bastion update

ansible/bastion.yml

@@ -0,0 +1,95 @@
+---
+- hosts: bastion
+  become: true
+  gather_facts: true
+  roles:
+    - role: bastion
+  vars:
+    - sshmainport: 2222
+      admin_users:
+        - name: "minchulahn"
+          ip: "10.20.142.22"
+          description: "안민철"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKDxtkcfx2ITlT2Yh7ZCT79do/25YQ2vROz38m8veAuBhOw+75oZJ4nN//zOWaaMvpC3Z7NIzOR+3UeukhnLZ591q8AaHcKjV8JEJMo2pvpH1vdLcTL9baLqWrxzgRimnZUNf5n5HNr+AKoXuPp//aVSJSoeznb66r04/rJSetT0QGDC8Kj5Q+MNvdd0/3U/nu7JxW9LIEaLoeiX6mVb4PpV7kl3rI3Vut/GnWakOhbS4yNvIFdR6d8rv305/BXJOz/aWy+0j7qK+NBzbSsI/l0vVUHfeD3whYGePCpWmj73ZsMTMjIjrC8DpRQlOJlAZ0GVpQnd/ayIWi4+V8VjvFcd6vSqrhhsNoOyo0Y/6cyO6iyvKqohMK6+HF1w6aXoaGCFFSl/3gw63saNAsdZPArnwf5yZ6GfPa/9bRn2k9g5xfp97Itpo6Iqq+PuRcZOes0EiIQe2hOoYQEIHIRhf8CZ+Xf6W1+XZB+WxEzUe4GCCwgUdTB6RIr4ThDxwCBV0="
+
+        - name: "havelight"
+          ip: "10.20.142.21"
+          description: "정재희"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUAppqxDLltrMsYMwIxGi0FA5STA/R+H6oy7myfiJP2Lt4woCogMi3ELVKEhFkeJx4i8y9G80lynEYCHRH1kAQ/7YaJEVFrPXTvBw+OVxYdVS/gLl0rL89ky+n0dv6A9mancrvUOMacI5aN7/W+EhoLohRjRbWlsPGNnvAmO0AZnt595aMUjFkdhusGyBVunDUFSitj9TFkjxDhr6cx8Bi0FLpvdsoAvfqiw/MVKW2pMgj56AT5UCT0wvtSHSNY/C731jP/RKrxP0fnVhIkVys/XmLV/6SVEqL1XwqMTvRfi5+Q8cPsXrnPuUFHiNN4e/MGJkYi0lg7XbX8jDXv3ybdxZ7lGiUDebxjTKBCCghFae3eAwpJADEDfrzb8DHJZFwJVVdKGXvStTWTibcs14ilRPcB4SWIBx/cFCzwOBK/iw8CfEfsbVe6WQbDc4T4LrgL8cUzHPOO8CQcC4DV/O3BuoqQExu6xTmU8rhLT9kgatIdX0K5jgGbuqz7c2lelU="
+
+        - name: "sa_8001"
+          ip: "10.20.142.50"
+          description: "변정훈"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgvFtLP7A1bR2ANxHiyTalgaI2pvxnCAzsqTAAh/+egIOi2vUIC2jRWGQXyoiTlupdNWQli2D93tEJBvG3VO5LOVocOHsFnFcV8RsiR4QGhqMeXRfMBWbf7Prby0qWv/VQ00gNWEgEjZUhOfBQeJsozGTd3dS4AgRnQkQmnvCT6TWD7+GwMg1SDlu/23y5aKLmpLkVT9kEG3yxZ3rWQfepjAubt+/saZPtyhkmc9+qhe2K+6PCZU2MCh6TYoKrcRUhVaJLvWqS35/Cv/9oxLg7lZwsasHFO9ANXWV9gBelCXLpYosN5hylUvl4JmSN+/qiOH3hpEbOtTCY/ZU0o1/xXLr0pmbYpZoT6zMKZ5fkweW7xidrg/bI1s/4+DVf4c/NJehw4PL3sqRmVdJsriFUifywh05Up5j1NQANiFlFngwEWy81cWRyvSL5q/plJHSvpd6g+WbsyC/QqYNAhxjnEosOb52QGZmLL7GqaC1hdKDOlJYZK63EBQ8YpHqGHo0="
