
A101 [Cohort 1]

Ansible Study Week 4 - Security Configuration Automation

Setting the password change interval

Use the ansible.builtin.user module.

*Assumes the centos account has NOPASSWD:ALL configured (passwordless sudo).

 

/home/ansible/ansible-project/20240205/1/ansible.cfg

[defaults]
inventory = ./inventory
remote_user = centos
ask_pass = false

[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false

/home/ansible/ansible-project/20240205/1/inventory

[compute]
node01 ansible_host=192.168.122.231
node02 ansible_host=192.168.122.132

[control]
node03 ansible_host=192.168.122.245


[db]
node04 ansible_host=192.168.122.63

[all:children]
compute
control
db

 

 

Refer to the user module documentation.

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html


 

 

 

The password change interval can be set with the password_expire_max parameter.

/home/ansible/ansible-project/20240205/1/var_max_days.yml


---

Userinfo:
  - username: ansible
    maxdays: 90
  - username: stack
    maxdays: 90

 

The password_expire_max parameter value is set through the maxdays variable.

/home/ansible/ansible-project/20240205/1/set_chage_password.yml


---

- hosts: all
  vars_files: var_max_days.yml
  
  tasks:
    - name: Change Password Maxdays
      ansible.builtin.user:
        name: "{{ item.username }}"
        password_expire_max: "{{ item.maxdays }}"
      loop: "{{ Userinfo }}"

 

 

Load the variables from the var_max_days YAML file and set the password_expire_max value for each user name.

Ansible syntax check: when there are no syntax errors, the output shows the playbook name.

Check the expiry interval on each node. Currently no expiry interval is set.

Run the playbook.

Confirm the change.
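One way to confirm that change from the target side, as an added Python example of my own (not from the study material and not the Ansible user module): password_expire_max ends up in field 5 of /etc/shadow, the value chage -M writes and chage -l reports as the maximum number of days between password changes. The script parses shadow-format lines and flags password-login accounts that do not meet the 90-day policy from var_max_days.yml. The shadow lines below are constructed samples with placeholder hashes; to check a real node, feed it the contents of /etc/shadow read with sudo instead.

```python
# Added example (my own Python, not part of the study or the Ansible module):
# audits the "max" field of /etc/shadow, which is where password_expire_max
# (and "chage -M") store the maximum password age.

NEVER = 99999            # the conventional "never expires" maximum

# Policy from var_max_days.yml
MAX_DAYS_POLICY = 90

# Constructed sample lines; the hashes are placeholders, not real hashes.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Day counts are days since 1970-01-01 (19758 = 2024-02-05).
SAMPLE_SHADOW = """\
root:$6$constructed$PLACEHOLDERHASH:19758:0:99999:7:::
ansible:$6$constructed$PLACEHOLDERHASH:19758:0:90:7:::
stack:$6$constructed$PLACEHOLDERHASH:19600:0:90:7:::
centos:$6$constructed$PLACEHOLDERHASH:19758:0::7:::
sshd:!!:19000::::::
"""

FIELDS = ("name", "hash", "lastchange", "min", "max", "warn", "inactive", "expire")


def _num(field):
    """Numeric shadow fields may be empty, meaning 'not set'."""
    return int(field) if field.strip() else None


def parse_shadow(text):
    """Parse shadow-format lines into a list of dicts (one per account)."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        parts += [""] * (9 - len(parts))   # tolerate lines with trailing fields missing
        user = {"name": parts[0], "hash": parts[1]}
        for i, key in enumerate(FIELDS[2:], start=2):
            user[key] = _num(parts[i])
        users.append(user)
    return users


def has_usable_password(user):
    """A hash starting with '!' or '*' (or empty) means no password login."""
    h = user["hash"]
    return bool(h) and not h.startswith(("!", "*"))


def days_until_expiry(user, today_days):
    """Days until the password must be changed, or None when it never expires."""
    if user["lastchange"] is None or user["max"] is None or user["max"] >= NEVER:
        return None
    return user["lastchange"] + user["max"] - today_days


def audit_max_days(users, today_days, policy=MAX_DAYS_POLICY):
    """Return {name: reason} for password-login accounts that violate the policy.
    An empty or 99999 maximum is the 'before' state shown on the page."""
    problems = {}
    for u in users:
        if not has_usable_password(u):
            continue
        mx = u["max"]
        if mx is None or mx >= NEVER:
            problems[u["name"]] = "no maximum password age set"
        elif mx > policy:
            problems[u["name"]] = f"max {mx} days exceeds policy of {policy}"
        elif u["lastchange"] is not None and days_until_expiry(u, today_days) < 0:
            problems[u["name"]] = "password already expired"
    return problems


if __name__ == "__main__":
    from datetime import date
    today = (date.today() - date(1970, 1, 1)).days
    for name, why in audit_max_days(parse_shadow(SAMPLE_SHADOW), today).items():
        print(f"{name}: {why}")
```

Locked accounts (sshd here) are skipped on purpose: a maximum age on an account that cannot log in with a password is noise, and the playbook only targets the accounts listed in Userinfo.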

 

Applying password creation rules

Uses the same configuration as the previous exercise.

 

/home/ansible/ansible-project/20240205/2/ansible.cfg

[defaults]
inventory = ./inventory
remote_user = centos
ask_pass = false

[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false

/home/ansible/ansible-project/20240205/2/inventory

[compute]
node01 ansible_host=192.168.122.231
node02 ansible_host=192.168.122.132

[control]
node03 ansible_host=192.168.122.245


[db]
node04 ansible_host=192.168.122.63

[all:children]
compute
control
db

 

/home/ansible/ansible-project/20240205/2/vars_pw_rule.yml

---

minlen: 8
dcredit: -1
ucredit: -1
lcredit: -1
ocredit: -1
enforce_for_root: false

 

Set the variables to be used for the password rules.

/home/ansible/ansible-project/20240205/2/pwquality.conf.j2

 

# Created by ansible

{% if minlen is defined %}
# Minimum acceptable size for the new password
minlen = {{ minlen }}
{% endif %}

{% if dcredit is defined %}
# The maximum credit for having digits in the new password
dcredit = {{ dcredit }}
{% endif %}

{% if ucredit is defined %}
# The maximum credit for having uppercase characters in the new password
ucredit = {{ ucredit }}
{% endif %}

{% if lcredit is defined %}
# The maximum credit for having lowercase characters in the new password
lcredit = {{ lcredit }}
{% endif %}

{% if ocredit is defined %}
# The maximum credit for having other characters in the new password
ocredit = {{ ocredit }}
{% endif %}

{% if minclass is defined %}
# The minimum number of required classes of characters for the new password
minclass = {{ minclass }}
{% endif %}

{% if maxrepeat is defined %}
# The maximum number of allowed consecutive same characters in the new password
maxrepeat = {{ maxrepeat }}
{% endif %}

{% if maxclassrepeat is defined %}
# The maximum number of allowed consecutive characters of the same class in the new password
maxclassrepeat = {{ maxclassrepeat }}
{% endif %}

{% if retry is defined %}
# Prompt user at most N times before returning with error
retry = {{ retry }}
{% endif %}

{# enforce_for_root is a bare keyword in pwquality.conf: its presence turns the
   check on, so the line is written only when the variable is set to true #}
{% if enforce_for_root is defined and enforce_for_root %}
# Enforces pwquality checks on the root user password.
enforce_for_root
{% endif %}

 

 

Jinja2 template settings.

Using the {% if variable is defined %} ... {% endif %} construct, the parameter line is inserted only when the variable is declared.

{% if minlen is defined %}
# Minimum acceptable size for the new password
minlen = {{ minlen }}
{% endif %}

In this case, since minlen is set to 8 in vars_pw_rule.yml, when the playbook loads the variables from vars_pw_rule.yml the line minlen = 8 is inserted into the destination file.
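To see what the values in vars_pw_rule.yml actually demand of a password before they are pushed to every node, here is an added Python example of my own (not the study's code and not libpwquality): it implements the minlen/credit rule described in pwquality.conf(5), where a negative credit is a hard minimum for that character class and a non-negative credit lets up to that many characters of the class each count one extra toward minlen. PAGE_RULE holds the page's values and DEFAULT_RULE the documented defaults; only the length/credit, minclass and maxrepeat rules are modelled, not the dictionary or similarity checks.

```python
# Added example (my own Python, not libpwquality and not part of the study):
# evaluates a candidate password against the minlen/credit rules that
# pwquality.conf carries, so the effect of the vars file can be checked.

# Values from vars_pw_rule.yml on this page
PAGE_RULE = {"minlen": 8, "dcredit": -1, "ucredit": -1, "lcredit": -1, "ocredit": -1}

# What pwquality.conf(5) documents as the defaults when nothing is set
DEFAULT_RULE = {"minlen": 8, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

CREDIT_KEYS = {"digit": "dcredit", "upper": "ucredit", "lower": "lcredit", "other": "ocredit"}


def count_classes(pw):
    """Count characters per class, in the order the credits are checked."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in pw:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def longest_run(pw):
    """Length of the longest run of one repeated character (for maxrepeat)."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(pw, rule):
    """Return None when pw satisfies rule, otherwise a short reason string."""
    counts = count_classes(pw)
    required = rule.get("minlen", 8)
    for cls, n in counts.items():
        credit = rule.get(CREDIT_KEYS[cls], 1)
        if credit < 0:
            # negative credit: a hard minimum number of characters of this class
            if n < -credit:
                return f"needs at least {-credit} {cls} character(s)"
        else:
            # non-negative credit: each such character (up to the credit) counts
            # one extra toward minlen, i.e. it lowers the required length
            required -= min(n, credit)
    minclass = rule.get("minclass", 0)
    if minclass and sum(1 for n in counts.values() if n) < minclass:
        return f"needs characters from at least {minclass} classes"
    maxrepeat = rule.get("maxrepeat", 0)
    if maxrepeat and longest_run(pw) > maxrepeat:
        return f"repeats one character more than {maxrepeat} times in a row"
    if len(pw) < required:
        return f"shorter than the effective minimum length of {required}"
    return None


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "password", "abcdefg"):
        print(candidate, "->", check_password(candidate, PAGE_RULE) or "ok",
              "| defaults:", check_password(candidate, DEFAULT_RULE) or "ok")
```

With the defaults, a seven-character all-lowercase string satisfies the credit arithmetic (8 minus one lowercase credit), which is why the page sets every credit to -1: that turns each credit into a required character of that class.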

 

 

/home/ansible/ansible-project/20240205/2/set_password_rule.yml

 

---

- hosts: all
  vars_files: vars_pw_rule.yml
  
  tasks:
    - name: Backup pwquality.conf
      ansible.builtin.copy:
        src: /etc/security/pwquality.conf
        dest: /etc/security/pwquality.conf.bak
        remote_src: yes

    - name: Copy pwquality.conf.j2 at /etc/security
      ansible.builtin.template:
        src: pwquality.conf.j2
        dest: /etc/security/pwquality.conf
        mode: '0644'

 

Back up the pwquality.conf file, which holds the password complexity settings, then insert the settings into pwquality.conf using the Jinja2 template.

Syntax check

Check the current values on each node

Run the playbook

Log in to the node and confirm that the settings were applied correctly

 

Changing directory and file access permissions

Using Ansible, search for world-writable files (777 permissions and the like) and for files with the sticky bit (a special permission beyond the normal permission bits; only the file's creator or root can modify or delete it).

 

/home/ansible/ansible-project/20240205/3/ansible.cfg

[defaults]
inventory = ./inventory
remote_user = centos
ask_pass = false

[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false

/home/ansible/ansible-project/20240205/3/inventory

[compute]
node01 ansible_host=192.168.122.231
node02 ansible_host=192.168.122.132

[control]
node03 ansible_host=192.168.122.245


[db]
node04 ansible_host=192.168.122.63

[all:children]
compute
control
db

 

/home/ansible/ansible-project/20240205/3/set_sticky_writable_files.yml

 

---

- hosts: all

  tasks:
  # Search for files with the setuid/setgid/sticky bits set. The three -perm
  # tests are grouped in \( \) so the implicit -print clearly applies to any of
  # them, and -perm -01000 (with the leading dash) means "sticky bit set" rather
  # than "mode exactly 1000". grep -e applies the regex patterns for the file
  # names of interest; the result is stored in sfile_list. xargs -r keeps ls from
  # listing the current directory when nothing matches (which would otherwise
  # feed unrelated names into the chmod task below).
  - name: Find Sticky bit files
    ansible.builtin.shell: |
      find / -xdev \( -perm -04000 -o -perm -02000 -o -perm -01000 \) \
      | grep -e 'dump$' \
             -e 'lp*-lpd$' \
             -e 'newgrp$' \
             -e 'restore$' \
             -e 'at$' \
             -e 'traceroute$' | xargs -r ls
    register: sfile_list
    changed_when: false

  # Search for world-writable regular files and store them in wfile_list.
  # -type f limits the result to regular files, so world-writable directories
  # such as /tmp (which need o+w) and symlinks are not touched by the task below.
  - name: Find World Writable files
    ansible.builtin.shell: |
      find / -xdev -type f -perm -0002 -print
    register: wfile_list
    changed_when: false

  - name: Print Sticky bit files
    ansible.builtin.debug:
      msg: "{{ sfile_list.stdout_lines }}"

  - name: Print World Writable files
    ansible.builtin.debug:
      msg: "{{ wfile_list.stdout_lines }}"

  # Remove the setuid, setgid and sticky bits (the sticky bit is the "t" flag of
  # "other"; o-s has no effect in chmod or in Ansible's mode parser)
  - name: Set Sticky bit files
    ansible.builtin.file:
      path: "{{ item }}"
      mode: "u-s,g-s,o-t"
    loop: "{{ sfile_list.stdout_lines }}"

  # Remove the write permission for others
  - name: Set World Writable files
    ansible.builtin.file:
      path: "{{ item }}"
      mode: "o-w"
    loop: "{{ wfile_list.stdout_lines }}"

 

 

After the syntax check,

Check the folders with the sticky bit applied

Check the world-writable files.

Confirm the sticky bit was removed

Confirm the write permission was removed.