terraform script add

2023-10-19 16:35:47 +09:00
commit 65f305d107
947 changed files with 81629 additions and 0 deletions
--- a/packer/ansible/roles/security-settings/tasks/admin_set.yml
+++ b/packer/ansible/roles/security-settings/tasks/admin_set.yml
@@ -0,0 +1,16 @@
+---
+- name: create user
+  user:
+    name: exemdev2
+    state: present
+    groups: sudo
+    shell: /bin/bash
+    password: "{{ 'saasadmin1234' | password_hash('sha512') }}"
+
+- name: key add
+  authorized_key:
+    user: exemdev2
+    state: present
+    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
+    manage_dir: False
+
--- a/packer/ansible/roles/security-settings/tasks/banner.yml
+++ b/packer/ansible/roles/security-settings/tasks/banner.yml
@@ -0,0 +1,29 @@
+---
+- name: Create a tar.gz archive of a single file.
+  archive:
+    path: /etc/update-motd.d/*
+    dest: /etc/update-motd.d/motd.tar.gz
+    format: gz
+    force_archive: true
+
+- name: remove a motd.d files
+  file:
+    path: /etc/update-motd.d/{{ item }}
+    state: absent
+  with_items:
+    - 10-help-text
+    - 85-fwupd
+    - 90-updates-available
+    - 91-release-upgrade
+    - 95-hwe-eol
+    - 98-fsck-at-reboot
+    - 50-motd-news
+    - 88-esm-announce
+
+- name: Create login banner
+  copy:
+    src: login_banner
+    dest: /etc/update-motd.d/00-header
+    owner: root
+    group: root
+    mode: 0755
--- a/packer/ansible/roles/security-settings/tasks/crictl.yml
+++ b/packer/ansible/roles/security-settings/tasks/crictl.yml
@@ -0,0 +1,19 @@
+---
+- name: Downloading and extracting {{ crictl_app }} {{ crictl_version }}
+  unarchive:
+    src: "{{ crictl_dl_url }}"
+    dest: "{{ crictl_bin_path }}"
+    owner: "{{ crictl_file_owner }}"
+    group: "{{ crictl_file_group }}"
+    extra_opts:
+      - crictl
+    remote_src: yes
+
+- name: Crictl command crontab setting
+  ansible.builtin.cron:
+    name: "crictl prune"
+    minute: "0"
+    hour: "3"
+    user: root
+    job: "/usr/local/bin/crictl rmi --prune"
+ 
--- a/packer/ansible/roles/security-settings/tasks/login_defs.yml
+++ b/packer/ansible/roles/security-settings/tasks/login_defs.yml
@@ -0,0 +1,48 @@
+---
+- name: Set pass max days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MAX_DAYS.*$'
+    line: "PASS_MAX_DAYS\t{{os_auth_pw_max_age}}"
+    backrefs: yes
+
+- name: Set pass min days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MIN_DAYS.*$'
+    line: "PASS_MIN_DAYS\t{{os_auth_pw_min_age}}"
+    backrefs: yes
+
+- name: Set pass min length
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_MIN_LEN.*$'
+    line: "PASS_MIN_LEN\t{{pwquality_minlen}}"
+    backrefs: yes
+
+- name: Set pass warn days
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^PASS_WARN_AGE.*$'
+    line: "PASS_WARN_AGE\t{{os_auth_pw_warn_age}}"
+    backrefs: yes
+
+- name: Set password encryption to SHA512
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^ENCRYPT_METHOD\s.*$'
+    line: "ENCRYPT_METHOD\tSHA512"
+    backrefs: yes
+
+- name: Disable MD5 crypt explicitly
+  lineinfile:
+    dest: /etc/login.defs
+    state: present
+    regexp: '^MD5_CRYPT_ENAB.*$'
+    line: "MD5_CRYPT_ENAB NO"
+    backrefs: yes
--- a/packer/ansible/roles/security-settings/tasks/main.yml
+++ b/packer/ansible/roles/security-settings/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- include: login_defs.yml
+  tags: login_defs
+
+- include: pam.yml
+  tags: pam
+
+- include: sshd_config.yml
+  tags: sshd_config
+
+- include: profile.yml
+  tags: profile
+
+- include: banner.yml
+  tags: banner
+
+- include: crictl.yml
+  tags: crictl
+
+- include: admin_set.yml
+  tags: admin_set
+