+
+      allow_users:
+        - name: "wkd1994"
+          ip: "10.20.142.28"
+          description: "김동우"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDtmuAhVVyVJ87+t2xVtiS3bvTxxn0dmD7t4D2iSvSErIjRsXRCPLdc/yGWiezj+oVZtRPLJ2mjKToGUerdkcW8oqiQeL0+x/CjdlS2rQXvQa2HXCjB+MejwZyJ2bl7VDtIMdLianJBn7+XVc48+bIf7yait8yVH1aVWcS/AXOSo9LwX/uNW5VCL5BeXSGwXdwkuhjeJurR4WIVSBXuh1ql5Vy6BdSxcmLMihNlIL/DyuzfPLuQZbuSeaJ7eJKiHu63/SwBA1cPzj9tgI7zNvguapIHKXvoK8n5gNUXVRDGnD4J6xbzUQB3DbU8kaz7pDClxzgpkf3MnvP9QvnTyqV+aftYlb02as0PrwIxlTlW/sBxyEGdFe+JwoTctHkrSfp0lYRpyCv3eXJcdDu2l3dTJXAHlpcJuQRH2j9herURxML0w6re1iKJ8MAjOqUvh+B3A1U3x116zEGdsCNCRcfwehEir7fmGKaPvrmOiDOTlNswdL/OJ1RHKFuEZJPlUr8="
+
+        - name: "djkim"
+          ip: "10.20.142.36"
+          description: "김득진"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9Go9pLADJUQtq+ptTAcSIpi+VYv5/Kik0lBuV8xEc++vNtix5kwi+XSsNShHM3MVeiE8J27rYfyNn79r5pVKMuasMRyP3mTDZtRKr7/piM8MXuGSu1jCsVrTBZX0Sf4wuOA1tSkG9QgjBMZfvE9jOSYozA1K85mVE28m2rTihPnL5zYsDKnx+xIcwUBTpkOCoHiAfAX9b5ADAfScJigSZDjFLvexJ1aapPV2Iajh8huIhWvCUhrqUv/ldUm+b1iiOT7GXdrM/cam3FnLZ0b5KI9CQb7084+4l0BlmtPkuFcIlTDm1K6YO7+Mewd+F9uQZwvxGuElBPg8NVgFLD7+nrf2VlJYYCAeChyDV5+ZD70pSTcvHpJbmLKMtRFGov73ZPJ3vld9XCGUCajaoZz5Kz+ANmSC9nl3FpxnYgvFWfS7iwyC+VkGRKUg96/crXz4D8fW/wIskt+3cVrW9Z66psH41ll979mC8xly0ITWwbQZv7rvbdWSDVKVRgbXQOSc="
+
+        - name: "sanghee1357"
+          ip: "10.20.142.40"
+          description: "김상희"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC45maYW137cwvdS8AE9UzNHq9AMYrkEJtoNDAOVkUXtpVQITqvBCc4B4FfR5JK2h+imnBDng5fu728YAB7q31BE3Wub8I+QWhnQgv+kH1yMWj2s329tkHvcyNWIHSBqw4z1N74Zba+7mojKioju27HdcRcN1L7tpXSCHrq5bU6++CMShpZ7a3wo20RfikFWd563Y15mE3uDqlbkcuzE0KGSNrdY6Gy9aiE3/poVQRLaCmXnUKNw9wM3UGN9DanJi6iosXrlZRkpwhV+tHh2x+BWCbyY8jj94RDJgMwoKw71tzlEp+B1k6a7g+lEo3KFP//3PQxc9fdKBdg1YzSAKGKjsqATEVclmQHVskk6wZQC/wcjFxrSOreSp6knswX9AhIvGhMtoVo9iMy9cm+F4AauzjjfszCMO484983hIYwsh321VB14Wg7NroCYMUh7krATeKmNWhK0YicYCXINVMphBAcXFhuJduPejz19ZN356t+F/LDqlCxW7kO9QfYUy0="
+
+        - name: "jinbekim"
+          ip: "10.10.142.48"
+          description: "김진범"
+
+        - name: "bypark"
+          ip: "10.20.142.26"
