Playbook for automatic remediation of Ubuntu 20.04 OS vulnerabilities
The target is passed in as an extra variable, e.g. ansible-playbook -e host=<inventory group or hostname> <playbook file>. Each task sets one item: file permissions, password ageing, password quality, login lockout, and root SSH login.
---
- hosts: "{{ host }}"          # target passed in with -e host=<group or hostname>
  become: true
  tasks:
    # File permissions: strip group/world access from the shadow file and the
    # setuid/setgid bits from the three binaries. Trade-off: Ubuntu ships
    # unix_chkpwd setgid shadow, at setgid daemon and newgrp setuid root, so after
    # this only root can verify passwords (non-root screen lockers stop unlocking),
    # queue at jobs, or switch groups with newgrp.
    - name: set shadow file 400
      file:
        path: /etc/shadow
        mode: '0400'           # Ubuntu default is 0640 root:shadow
    - name: set unix_chkpwd file 755
      file:
        path: /sbin/unix_chkpwd
        mode: '0755'
    - name: set at file 755
      file:
        path: /usr/bin/at
        mode: '0755'
    - name: set newgrp 755
      file:
        path: /usr/bin/newgrp
        mode: '0755'

    # Password ageing in /etc/login.defs. '^#?' also catches the commented-out
    # default, and without backrefs the line is appended when it is missing.
    # These values only apply to accounts created afterwards; use chage for
    # existing users.
    - name: set PASS MAX DAYS 90
      lineinfile:
        path: /etc/login.defs
        regexp: '^#?PASS_MAX_DAYS'
        line: 'PASS_MAX_DAYS 90'
    - name: set PASS MIN DAYS 7
      lineinfile:
        path: /etc/login.defs
        regexp: '^#?PASS_MIN_DAYS'
        line: 'PASS_MIN_DAYS 7'
    - name: set PASS MIN LEN 8
      lineinfile:
        path: /etc/login.defs
        regexp: '^#?PASS_MIN_LEN'
        line: 'PASS_MIN_LEN 8'  # not honoured by passwd on Ubuntu (it uses PAM); the length is enforced by pam_cracklib below

    # Password quality. pam_cracklib must be its own line *before* pam_unix
    # (appended to the pam_unix line it would be read as pam_unix arguments), and
    # pam_unix must reuse the already-checked password (use_authtok). minlen=8 with
    # dcredit=-1 ocredit=-1 requires at least one digit and one symbol; lcredit=1
    # ucredit=1 only grant length credit for lower/upper case. Needs libpam-cracklib,
    # and a later pam-auth-update run will overwrite these manual edits.
    - name: install pam_cracklib
      apt:
        name: libpam-cracklib
        state: present
    - name: set common-password pam_file - password len 8
      lineinfile:
        path: /etc/pam.d/common-password
        insertbefore: '^password\s+\[success=1 default=ignore\]\s+pam_unix\.so'
        line: "password\trequisite\t\t\tpam_cracklib.so retry=3 minlen=8 difok=3 lcredit=1 ucredit=1 dcredit=-1 ocredit=-1"
    - name: make pam_unix use the password already checked by pam_cracklib
      lineinfile:
        path: /etc/pam.d/common-password
        regexp: '^password\s+\[success=1 default=ignore\]\s+pam_unix\.so(?!.*use_authtok)(.*)$'
        line: "password\t[success=1 default=ignore]\tpam_unix.so\\1 use_authtok"
        backrefs: yes

    # Lockout after 4 failures. pam_tally2 has to sit *before* pam_unix's
    # "[success=1 default=ignore]" line: placed after it, a correct password makes
    # pam_unix jump over the module, so a locked account still logs in. The
    # account line resets the counter on success. pam_tally2 is still shipped on
    # 20.04 (replaced by pam_faillock in 22.04); even_deny_root also locks root on
    # the console.
    - name: set common-auth pam_file - password 4 fail and lock account
      lineinfile:
        path: /etc/pam.d/common-auth
        insertbefore: '^auth\s+\[success=1 default=ignore\]\s+pam_unix\.so'
        line: "auth\trequired\t\t\tpam_tally2.so onerr=fail even_deny_root deny=4 unlock_time=1200"
    - name: reset the failure counter after a successful login
      lineinfile:
        path: /etc/pam.d/common-account
        insertbefore: BOF
        line: "account\trequired\t\t\tpam_tally2.so"

    # SSH: refuse root logins. sshd honours the *first* uncommented occurrence of a
    # keyword, so make sure no earlier "PermitRootLogin yes" survives. validate
    # rejects a broken config before it is written. Run the play as a non-root
    # user with sudo, otherwise it locks you out.
    - name: set ssh security root x
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart ssh

  handlers:
    - name: restart ssh
      systemd:
        name: ssh              # the unit is ssh.service on Ubuntu; sshd is only an alias
        state: restarted
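Before running a play like this against production, it is worth having an offline check for each item it is supposed to enforce, so you can diff a host before and after. The POSIX shell script below is an added example, not part of the original post or any Ansible module: every function takes a file path, so it can be pointed at config fetched from a host or at the constructed sample files that make_samples writes (their contents are made up here to mirror Ubuntu 20.04 defaults and the corrected settings). The thresholds (PASS_MAX_DAYS 90, PASS_MIN_DAYS 7, shadow mode 400) are the playbook's; the pam_tally2-before-pam_unix ordering check and the "first PermitRootLogin wins" rule reflect how PAM's success jump and sshd actually read those files.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of the settings the
# playbook applies. Every check takes a file path, so it can be run against copies
# of configuration fetched from a host or against the constructed samples below.
# Return codes: 0 = compliant, 1 = not compliant.

# Value of KEY in a login.defs-style file. shadow-utils reads the last
# uncommented definition, so the last one wins here too.
login_defs_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Thresholds taken from the playbook: at most 90 days, at least 7 days.
pass_max_days_ok() {
    v=$(login_defs_value "$1" PASS_MAX_DAYS)
    [ -n "$v" ] && [ "$v" -le 90 ]
}
pass_min_days_ok() {
    v=$(login_defs_value "$1" PASS_MIN_DAYS)
    [ -n "$v" ] && [ "$v" -ge 7 ]
}

# pam_tally2 only counts and enforces if its auth line precedes pam_unix's
# "[success=1 default=ignore]" line; placed after it, the success jump skips
# the module and a locked account with the right password still gets in.
tally_before_unix() {
    awk '$1 == "auth" && /pam_tally2\.so/ && !t { t = NR }
         $1 == "auth" && /pam_unix\.so/   && !u { u = NR }
         END { exit !(t && u && t < u) }' "$1"
}

# sshd_config: the FIRST uncommented occurrence of a keyword wins, so a
# "PermitRootLogin no" appended below an earlier "yes" changes nothing.
permit_root_login_ok() {
    first=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$first" = "no" ]
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}
mode_ok() {
    [ "$(file_mode "$1")" = "$2" ]
}

# Constructed sample files: "before" mirrors Ubuntu 20.04 defaults (and the
# misordered pam_tally2 line), "after" is what the corrected playbook produces.
make_samples() {
    d=$(mktemp -d)
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n' > "$d/login.defs.before"
    printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 7\n'      > "$d/login.defs.after"
    printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\nauth\trequired\tpam_tally2.so deny=4\nauth\trequisite\tpam_deny.so\n' > "$d/common-auth.before"
    printf 'auth\trequired\tpam_tally2.so deny=4\nauth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\nauth\trequisite\tpam_deny.so\n' > "$d/common-auth.after"
    printf '#PermitRootLogin prohibit-password\nPermitRootLogin yes\nPermitRootLogin no\n' > "$d/sshd_config.before"
    printf 'PermitRootLogin no\n#PermitRootLogin yes\n' > "$d/sshd_config.after"
    : > "$d/shadow.before"; chmod 640 "$d/shadow.before"
    : > "$d/shadow.after";  chmod 400 "$d/shadow.after"
    echo "$d"
}

# Run one check and print a PASS/FAIL line. Usage: check <function> <file> [arg]
check() {
    if "$@"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; fi
}

# Audit a directory of samples, before and after.
report() {
    for s in before after; do
        echo "== $s"
        check mode_ok "$1/shadow.$s" 400
        check pass_max_days_ok "$1/login.defs.$s"
        check pass_min_days_ok "$1/login.defs.$s"
        check tally_before_unix "$1/common-auth.$s"
        check permit_root_login_ok "$1/sshd_config.$s"
    done
}

if [ "${1:-}" = "demo" ]; then report "$(make_samples)"; fi
```

Run it with the argument demo to see every check fail on the "before" set and pass on the "after" set; against a real host, fetch /etc/login.defs, /etc/pam.d/common-auth and /etc/ssh/sshd_config and call the individual functions on those copies. The awk-based parsing ignores Match blocks in sshd_config and Include'd files, so treat a PASS there as a first screen, not proof.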