directory 구조 변경

ansible/roles/security-settings/defaults/main.yml

@@ -1,43 +0,0 @@
-# Password aging settings
-os_auth_pw_max_age: 90
-os_auth_pw_min_age: 10
-os_auth_pw_warn_age: 7
-passhistory: 2
-
-# Inactivity and Failed attempts lockout settings
-fail_deny: 5
-fail_unlock: 0
-inactive_lock: 0
-shell_timeout: 300
-
-# tally settings
-onerr: 'fail'
-deny: 5
-unlock_time: 300
-
-# Password complexity settings
-pwquality_minlen: 9
-pwquality_maxrepeat: 3
-pwquality_lcredit: -1
-pwquality_ucredit: -1
-pwquality_dcredit: -1
-pwquality_ocredit: -1
-
-# SSH settings
-sshrootlogin: 'no'
-sshmainport: 22
-ssh_service_name: sshd
-
-# Crictl setup
-crictl_app: crictl
-crictl_version: 1.25.0
-crictl_os: linux
-crictl_arch: amd64
-crictl_dl_url: https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{ crictl_version }}/{{ crictl_app }}-v{{ crictl_version }}-{{ crictl_os }}-{{ crictl_arch }}.tar.gz
-crictl_bin_path: /usr/local/bin
-crictl_file_owner: root
-crictl_file_group: root
-
-# temp
-username: 
-password: 

ansible/roles/security-settings/files/login_banner

@@ -1,20 +0,0 @@
-#!/bin/sh
-printf '''
-  |-----------------------------------------------------------------|
-  | This system is for the use of authorized users only.            |
-  | Individuals using this computer system without authority, or in |
-  | excess of their authority, are subject to having all of their   |
-  | activities on this system monitored and recorded by system      |
-  | personnel.                                                      |
-  |                                                                 |
-  | In the course of monitoring individuals improperly using this   |
-  | system, or in the course of system maintenance, the activities  |
-  | of authorized users may also be monitored.                      |
-  |                                                                 |
-  | Anyone using this system expressly consents to such monitoring  |
-  | and is advised that if such monitoring reveals possible         |
-  | evidence of criminal activity, system personnel may provide the |
-  | evidence of such monitoring to law enforcement officials.       |
-  |-----------------------------------------------------------------|
-'''
-

ansible/roles/security-settings/handlers/main.yml

@@ -1,6 +0,0 @@
----
-- name: restart sshd
-  service:
-    name: "{{ ssh_service_name }}"
-    state: restarted
-    enabled: true

ansible/roles/security-settings/tasks/admin_set.yml

@@ -1,14 +0,0 @@
----
-- name: key add
-  authorized_key:
-    user: ubuntu
-    state: present
-    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
-    manage_dir: False
-
-- name: user change
-  user:
-    name: "{{ username }}"
-    password: "{{ password | password_hash('sha512') }}"
-    state: present
-

ansible/roles/security-settings/tasks/banner.yml

@@ -1,29 +0,0 @@
----
-- name: Create a tar.gz archive of a single file.
-  archive:
-    path: /etc/update-motd.d/*
-    dest: /etc/update-motd.d/motd.tar.gz
-    format: gz
-    force_archive: true
-
-- name: remove a motd.d files
-  file:
-    path: /etc/update-motd.d/{{ item }}
-    state: absent
-  with_items:
-    - 10-help-text
-    - 85-fwupd
-    - 90-updates-available
-    - 91-release-upgrade
-    - 95-hwe-eol
-    - 98-fsck-at-reboot
-    - 50-motd-news
-    - 88-esm-announce
-
-- name: Create login banner
-  copy:
-    src: login_banner
-    dest: /etc/update-motd.d/00-header
-    owner: root
-    group: root
-    mode: 0755

ansible/roles/security-settings/tasks/crictl.yml

@@ -1,18 +0,0 @@
----
-- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
-  unarchive:
-    src: "{{ crictl_dl_url }}"
-    dest: "{{ crictl_bin_path }}"
-    owner: "{{ crictl_file_owner }}"
-    group: "{{ crictl_file_group }}"
-    extra_opts:
-      - crictl
-    remote_src: yes
-
-- name: Crictl command crontab setting
-  ansible.builtin.cron:
-    minute: "0"
-    hour: "3"
-    user: root
-    job: "/usr/local/bin/crictl rmi --prune"
- 

ansible/roles/security-settings/tasks/login_defs.yml

@@ -1,48 +0,0 @@
----
-- name: Set pass max days
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^PASS_MAX_DAYS.*$'
-    line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
-    backrefs: yes
-
-- name: Set pass min days
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^PASS_MIN_DAYS.*$'
-    line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
-    backrefs: yes
-
-- name: Set pass min length
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^PASS_MIN_LEN.*$'
-    line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
-    backrefs: yes
-
-- name: Set pass warn days
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^PASS_WARN_AGE.*$'
-    line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
-    backrefs: yes
-
-- name: Set password encryption to SHA512
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^ENCRYPT_METHOD\s.*$'
-    line: "ENCRYPT_METHOD\tSHA512"
-    backrefs: yes
-
-- name: Disable MD5 crypt explicitly
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^MD5_CRYPT_ENAB.*$'
-    line: "MD5_CRYPT_ENAB NO"
-    backrefs: yes

ansible/roles/security-settings/tasks/main.yml

@@ -1,21 +0,0 @@
----
-- include: login_defs.yml
-  tags: login_defs
-
-- include: pam.yml
-  tags: pam
-
-- include: sshd_config.yml
-  tags: sshd_config
-
-- include: profile.yml
-  tags: profile
-
-- include: banner.yml
-  tags: banner
-
-- include: crictl.yml
-  tags: circtl
-
-#- include: admin_set.yml
-# tags: admin_set