+          description: "박병욱"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZig/9xMWR3QhwHPbkvY2b9nmHiWkJHgnztGfIyxVTmkcsr9QViIvNUINlRBlE2+I5j7R2+0qI5GkAYndJsQoZiZ3iPqxnM5KdB9bEbWS5Tv7pbGyHyzaYPMUS3g6ZRMKnbJlAmhOLuq4TNYaUSESvaiYbCbaZK2JdsfPtSC99Gez6+HNoapILeg6xkxLnMsgUG6QzGaZyRABlPRbctGfx2U7cYe/7b7T+/yNtMU2FKrAJqcy0S1IUzc/dK2m5SQ3Y2GMohuGkv8mfs16i0wi3LfgEIatsmj2KB7Y7lIYW/GEZA2I+K2uH9Pu+F/kmGvAu5jNd1ztSo9MgElyu2NMXYhM3f/eDD+PdHKjUvOtE5twNBHQooPjBpp/mja4hnxLKepTqgP1t6azncPB8m6jC6MTbkhOHpgSNXurhx0kCurLA+l9KaySidhc0mFNJZGRKAhQoMIDFgXlzkZ4GmmtbfOJ/J1k7QqHZya5x6M4mOfvlPECFKVF24vzJVEulY3E="
+
+        - name: "joonsoopark"
+          ip: "10.20.142.33"
+          description: "박준수"
+          key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETt3DbkOgMY40sI0+dOxa3A/6o4yxNpoUWuuaSuUR/P"
+
+        - name: "baekchan1024"
+          ip: "10.20.142.39"
+          description: "백승찬"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaqqy9YVwxh37xOU0nytBPd6GEJe30e1L/K5UXDZToteNebyfQrtFogxB6MpMNaAzAk6qbyPuZA3rgP8Y+qXgRlx88cxje5P5yOCsMW2o3xD5PiJ7lluWQ9tlS5ti4B9EWurJOsGF27XKKuSHN+dx9ZIb4sDqLYzmycPNwFaEtH6GQ2vjqpPMfjmKAuYmKD4L7mdA8lXTiRS2uYDkUxwQ+6PU+axTauD9qsXuGDAnGkVHKNE0o9OCf1uoyOhy6EB2sDz5Pymr7fbRJauWNxuSJdYPKY33GdDKpioP/1nRLSLtr1nvLHVrG/5CSNO1x20WYXFEGoMTzW4T5nYSS61apHkQ/0Csv0LBeHPc9gsMPobNJpIYlvGwdODQ+fpgxyB4SAQJKtQR1YB4w5OVtXVZAMvZZKI9gQQHZ8wQ4Zk0erGxKeyLxnDrKKNHLRPyUrjkL7H2a0i8BGpdk8sxW9NVrJJGgmQQiPbJx0yvIi1n55mUq+ZVjiF5qPvxtc5D133k="
+
+        - name: "jungry"
+          ip: "10.20.142.44"
+          description: "서정우"
+
+        - name: "ose"
+          ip: "10.20.142.34"
+          description: "오승은"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAlYSGJZpOOEPZqIa1/CXxiaUNj1wsgkp0kEyD2SX8r7ovwmSAWCS24v/IOSgsUTFRpL64vIeCtcZ8sj4Hwzd3F2h+carQP0v+leCkzPpQ7aP/BoPS27+fSCzaOZv/QJ+eIcXWHIbWkXf6MYQ35PykDeJIO61OMOlWhpNV425VSwfZoB72xZmEH+rIZjXHHs8vYtIG2sXZE22BLiVw6PEL/C4QB2khBT5ZAjX2xGEzUoSknzva/8Uu20adQBalFTIdyLV7V6CxkIPkSgfmZh/fqXfbfPsxHLPK2o2ueGbx3fcN3kAqFrqpJgjEIZmNj6qhVPtbN5TSUyIjtoPhC4JR0heqckz1qLah+8lSiUfHSblGW89QuUcedHdwHp/RiZW6HQO0cqS/QPNcgPLTiv68voBapS9rav+j0tt1RynNY+AdhCOoo4BbGW0pXqi0vaHzbbfbzxp78kx/7/KXmUHkzGSkmlXVbKqzDm5k/kRn0q4pimDun42b+MjNYu3gZz0="
