terraform script add
This commit is contained in:
ByeonJungHun
27
packer/ansible/roles/security-settings/templates/common-auth.j2
Executable file
27
packer/ansible/roles/security-settings/templates/common-auth.j2
Executable file
@@ -0,0 +1,27 @@
|
||||
#
|
||||
# /etc/pam.d/common-auth - authentication settings common to all services
|
||||
#
|
||||
# This file is included from other service-specific PAM config files,
|
||||
# and should contain a list of the authentication modules that define
|
||||
# the central authentication scheme for use on the system
|
||||
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
|
||||
# traditional Unix authentication mechanisms.
|
||||
#
|
||||
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||
# To take advantage of this, it is recommended that you configure any
|
||||
# local modules either before or after the default block, and use
|
||||
# pam-auth-update to manage selection of other modules. See
|
||||
# pam-auth-update(8) for details.
|
||||
auth required pam_tally2.so onerr={{onerr}} even_deny_root deny={{deny}} unlock_time={{unlock_time}}
|
||||
|
||||
# here are the per-package modules (the "Primary" block)
|
||||
auth [success=1 default=ignore] pam_unix.so nullok
|
||||
# here's the fallback if no module succeeds
|
||||
auth requisite pam_deny.so
|
||||
# prime the stack with a positive return value if there isn't one already;
|
||||
# this avoids us returning an error just because nothing sets a success code
|
||||
auth required pam_permit.so
|
||||
# since the modules above will each just jump around
|
||||
# and here are more per-package modules (the "Additional" block)
|
||||
auth optional pam_cap.so
|
||||
# end of pam-auth-update config
|
||||
50
packer/ansible/roles/security-settings/templates/pwquality.conf.j2
Executable file
50
packer/ansible/roles/security-settings/templates/pwquality.conf.j2
Executable file
@@ -0,0 +1,50 @@
|
||||
# Configuration for systemwide password quality limits
|
||||
# Defaults:
|
||||
#
|
||||
# Number of characters in the new password that must not be present in the
|
||||
# old password.
|
||||
# difok = 5
|
||||
#
|
||||
# Minimum acceptable size for the new password (plus one if
|
||||
# credits are not disabled which is the default). (See pam_cracklib manual.)
|
||||
# Cannot be set to lower value than 6.
|
||||
minlen = {{pwquality_minlen}}
|
||||
#
|
||||
# The maximum credit for having digits in the new password. If less than 0
|
||||
# it is the minimum number of digits in the new password.
|
||||
dcredit = {{pwquality_dcredit}}
|
||||
#
|
||||
# The maximum credit for having uppercase characters in the new password.
|
||||
# If less than 0 it is the minimum number of uppercase characters in the new
|
||||
# password.
|
||||
ucredit = {{pwquality_ucredit}}
|
||||
#
|
||||
# The maximum credit for having lowercase characters in the new password.
|
||||
# If less than 0 it is the minimum number of lowercase characters in the new
|
||||
# password.
|
||||
lcredit = {{pwquality_lcredit}}
|
||||
#
|
||||
# The maximum credit for having other characters in the new password.
|
||||
# If less than 0 it is the minimum number of other characters in the new
|
||||
# password.
|
||||
ocredit = {{pwquality_ocredit}}
|
||||
#
|
||||
# The minimum number of required classes of characters for the new
|
||||
# password (digits, uppercase, lowercase, others).
|
||||
# minclass = 0
|
||||
#
|
||||
# The maximum number of allowed consecutive same characters in the new password.
|
||||
# The check is disabled if the value is 0.
|
||||
maxrepeat = {{pwquality_maxrepeat}}
|
||||
#
|
||||
# The maximum number of allowed consecutive characters of the same class in the
|
||||
# new password.
|
||||
