체크 항목 수정

2024-01-10 11:38:51 +09:00
parent 9ede2d3731
commit c58e7a5caf
36 changed files with 766 additions and 37 deletions
--- a/ansible/security_settings/ansible.cfg
+++ b/ansible/security_settings/ansible.cfg
@@ -0,0 +1,9 @@
+[defaults]
+become = true
+inventory = checklist
+roles_path = roles
+deprecation_warnings = false
+display_skipped_hosts = no
+ansible_home = .
+stdout_callback = debug
+host_key_checking = false
--- a/ansible/security_settings/inventory
+++ b/ansible/security_settings/inventory
@@ -0,0 +1,30 @@
+[all]
+10.10.43.195 ansible_user=dev2-iac ansible_port=2222
+10.10.43.196 ansible_user=dev2-iac ansible_port=2222
+10.10.43.197 ansible_user=dev2-iac ansible_port=2222
+10.10.43.200 ansible_user=dev2-iac ansible_port=2222
+10.10.43.201 ansible_user=dev2-iac ansible_port=2222
+10.10.43.202 ansible_user=dev2-iac ansible_port=2222
+10.10.43.203 ansible_user=dev2-iac ansible_port=2222
+10.10.43.204 ansible_user=dev2-iac ansible_port=2222
+10.10.43.205 ansible_user=dev2-iac ansible_port=2222
+10.10.43.206 ansible_user=dev2-iac ansible_port=2222
+10.10.43.207 ansible_user=dev2-iac ansible_port=2222
+10.10.43.208 ansible_user=dev2-iac ansible_port=2222
+10.10.43.210 ansible_user=dev2-iac ansible_port=2222
+10.10.43.211 ansible_user=dev2-iac ansible_port=2222
+10.10.43.212 ansible_user=dev2-iac ansible_port=2222
+10.10.43.213 ansible_user=dev2-iac ansible_port=2222
+10.10.43.214 ansible_user=dev2-iac ansible_port=2222
+10.10.43.215 ansible_user=dev2-iac ansible_port=2222
+10.10.43.216 ansible_user=dev2-iac ansible_port=2222
+10.10.43.217 ansible_user=dev2-iac ansible_port=2222
+10.10.43.218 ansible_user=dev2-iac ansible_port=2222
+10.10.43.224 ansible_user=dev2-iac ansible_port=2222
+10.10.43.225 ansible_user=dev2-iac ansible_port=2222
+10.10.43.226 ansible_user=dev2-iac ansible_port=2222
+10.10.43.227 ansible_user=dev2-iac ansible_port=2222
+10.10.43.228 ansible_user=dev2-iac ansible_port=2222
+10.10.43.235 ansible_user=dev2-iac ansible_port=2222
+10.10.43.236 ansible_user=dev2-iac ansible_port=2222
+10.10.43.252 ansible_user=dev2-iac ansible_port=2222
--- a/ansible/security_settings/roles/security_settings/handlers/main.yml
+++ b/ansible/security_settings/roles/security_settings/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Reload systemd configuration
+  ansible.builtin.systemd:
+    daemon_reload: True
+
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
+    enabled: true
--- a/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/debian_setting_banner.yml
@@ -0,0 +1,8 @@
+---
+- name: Setting EXEM Banner (Debian)
+  template:
+    src: banner.j2
+    dest: /etc/update-motd.d/00-header
+    mode: 0755
+    owner: root
+    group: root
--- a/ansible/security_settings/roles/security_settings/tasks/main.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- include: debian_setting_banner.yml
+  when: ansible_facts['os_family'] == 'Debian'
+
+- include: setting_root_ssh.yml
--- a/ansible/security_settings/roles/security_settings/tasks/setting_root_ssh.yml
+++ b/ansible/security_settings/roles/security_settings/tasks/setting_root_ssh.yml
@@ -0,0 +1,11 @@
+- name: Configure ssh root login to no
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitRootLogin.*'
+    line: 'PermitRootLogin no'
+    insertbefore: '^Match.*'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
--- a/ansible/security_settings/roles/security_settings/templates/banner.j2
+++ b/ansible/security_settings/roles/security_settings/templates/banner.j2
@@ -0,0 +1,18 @@
+#!/bin/sh
+echo "-------------------------------------------------------------------------------\n"
+echo  "    _╓g@DDKg╓_   \033[0;31m=╗╗╗╗,\033[0;0m     \033[0;34m,╗╗╗╗╤\033[0;0m    ,╔╗DDKg╔_        ╓g@DD╗╔_    ╓g@DD╗╔_"
+echo  "  ╓D╝╙\`    \`╠╠H   \033[0;31m╙╠╠╠╠▒\033[0;0m   \033[0;34mÆ╬╬╬╬╩\033[0;0m  _j╠╙\`     1╠R     j╠R^   \`╙╠▒,j╠R^   \`╙╠▒,"
+echo  " 1╠^      ,╠╝       \033[0;31m╝╠R\033[0;0m  \033[0;34m╓▓╬╬╬╝\033[0;0m   j╠H       1╠^     ╠╠         ╚╠H         ╚╠H"
+echo  "j╠⌐      j╠Γ         \033[0;31m'\033[0;0m  \033[0;34mÆ╬╬╬╬╙\033[0;0m    ╠H      ╔╠R       ╠╠          ╠╠          ╠╠"
+echo  "╠╠     ╒╠R            \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m    j╠H    _D╝\`        ╠╠          ╠╠          ╠╠"
+echo  "'╠H   1╠^      ..   \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m   ╠D   ╔╚╙       ╔_ ╠╠          ╠╠          ╠╠"
+echo  " '╠▒╓░╙      _╔╔^  \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m   ╚▒╓░╙       ╔░H  ╠╠          ╠╠          ╠╠"
+echo  "   ⁿ╚╠K≥╔╔╔1▒╝^  \033[0;34m╒▓╬╬╬╩^\033[0;33m   \`╣╣╣╣▓╕\033[0;0m  \`╚╠▒g╔╔╔gD╝╙    ╠╠          ╠╠          ╠╠\n"
+echo "-------------------------------------------------------------------------------"
+echo ""
+echo "                             - 알              림 -                             "
+echo ""
+echo " 현재 접속하신 서버는 SaaS기술연구팀 개발 서버 입니다.                                       "
+echo " 인가되지 않은 사용자의 접근, 수정 등 행위 시 처벌을 받을 수 있습니다.                         "
+echo ""
+echo "-------------------------------------------------------------------------------"
--- a/ansible/security_settings/security_settings.yml
+++ b/ansible/security_settings/security_settings.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+  become: true
+  gather_facts: true
+  roles:
+    - role: security_settings