+
+        - name: "gurwns1540"
+          ip: "10.20.142.35"
+          description: "윤혁준"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1+kC8LzDxwc4gfiGzUQH+CeKGf+elX3oKciMmLQJmpddlcWuRthq1pszufHjypT/FfC/XVLZkGvjMDJUWro/Pen3RcdTcENteVZO/nzQ89nmS/D3tbg6nVWxiast6bDdSEdPF8CKSUAlA+8hTgSCWou7TtOuWGCKj+6HSHctBA41WFLpYInYHWTnC+LY1nwOurjG4qjmgdEzBXMhLWvuZDVE21oIUMEXbjW1dXhHNMKfyn/mUqSSG9zoXZSK0KB8OHhBsbxzFqu5cXC1TTpJOyX05730LUdwF9MevreUS3ws5NY8h0C6EVAOMQqeH5gkwVTHsyXQHtXB9nGI1g7sMIjEzJHkOygK17nAfapWhGFahhaaq42qdo7N3Pj8IjrY3S9EDXnPtQODROj3JVzo3Sgd2FUKDcAIWwJHMAwkaFqciPGIrj4ib81NbOoWn7oCjbIyDxgoxSp1vpW7C25rL22LtrCHyMWPbhV19FJIZqtg7f94JptzLND1pHDnsnfeNAxz9d6oKdcJW5bXUDeDCQxBio1RBF6nNzSRoiD0+FD29of9wNWRd2cBkR8uJV7P9XfXMzMK5q7Wqte/DABs3wJ3v/cth6kPrRV7j2h+4DGbEj5Mpz8XAFnGkZFmd/UiSbNqRBLKmp0lPpyxZrRU00xuqJ51pYB2wMwkQgOIVuw=="
+
+        - name: "yyeun"
+          ip: "10.20.142.45"
+          description: "이예은"
+
+        - name: "sujung"
+          ip: "10.20.142.27"
+          description: "정성락"
+          key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbI5DjRkABz65NnREzf5HKKIMPrIA4DrnDDXTrjnRH8"
+
+        - name: "antcho"
+          ip: "10.20.142.46"
+          description: "조혜수"
+
+        - name: "stdhsw"
+          ip: "10.20.142.32"
+          description: "한승우"
+          key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANTMTgqbTtIKKRsZU9An9D3La9Fh1bUtiLE/Y0nL4CZ"
+
+        - name: "seungjinjeong"
+          ip: "10.20.142.41"
+          description: "정승진"
+          key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDi8funYVM0eRmfplW5EdnfJOFEVDEMMw08VRn6FD9x9VuNWCEkY3iErzekBY2SRat8g6q0VXRyu7b/bhm/kD+BtI79fmz9FKxslTZCeKKN1KWfoZoXSRnvjOX1Y6NDnY2X5M+3kN40ek9ku6abN6lOtInTXJ1QOJIISa8l6vrB/j1xVVZghTYY5MBMc89cRZESGdBZWld0CtmoM+mnjh5vWCCA3VJTcDbj5LKtWllA6t58KwtGBikr8iaOpi83dQ91eXWzxTttl/LCe9bfgSxYlmvZILn0UZMu1WiWBhlIBzC6RlxorkDVRXcSRjguEt+/ys2rv6UTSkm150O4PgjgxlZPmTJt1m5y/St57LELUVbV6XGSq6+eZNTZOYBxxRkKcV0uByCBjxjsVlMmoEZoxedhSVT1Z8/AiMnjPBjXx2ease04EvtZs6rpDRd0puzcx1TKoCkyak60ymxc91X9lQg3kUl0av/G5kMKJQqW6v31GA1Vnh4K9haCVF/Ki/M="