# The check is disabled if the value is 0.
|
||||
# maxclassrepeat = 0
|
||||
#
|
||||
# Whether to check for the words from the passwd entry GECOS string of the user.
|
||||
# The check is enabled if the value is not 0.
|
||||
# gecoscheck = 0
|
||||
#
|
||||
# Path to the cracklib dictionaries. Default is to use the cracklib default.
|
||||
# dictpath =
|
||||
79
packer/ansible/roles/security-settings/templates/sysctl.j2
Normal file
79
packer/ansible/roles/security-settings/templates/sysctl.j2
Normal file
@@ -0,0 +1,79 @@
|
||||
#
|
||||
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||
# See /etc/sysctl.d/ for additional system variables.
|
||||
# See sysctl.conf (5) for information.
|
||||
#
|
||||
|
||||
#kernel.domainname = example.com
|
||||
|
||||
# Uncomment the following to stop low-level messages on console
|
||||
#kernel.printk = 3 4 1 3
|
||||
|
||||
###################################################################
|
||||
# Functions previously found in netbase
|
||||
#
|
||||
|
||||
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||
# Turn on Source Address Verification in all interfaces to
|
||||
# prevent some spoofing attacks
|
||||
#net.ipv4.conf.default.rp_filter=1
|
||||
#net.ipv4.conf.all.rp_filter=1
|
||||
|
||||
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||
# See http://lwn.net/Articles/277146/
|
||||
# Note: This may impact IPv6 TCP sessions too
|
||||
#net.ipv4.tcp_syncookies=1
|
||||
|
||||
# Uncomment the next line to enable packet forwarding for IPv4
|
||||
#net.ipv4.ip_forward=1
|
||||
|
||||
# Uncomment the next line to enable packet forwarding for IPv6
|
||||
# Enabling this option disables Stateless Address Autoconfiguration
|
||||
# based on Router Advertisements for this host
|
||||
#net.ipv6.conf.all.forwarding=1
|
||||
|
||||
|
||||
###################################################################
|
||||
# Additional settings - these settings can improve the network
|
||||
# security of the host and prevent against some network attacks
|
||||
# including spoofing attacks and man in the middle attacks through
|
||||
# redirection. Some network environments, however, require that these
|
||||
# settings are disabled so review and enable them as needed.
|
||||
#
|
||||
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||
#net.ipv4.conf.all.accept_redirects = 0
|
||||
#net.ipv6.conf.all.accept_redirects = 0
|
||||
# _or_
|
||||
# Accept ICMP redirects only for gateways listed in our default
|
||||
# gateway list (enabled by default)
|
||||
# net.ipv4.conf.all.secure_redirects = 1
|
||||
#
|
||||
# Do not send ICMP redirects (we are not a router)
|
||||
#net.ipv4.conf.all.send_redirects = 0
|
||||
#
|
||||
# Do not accept IP source route packets (we are not a router)
|
||||
#net.ipv4.conf.all.accept_source_route = 0
|
||||
#net.ipv6.conf.all.accept_source_route = 0
|
||||
#
|
||||
# Log Martian Packets
|
||||
#net.ipv4.conf.all.log_martians = 1
|
||||
#
|
||||
|
||||
###################################################################
|
||||
# Magic system request Key
|
||||
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
|
||||
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
|
||||
# for what other values do
|
||||
#kernel.sysrq=438
|
||||
|
||||
net.core.default_qdisc = fq
|
||||
net.core.rmem_max = 268435456
|
||||
net.core.wmem_max = 268435456
|
||||
net.ipv4.conf.all.arp_announce = 2
|
||||
net.ipv4.conf.all.arp_filter = 1
|
||||
net.ipv4.conf.all.arp_ignore = 1
|
||||
net.ipv4.conf.default.arp_filter = 1
|
||||
net.ipv4.tcp_congestion_control = htcp
|
||||
net.ipv4.tcp_no_metrics_save = 1
|
||||
net.ipv4.tcp_rmem = 4096 87380 134217728
|
||||
net.ipv4.tcp_wmem = 4096 65536 134217728
|
||||
Reference in New Issue
Block a user