒╠R \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m j╠H _D╝\` ╠╠ ╠╠ ╠╠"
+echo "'╠H 1╠^ .. \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m ╠D ╔╚╙ ╔_ ╠╠ ╠╠ ╠╠"
+echo " '╠▒╓░╙ _╔╔^ \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m ╚▒╓░╙ ╔░H ╠╠ ╠╠ ╠╠"
+echo " ⁿ╚╠K≥╔╔╔1▒╝^ \033[0;34m╒▓╬╬╬╩^\033[0;33m \`╣╣╣╣▓╕\033[0;0m \`╚╠▒g╔╔╔gD╝╙ ╠╠ ╠╠ ╠╠\n"
+echo "-------------------------------------------------------------------------------"
+echo ""
+echo " - 알 림 - "
+echo ""
+echo " 현재 접속하신 서버는 SaaS기술연구팀 개발 서버 입니다. "
+echo " 인가되지 않은 사용자의 접근, 수정 등 행위 시 처벌을 받을 수 있습니다. "
+echo ""
+echo "-------------------------------------------------------------------------------"
\ No newline at end of file
diff --git a/ansible/security_settings/security_settings.yml b/ansible/security_settings/security_settings.yml
new file mode 100644
index 0000000..624d10c
--- /dev/null
+++ b/ansible/security_settings/security_settings.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ become: true
+ gather_facts: true
+ roles:
+ - role: security_settings
diff --git a/ansible/teleport_setting/roles/teleport/templates/teleport.yaml.j2 b/ansible/teleport_setting/roles/teleport/templates/teleport.yaml.j2
index 180af28..764afc0 100644
--- a/ansible/teleport_setting/roles/teleport/templates/teleport.yaml.j2
+++ b/ansible/teleport_setting/roles/teleport/templates/teleport.yaml.j2
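Review bot: banner.j2 is installed as an `update-motd.d` script, so the unauthorised-access notice is shown only after a user has already authenticated; a notice intended to deter unauthorised access is normally presented before authentication through the sshd `Banner` directive, which the sshd_config task in this commit could set next to `PermitRootLogin`. The file contains no Jinja expressions, so `copy` with the same owner/mode would deploy it identically, and a comment at the top of the template saying it is deliberately static would help. Since it runs as a root-owned `/bin/sh` script at every login, the `\033` and `\n` escapes rely on dash's `echo` interpreting them, which holds on the Debian-family hosts the task is gated to but not where `/bin/sh` is bash.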
@@ -17,6 +17,9 @@ auth_service:
 enabled: "no"
 ssh_service:
 enabled: "yes"
+ pam:
+ enabled: true
+ service_name: "sshd"
 labels:
 ipaddr: {{ansible_default_ipv4.address}}
 group: {{ group_names[-1] }}
diff --git a/ansible/teleport_setting/teleport.yml b/ansible/teleport_setting/teleport.yml
index f35bffa..0afea7b 100644
--- a/ansible/teleport_setting/teleport.yml
+++ b/ansible/teleport_setting/teleport.yml
@@ -7,5 +7,5 @@
 teleport_uri: teleport.kr.datasaker.io
 # remove: True
 # custom_labels: 'user=havelight,company=exem'
- # update: True
- install: True
+ update: True
+ # install: True
diff --git a/ansible/teleport_setting/teleport_etc b/ansible/teleport_setting/teleport_etc
new file mode 100644
index 0000000..f5cfe40
--- /dev/null
+++ b/ansible/teleport_setting/teleport_etc
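Review bot: `service_name: "sshd"` makes Teleport run its PAM account and session phases through `/etc/pam.d/sshd`, so every module later added to the sshd stack (lockout, MOTD, limits) also applies to Teleport sessions and a misconfiguration there takes down both access paths at once; a dedicated stack such as `/etc/pam.d/teleport`, managed from this role, keeps the two decoupled. Enabling `pam` here does not by itself route authentication through PAM (that needs `use_pam_auth`), so the effect is session setup only — worth a one-line comment above `pam:` so the next reader does not assume password checks changed. The indentation of the three added lines relative to `ssh_service` cannot be checked in this collapsed view; `pam` must be a sibling of `labels`.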
@@ -0,0 +1,31 @@
+[all]
+#10.10.43.195 ansible_user=dev2 ansible_port=2222
+#10.10.43.196 ansible_user=dev2 ansible_port=2222
+#10.10.43.197 ansible_user=dev2 ansible_port=2222
+10.10.43.200 ansible_user=dev2 ansible_port=2222
+10.10.43.201 ansible_user=dev2 ansible_port=2222
+10.10.43.202 ansible_user=dev2 ansible_port=2222
+10.10.43.203 ansible_user=dev2 ansible_port=2222
+10.10.43.204 ansible_user=dev2 ansible_port=2222
+10.10.43.205 ansible_user=dev2 ansible_port=2222
+10.10.43.206 ansible_user=dev2 ansible_port=2222
+10.10.43.207 ansible_user=dev2 ansible_port=2222
+10.10.43.208 ansible_user=dev2 ansible_port=2222
+10.10.43.210 ansible_user=dev2 ansible_port=2222
+10.10.43.211 ansible_user=dev2 ansible_port=2222
+10.10.43.212 ansible_user=dev2 ansible_port=2222
+10.10.43.213 ansible_user=dev2 ansible_port=2222
+10.10.43.214 ansible_user=dev2 ansible_port=2222
+10.10.43.215 ansible_user=dev2 ansible_port=2222
+10.10.43.216 ansible_user=dev2 ansible_port=2222
+10.10.43.217 ansible_user=dev2 ansible_port=2222
+10.10.43.218 ansible_user=dev2 ansible_port=2222
+#10.10.43.224 ansible_user=dev2 ansible_port=2222
+#10.10.43.225 ansible_user=dev2 ansible_port=2222
+#10.10.43.226 ansible_user=dev2 ansible_port=2222
+#10.10.43.227 ansible_user=dev2 ansible_port=2222
+#10.10.43.228 ansible_user=dev2 ansible_port=2222
+#10.10.43.230 ansible_user=dev2 ansible_port=2222
+#10.10.43.235 ansible_user=dev2 ansible_port=2222
+#10.10.43.236 ansible_user=dev2 ansible_port=2222
+#10.10.43.252 ansible_user=dev2 ansible_port=2222