ansible/inventory

@@ -0,0 +1,6 @@
+[datasaker-demo]
+10.10.43.100
+10.10.43.101
+
+[bastion]
+10.10.43.43 ansible_port=2222 ansible_user=havelight

ansible/inventory.ini

@@ -24,6 +24,7 @@
 10.10.43.133
 10.10.43.134
 10.10.43.135
+10.10.43.136
 10.10.43.137
 10.10.43.138
 10.10.43.140
@@ -34,4 +35,4 @@
 10.10.43.145
 10.10.43.146
 10.10.43.147
-
+#10.10.43.148

ansible/node.yaml

@@ -4,4 +4,3 @@
   become: true
   roles:
     - node
-

ansible/roles/bastion/defaults/main.yml

@@ -0,0 +1,43 @@
+# Password aging settings
+os_auth_pw_max_age: 90
+os_auth_pw_min_age: 1
+os_auth_pw_warn_age: 7
+passhistory: 2
+
+# Inactivity and Failed attempts lockout settings
+fail_deny: 5
+fail_unlock: 0
+inactive_lock: 0
+shell_timeout: 300
+
+# tally settings
+onerr: 'fail'
+deny: 5
+unlock_time: 300
+
+# Password complexity settings
+pwquality_minlen: 9
+pwquality_maxrepeat: 3
+pwquality_lcredit: -1
+pwquality_ucredit: -1
+pwquality_dcredit: -1
+pwquality_ocredit: -1
+
+# SSH settings
+sshrootlogin: 'yes'
+sshmainport: 22
+ssh_service_name: sshd
+
+# Crictl setup
+crictl_app: crictl
+crictl_version: 1.25.0
+crictl_os: linux
+crictl_arch: amd64
+crictl_dl_url: https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/{{ crictl_app }}-v{{ crictl_version }}-{{ crictl_os }}-{{ crictl_arch }}.tar.gz
+crictl_bin_path: /usr/local/bin
+crictl_file_owner: root
+crictl_file_group: root
+
+# temp
+username: root
+password: saasadmin1234

ansible/roles/bastion/files/login_banner

@@ -0,0 +1,20 @@
+#!/bin/sh
+printf '''
+  |-----------------------------------------------------------------|
+  | This system is for the use of authorized users only.            |
+  | Individuals using this computer system without authority, or in |
+  | excess of their authority, are subject to having all of their   |
+  | activities on this system monitored and recorded by system      |
+  | personnel.                                                      |
+  |                                                                 |
+  | In the course of monitoring individuals improperly using this   |
+  | system, or in the course of system maintenance, the activities  |
+  | of authorized users may also be monitored.                      |
+  |                                                                 |
+  | Anyone using this system expressly consents to such monitoring  |
+  | and is advised that if such monitoring reveals possible         |
+  | evidence of criminal activity, system personnel may provide the |
+  | evidence of such monitoring to law enforcement officials.       |
+  |-----------------------------------------------------------------|
+'''
+

ansible/roles/bastion/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart sshd
+  service:
+    name: "{{ ssh_service_name }}"
+    state: restarted
+    enabled: true

ansible/roles/bastion/tasks/admin_set.yml

@@ -0,0 +1,7 @@
+---
+- name: user change
+  user:
+    name: "{{ username }}"
+    password: "{{ password | password_hash('sha512') }}"
+    state: present
+

ansible/roles/bastion/tasks/banner.yml

@@ -0,0 +1,29 @@
+---
+- name: Create a tar.gz archive of a single file.
+  archive:
+    path: /etc/update-motd.d/*
+    dest: /etc/update-motd.d/motd.tar.gz
+    format: gz
+    force_archive: true
+
+- name: remove a motd.d files
+  file:
+    path: /etc/update-motd.d/{{ item }}
+    state: absent
+  with_items:
+    - 10-help-text
+    - 85-fwupd
+    - 90-updates-available
+    - 91-release-upgrade
+    - 95-hwe-eol
+    - 98-fsck-at-reboot
+    - 50-motd-news
+    - 88-esm-announce
+
+- name: Create login banner
+  copy:
+    src: login_banner
+    dest: /etc/update-motd.d/00-header
+    owner: root
+    group: root
+    mode: 0755

