From e3a240bc419e9d9b666d181d595277567964d1a4 Mon Sep 17 00:00:00 2001 
From: havelight-ee Date: Wed, 28 Jun 2023 15:48:32 +0900 Subject: [PATCH] bastion update --- ansible/bastion.yml | 95 +++++++++++++++++++ ansible/inventory | 6 ++ ansible/inventory.ini | 3 +- ansible/node.yaml | 1 - ansible/roles/bastion/defaults/main.yml | 43 +++++++++ ansible/roles/bastion/files/login_banner | 20 ++++ ansible/roles/bastion/handlers/main.yml | 6 ++ ansible/roles/bastion/tasks/admin_set.yml | 7 ++ ansible/roles/bastion/tasks/banner.yml | 29 ++++++ ansible/roles/bastion/tasks/crictl.yml | 19 ++++ ansible/roles/bastion/tasks/login_defs.yml | 48 ++++++++++ ansible/roles/bastion/tasks/main.yml | 24 +++++ ansible/roles/bastion/tasks/pam.yml | 50 ++++++++++ ansible/roles/bastion/tasks/profile.yml | 24 +++++ ansible/roles/bastion/tasks/sshd_config.yml | 30 ++++++ ansible/roles/bastion/tasks/sudoers.yml | 95 +++++++++++++++++++ .../roles/bastion/templates/allow_users.j2 | 10 ++ .../roles/bastion/templates/common-auth.j2 | 27 ++++++ .../roles/bastion/templates/pwquality.conf.j2 | 50 ++++++++++ .../roles/bastion/templates/sudoers_users.j2 | 5 + .../roles/security-settings/defaults/main.yml | 4 +- .../security-settings/files/allow_users.conf | 2 + .../security-settings/tasks/sshd_config.yml | 9 ++ ansible/rsa_key/asdf.sh | 4 + ansible/rsa_key/ip_list | 37 ++++++++ ansible/rsa_key/key.sh | 2 +- ansible/rsa_key/test.sh | 10 +- ansible/security.yaml | 2 +- 28 files changed, 649 insertions(+), 13 deletions(-) create mode 100644 ansible/bastion.yml create mode 100644 ansible/inventory mode change 100755 => 100644 ansible/node.yaml create mode 100755 ansible/roles/bastion/defaults/main.yml create mode 100755 ansible/roles/bastion/files/login_banner create mode 100755 ansible/roles/bastion/handlers/main.yml create mode 100755 ansible/roles/bastion/tasks/admin_set.yml create mode 100755 ansible/roles/bastion/tasks/banner.yml create mode 100755 ansible/roles/bastion/tasks/crictl.yml create mode 100755 ansible/roles/bastion/tasks/login_defs.yml create mode 100755 
ansible/roles/bastion/tasks/main.yml create mode 100755 ansible/roles/bastion/tasks/pam.yml create mode 100755 ansible/roles/bastion/tasks/profile.yml create mode 100755 ansible/roles/bastion/tasks/sshd_config.yml create mode 100755 ansible/roles/bastion/tasks/sudoers.yml create mode 100755 ansible/roles/bastion/templates/allow_users.j2 create mode 100755 ansible/roles/bastion/templates/common-auth.j2 create mode 100755 ansible/roles/bastion/templates/pwquality.conf.j2 create mode 100755 ansible/roles/bastion/templates/sudoers_users.j2 create mode 100644 ansible/roles/security-settings/files/allow_users.conf create mode 100644 ansible/rsa_key/asdf.sh create mode 100644 ansible/rsa_key/ip_list mode change 100755 => 100644 ansible/security.yaml diff --git a/ansible/bastion.yml b/ansible/bastion.yml new file mode 100644 index 0000000..dc12510 --- /dev/null +++ b/ansible/bastion.yml 
@@ -0,0 +1,95 @@ +--- +- hosts: bastion + become: true + gather_facts: true + roles: + - role: bastion + vars: + - sshmainport: 2222 + admin_users: + - name: "minchulahn" + ip: "10.20.142.22" + description: "안민철" + key: "ssh-rsa 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" + + - name: "havelight" + ip: "10.20.142.21" + description: "정재희" + key: "ssh-rsa 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" + + - name: "sa_8001" + ip: "10.20.142.50" + description: "변정훈" + key: "ssh-rsa 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" + + allow_users: + - name: "wkd1994" + ip: "10.20.142.28" + description: "김동우" + key: "ssh-rsa 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" + + - name: "djkim" + ip: "10.20.142.36" + description: "김득진" + key: "ssh-rsa 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" + + - name: "sanghee1357" + ip: "10.20.142.40" + description: "김상희" + key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC45maYW137cwvdS8AE9UzNHq9AMYrkEJtoNDAOVkUXtpVQITqvBCc4B4FfR5JK2h+imnBDng5fu728YAB7q31BE3Wub8I+QWhnQgv+kH1yMWj2s329tkHvcyNWIHSBqw4z1N74Zba+7mojKioju27HdcRcN1L7tpXSCHrq5bU6++CMShpZ7a3wo20RfikFWd563Y15mE3uDqlbkcuzE0KGSNrdY6Gy9aiE3/poVQRLaCmXnUKNw9wM3UGN9DanJi6iosXrlZRkpwhV+tHh2x+BWCbyY8jj94RDJgMwoKw71tzlEp+B1k6a7g+lEo3KFP//3PQxc9fdKBdg1YzSAKGKjsqATEVclmQHVskk6wZQC/wcjFxrSOreSp6knswX9AhIvGhMtoVo9iMy9cm+F4AauzjjfszCMO484983hIYwsh321VB14Wg7NroCYMUh7krATeKmNWhK0YicYCXINVMphBAcXFhuJduPejz19ZN356t+F/LDqlCxW7kO9QfYUy0=" + + - name: "jinbekim" + ip: "10.10.142.48" + description: "김진범" + + - name: "bypark" + ip: "10.20.142.26" + description: "박병욱" + key: "ssh-rsa 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" + + - name: "joonsoopark" + ip: "10.20.142.33" + description: "박준수" + key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETt3DbkOgMY40sI0+dOxa3A/6o4yxNpoUWuuaSuUR/P" + + - name: "baekchan1024" + ip: "10.20.142.39" + description: "백승찬" + key: "ssh-rsa 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" + + - name: "jungry" + ip: 
"10.20.142.44" + description: "서정우" + + - name: "ose" + ip: "10.20.142.34" + description: "오승은" + key: "ssh-rsa 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" + + - name: "gurwns1540" + ip: "10.20.142.35" + description: "윤혁준" + key: "ssh-rsa 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" + + - name: "yyeun" + ip: "10.20.142.45" + description: "이예은" + + - name: "sujung" + ip: "10.20.142.27" + description: "정성락" + key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbI5DjRkABz65NnREzf5HKKIMPrIA4DrnDDXTrjnRH8" + + - name: "antcho" + ip: "10.20.142.46" + description: "조혜수" + + - name: "stdhsw" + ip: "10.20.142.32" + description: "한승우" + key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANTMTgqbTtIKKRsZU9An9D3La9Fh1bUtiLE/Y0nL4CZ" + + - name: "seungjinjeong" + ip: "10.20.142.41" + description: "정승진" + key: "ssh-rsa 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" diff --git a/ansible/inventory b/ansible/inventory new file mode 100644 index 0000000..2f79ca9 --- /dev/null +++ b/ansible/inventory @@ -0,0 +1,6 @@ +[datasaker-demo] +10.10.43.100 +10.10.43.101 + +[bastion] +10.10.43.43 ansible_port=2222 ansible_user=havelight diff --git a/ansible/inventory.ini b/ansible/inventory.ini index 3bdd326..8731a96 100644 --- a/ansible/inventory.ini +++ b/ansible/inventory.ini @@ -24,6 +24,7 @@ 10.10.43.133 10.10.43.134 10.10.43.135 +10.10.43.136 10.10.43.137 10.10.43.138 10.10.43.140 @@ -34,4 +35,4 @@ 10.10.43.145 10.10.43.146 10.10.43.147 - +#10.10.43.148 diff --git a/ansible/node.yaml b/ansible/node.yaml old mode 100755 new mode 100644 index b6344cf..a7d7f3a --- a/ansible/node.yaml +++ b/ansible/node.yaml @@ -4,4 +4,3 @@ become: true roles: - node - diff --git a/ansible/roles/bastion/defaults/main.yml b/ansible/roles/bastion/defaults/main.yml new file mode 100755 index 0000000..d11d7ee --- /dev/null +++ b/ansible/roles/bastion/defaults/main.yml 
@@ -0,0 +1,43 @@
+# Password aging settings
+os_auth_pw_max_age: 90
+os_auth_pw_min_age: 1
+os_auth_pw_warn_age: 7
+passhistory: 2
+
+# Inactivity and Failed attempts lockout settings
+fail_deny: 5
+fail_unlock: 0
+inactive_lock: 0
+shell_timeout: 300
+
+# tally settings
+onerr: 'fail'
+deny: 5
+unlock_time: 300
+
+# Password complexity settings
+pwquality_minlen: 9
+pwquality_maxrepeat: 3
+pwquality_lcredit: -1
+pwquality_ucredit: -1
+pwquality_dcredit: -1
+pwquality_ocredit: -1
+
+# SSH settings
+sshrootlogin: 'yes'
+sshmainport: 22
+ssh_service_name: sshd
+
+# Crictl setup
+crictl_app: crictl
+crictl_version: 1.25.0
+crictl_os: linux
+crictl_arch: amd64
+crictl_dl_url: https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/{{ crictl_app }}-v{{ crictl_version }}-{{ crictl_os }}-{{ crictl_arch }}.tar.gz
+crictl_bin_path: /usr/local/bin
+crictl_file_owner: root
+crictl_file_group: root
+
+# temp
+username: root
+password: saasadmin1234
diff --git a/ansible/roles/bastion/files/login_banner b/ansible/roles/bastion/files/login_banner
new file mode 100755
index 0000000..d294eeb
--- /dev/null
+++ b/ansible/roles/bastion/files/login_banner
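Review bot: `sshrootlogin: 'yes'` makes permitted root SSH login the role default, and `password: saasadmin1234` is a plaintext credential in a committed defaults file that admin_set.yml and sudoers.yml then apply to root and to every created account; defaults should hold the safe value (`sshrootlogin: 'no'` or `'prohibit-password'`) and the password must come from ansible-vault or an environment lookup, and be rotated now that it is in history. Several variables defined here (`fail_deny`, `fail_unlock`, `inactive_lock`, `passhistory`) are read by nothing visible in this commit, while common-auth.j2 uses the parallel `deny`/`unlock_time` pair; keep one set so the tunables that appear to govern lockout actually do. `crictl_version: 1.25.0` is safe as a plain scalar, but quoting it (`"1.25.0"`) guards against a future two-part version collapsing to a float.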
@@ -0,0 +1,20 @@
+#!/bin/sh
+printf '''
+ |-----------------------------------------------------------------|
+ | This system is for the use of authorized users only. |
+ | Individuals using this computer system without authority, or in |
+ | excess of their authority, are subject to having all of their |
+ | activities on this system monitored and recorded by system |
+ | personnel. |
+ | |
+ | In the course of monitoring individuals improperly using this |
+ | system, or in the course of system maintenance, the activities |
+ | of authorized users may also be monitored. |
+ | |
+ | Anyone using this system expressly consents to such monitoring |
+ | and is advised that if such monitoring reveals possible |
+ | evidence of criminal activity, system personnel may provide the |
+ | evidence of such monitoring to law enforcement officials. |
+ |-----------------------------------------------------------------|
+'''
+
diff --git a/ansible/roles/bastion/handlers/main.yml b/ansible/roles/bastion/handlers/main.yml
new file mode 100755
index 0000000..abab7ef
--- /dev/null
+++ b/ansible/roles/bastion/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart sshd
+ service:
+ name: "{{ ssh_service_name }}"
+ state: restarted
+ enabled: true
diff --git a/ansible/roles/bastion/tasks/admin_set.yml b/ansible/roles/bastion/tasks/admin_set.yml
new file mode 100755
index 0000000..3836c16
--- /dev/null
+++ b/ansible/roles/bastion/tasks/admin_set.yml
@@ -0,0 +1,7 @@
+---
+- name: user change
+ user:
+ name: "{{ username }}"
+ password: "{{ password | password_hash('sha512') }}"
+ state: present
+
diff --git a/ansible/roles/bastion/tasks/banner.yml b/ansible/roles/bastion/tasks/banner.yml
new file mode 100755
index 0000000..6a172c9
--- /dev/null
+++ b/ansible/roles/bastion/tasks/banner.yml
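Review bot: In login_banner the banner text is handed to `printf` as its format string (`printf '''…'''` is, in sh, an empty string followed by an ordinary single-quoted one), so any `%` that is later edited into the text would be treated as a conversion; print it as data with `printf '%s\n' '…'` or a quoted heredoc (`cat <<'EOF'` … `EOF`). Files under `/etc/update-motd.d` are shown after authentication, so an "authorized users only" notice here is not a pre-login banner; if that is the intent, also install the text as `/etc/issue.net` and set `Banner /etc/issue.net` in the sshd_config tasks.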
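Review bot: `user change` in admin_set.yml sets the root password (`username: root` in defaults) from a plaintext `password` default committed to the repo, and sudoers.yml reuses the same value for every admin and common account, so a single shared secret unlocks every account on the bastion; source it from ansible-vault or a lookup such as `password: "{{ lookup('env', 'BASTION_ROOT_PASSWORD') }}"` and give each account its own. `password_hash('sha512')` without a salt argument also yields a fresh hash on every run, so this task (and its copies in sudoers.yml) reports `changed` each time; pass a stable per-host salt as the second argument to make it idempotent.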
@@ -0,0 +1,29 @@
+---
+- name: Create a tar.gz archive of a single file.
+ archive:
+ path: /etc/update-motd.d/*
+ dest: /etc/update-motd.d/motd.tar.gz
+ format: gz
+ force_archive: true
+
+- name: remove a motd.d files
+ file:
+ path: /etc/update-motd.d/{{ item }}
+ state: absent
+ with_items:
+ - 10-help-text
+ - 85-fwupd
+ - 90-updates-available
+ - 91-release-upgrade
+ - 95-hwe-eol
+ - 98-fsck-at-reboot
+ - 50-motd-news
+ - 88-esm-announce
+
+- name: Create login banner
+ copy:
+ src: login_banner
+ dest: /etc/update-motd.d/00-header
+ owner: root
+ group: root
+ mode: 0755
diff --git a/ansible/roles/bastion/tasks/crictl.yml b/ansible/roles/bastion/tasks/crictl.yml
new file mode 100755
index 0000000..125a878
--- /dev/null
+++ b/ansible/roles/bastion/tasks/crictl.yml
@@ -0,0 +1,19 @@
+---
+- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
+ unarchive:
+ src: "{{ crictl_dl_url }}"
+ dest: "{{ crictl_bin_path }}"
+ owner: "{{ crictl_file_owner }}"
+ group: "{{ crictl_file_group }}"
+ extra_opts:
+ - crictl
+ remote_src: yes
+
+- name: Crictl command crontab setting
+ ansible.builtin.cron:
+ name: crontab command
+ minute: "0"
+ hour: "3"
+ user: root
+ job: "/usr/local/bin/crictl rmi --prune"
+
diff --git a/ansible/roles/bastion/tasks/login_defs.yml b/ansible/roles/bastion/tasks/login_defs.yml
new file mode 100755
index 0000000..f25702a
--- /dev/null
+++ b/ansible/roles/bastion/tasks/login_defs.yml
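Review bot: The archive task writes `motd.tar.gz` into the very directory it archives (`path: /etc/update-motd.d/*`, `dest: /etc/update-motd.d/motd.tar.gz`) and `force_archive: true` rewrites it on every run, so the second run's "backup" contains the previous tarball plus the role's own `00-header` rather than the original scripts; put `dest` outside that directory and skip the task once the backup exists (a `stat` + `when: not backup.stat.exists`). `mode: 0755` is an unquoted octal that happens to round-trip under YAML 1.1 but reads as decimal 755 under 1.2 rules; write `mode: "0755"` (likewise `0644` in pam.yml and `0640` in sshd_config.yml).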
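Review bot: `unarchive` in crictl.yml pulls the tarball straight from `crictl_dl_url` and extracts it into `/usr/local/bin` as root with no integrity check, so whatever the release endpoint serves is installed verbatim. Fetch it with `get_url` first and pin the digest (`checksum: "sha256:<expected digest placeholder>"`, or point `checksum` at the release's published `.sha256` file), then unarchive the local copy; `remote_src: yes` should also be `true` per the truthy convention. A nightly `crictl rmi --prune` cron on a bastion is surprising — if this host runs no container runtime, consider dropping the crictl tasks from this role altogether.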
@@ -0,0 +1,48 @@
+---
+- name: Set pass max days
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_MAX_DAYS.*$'
+ line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
+ backrefs: yes
+
+- name: Set pass min days
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_MIN_DAYS.*$'
+ line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
+ backrefs: yes
+
+- name: Set pass min length
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_MIN_LEN.*$'
+ line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
+ backrefs: yes
+
+- name: Set pass warn days
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^PASS_WARN_AGE.*$'
+ line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
+ backrefs: yes
+
+- name: Set password encryption to SHA512
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^ENCRYPT_METHOD\s.*$'
+ line: "ENCRYPT_METHOD\tSHA512"
+ backrefs: yes
+
+- name: Disable MD5 crypt explicitly
+ lineinfile:
+ dest: /etc/login.defs
+ state: present
+ regexp: '^MD5_CRYPT_ENAB.*$'
+ line: "MD5_CRYPT_ENAB NO"
+ backrefs: yes
diff --git a/ansible/roles/bastion/tasks/main.yml b/ansible/roles/bastion/tasks/main.yml
new file mode 100755
index 0000000..c9a3fe6
--- /dev/null
+++ b/ansible/roles/bastion/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- include: login_defs.yml
+ tags: login_defs
+
+- include: pam.yml
+ tags: pam
+
+- include: sshd_config.yml
+ tags: sshd_config
+
+- include: sudoers.yml
+ tags: sudoers
+
+- include: profile.yml
+ tags: profile
+
+- include: banner.yml
+ tags: banner
+
+- include: crictl.yml
+ tags: crictl
+
+- include: admin_set.yml
+ tags: admin_set
diff --git a/ansible/roles/bastion/tasks/pam.yml b/ansible/roles/bastion/tasks/pam.yml
new file mode 100755
index 0000000..ae1c637
--- /dev/null
+++ b/ansible/roles/bastion/tasks/pam.yml
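Review bot: Every task in login_defs.yml sets `backrefs: yes` although none of the `line` values uses a backreference, and with backrefs a non-matching `regexp` turns lineinfile into a silent no-op — so wherever a key is absent or present only in commented form (typically `#MD5_CRYPT_ENAB` on Ubuntu, and possibly `PASS_MIN_LEN`), the hardening is never written and the play still reports success. Drop `backrefs: yes` so a missing line is appended, and let each regexp also claim the commented form, e.g. `regexp: '^#?\s*MD5_CRYPT_ENAB'`. `MD5_CRYPT_ENAB NO` uses a space where the other lines use `\t`; harmless, but worth making consistent.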
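Review bot: `- include:` in tasks/main.yml is the legacy form that has been deprecated for years and is removed in recent ansible-core releases, so this role will stop loading on the next upgrade; use `- import_tasks: login_defs.yml` (static, so the `tags` keep applying to the imported tasks as they do now) or `- include_tasks:` with `apply: { tags: … }` if dynamic inclusion is wanted. Note that a bare `tags` on `include_tasks` tags only the include statement itself, not the tasks inside it.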
@@ -0,0 +1,50 @@
+---
+- name: Add pam_tally2.so
+ template:
+ src: common-auth.j2
+ dest: /etc/pam.d/common-auth
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Create pwquality.conf password complexity configuration
+ block:
+ - apt:
+ name: libpam-pwquality
+ state: present
+ install_recommends: false
+ - template:
+ src: pwquality.conf.j2
+ dest: /etc/security/pwquality.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Add pam_tally2.so
+ block:
+ - lineinfile:
+ dest: /etc/pam.d/common-account
+ regexp: '^account\srequisite'
+ line: "account requisite pam_deny.so"
+
+ - lineinfile:
+ dest: /etc/pam.d/common-account
+ regexp: '^account\srequired'
+ line: "account required pam_tally2.so"
+
+- name: password reuse is limited
+ lineinfile:
+ dest: /etc/pam.d/common-password
+ line: "password required pam_pwhistory.so remember=5"
+
+- name: password hashing algorithm is SHA-512
+ lineinfile:
+ dest: /etc/pam.d/common-password
+ regexp: '^password\s+\[success'
+ line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+- name: Shadow Password Suite Parameters
+ lineinfile:
+ dest: /etc/pam.d/common-password
+ regexp: '^password\s+\[success'
+ line: "password [success=1 default=ignore] pam_unix.so sha512"
diff --git a/ansible/roles/bastion/tasks/profile.yml b/ansible/roles/bastion/tasks/profile.yml
new file mode 100755
index 0000000..fb1b456
--- /dev/null
+++ b/ansible/roles/bastion/tasks/profile.yml
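Review bot: `password reuse is limited` appends `pam_pwhistory.so remember=5` with no `regexp` or `insertbefore`, so it lands at the end of common-password after the `pam_unix.so` line has already changed the password, where to my reading the history check can no longer reject a reused one; insert it ahead of pam_unix (`insertbefore: '^password\s+\[success'`) and take the count from the role's own, currently unused, default (`remember={{ passhistory }}`). The last two tasks (`password hashing algorithm is SHA-512` and `Shadow Password Suite Parameters`) are byte-identical and one should go, and the two tasks both named `Add pam_tally2.so` should get distinct names. The common-account edit replaces whatever `account required` line exists (on Ubuntu that is `pam_permit.so`) with `pam_tally2.so`; confirm on a test host that the account phase still ends in a permit, or every login may fail.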
@@ -0,0 +1,24 @@
+---
+- name: Set session timeout
+ lineinfile:
+ dest: /etc/profile
+ regexp: '^TMOUT=.*'
+ insertbefore: '^readonly TMOUT'
+ line: 'TMOUT={{shell_timeout}}'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set TMOUT readonly
+ lineinfile:
+ dest: /etc/profile
+ regexp: '^readonly TMOUT'
+ insertafter: 'TMOUT={{shell_timeout}}'
+ line: 'readonly TMOUT'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set export TMOUT
+ lineinfile:
+ dest: /etc/profile
+ regexp: '^export TMOUT.*'
+ insertafter: 'readonly TMOUT'
+ line: 'export TMOUT'
+ state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
diff --git a/ansible/roles/bastion/tasks/sshd_config.yml b/ansible/roles/bastion/tasks/sshd_config.yml
new file mode 100755
index 0000000..6b9f7a3
--- /dev/null
+++ b/ansible/roles/bastion/tasks/sshd_config.yml
@@ -0,0 +1,30 @@
+---
+- name: Configure ssh root login to {{sshrootlogin}}
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(#)?PermitRootLogin.*'
+ line: 'PermitRootLogin {{sshrootlogin}}'
+ insertbefore: '^Match.*'
+ state: present
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart sshd
+
+- name: SSH Listen on Main Port
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ insertbefore: '^#*AddressFamily'
+ line: 'Port {{sshmainport}}'
+ state: present
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart sshd
+
+- name: "Setting sshd allow users"
+ template:
+ src: allow_users.j2
+ dest: "/etc/ssh/sshd_config.d/allow_users.conf"
+ notify: restart sshd
+
diff --git a/ansible/roles/bastion/tasks/sudoers.yml b/ansible/roles/bastion/tasks/sudoers.yml
new file mode 100755
index 0000000..ca03846
--- /dev/null
+++ b/ansible/roles/bastion/tasks/sudoers.yml
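Review bot: `SSH Listen on Main Port` adds `Port {{sshmainport}}` without a `regexp`, so lineinfile only checks whether that exact line exists; when `sshmainport` is changed later the old `Port` line survives and sshd listens on both, which silently defeats the port move — add `regexp: '^#?Port\s'`. None of the three tasks validates the edited file before the `restart sshd` handler fires, and on a bastion reachable only over SSH a bad line means a lockout; add `validate: '/usr/sbin/sshd -t -f %s'` to the lineinfile and template calls. The role also leaves `PasswordAuthentication` untouched while sudoers.yml assigns the shared default password to every account it creates, so the `AllowUsers` + `authorized_key` setup is still bypassable with that password; set `PasswordAuthentication no` here once keys are in place.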
@@ -0,0 +1,95 @@
+---
+- name: "Create devops group"
+ ansible.builtin.group:
+ name: "devops"
+ state: present
+
+- name: "get current users"
+ shell: "cat /etc/passwd | egrep -iv '(false|nologin|sync|root)' | awk -F: '{print $1}'"
+ register: deleting_users
+
+- name: "Delete users"
+ ansible.builtin.user:
+ name: "{{ item }}"
+ state: absent
+ remove: yes
+ with_items: "{{ deleting_users.stdout_lines }}"
+ when: item != ansible_user
+ ignore_errors: true
+
+
+- name: "Create admin user"
+ ansible.builtin.user:
+ name: "{{ item.name }}"
+ group: "devops"
+ shell: "/bin/bash"
+ system: yes
+ state: present
+ with_items: "{{ admin_users }}"
+ when:
+ - item.name is defined
+ - item.key is defined
+ ignore_errors: true
+
+- name: user change
+ user:
+ name: "{{ item.name }}"
+ password: "{{ password | password_hash('sha512') }}"
+ state: present
+ with_items: "{{ admin_users }}"
+ when:
+ - item.name is defined
+ - item.key is defined
+ ignore_errors: true
+
+- name: key add
+ authorized_key:
+ user: "{{ item.name }}"
+ state: present
+ key: "{{ item.key }}"
+ with_items: "{{ admin_users }}"
+ when:
+ - item.name is defined
+ - item.key is defined
+ ignore_errors: true
+
+
+- name: "Create common user"
+ ansible.builtin.user:
+ name: "{{ item.name }}"
+ group: "users"
+ shell: "/bin/bash"
+ system: yes
+ state: present
+ with_items: "{{ allow_users }}"
+ when:
+ - item.name is defined
+ - item.key is defined
+ ignore_errors: true
+
+- name: user change
+ user:
+ name: "{{ item.name }}"
+ password: "{{ password | password_hash('sha512') }}"
+ state: present
+ with_items: "{{ allow_users }}"
+ when:
+ - item.name is defined
+ - item.key is defined
+ ignore_errors: true
+
+- name: key add
+ authorized_key:
+ user: "{{ item.name }}"
+ state: present
+ key: "{{ item.key }}"
+ with_items: "{{ allow_users }}"
+ when:
+ - item.name is defined
+ - item.key is defined
+ ignore_errors: true
+
+- name: "Setting sudoers allow users"
+ template:
+ src: sudoers_users.j2
+ dest: 
"/etc/sudoers.d/sudoers_users" diff --git a/ansible/roles/bastion/templates/allow_users.j2 b/ansible/roles/bastion/templates/allow_users.j2 new file mode 100755 index 0000000..ad7f003 --- /dev/null +++ b/ansible/roles/bastion/templates/allow_users.j2 @@ -0,0 +1,10 @@ +{% if admin_users is defined %} +{% for user in admin_users %} +AllowUsers {{ user.name }}@{{ user.ip }} +{% endfor %} +{% endif %} +{% if allow_users is defined %} +{% for user in allow_users %} +AllowUsers {{ user.name }}@{{ user.ip }} +{% endfor %} +{% endif %} diff --git a/ansible/roles/bastion/templates/common-auth.j2 b/ansible/roles/bastion/templates/common-auth.j2 new file mode 100755 index 0000000..64a603b --- /dev/null +++ b/ansible/roles/bastion/templates/common-auth.j2 
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+auth required pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+auth required pam_permit.so
+# since the modules above will each just jump around
+# and here are more per-package modules (the "Additional" block)
+auth optional pam_cap.so
+# end of pam-auth-update config
diff --git a/ansible/roles/bastion/templates/pwquality.conf.j2 b/ansible/roles/bastion/templates/pwquality.conf.j2
new file mode 100755
index 0000000..3ec2cbe
--- /dev/null
+++ b/ansible/roles/bastion/templates/pwquality.conf.j2
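Review bot: The template hard-codes `auth required pam_tally2.so` at the top of the stack; Linux-PAM 1.5 dropped pam_tally2 (Ubuntu 22.04 and later ship pam_faillock instead), and a `required` module that cannot be loaded fails every authentication, so applying this file to such a release locks all users out of the bastion. Gate the line on the installed PAM version or switch to the pam_faillock pair (`auth required pam_faillock.so preauth …` before pam_unix and `auth [default=die] pam_faillock.so authfail …` after it). `even_deny_root` combined with `unlock_time={{unlock_time}}` lets repeated failed attempts against root lock that account as well, which is acceptable only if out-of-band console access exists. The `deny`/`unlock_time` variables duplicate the unused `fail_deny`/`fail_unlock` defaults; keep one set.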
@@ -0,0 +1,50 @@
+# Configuration for systemwide password quality limits
+# Defaults:
+#
+# Number of characters in the new password that must not be present in the
+# old password.
+# difok = 5
+#
+# Minimum acceptable size for the new password (plus one if
+# credits are not disabled which is the default). (See pam_cracklib manual.)
+# Cannot be set to lower value than 6.
+minlen = {{pwquality_minlen}}
+#
+# The maximum credit for having digits in the new password. If less than 0
+# it is the minimum number of digits in the new password.
+dcredit = {{pwquality_dcredit}}
+#
+# The maximum credit for having uppercase characters in the new password.
+# If less than 0 it is the minimum number of uppercase characters in the new
+# password.
+ucredit = {{pwquality_ucredit}}
+#
+# The maximum credit for having lowercase characters in the new password.
+# If less than 0 it is the minimum number of lowercase characters in the new
+# password.
+lcredit = {{pwquality_lcredit}}
+#
+# The maximum credit for having other characters in the new password.
+# If less than 0 it is the minimum number of other characters in the new
+# password.
+ocredit = {{pwquality_ocredit}}
+#
+# The minimum number of required classes of characters for the new
+# password (digits, uppercase, lowercase, others).
+# minclass = 0
+#
+# The maximum number of allowed consecutive same characters in the new password.
+# The check is disabled if the value is 0.
+maxrepeat = {{pwquality_maxrepeat}}
+#
+# The maximum number of allowed consecutive characters of the same class in the
+# new password.
+# The check is disabled if the value is 0.
+# maxclassrepeat = 0
+#
+# Whether to check for the words from the passwd entry GECOS string of the user.
+# The check is enabled if the value is not 0.
+# gecoscheck = 0
+#
+# Path to the cracklib dictionaries. Default is to use the cracklib default.
+# dictpath =
diff --git a/ansible/roles/bastion/templates/sudoers_users.j2 b/ansible/roles/bastion/templates/sudoers_users.j2 new file mode 100755 index 0000000..b6a1f90 --- /dev/null +++ b/ansible/roles/bastion/templates/sudoers_users.j2 @@ -0,0 +1,5 @@ +{% if allow_users is defined %} +{% for user in admin_users %} +{{ user.name }} ALL=(ALL) NOPASSWD: ALL +{% endfor %} +{% endif %} diff --git a/ansible/roles/security-settings/defaults/main.yml b/ansible/roles/security-settings/defaults/main.yml index 7a7c024..0d83d5f 100755 --- a/ansible/roles/security-settings/defaults/main.yml +++ b/ansible/roles/security-settings/defaults/main.yml @@ -39,5 +39,5 @@ crictl_file_owner: root crictl_file_group: root # temp -username: -password: +username: root +password: saasadmin1234!@#$ diff --git a/ansible/roles/security-settings/files/allow_users.conf b/ansible/roles/security-settings/files/allow_users.conf new file mode 100644 index 0000000..b8a221d --- /dev/null +++ b/ansible/roles/security-settings/files/allow_users.conf @@ -0,0 +1,2 @@ +AllowUsers *@10.20.142.* +AllowUsers *@10.10.43.* diff --git a/ansible/roles/security-settings/tasks/sshd_config.yml b/ansible/roles/security-settings/tasks/sshd_config.yml index 438a65a..58ce1cd 100755 --- a/ansible/roles/security-settings/tasks/sshd_config.yml +++ b/ansible/roles/security-settings/tasks/sshd_config.yml @@ -21,3 +21,12 @@ group: root mode: 0640 notify: restart sshd + +- name: SSH AllowUsers Setting + copy: + src: allow_users.conf + dest: /etc/ssh/sshd_config.d/allow_users.conf + owner: root + group: root + mode: 0644 + diff --git a/ansible/rsa_key/asdf.sh b/ansible/rsa_key/asdf.sh new file mode 100644 index 0000000..e376f98 --- /dev/null +++ b/ansible/rsa_key/asdf.sh @@ -0,0 +1,4 @@ +while read line +do + echo ${line} +done < ip_list diff --git a/ansible/rsa_key/ip_list b/ansible/rsa_key/ip_list new file mode 100644 index 0000000..511e083 --- /dev/null +++ b/ansible/rsa_key/ip_list 
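Review bot: sudoers_users.j2 guards on `{% if allow_users is defined %}` but then iterates `admin_users`, so a play that defines only `allow_users` fails to render (undefined `admin_users`) and one that defines only `admin_users` silently produces an empty sudoers file; the guard should be `{% if admin_users is defined %}`. Every rendered line is `ALL=(ALL) NOPASSWD: ALL`, which together with the shared default password on each account removes the last check before root — now that each admin has a personal account, consider dropping `NOPASSWD:`.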
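Review bot: In security-settings/defaults/main.yml, `password: saasadmin1234!@#$` commits a plaintext root password for every host the role is applied to (the same pattern as `password: saasadmin1234` in the new bastion defaults). Restore the empty `username:`/`password:` placeholders, supply the value from ansible-vault or `lookup('env', …)` at run time, and rotate the credential since it is now in repository history. If the value is ever moved into a quoted string, note that plain `!@#$` happens to parse as intended today only because `#` is not preceded by whitespace.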
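Review bot: `SSH AllowUsers Setting` in security-settings/tasks/sshd_config.yml copies the drop-in into `sshd_config.d` but, unlike the task whose tail forms this hunk's context, has no `notify: restart sshd`, so the allow-list is not enforced until something else restarts the daemon; add `notify: restart sshd`. The shipped allow_users.conf permits `*@10.20.142.*` and `*@10.10.43.*`, i.e. any account from those two subnets, which narrows source addresses but not users — fine if intentional, but worth a comment in the file. The preceding task starts outside this hunk.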
@@ -0,0 +1,37 @@ +10.10.43.111 +10.10.43.112 +10.10.43.113 +10.10.43.114 +10.10.43.115 +10.10.43.116 +10.10.43.117 +10.10.43.118 +10.10.43.119 +10.10.43.120 +10.10.43.121 +10.10.43.122 +10.10.43.123 +10.10.43.124 +10.10.43.125 +10.10.43.126 +10.10.43.127 +10.10.43.128 +10.10.43.129 +10.10.43.130 +10.10.43.131 +10.10.43.132 +10.10.43.133 +10.10.43.134 +10.10.43.135 +10.10.43.136 +10.10.43.137 +10.10.43.138 +10.10.43.140 +10.10.43.141 +10.10.43.142 +10.10.43.143 +10.10.43.144 +10.10.43.145 +10.10.43.146 +10.10.43.147 +10.10.43.148 diff --git a/ansible/rsa_key/key.sh b/ansible/rsa_key/key.sh index 70cb25e..45ca457 100755 --- a/ansible/rsa_key/key.sh +++ b/ansible/rsa_key/key.sh @@ -2,7 +2,7 @@ set password [lindex $argv 0] set host [lindex $argv 1] -spawn ssh-copy-id -o StrictHostKeyChecking=no ubuntu@$host +spawn ssh-copy-id -o StrictHostKeyChecking=no root@$host expect "password:" send "$password\n" expect eof diff --git a/ansible/rsa_key/test.sh b/ansible/rsa_key/test.sh index c4f0cae..6a3b2a1 100755 --- a/ansible/rsa_key/test.sh +++ b/ansible/rsa_key/test.sh @@ -1,13 +1,9 @@ #!/bin/bash -if [ -z "$BASH_VERSION" ]; then exec bash "$0" "$@"; exit; fi +#if [ -z "$BASH_VERSION" ]; then exec bash "$0" "$@"; exit; fi -if [ $1 == '' ]; then exit -else; passwd=$1 +passwd=$1 while read ip do - echo ${ip} - #./key.sh ${passwd} ${ip} - + ./key.sh ${passwd} ${ip} done < ip_list - diff --git a/ansible/security.yaml b/ansible/security.yaml old mode 100755 new mode 100644 index efdbf8a..a3ee60a --- a/ansible/security.yaml +++ b/ansible/security.yaml @@ -5,5 +5,5 @@ roles: - security-settings vars: - sshrootlogin: 'no' + sshrootlogin: 'forced-commands-only'
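Review bot: key.sh now targets `root@$host`, so key distribution relies on password-authenticated root SSH on every node; in the same commit security.yaml changes the fleet's `sshrootlogin` from `'no'` to `'forced-commands-only'`, which only admits root key logins whose authorized_keys entry carries a `command=` option, and `ssh-copy-id` installs keys without one — so after the security role runs, root logins with these keys will be refused. Keep the unprivileged `ubuntu@$host` target with `become` for key distribution, or, if key-only root access really is the goal, set `sshrootlogin: 'prohibit-password'` instead; no forced command is configured anywhere in the role.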
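Review bot: The removed `if [ $1 == '' ]` guard was the only check on the argument, so `passwd=$1` with no argument now runs `./key.sh '' <ip>` against every host in `ip_list`; restore it as `[ -z "$1" ] && { echo "usage: $0 <password>" >&2; exit 1; }`. The password is also passed to key.sh on its command line, where it is visible in the process list to every local user for the duration of each expect session; read it from stdin or an environment variable instead. `${passwd}` and `${ip}` should be double-quoted in the loop.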