directory 구조 변경

ansible/roles/security-settings/tasks/admin_set.yml

@@ -1,14 +0,0 @@
----
-- name: key add
-  authorized_key:
-    user: ubuntu
-    state: present
-    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
-    manage_dir: False
-
-- name: user change
-  user:
-    name: "{{ username }}"
-    password: "{{ password | password_hash('sha512') }}"
-    state: present
-

ansible/roles/security-settings/tasks/banner.yml

@@ -1,29 +0,0 @@
----
-- name: Create a tar.gz archive of a single file.
-  archive:
-    path: /etc/update-motd.d/*
-    dest: /etc/update-motd.d/motd.tar.gz
-    format: gz
-    force_archive: true
-
-- name: remove a motd.d files
-  file:
-    path: /etc/update-motd.d/{{ item }}
-    state: absent
-  with_items:
-    - 10-help-text
-    - 85-fwupd
-    - 90-updates-available
-    - 91-release-upgrade
-    - 95-hwe-eol
-    - 98-fsck-at-reboot
-    - 50-motd-news
-    - 88-esm-announce
-
-- name: Create login banner
-  copy:
-    src: login_banner
-    dest: /etc/update-motd.d/00-header
-    owner: root
-    group: root
-    mode: 0755

ansible/roles/security-settings/tasks/crictl.yml

@@ -1,18 +0,0 @@
----
-- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
-  unarchive:
-    src: "{{ crictl_dl_url }}"
-    dest: "{{ crictl_bin_path }}"
-    owner: "{{ crictl_file_owner }}"
-    group: "{{ crictl_file_group }}"
-    extra_opts:
-      - crictl
-    remote_src: yes
-
-- name: Crictl command crontab setting
-  ansible.builtin.cron:
-    minute: "0"
-    hour: "3"
-    user: root
-    job: "/usr/local/bin/crictl rmi --prune"
- 

ansible/roles/security-settings/tasks/login_defs.yml

@@ -1,48 +0,0 @@
----
-- name: Set pass max days
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^PASS_MAX_DAYS.*$'
-    line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
-    backrefs: yes
-
-- name: Set pass min days
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^PASS_MIN_DAYS.*$'
-    line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
-    backrefs: yes
-
-- name: Set pass min length
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^PASS_MIN_LEN.*$'
-    line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
-    backrefs: yes
-
-- name: Set pass warn days
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^PASS_WARN_AGE.*$'
-    line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
-    backrefs: yes
-
-- name: Set password encryption to SHA512
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^ENCRYPT_METHOD\s.*$'
-    line: "ENCRYPT_METHOD\tSHA512"
-    backrefs: yes
-
-- name: Disable MD5 crypt explicitly
-  lineinfile:
-    dest: /etc/login.defs
-    state: present
-    regexp: '^MD5_CRYPT_ENAB.*$'
-    line: "MD5_CRYPT_ENAB NO"
-    backrefs: yes

ansible/roles/security-settings/tasks/main.yml

@@ -1,21 +0,0 @@
----
-- include: login_defs.yml
-  tags: login_defs
-
-- include: pam.yml
-  tags: pam
-
-- include: sshd_config.yml
-  tags: sshd_config
-
-- include: profile.yml
-  tags: profile
-
-- include: banner.yml
-  tags: banner
-
-- include: crictl.yml
-  tags: circtl
-
-#- include: admin_set.yml
-# tags: admin_set

ansible/roles/security-settings/tasks/pam.yml

@@ -1,50 +0,0 @@
----
-- name: Add pam_tally2.so 
-  template:
-    src: common-auth.j2
-    dest: /etc/pam.d/common-auth
-    owner: root
-    group: root
-    mode: 0644
-
-- name: Create pwquality.conf password complexity configuration
-  block:
-    - apt:
-        name: libpam-pwquality
-        state: present
-        install_recommends: false
-    - template:
-        src: pwquality.conf.j2
-        dest: /etc/security/pwquality.conf
-        owner: root
-        group: root
-        mode: 0644
-
-- name: Add pam_tally2.so
-  block:
-    - lineinfile:
-        dest: /etc/pam.d/common-account
-        regexp: '^account\srequisite'
-        line: "account requisite pam_deny.so"
-
-    - lineinfile:
-        dest: /etc/pam.d/common-account
-        regexp: '^account\srequired'
-        line: "account required pam_tally2.so"
-
-- name: password reuse is limited
-  lineinfile:
-    dest: /etc/pam.d/common-password
-    line: "password required pam_pwhistory.so remember=5"
-
-- name: password hashing algorithm is SHA-512
-  lineinfile:
-    dest: /etc/pam.d/common-password
-    regexp: '^password\s+\[success'
-    line: "password [success=1 default=ignore] pam_unix.so sha512"
-
-- name: Shadow Password Suite Parameters
-  lineinfile:
-    dest: /etc/pam.d/common-password
-    regexp: '^password\s+\[success'
-    line: "password [success=1 default=ignore] pam_unix.so sha512"

ansible/roles/security-settings/tasks/profile.yml

@@ -1,24 +0,0 @@
----
-- name: Set session timeout
-  lineinfile:
-    dest: /etc/profile
-    regexp: '^TMOUT=.*'
-    insertbefore: '^readonly TMOUT'
-    line: 'TMOUT={{shell_timeout}}'
-    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
-
-- name: Set TMOUT readonly
-  lineinfile:
-    dest: /etc/profile
-    regexp: '^readonly TMOUT'
-    insertafter: 'TMOUT={{shell_timeout}}'
-    line: 'readonly TMOUT'
-    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
-
-- name: Set export TMOUT
-  lineinfile:
-    dest: /etc/profile
-    regexp: '^export TMOUT.*'
-    insertafter: 'readonly TMOUT'
-    line: 'export TMOUT'
-    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"

ansible/roles/security-settings/tasks/sshd_config.yml

@@ -1,23 +0,0 @@
----
-- name: Configure ssh root login to {{sshrootlogin}}
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    regexp: '^(#)?PermitRootLogin.*'
-    line: 'PermitRootLogin {{sshrootlogin}}'
-    insertbefore: '^Match.*'
-    state: present
-    owner: root
-    group: root
-    mode: 0640
-  notify: restart sshd
-
-- name: SSH Listen on Main Port
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    insertbefore: '^#*AddressFamily'
-    line: 'Port {{sshmainport}}'
-    state: present
-    owner: root
-    group: root
-    mode: 0640
-  notify: restart sshd