ansible/roles/bastion/tasks/crictl.yml

@@ -0,0 +1,19 @@
+---
+- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
+  unarchive:
+    src: "{{ crictl_dl_url }}"
+    dest: "{{ crictl_bin_path }}"
+    owner: "{{ crictl_file_owner }}"
+    group: "{{ crictl_file_group }}"
+    extra_opts:
+      - crictl
+    remote_src: yes
+
+- name: Crictl command crontab setting
+  ansible.builtin.cron:
+    name: crontab command
+    minute: "0"
+    hour: "3"
+    user: root
+    job: "/usr/local/bin/crictl rmi --prune"
+ 

ansible/roles/bastion/tasks/login_defs.yml

@@ -0,0 +1,48 @@
+---
+- name: Set pass max days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MAX_DAYS.*$'
+    line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
+    backrefs: yes
+
+- name: Set pass min days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MIN_DAYS.*$'
+    line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
+    backrefs: yes
+
+- name: Set pass min length
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MIN_LEN.*$'
+    line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
+    backrefs: yes
+
+- name: Set pass warn days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_WARN_AGE.*$'
+    line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
+    backrefs: yes
+
+- name: Set password encryption to SHA512
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^ENCRYPT_METHOD\s.*$'
+    line: "ENCRYPT_METHOD\tSHA512"
+    backrefs: yes
+
+- name: Disable MD5 crypt explicitly
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^MD5_CRYPT_ENAB.*$'
+    line: "MD5_CRYPT_ENAB NO"
+    backrefs: yes

ansible/roles/bastion/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- include: login_defs.yml
+  tags: login_defs
+
+- include: pam.yml
+  tags: pam
+
+- include: sshd_config.yml
+  tags: sshd_config
+
+- include: sudoers.yml
+  tags: sudoers
+
+- include: profile.yml
+  tags: profile
+
+- include: banner.yml
+  tags: banner
+
+- include: crictl.yml
+  tags: crictl
+
+- include: admin_set.yml
+  tags: admin_set

ansible/roles/bastion/tasks/pam.yml

@@ -0,0 +1,50 @@
+---
+- name: Add pam_tally2.so 
+  template:
+    src: common-auth.j2
+    dest: /etc/pam.d/common-auth
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Create pwquality.conf password complexity configuration
+  block:
+    - apt:
+        name: libpam-pwquality
+        state: present
+        install_recommends: false
+    - template:
+        src: pwquality.conf.j2
+        dest: /etc/security/pwquality.conf
+        owner: root
+        group: root
+        mode: 0644
+
+- name: Add pam_tally2.so
+  block:
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequisite'
+        line: "account requisite pam_deny.so"
+
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequired'
+        line: "account required pam_tally2.so"
+
+- name: password reuse is limited
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    line: "password required pam_pwhistory.so remember=5"
+
+- name: password hashing algorithm is SHA-512
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+- name: Shadow Password Suite Parameters
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"

ansible/roles/bastion/tasks/profile.yml

@@ -0,0 +1,24 @@
+---
+- name: Set session timeout
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^TMOUT=.*'
+    insertbefore: '^readonly TMOUT'
+    line: 'TMOUT={{shell_timeout}}'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set TMOUT readonly
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^readonly TMOUT'
+    insertafter: 'TMOUT={{shell_timeout}}'
+    line: 'readonly TMOUT'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set export TMOUT
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^export TMOUT.*'
+    insertafter: 'readonly TMOUT'
+    line: 'export TMOUT'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"

ansible/roles/bastion/tasks/sshd_config.yml

@@ -0,0 +1,30 @@
+---
+- name: Configure ssh root login to {{sshrootlogin}}
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitRootLogin.*'
+    line: 'PermitRootLogin {{sshrootlogin}}'
+    insertbefore: '^Match.*'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: SSH Listen on Main Port
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    insertbefore: '^#*AddressFamily'
+    line: 'Port {{sshmainport}}'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: "Setting sshd allow users"
+  template:
+    src: allow_users.j2
+    dest: "/etc/ssh/sshd_config.d/allow_users.conf"
+  notify: restart sshd
+    