ansible/roles/security-settings/tasks/pam.yml

@@ -1,50 +0,0 @@
----
-- name: Add pam_tally2.so 
-  template:
-    src: common-auth.j2
-    dest: /etc/pam.d/common-auth
-    owner: root
-    group: root
-    mode: 0644
-
-- name: Create pwquality.conf password complexity configuration
-  block:
-    - apt:
-        name: libpam-pwquality
-        state: present
-        install_recommends: false
-    - template:
-        src: pwquality.conf.j2
-        dest: /etc/security/pwquality.conf
-        owner: root
-        group: root
-        mode: 0644
-
-- name: Add pam_tally2.so
-  block:
-    - lineinfile:
-        dest: /etc/pam.d/common-account
-        regexp: '^account\srequisite'
-        line: "account requisite pam_deny.so"
-
-    - lineinfile:
-        dest: /etc/pam.d/common-account
-        regexp: '^account\srequired'
-        line: "account required pam_tally2.so"
-
-- name: password reuse is limited
-  lineinfile:
-    dest: /etc/pam.d/common-password
-    line: "password required pam_pwhistory.so remember=5"
-
-- name: password hashing algorithm is SHA-512
-  lineinfile:
-    dest: /etc/pam.d/common-password
-    regexp: '^password\s+\[success'
-    line: "password [success=1 default=ignore] pam_unix.so sha512"
-
-- name: Shadow Password Suite Parameters
-  lineinfile:
-    dest: /etc/pam.d/common-password
-    regexp: '^password\s+\[success'
-    line: "password [success=1 default=ignore] pam_unix.so sha512"

ansible/roles/security-settings/tasks/profile.yml

@@ -1,24 +0,0 @@
----
-- name: Set session timeout
-  lineinfile:
-    dest: /etc/profile
-    regexp: '^TMOUT=.*'
-    insertbefore: '^readonly TMOUT'
-    line: 'TMOUT={{shell_timeout}}'
-    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
-
-- name: Set TMOUT readonly
-  lineinfile:
-    dest: /etc/profile
-    regexp: '^readonly TMOUT'
-    insertafter: 'TMOUT={{shell_timeout}}'
-    line: 'readonly TMOUT'
-    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
-
-- name: Set export TMOUT
-  lineinfile:
-    dest: /etc/profile
-    regexp: '^export TMOUT.*'
-    insertafter: 'readonly TMOUT'
-    line: 'export TMOUT'
-    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"

ansible/roles/security-settings/tasks/sshd_config.yml

@@ -1,23 +0,0 @@
----
-- name: Configure ssh root login to {{sshrootlogin}}
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: '^(#)?PermitRootLogin.*'
-    line: 'PermitRootLogin {{sshrootlogin}}'
-    insertbefore: '^Match.*'
-    state: present
-    owner: root
-    group: root
-    mode: 0640
-  notify: restart sshd
-
-- name: SSH Listen on Main Port
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    insertbefore: '^#*AddressFamily'
-    line: 'Port {{sshmainport}}'
-    state: present
-    owner: root
-    group: root
-    mode: 0640
-  notify: restart sshd

ansible/roles/security-settings/templates/common-auth.j2

@@ -1,27 +0,0 @@
-#
-# /etc/pam.d/common-auth - authentication settings common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authentication modules that define
-# the central authentication scheme for use on the system
-# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
-# traditional Unix authentication mechanisms.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-auth	required			pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
-
-# here are the per-package modules (the "Primary" block)
-auth    [success=1 default=ignore]      pam_unix.so nullok
-# here's the fallback if no module succeeds
-auth    requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-auth    required                        pam_permit.so
-# since the modules above will each just jump around
-# and here are more per-package modules (the "Additional" block)
-auth    optional                        pam_cap.so
-# end of pam-auth-update config

ansible/roles/security-settings/templates/pwquality.conf.j2

@@ -1,50 +0,0 @@
-# Configuration for systemwide password quality limits
-# Defaults:
-#
-# Number of characters in the new password that must not be present in the
-# old password.
-# difok = 5
-#
-# Minimum acceptable size for the new password (plus one if
-# credits are not disabled which is the default). (See pam_cracklib manual.)
-# Cannot be set to lower value than 6.
-minlen = {{pwquality_minlen}}
-#
-# The maximum credit for having digits in the new password. If less than 0
-# it is the minimum number of digits in the new password.
-dcredit = {{pwquality_dcredit}}
-#
-# The maximum credit for having uppercase characters in the new password.
-# If less than 0 it is the minimum number of uppercase characters in the new
-# password.
-ucredit = {{pwquality_ucredit}}
-#
-# The maximum credit for having lowercase characters in the new password.
-# If less than 0 it is the minimum number of lowercase characters in the new
-# password.
-lcredit = {{pwquality_lcredit}}
-#
-# The maximum credit for having other characters in the new password.
-# If less than 0 it is the minimum number of other characters in the new
-# password.
-ocredit = {{pwquality_ocredit}}
-#
-# The minimum number of required classes of characters for the new
-# password (digits, uppercase, lowercase, others).
-# minclass = 0
-#
-# The maximum number of allowed consecutive same characters in the new password.
-# The check is disabled if the value is 0.
-maxrepeat = {{pwquality_maxrepeat}}
-#
-# The maximum number of allowed consecutive characters of the same class in the
-# new password.
-# The check is disabled if the value is 0.
-# maxclassrepeat = 0
-#
-# Whether to check for the words from the passwd entry GECOS string of the user.
-# The check is enabled if the value is not 0.
-# gecoscheck = 0
-#
-# Path to the cracklib dictionaries. Default is to use the cracklib default.
-# dictpath =