+- include: python.yml
+  tags: python
--- a/packer/ansible/roles/security-settings/tasks/pam.yml
+++ b/packer/ansible/roles/security-settings/tasks/pam.yml
@@ -0,0 +1,50 @@
+---
+- name: Add pam_tally2.so 
+  template:
+    src: common-auth.j2
+    dest: /etc/pam.d/common-auth
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Create pwquality.conf password complexity configuration
+  block:
+    - apt:
+        name: libpam-pwquality
+        state: present
+        install_recommends: false
+    - template:
+        src: pwquality.conf.j2
+        dest: /etc/security/pwquality.conf
+        owner: root
+        group: root
+        mode: 0644
+
+- name: Add pam_tally2.so
+  block:
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequisite'
+        line: "account requisite pam_deny.so"
+
+    - lineinfile:
+        dest: /etc/pam.d/common-account
+        regexp: '^account\srequired'
+        line: "account required pam_tally2.so"
+
+- name: password reuse is limited
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    line: "password required pam_pwhistory.so remember=5"
+
+- name: password hashing algorithm is SHA-512
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"
+
+- name: Shadow Password Suite Parameters
+  lineinfile:
+    dest: /etc/pam.d/common-password
+    regexp: '^password\s+\[success'
+    line: "password [success=1 default=ignore] pam_unix.so sha512"
--- a/packer/ansible/roles/security-settings/tasks/profile.yml
+++ b/packer/ansible/roles/security-settings/tasks/profile.yml
@@ -0,0 +1,24 @@
+---
+- name: Set session timeout
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^TMOUT=.*'
+    insertbefore: '^readonly TMOUT'
+    line: 'TMOUT={{shell_timeout}}'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set TMOUT readonly
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^readonly TMOUT'
+    insertafter: 'TMOUT={{shell_timeout}}'
+    line: 'readonly TMOUT'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
+
+- name: Set export TMOUT
+  lineinfile:
+    dest: /etc/profile
+    regexp: '^export TMOUT.*'
+    insertafter: 'readonly TMOUT'
+    line: 'export TMOUT'
+    state: "{{ 'absent' if (shell_timeout == 0) else 'present' }}"
--- a/packer/ansible/roles/security-settings/tasks/python.yml
+++ b/packer/ansible/roles/security-settings/tasks/python.yml
@@ -0,0 +1,25 @@
+---
+- name: add apt repository
+  shell: add-apt-repository ppa:deadsnakes/ppa -y
+
+- name: apt update
+  apt:
+    name: "*"
+    state: latest
+
+- name: install python 3.9
+  apt:
+    name: python3.9
+    state: present
+
+- name: install pip3
+  apt:
+    name: python3-pip
+    state: present
+
+- name: setting default 3.9 version
+  shell: |
+    update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
+    update-alternatives --set python3 /usr/bin/python3.9
+    
+
--- a/packer/ansible/roles/security-settings/tasks/sshd_config.yml
+++ b/packer/ansible/roles/security-settings/tasks/sshd_config.yml
@@ -0,0 +1,31 @@
+---
+- name: Configure ssh root login to {{sshrootlogin}}
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitRootLogin.*'
+    line: 'PermitRootLogin {{sshrootlogin}}'
+    insertbefore: '^Match.*'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: SSH Listen on Main Port
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    insertbefore: '^#*AddressFamily'
+    line: 'Port {{sshmainport}}'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+    #- name: SSH AllowUsers Setting
+    #  copy:
+    #    src: allow_users.conf
+    #    dest: /etc/ssh/sshd_config.d/allow_users.conf
+    #    owner: root
+    #    group: root
+    #    mode: 0644