체크 항목 수정

ByeonJungHun
2024-01-10 11:38:51 +09:00
parent 9ede2d3731
commit c58e7a5caf
36 changed files with 766 additions and 37 deletions


@@ -0,0 +1,8 @@
[defaults]
become = true
inventory = checklist
roles_path = roles
deprecation_warnings = false
display_skipped_hosts = no
ansible_home = .
stdout_callback = debug

Binary file not shown.


@@ -0,0 +1,46 @@
# Password aging settings
os_auth_pw_max_age: 90
os_auth_pw_min_age: 1
os_auth_pw_warn_age: 7
passhistory: 2
# Inactivity and Failed attempts lockout settings
fail_deny: 5
fail_unlock: 0
inactive_lock: 0
shell_timeout: 300
# tally settings
onerr: 'fail'
deny: 5
unlock_time: 300
# Password complexity settings
pwquality_minlen: 9
pwquality_maxrepeat: 3
pwquality_lcredit: -1
pwquality_ucredit: -1
pwquality_dcredit: -1
pwquality_ocredit: -1
# SSH settings
sshrootlogin: 'yes'
sshmainport: 22
ssh_service_name: sshd
# Crictl setup
crictl_app: crictl
crictl_version: 1.25.0
crictl_os: linux
crictl_arch: amd64
crictl_dl_url: https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/{{ crictl_app }}-v{{ crictl_version }}-{{ crictl_os }}-{{ crictl_arch }}.tar.gz
crictl_bin_path: /usr/local/bin
crictl_file_owner: root
crictl_file_group: root
# temp
username: root
password: saasadmin1234
# common user flag
common_user: False
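Review bot: `password: saasadmin1234` is a plaintext credential committed in role defaults, and the user tasks apply it to root and to every admin and common account; move it to an Ansible Vault variable (or require it through `vars_prompt`) and rotate the value, since it now sits in git history. `sshrootlogin: 'yes'` makes a hardening role enable remote root login by default, the opposite of the `PermitRootLogin no` the sibling role writes; default it to `'no'` or `'prohibit-password'`. `passhistory: 2`, `fail_unlock` and `inactive_lock` are declared but no task added in this commit reads them (pam.yml hardcodes `remember=5`), so either template them in or drop them. `common_user: False` should be the canonical lowercase `false`.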


@@ -0,0 +1,18 @@
#!/bin/sh
echo "-------------------------------------------------------------------------------\n"
echo " _╓g@DDKg╓_ \033[0;31m=╗╗╗╗,\033[0;0m \033[0;34m,╗╗╗╗╤\033[0;0m ,╔╗DDKg╔_ ╓g@DD╗╔_ ╓g@DD╗╔_"
echo " ╓D╝╙\` \`╠╠H \033[0;31m╙╠╠╠╠▒\033[0;0m \033[0;34mÆ╬╬╬╬╩\033[0;0m _j╠╙\` 1╠R j╠R^ \`╙╠▒,j╠R^ \`╙╠▒,"
echo " 1╠^ ,╠╝ \033[0;31m╝╠R\033[0;0m \033[0;34m╓▓╬╬╬╝\033[0;0m j╠H 1╠^ ╠╠ ╚╠H ╚╠H"
echo "j╠⌐ j╠Γ \033[0;31m'\033[0;0m \033[0;34mÆ╬╬╬╬╙\033[0;0m ╠H ╔╠R ╠╠ ╠╠ ╠╠"
echo "╠╠ ╒╠R \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m j╠H _D╝\` ╠╠ ╠╠ ╠╠"
echo "'╠H 1╠^ .. \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m ╠D ╔╚╙ ╔_ ╠╠ ╠╠ ╠╠"
echo " '╠▒╓░╙ _╔╔^ \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m ╚▒╓░╙ ╔░H ╠╠ ╠╠ ╠╠"
echo " ⁿ╚╠K≥╔╔╔1▒╝^ \033[0;34m╒▓╬╬╬╩^\033[0;33m \`╣╣╣╣▓╕\033[0;0m \`╚╠▒g╔╔╔gD╝╙ ╠╠ ╠╠ ╠╠\n"
echo "-------------------------------------------------------------------------------"
echo ""
echo " - 알 림 - "
echo ""
echo " 현재 접속하신 서버는 DataSaker 개발 서버 입니다. "
echo " 인가되지 않은 사용자의 접근, 수정 등 행위 시 처벌을 받을 수 있습니다. "
echo ""
echo "-------------------------------------------------------------------------------"
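Review bot: The banner relies on `echo` interpreting `\n` and `\033` escapes under `#!/bin/sh`, which is shell-dependent (dash does, bash by default does not), so the rendering differs between hosts; `printf '%b\n' "..."` is portable and avoids the trailing literal `\n` in the first and last art lines. The same applies to the banner.j2 template added for the second role, which repeats this script verbatim.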


@@ -0,0 +1,6 @@
---
- name: restart sshd
service:
name: "{{ ssh_service_name }}"
state: restarted
enabled: true


@@ -0,0 +1,7 @@
---
- name: user change
user:
name: "{{ username }}"
password: "{{ password | password_hash('sha512') }}"
state: present
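Review bot: `password_hash('sha512')` is called without a salt argument, so a new random salt is generated on every run and the `user` module reports changed each time, which also hides whether the password actually differed; pass a vaulted salt as the second argument or add `update_password: on_create` if the intent is only to seed the account. With the shipped defaults this task sets root's password to the shared plaintext `password` value from defaults/main.yml, so the task should fail fast when that variable is not overridden, e.g. `- assert: { that: password != 'saasadmin1234' }` before it.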


@@ -0,0 +1,29 @@
---
- name: Create a tar.gz archive of a single file.
archive:
path: /etc/update-motd.d/*
dest: /etc/update-motd.d/motd.tar.gz
format: gz
force_archive: true
- name: remove a motd.d files
file:
path: /etc/update-motd.d/{{ item }}
state: absent
with_items:
- 10-help-text
- 85-fwupd
- 90-updates-available
- 91-release-upgrade
- 95-hwe-eol
- 98-fsck-at-reboot
- 50-motd-news
- 88-esm-announce
- name: Create login banner
copy:
src: login_banner
dest: /etc/update-motd.d/00-header
owner: root
group: root
mode: 0755
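Review bot: `mode: 0755` is an unquoted octal-looking scalar, which YAML 1.1 loads as the integer 493; Ansible's file modules document that a leading-zero integer works only sometimes and recommend quoting, so write `mode: "0755"` — the same applies to the `mode:` values in pam.yml, sshd_config.yml and the second role's banner and root-ssh tasks. The archive task globs `/etc/update-motd.d/*` and writes `motd.tar.gz` into that same directory, so on a second run the previous backup is itself archived and `force_archive: true` overwrites the original; write the backup outside the directory or guard the task with a `stat` on the destination.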


@@ -0,0 +1,19 @@
---
- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
unarchive:
src: "{{ crictl_dl_url }}"
dest: "{{ crictl_bin_path }}"
owner: "{{ crictl_file_owner }}"
group: "{{ crictl_file_group }}"
extra_opts:
- crictl
remote_src: yes
- name: Crictl command crontab setting
ansible.builtin.cron:
name: crontab command
minute: "0"
hour: "3"
user: root
job: "/usr/local/bin/crictl rmi --prune"
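Review bot: The unarchive task fetches the crictl release from GitHub straight into `{{ crictl_bin_path }}` with no integrity check, so whatever the download returns is installed as root-owned into `/usr/local/bin`; download first with `get_url` and its `checksum:` option against a digest pinned alongside `crictl_version`, then unarchive the local file. `remote_src: yes` should be `true` for consistency with the rest of the role.
```yaml
- name: Download {{ crictl_app }} {{ crictl_version }} and verify its digest
  get_url:
    url: "{{ crictl_dl_url }}"
    dest: "/tmp/{{ crictl_app }}-v{{ crictl_version }}.tar.gz"
    # crictl_sha256 is a new default holding the pinned release digest (<PLACEHOLDER_SHA256>)
    checksum: "sha256:{{ crictl_sha256 }}"
- name: Extracting {{ crictl_app }} {{ crictl_version }}
  unarchive:
    src: "/tmp/{{ crictl_app }}-v{{ crictl_version }}.tar.gz"
    dest: "{{ crictl_bin_path }}"
    # … unchanged: owner, group, extra_opts …
    remote_src: true
```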


@@ -0,0 +1,48 @@
---
- name: Set pass max days
lineinfile:
dest: /etc/login.defs
state: present
regexp: '^PASS_MAX_DAYS.*$'
line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
backrefs: yes
- name: Set pass min days
lineinfile:
dest: /etc/login.defs
state: present
regexp: '^PASS_MIN_DAYS.*$'
line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
backrefs: yes
- name: Set pass min length
lineinfile:
dest: /etc/login.defs
state: present
regexp: '^PASS_MIN_LEN.*$'
line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
backrefs: yes
- name: Set pass warn days
lineinfile:
dest: /etc/login.defs
state: present
regexp: '^PASS_WARN_AGE.*$'
line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
backrefs: yes
- name: Set password encryption to SHA512
lineinfile:
dest: /etc/login.defs
state: present
regexp: '^ENCRYPT_METHOD\s.*$'
line: "ENCRYPT_METHOD\tSHA512"
backrefs: yes
- name: Disable MD5 crypt explicitly
lineinfile:
dest: /etc/login.defs
state: present
regexp: '^MD5_CRYPT_ENAB.*$'
line: "MD5_CRYPT_ENAB NO"
backrefs: yes
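Review bot: Every lineinfile in this file sets `backrefs: yes` although no backreference is used in `line`; with `backrefs` a non-matching `regexp` leaves the file untouched, so on a login.defs where a directive is absent or shipped commented (`#PASS_MAX_DAYS`) nothing is enforced and the task still reports ok. Drop `backrefs: yes` so the line is appended when missing, and widen the patterns to `regexp: '^#?\s*PASS_MAX_DAYS'` (and likewise for the others) so commented defaults are replaced rather than duplicated. `yes` should be `true` if the key is kept anywhere.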


@@ -0,0 +1,24 @@
---
- include: login_defs.yml
tags: login_defs
- include: pam.yml
tags: pam
- include: sshd_config.yml
tags: sshd_config
- include: sudoers.yml
tags: sudoers
- include: profile.yml
tags: profile
- include: banner.yml
tags: banner
- include: crictl.yml
tags: crictl
- include: admin_set.yml
tags: admin_set
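Review bot: `include:` is deprecated since Ansible 2.4 and removed in ansible-core 2.16, so this role will not load on a current control node; use `import_tasks:` (static, so the `tags:` apply to the included tasks as intended) — the same applies to the second role's main.yml, where `include` plus `when` maps to `include_tasks`. `sudoers.yml` is referenced here but is not among the files this commit adds, while the sudoers template is actually rendered from admin_set.yml; confirm the file already exists or drop the entry.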


@@ -0,0 +1,50 @@
---
- name: Add pam_tally2.so
template:
src: common-auth.j2
dest: /etc/pam.d/common-auth
owner: root
group: root
mode: 0644
- name: Create pwquality.conf password complexity configuration
block:
- apt:
name: libpam-pwquality
state: present
install_recommends: false
- template:
src: pwquality.conf.j2
dest: /etc/security/pwquality.conf
owner: root
group: root
mode: 0644
- name: Add pam_tally2.so
block:
- lineinfile:
dest: /etc/pam.d/common-account
regexp: '^account\srequisite'
line: "account requisite pam_deny.so"
- lineinfile:
dest: /etc/pam.d/common-account
regexp: '^account\srequired'
line: "account required pam_tally2.so"
- name: password reuse is limited
lineinfile:
dest: /etc/pam.d/common-password
line: "password required pam_pwhistory.so remember=5"
- name: password hashing algorithm is SHA-512
lineinfile:
dest: /etc/pam.d/common-password
regexp: '^password\s+\[success'
line: "password [success=1 default=ignore] pam_unix.so sha512"
- name: Shadow Password Suite Parameters
lineinfile:
dest: /etc/pam.d/common-password
regexp: '^password\s+\[success'
line: "password [success=1 default=ignore] pam_unix.so sha512"
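Review bot: The last two tasks ("password hashing algorithm is SHA-512" and "Shadow Password Suite Parameters") have identical `regexp` and `line`, so one is redundant, and the replacement line drops the `obscure use_authtok try_first_pass` options of the stock Debian/Ubuntu pam_unix entry — without `use_authtok` pam_unix prompts for its own new password instead of storing the one pam_pwquality just checked, so confirm the rendered stack still enforces the complexity rules. `remember=5` is hardcoded while defaults declare `passhistory: 2`; use `line: "password required pam_pwhistory.so remember={{ passhistory }}"`, and note that appending it without `regexp`/`insertbefore` places it after pam_unix, where it is unlikely to take effect. Two tasks share the name "Add pam_tally2.so" although the second edits common-account; give them distinct names. The apt install of libpam-pwquality runs after common-auth has been templated, and its postinst runs pam-auth-update, which may rewrite the PAM common files — move the package task first and verify the resulting common-auth on a fresh host.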


@@ -0,0 +1,24 @@
---
- name: Set session timeout
lineinfile:
dest: /etc/profile
regexp: '^TMOUT=.*'
insertbefore: '^readonly TMOUT'
line: 'TMOUT={{shell_timeout}}'
state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
- name: Set TMOUT readonly
lineinfile:
dest: /etc/profile
regexp: '^readonly TMOUT'
insertafter: 'TMOUT={{shell_timeout}}'
line: 'readonly TMOUT'
state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
- name: Set export TMOUT
lineinfile:
dest: /etc/profile
regexp: '^export TMOUT.*'
insertafter: 'readonly TMOUT'
line: 'export TMOUT'
state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"


@@ -0,0 +1,30 @@
---
- name: Configure ssh root login to {{sshrootlogin}}
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitRootLogin.*'
line: 'PermitRootLogin {{sshrootlogin}}'
insertbefore: '^Match.*'
state: present
owner: root
group: root
mode: 0640
notify: restart sshd
- name: SSH Listen on Main Port
lineinfile:
dest: /etc/ssh/sshd_config
insertbefore: '^#*AddressFamily'
line: 'Port {{sshmainport}}'
state: present
owner: root
group: root
mode: 0640
notify: restart sshd
- name: "Setting sshd allow users"
template:
src: allow_users.j2
dest: "/etc/ssh/sshd_config.d/allow_users.conf"
notify: restart sshd
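Review bot: None of the three tasks editing sshd configuration passes `validate`, so a bad rendered value (an empty `{{sshrootlogin}}`, a malformed `AllowUsers` pattern from the template) is written and the `restart sshd` handler then stops the daemon on every targeted host, cutting off Ansible as well; add `validate: '/usr/sbin/sshd -t -f %s'` to both lineinfile tasks and the template task, and to the second role's setting_root_ssh.yml. Because `sshrootlogin` defaults to `'yes'`, this hardening role enables remote root login unless the caller overrides it. The drop-in under `sshd_config.d/` only takes effect on releases whose `sshd_config` contains the `Include` directive; on older hosts the AllowUsers restriction is silently not applied.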


@@ -0,0 +1,94 @@
---
- name: "Create devops group"
ansible.builtin.group:
name: "devops"
state: present
- name: "get current users"
shell: "cat /etc/passwd | egrep -iv '(false|nologin|sync|root|dev2-iac)' | awk -F: '{print $1}'"
register: deleting_users
- name: "Delete users"
ansible.builtin.user:
name: "{{ item }}"
state: absent
remove: yes
with_items: "{{ deleting_users.stdout_lines }}"
when: item != ansible_user
ignore_errors: true
- name: "Create admin user"
ansible.builtin.user:
name: "{{ item.name }}"
group: "devops"
shell: "/bin/bash"
system: yes
state: present
with_items: "{{ admin_users }}"
when:
- item.name is defined
ignore_errors: true
- name: "admin user password change"
user:
name: "{{ item.name }}"
password: "{{ password | password_hash('sha512') }}"
state: present
with_items: "{{ admin_users }}"
when:
- item.name is defined
ignore_errors: true
- name: "Add admin user key"
authorized_key:
user: "{{ item.name }}"
state: present
key: "{{ item.key }}"
with_items: "{{ admin_users }}"
when:
- item.name is defined
- item.key is defined
- common_user is defined
ignore_errors: true
- name: "Create common user"
ansible.builtin.user:
name: "{{ item.name }}"
group: "users"
shell: "/bin/bash"
system: yes
state: present
with_items: "{{ allow_users }}"
when:
- item.name is defined
- common_user is defined
ignore_errors: true
- name: "Change common user password change"
user:
name: "{{ item.name }}"
password: "{{ password | password_hash('sha512') }}"
state: present
with_items: "{{ allow_users }}"
when:
- item.name is defined
- common_user is defined
ignore_errors: true
- name: "Add common user key"
authorized_key:
user: "{{ item.name }}"
state: present
key: "{{ item.key }}"
with_items: "{{ allow_users }}"
when:
- item.name is defined
- item.key is defined
- common_user is defined
ignore_errors: true
- name: "Setting sudoers allow users"
template:
src: sudoers_users.j2
dest: "/etc/sudoers.d/sudoers_users"
ignore_errors: true
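Review bot: The "get current users" task builds the deletion list from a case-insensitive substring filter over whole /etc/passwd lines, so any account whose line does not contain false/nologin/sync/root/dev2-iac — including service accounts with a real shell — is removed together with its home directory (`remove: yes`), and `ignore_errors: true` on the task hides any failure; a UID-based selection such as `awk -F: '$3 >= 1000 && $1 != "nobody" {print $1}' /etc/passwd`, checked against an explicit allowlist, is far safer. The `common_user is defined` conditions are always true because defaults set `common_user: False`; use `common_user | bool`. `system: yes` gives the human admin accounts UIDs below 1000, which defeats any UID-based heuristic for regular users, and every admin and common user receives the same `password` from defaults, rehashed with a random salt so the tasks report changed each run. The sudoers template task should carry `validate: '/usr/sbin/visudo -cf %s'` so a rendering error cannot break sudo host-wide, and `ignore_errors: true` should be removed from it and from the user tasks so a failed account setup is visible.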


@@ -0,0 +1,11 @@
AllowUsers dev2-iac@10.10.43.*
{% if admin_users is defined %}
{% for user in admin_users %}
AllowUsers {{ user.name }}@{{ user.ip }}
{% endfor %}
{% endif %}
{% if allow_users is defined %}
{% for user in allow_users %}
AllowUsers {{ user.name }}@{{ user.ip }}
{% endfor %}
{% endif %}
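Review bot: `AllowUsers` is deny-by-default, so any account this template does not list loses SSH access once sshd restarts; the hard-coded entry is `dev2-iac`, while several inventories added in this commit connect as `dev2`, so Ansible itself can be locked out of those hosts unless `dev2` is in `admin_users` — confirm before rolling out. An entry without `ip` fails the render because `user.ip` is undefined; either guard the line with `{% if user.ip is defined %}` or document `ip` as a required field next to `name` and `key`.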


@@ -0,0 +1,27 @@
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
auth required pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
auth required pam_permit.so
# since the modules above will each just jump around
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
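Review bot: The `pam_tally2.so` line is `required`, so on a release whose libpam no longer ships pam_tally2 (deprecated upstream in favour of pam_faillock and removed in Linux-PAM 1.5) the module fails to load and every authentication through common-auth fails; confirm the module exists on all target releases or template a pam_faillock stack for those hosts. The header still says the file is managed by pam-auth-update, which is no longer true once Ansible templates it and invites a later package install to rewrite it; replace that paragraph with a comment such as `# Managed by Ansible (security-settings role); local edits will be overwritten`.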


@@ -0,0 +1,50 @@
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = {{pwquality_minlen}}
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
dcredit = {{pwquality_dcredit}}
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = {{pwquality_ucredit}}
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
lcredit = {{pwquality_lcredit}}
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
ocredit = {{pwquality_ocredit}}
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
maxrepeat = {{pwquality_maxrepeat}}
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
# maxclassrepeat = 0
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
# gecoscheck = 0
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
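Review bot: The rendered file never sets `enforce_for_root`, so password changes performed by root bypass every limit defined here; add `enforce_for_root` (optionally behind a default) if the policy is meant to bind administrators too. Note that pam_pwquality only governs PAM-driven password changes — the hashes written directly by the `user` module in admin_set.yml are not checked against these settings.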


@@ -0,0 +1,6 @@
dev2-iac ALL=(ALL) NOPASSWD: ALL
{% if allow_users is defined %}
{% for user in admin_users %}
{{ user.name }} ALL=(ALL) NOPASSWD: ALL
{% endfor %}
{% endif %}
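Review bot: The guard `{% if allow_users is defined %}` tests the wrong variable: the loop iterates `admin_users`, so admins get no sudo entry when only `admin_users` is set, and the render fails when `allow_users` is set without `admin_users`; change it to `{% if admin_users is defined %}`. Every listed user gets `ALL=(ALL) NOPASSWD: ALL`; if that is intended, the task writing this file should still use `validate: '/usr/sbin/visudo -cf %s'` so a rendering error cannot break sudo host-wide.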


@@ -0,0 +1,6 @@
---
- hosts: all
become: true
gather_facts: true
roles:
- role: security-settings


@@ -0,0 +1,65 @@
[prod-demo-master]
10.10.43.100 ansible_port=2222 ansible_user=dev2
[prod-demo-worker]
10.10.43.101 ansible_port=2222 ansible_user=dev2
[dev-demo-master]
10.10.43.105 ansible_port=2222 ansible_user=dev2
[dev-demo-worker]
10.10.43.106 ansible_port=2222 ansible_user=dev2
[saas_mgmt_master]
10.10.43.240 ansible_port=2222 ansible_user=dev2
[saas_mgmt_node]
10.10.43.[241:243] ansible_port=2222 ansible_user=dev2
[dsk_dev_master]
10.10.43.[111:113] ansible_port=2222 ansible_user=dev2
[dsk_dev_node]
10.10.43.[114:153] ansible_port=2222 ansible_user=dev2
[bastion]
10.10.43.43 ansible_port=2222 ansible_user=havelight
[agent_host]
10.10.43.177 ansible_port=2222 ansible_user=dev2
10.10.43.178 ansible_port=2222 ansible_user=dev2
10.10.43.179 ansible_port=2222 ansible_user=dev2
10.10.43.180 ansible_port=2222 ansible_user=dev2
10.10.43.181 ansible_port=2222 ansible_user=dev2
10.10.43.182 ansible_port=2222 ansible_user=dev2
[agent_cri_master]
10.10.43.185 ansible_port=2222 ansible_user=dev2
[agent_cri_worker]
10.10.43.186 ansible_port=2222 ansible_user=dev2
10.10.43.187 ansible_port=2222 ansible_user=dev2
10.10.43.188 ansible_port=2222 ansible_user=dev2
[agent_middleware_master]
10.10.43.189 ansible_port=2222 ansible_user=dev2
[agent_middleware_worker]
10.10.43.190 ansible_port=2222 ansible_user=dev2
10.10.43.191 ansible_port=2222 ansible_user=dev2
10.10.43.192 ansible_port=2222 ansible_user=dev2
10.10.43.193 ansible_port=2222 ansible_user=dev2
10.10.43.194 ansible_port=2222 ansible_user=dev2
10.10.43.199 ansible_port=2222 ansible_user=dev2
[all:children]
saas_mgmt_master
saas_mgmt_node
dsk_dev_master
dsk_dev_node
bastion
agent_host
agent_cri_master
agent_cri_worker
agent_middleware_master
agent_middleware_worker


@@ -0,0 +1,31 @@
[all]
10.10.43.195 ansible_user=dev2 ansible_port=2222
10.10.43.196 ansible_user=dev2 ansible_port=2222
10.10.43.197 ansible_user=dev2 ansible_port=2222
10.10.43.200 ansible_user=dev2 ansible_port=2222
10.10.43.201 ansible_user=dev2 ansible_port=2222
10.10.43.202 ansible_user=dev2 ansible_port=2222
10.10.43.203 ansible_user=dev2 ansible_port=2222
10.10.43.204 ansible_user=dev2 ansible_port=2222
10.10.43.205 ansible_user=dev2 ansible_port=2222
10.10.43.206 ansible_user=dev2 ansible_port=2222
10.10.43.207 ansible_user=dev2 ansible_port=2222
10.10.43.208 ansible_user=dev2 ansible_port=2222
10.10.43.210 ansible_user=dev2 ansible_port=2222
10.10.43.211 ansible_user=dev2 ansible_port=2222
10.10.43.212 ansible_user=dev2 ansible_port=2222
10.10.43.213 ansible_user=dev2 ansible_port=2222
10.10.43.214 ansible_user=dev2 ansible_port=2222
10.10.43.215 ansible_user=dev2 ansible_port=2222
10.10.43.216 ansible_user=dev2 ansible_port=2222
10.10.43.217 ansible_user=dev2 ansible_port=2222
10.10.43.218 ansible_user=dev2 ansible_port=2222
10.10.43.224 ansible_user=dev2 ansible_port=2222
10.10.43.225 ansible_user=dev2 ansible_port=2222
10.10.43.226 ansible_user=dev2 ansible_port=2222
10.10.43.227 ansible_user=dev2 ansible_port=2222
10.10.43.228 ansible_user=dev2 ansible_port=2222
10.10.43.230 ansible_user=dev2 ansible_port=2222
10.10.43.235 ansible_user=dev2 ansible_port=2222
10.10.43.236 ansible_user=dev2 ansible_port=2222
10.10.43.252 ansible_user=dev2 ansible_port=2222


@@ -1,31 +1,31 @@
[all] [all]
10.10.43.195 10.10.43.195 ansible_user=dev2-iac ansible_port=2222
10.10.43.196 10.10.43.196 ansible_user=dev2-iac ansible_port=2222
10.10.43.197 10.10.43.197 ansible_user=dev2-iac ansible_port=2222
10.10.43.200 10.10.43.200 ansible_user=dev2-iac ansible_port=2222
10.10.43.201 10.10.43.201 ansible_user=dev2-iac ansible_port=2222
10.10.43.202 10.10.43.202 ansible_user=dev2-iac ansible_port=2222
10.10.43.203 10.10.43.203 ansible_user=dev2-iac ansible_port=2222
10.10.43.204 10.10.43.204 ansible_user=dev2-iac ansible_port=2222
10.10.43.205 10.10.43.205 ansible_user=dev2-iac ansible_port=2222
10.10.43.206 10.10.43.206 ansible_user=dev2-iac ansible_port=2222
10.10.43.207 10.10.43.207 ansible_user=dev2-iac ansible_port=2222
10.10.43.208 10.10.43.208 ansible_user=dev2-iac ansible_port=2222
10.10.43.210 10.10.43.210 ansible_user=dev2-iac ansible_port=2222
10.10.43.211 10.10.43.211 ansible_user=dev2-iac ansible_port=2222
10.10.43.212 10.10.43.212 ansible_user=dev2-iac ansible_port=2222
10.10.43.213 10.10.43.213 ansible_user=dev2-iac ansible_port=2222
10.10.43.214 10.10.43.214 ansible_user=dev2-iac ansible_port=2222
10.10.43.215 10.10.43.215 ansible_user=dev2-iac ansible_port=2222
10.10.43.216 10.10.43.216 ansible_user=dev2-iac ansible_port=2222
10.10.43.217 10.10.43.217 ansible_user=dev2-iac ansible_port=2222
10.10.43.218 10.10.43.218 ansible_user=dev2-iac ansible_port=2222
10.10.43.224 10.10.43.224 ansible_user=dev2-iac ansible_port=2222
10.10.43.225 10.10.43.225 ansible_user=dev2-iac ansible_port=2222
10.10.43.226 10.10.43.226 ansible_user=dev2-iac ansible_port=2222
10.10.43.227 10.10.43.227 ansible_user=dev2-iac ansible_port=2222
10.10.43.228 10.10.43.228 ansible_user=dev2-iac ansible_port=2222
10.10.43.230 10.10.43.230 ansible_user=dev2-iac ansible_port=2222
10.10.43.235 10.10.43.235 ansible_user=dev2-iac ansible_port=2222
10.10.43.236 10.10.43.236 ansible_user=dev2-iac ansible_port=2222
10.10.43.252 10.10.43.252 ansible_user=dev2-iac ansible_port=2222


@@ -6,5 +6,4 @@ deprecation_warnings = false
display_skipped_hosts = no display_skipped_hosts = no
ansible_home = . ansible_home = .
stdout_callback = debug stdout_callback = debug
host_key_checking = false host_key_checking = false


@@ -3617,7 +3617,7 @@ echo "#
echo "##############################################################################" >> $resultfile 2>&1 echo "##############################################################################" >> $resultfile 2>&1
U_01 # root 계정 원격 접속 제한 U_01 # root 계정 원격 접속 제한
# U_02 # 랜덤 패스워드를 사용중이라 제외 U_02 # 랜덤 패스워드를 사용중이라 제외
U_03 # 계정 잠금 임계값 설정 U_03 # 계정 잠금 임계값 설정
U_04 # 패스워드 파일 보호 U_04 # 패스워드 파일 보호
U_05 # root 홈, 패스 디렉터리 권한 및 패스 설정 U_05 # root 홈, 패스 디렉터리 권한 및 패스 설정
@@ -3702,4 +3702,4 @@ echo " ★ 양호 개수 = `cat $resultfile | grep
echo " ☆ N/A 개수 = `cat $resultfile | grep '결과 : N/A' | wc -l`" >> $resultfile 2>&1 echo " ☆ N/A 개수 = `cat $resultfile | grep '결과 : N/A' | wc -l`" >> $resultfile 2>&1
echo "" >> $resultfile 2>&1 echo "" >> $resultfile 2>&1
echo "==============================================================================" >> $resultfile 2>&1 echo "==============================================================================" >> $resultfile 2>&1
echo "" >> $resultfile 2>&1 echo "" >> $resultfile 2>&1


@@ -6,4 +6,4 @@
git_user: sa_8001 git_user: sa_8001
git_key: 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 git_key: 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
roles: roles:
- role: security_check - role: security_check
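Review bot: `git_key` on the context line holds a GitHub personal access token (`ghp_` prefix) in plaintext in a committed playbook, and this commit leaves it in place; the token must be treated as compromised and rotated, and the value moved to an Ansible Vault variable or read at runtime, e.g. `git_key: "{{ lookup('env', 'GIT_TOKEN') }}"`. Rewriting history afterwards does not revoke the token.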


@@ -0,0 +1,9 @@
[defaults]
become = true
inventory = checklist
roles_path = roles
deprecation_warnings = false
display_skipped_hosts = no
ansible_home = .
stdout_callback = debug
host_key_checking = false
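Review bot: `host_key_checking = false` disables SSH host key verification for every play run from this directory, so a host impersonating a managed node receives the connecting credentials and everything this role pushes (user password hashes, sudoers, authorized keys); keep checking enabled and distribute `known_hosts` entries for the inventory instead, or scope the exception to a first-contact play. `display_skipped_hosts = no` and `become = true` are fine as INI values; only the host-key line is a security regression relative to the other ansible.cfg added in this commit.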


@@ -0,0 +1,30 @@
[all]
10.10.43.195 ansible_user=dev2-iac ansible_port=2222
10.10.43.196 ansible_user=dev2-iac ansible_port=2222
10.10.43.197 ansible_user=dev2-iac ansible_port=2222
10.10.43.200 ansible_user=dev2-iac ansible_port=2222
10.10.43.201 ansible_user=dev2-iac ansible_port=2222
10.10.43.202 ansible_user=dev2-iac ansible_port=2222
10.10.43.203 ansible_user=dev2-iac ansible_port=2222
10.10.43.204 ansible_user=dev2-iac ansible_port=2222
10.10.43.205 ansible_user=dev2-iac ansible_port=2222
10.10.43.206 ansible_user=dev2-iac ansible_port=2222
10.10.43.207 ansible_user=dev2-iac ansible_port=2222
10.10.43.208 ansible_user=dev2-iac ansible_port=2222
10.10.43.210 ansible_user=dev2-iac ansible_port=2222
10.10.43.211 ansible_user=dev2-iac ansible_port=2222
10.10.43.212 ansible_user=dev2-iac ansible_port=2222
10.10.43.213 ansible_user=dev2-iac ansible_port=2222
10.10.43.214 ansible_user=dev2-iac ansible_port=2222
10.10.43.215 ansible_user=dev2-iac ansible_port=2222
10.10.43.216 ansible_user=dev2-iac ansible_port=2222
10.10.43.217 ansible_user=dev2-iac ansible_port=2222
10.10.43.218 ansible_user=dev2-iac ansible_port=2222
10.10.43.224 ansible_user=dev2-iac ansible_port=2222
10.10.43.225 ansible_user=dev2-iac ansible_port=2222
10.10.43.226 ansible_user=dev2-iac ansible_port=2222
10.10.43.227 ansible_user=dev2-iac ansible_port=2222
10.10.43.228 ansible_user=dev2-iac ansible_port=2222
10.10.43.235 ansible_user=dev2-iac ansible_port=2222
10.10.43.236 ansible_user=dev2-iac ansible_port=2222
10.10.43.252 ansible_user=dev2-iac ansible_port=2222


@@ -0,0 +1,10 @@
---
- name: Reload systemd configuration
ansible.builtin.systemd:
daemon_reload: True
- name: restart sshd
service:
name: sshd
state: restarted
enabled: true


@@ -0,0 +1,8 @@
---
- name: Setting EXEM Banner (Debian)
template:
src: banner.j2
dest: /etc/update-motd.d/00-header
mode: 0755
owner: root
group: root


@@ -0,0 +1,5 @@
---
- include: debian_setting_banner.yml
when: ansible_facts['os_family'] == 'Debian'
- include: setting_root_ssh.yml


@@ -0,0 +1,11 @@
- name: Configure ssh root login to no
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitRootLogin.*'
line: 'PermitRootLogin no'
insertbefore: '^Match.*'
state: present
owner: root
group: root
mode: 0640
notify: restart sshd


@@ -0,0 +1,18 @@
#!/bin/sh
echo "-------------------------------------------------------------------------------\n"
echo " _╓g@DDKg╓_ \033[0;31m=╗╗╗╗,\033[0;0m \033[0;34m,╗╗╗╗╤\033[0;0m ,╔╗DDKg╔_ ╓g@DD╗╔_ ╓g@DD╗╔_"
echo " ╓D╝╙\` \`╠╠H \033[0;31m╙╠╠╠╠▒\033[0;0m \033[0;34mÆ╬╬╬╬╩\033[0;0m _j╠╙\` 1╠R j╠R^ \`╙╠▒,j╠R^ \`╙╠▒,"
echo " 1╠^ ,╠╝ \033[0;31m╝╠R\033[0;0m \033[0;34m╓▓╬╬╬╝\033[0;0m j╠H 1╠^ ╠╠ ╚╠H ╚╠H"
echo "j╠⌐ j╠Γ \033[0;31m'\033[0;0m \033[0;34mÆ╬╬╬╬╙\033[0;0m ╠H ╔╠R ╠╠ ╠╠ ╠╠"
echo "╠╠ ╒╠R \033[0;34m╔╣╬╬╬\033[0;33m╬▒\033[0;0m j╠H _D╝\` ╠╠ ╠╠ ╠╠"
echo "'╠H 1╠^ .. \033[0;34m,╣╬╬╬╣\033[0;33m╬╣╣▓┐\033[0;0m ╠D ╔╚╙ ╔_ ╠╠ ╠╠ ╠╠"
echo " '╠▒╓░╙ _╔╔^ \033[0;34m¢╬╬╬╬╩\033[0;33m ╚╣╣╣╣▌\033[0;0m ╚▒╓░╙ ╔░H ╠╠ ╠╠ ╠╠"
echo " ⁿ╚╠K≥╔╔╔1▒╝^ \033[0;34m╒▓╬╬╬╩^\033[0;33m \`╣╣╣╣▓╕\033[0;0m \`╚╠▒g╔╔╔gD╝╙ ╠╠ ╠╠ ╠╠\n"
echo "-------------------------------------------------------------------------------"
echo ""
echo " - 알 림 - "
echo ""
echo " 현재 접속하신 서버는 SaaS기술연구팀 개발 서버 입니다. "
echo " 인가되지 않은 사용자의 접근, 수정 등 행위 시 처벌을 받을 수 있습니다. "
echo ""
echo "-------------------------------------------------------------------------------"


@@ -0,0 +1,6 @@
---
- hosts: all
become: true
gather_facts: true
roles:
- role: security_settings


@@ -17,6 +17,9 @@ auth_service:
enabled: "no" enabled: "no"
ssh_service: ssh_service:
enabled: "yes" enabled: "yes"
pam:
enabled: true
service_name: "sshd"
labels: labels:
ipaddr: {{ansible_default_ipv4.address}} ipaddr: {{ansible_default_ipv4.address}}
group: {{ group_names[-1] }} group: {{ group_names[-1] }}
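Review bot: The new `pam:` block writes `enabled: true` while the sibling `enabled:` keys in this file are quoted `"no"`/`"yes"` strings; pick one form for the file so the rendered config is consistent. With `pam.enabled: true` and `service_name: "sshd"` Teleport sessions run through the host's `sshd` PAM stack, which on hosts targeted by the new role includes the pam_tally2 line added to common-auth — confirm that the failed-attempt lockout is intended to apply to Teleport logins as well. The enclosing `ssh_service:` mapping begins before this hunk.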


@@ -7,5 +7,5 @@
teleport_uri: teleport.kr.datasaker.io teleport_uri: teleport.kr.datasaker.io
# remove: True # remove: True
# custom_labels: 'user=havelight,company=exem' # custom_labels: 'user=havelight,company=exem'
# update: True update: True
install: True # install: True


@@ -0,0 +1,31 @@
[all]
#10.10.43.195 ansible_user=dev2 ansible_port=2222
#10.10.43.196 ansible_user=dev2 ansible_port=2222
#10.10.43.197 ansible_user=dev2 ansible_port=2222
10.10.43.200 ansible_user=dev2 ansible_port=2222
10.10.43.201 ansible_user=dev2 ansible_port=2222
10.10.43.202 ansible_user=dev2 ansible_port=2222
10.10.43.203 ansible_user=dev2 ansible_port=2222
10.10.43.204 ansible_user=dev2 ansible_port=2222
10.10.43.205 ansible_user=dev2 ansible_port=2222
10.10.43.206 ansible_user=dev2 ansible_port=2222
10.10.43.207 ansible_user=dev2 ansible_port=2222
10.10.43.208 ansible_user=dev2 ansible_port=2222
10.10.43.210 ansible_user=dev2 ansible_port=2222
10.10.43.211 ansible_user=dev2 ansible_port=2222
10.10.43.212 ansible_user=dev2 ansible_port=2222
10.10.43.213 ansible_user=dev2 ansible_port=2222
10.10.43.214 ansible_user=dev2 ansible_port=2222
10.10.43.215 ansible_user=dev2 ansible_port=2222
10.10.43.216 ansible_user=dev2 ansible_port=2222
10.10.43.217 ansible_user=dev2 ansible_port=2222
10.10.43.218 ansible_user=dev2 ansible_port=2222
#10.10.43.224 ansible_user=dev2 ansible_port=2222
#10.10.43.225 ansible_user=dev2 ansible_port=2222
#10.10.43.226 ansible_user=dev2 ansible_port=2222
#10.10.43.227 ansible_user=dev2 ansible_port=2222
#10.10.43.228 ansible_user=dev2 ansible_port=2222
#10.10.43.230 ansible_user=dev2 ansible_port=2222
#10.10.43.235 ansible_user=dev2 ansible_port=2222
#10.10.43.236 ansible_user=dev2 ansible_port=2222
#10.10.43.252 ansible_user=dev2 ansible_port=2222