ansible/roles/bastion/tasks/sudoers.yml

@@ -0,0 +1,95 @@
+---
+- name: "Create devops group"
+  ansible.builtin.group:
+    name: "devops"
+    state: present
+
+- name: "get current users"
+  shell: "cat /etc/passwd | egrep -iv '(false|nologin|sync|root)' | awk -F: '{print $1}'"
+  register: deleting_users
+
+- name: "Delete users"
+  ansible.builtin.user:
+    name: "{{ item }}"
+    state: absent
+    remove: yes
+  with_items: "{{ deleting_users.stdout_lines }}"
+  when: item != ansible_user
+  ignore_errors: true
+    
+
+- name: "Create admin user"
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    group: "devops"
+    shell: "/bin/bash"
+    system: yes
+    state: present
+  with_items: "{{ admin_users }}"
+  when: 
+  - item.name is defined
+  - item.key is defined
+  ignore_errors: true
+
+- name: user change
+  user:
+    name: "{{ item.name }}"
+    password: "{{ password | password_hash('sha512') }}"
+    state: present
+  with_items: "{{ admin_users }}"
+  when: 
+  - item.name is defined 
+  - item.key is defined
+  ignore_errors: true
+
+- name: key add
+  authorized_key:
+    user: "{{ item.name  }}"
+    state: present
+    key: "{{ item.key }}"
+  with_items: "{{ admin_users }}"
+  when: 
+  - item.name is defined
+  - item.key is defined
+  ignore_errors: true
+
+
+- name: "Create common user"
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    group: "users"
+    shell: "/bin/bash"
+    system: yes
+    state: present
+  with_items: "{{ allow_users }}"
+  when: 
+  - item.name is defined 
+  - item.key is defined
+  ignore_errors: true
+
+- name: user change
+  user:
+    name: "{{ item.name }}"
+    password: "{{ password | password_hash('sha512') }}"
+    state: present
+  with_items: "{{ allow_users }}"
+  when: 
+  - item.name is defined 
+  - item.key is defined
+  ignore_errors: true
+
+- name: key add
+  authorized_key:
+    user: "{{ item.name  }}"
+    state: present
+    key: "{{ item.key }}"
+  with_items: "{{ allow_users }}"
+  when:
+  - item.name is defined
+  - item.key is defined
+  ignore_errors: true
+
+- name: "Setting sudoers allow users"
+  template:
+    src: sudoers_users.j2
+    dest: "/etc/sudoers.d/sudoers_users"

ansible/roles/bastion/templates/allow_users.j2

@@ -0,0 +1,10 @@
+{% if admin_users is defined %}
+{% for user in admin_users %}
+AllowUsers {{ user.name }}@{{ user.ip }} 
+{% endfor %}
+{% endif %}
+{% if allow_users is defined %}
+{% for user in allow_users %}
+AllowUsers {{ user.name }}@{{ user.ip }} 
+{% endfor %}
+{% endif %}

ansible/roles/bastion/templates/common-auth.j2

@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+auth	required			pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
+
+# here are the per-package modules (the "Primary" block)
+auth    [success=1 default=ignore]      pam_unix.so nullok
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+auth    required                        pam_permit.so
+# since the modules above will each just jump around
+# and here are more per-package modules (the "Additional" block)
+auth    optional                        pam_cap.so
+# end of pam-auth-update config

ansible/roles/bastion/templates/pwquality.conf.j2

@@ -0,0 +1,50 @@
+# Configuration for systemwide password quality limits
+# Defaults:
+#
+# Number of characters in the new password that must not be present in the
+# old password.
+# difok = 5
+#
+# Minimum acceptable size for the new password (plus one if
+# credits are not disabled which is the default). (See pam_cracklib manual.)
+# Cannot be set to lower value than 6.
+minlen = {{pwquality_minlen}}
+#
+# The maximum credit for having digits in the new password. If less than 0
+# it is the minimum number of digits in the new password.
+dcredit = {{pwquality_dcredit}}
+#
+# The maximum credit for having uppercase characters in the new password.
+# If less than 0 it is the minimum number of uppercase characters in the new
+# password.
+ucredit = {{pwquality_ucredit}}
+#
+# The maximum credit for having lowercase characters in the new password.
+# If less than 0 it is the minimum number of lowercase characters in the new
+# password.
+lcredit = {{pwquality_lcredit}}
+#
+# The maximum credit for having other characters in the new password.
+# If less than 0 it is the minimum number of other characters in the new
+# password.
+ocredit = {{pwquality_ocredit}}
+#
+# The minimum number of required classes of characters for the new
+# password (digits, uppercase, lowercase, others).
+# minclass = 0
+#
+# The maximum number of allowed consecutive same characters in the new password.
+# The check is disabled if the value is 0.
+maxrepeat = {{pwquality_maxrepeat}}
+#
+# The maximum number of allowed consecutive characters of the same class in the
+# new password.
+# The check is disabled if the value is 0.
+# maxclassrepeat = 0
+#
+# Whether to check for the words from the passwd entry GECOS string of the user.
+# The check is enabled if the value is not 0.
+# gecoscheck = 0
+#
+# Path to the cracklib dictionaries. Default is to use the cracklib default.
+# dictpath =

ansible/roles/bastion/templates/sudoers_users.j2

@@ -0,0 +1,5 @@
+{% if allow_users is defined %}
+{% for user in admin_users %}
+{{ user.name }} ALL=(ALL) NOPASSWD: ALL
+{% endfor %}
+{% endif %}

ansible/roles/security-settings/defaults/main.yml

@@ -39,5 +39,5 @@ crictl_file_owner: root
 crictl_file_group: root
 
 # temp
-username: 
+username: root
-password: 
+password: saasadmin1234!@#$

ansible/roles/security-settings/files/allow_users.conf

@@ -0,0 +1,2 @@
+AllowUsers *@10.20.142.*
+AllowUsers *@10.10.43.*

ansible/roles/security-settings/tasks/sshd_config.yml

@@ -21,3 +21,12 @@
     group: root
     mode: 0640
   notify: restart sshd
+
+- name: SSH AllowUsers Setting
+  copy:
+    src: allow_users.conf
+    dest: /etc/ssh/sshd_config.d/allow_users.conf
+    owner: root
+    group: root
+    mode: 0644
+    

ansible/rsa_key/asdf.sh

@@ -0,0 +1,4 @@
+while read line
+do
+		echo ${line}
+done < ip_list

ansible/rsa_key/ip_list

@@ -0,0 +1,37 @@
+10.10.43.111
+10.10.43.112
+10.10.43.113
+10.10.43.114
+10.10.43.115
+10.10.43.116
+10.10.43.117
+10.10.43.118
+10.10.43.119
+10.10.43.120
+10.10.43.121
+10.10.43.122
+10.10.43.123
+10.10.43.124
+10.10.43.125
+10.10.43.126
+10.10.43.127
+10.10.43.128
+10.10.43.129
+10.10.43.130
+10.10.43.131
+10.10.43.132
+10.10.43.133
+10.10.43.134
+10.10.43.135
+10.10.43.136
+10.10.43.137
+10.10.43.138
+10.10.43.140
+10.10.43.141
+10.10.43.142
+10.10.43.143
+10.10.43.144
+10.10.43.145
+10.10.43.146
+10.10.43.147
+10.10.43.148

ansible/rsa_key/key.sh

@@ -2,7 +2,7 @@
 set password [lindex $argv 0]
 set host [lindex $argv 1]
 
-spawn ssh-copy-id -o StrictHostKeyChecking=no ubuntu@$host
+spawn ssh-copy-id -o StrictHostKeyChecking=no root@$host
 expect "password:"
 send "$password\n"
 expect eof

ansible/rsa_key/test.sh

@@ -1,13 +1,9 @@
 #!/bin/bash
-if [ -z "$BASH_VERSION" ]; then exec bash "$0" "$@"; exit; fi
+#if [ -z "$BASH_VERSION" ]; then exec bash "$0" "$@"; exit; fi
 
-if [ $1 == '' ]; then exit
+passwd=$1
-else; passwd=$1
 
 while read ip
 do
-	echo ${ip}
+	./key.sh ${passwd} ${ip}
-	#./key.sh ${passwd} ${ip}
-
 done < ip_list
-

ansible/security.yaml

@@ -5,5 +5,5 @@
   roles:
     - security-settings
   vars:
-    sshrootlogin: 'no'
+    sshrootlogin: 'forced-commands-only'