Ansible Study, Week 4 - Automating Security Settings
Setting the password change period
Uses the ansible builtin user module.
* Assumes the centos account is configured with NOPASSWD:ALL in sudoers.
/home/ansible/ansible-project/20240205/1/ansible.cfg
[defaults]
inventory = ./inventory
remote_user = centos
ask_pass = false
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
/home/ansible/ansible-project/20240205/1/inventory
[compute]
node01 ansible_host=192.168.122.231
node02 ansible_host=192.168.122.132
[control]
node03 ansible_host=192.168.122.245
[db]
node04 ansible_host=192.168.122.63
[all:children]
compute
control
db
Refer to the user module documentation.
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html
The password change period (maximum password age) is set with the password_expire_max parameter.
/home/ansible/ansible-project/20240205/1/var_max_days.yml
---
Userinfo:
  - username: ansible
    maxdays: 90
  - username: stack
    maxdays: 90
The maxdays variable supplies the value for the password_expire_max parameter.
/home/ansible/ansible-project/20240205/1/set_chage_password.yml
---
- hosts: all
  vars_files: var_max_days.yml
  tasks:
    # One user task per entry in Userinfo; password_expire_max writes the
    # max-age field of /etc/shadow (the same thing chage -M sets)
    - name: Change Password Maxdays
      ansible.builtin.user:
        name: "{{ item.username }}"
        password_expire_max: "{{ item.maxdays }}"
      loop: "{{ Userinfo }}"
Loads the variables from the var_max_days yaml file and sets password_expire_max for each user name.
Ansible syntax check => when there are no syntax errors, the output is just the playbook name.
Check the password expiry on each node (chage -l). No expiry time is set yet.
Run the playbook.
Confirm that the value changed.
Applying password creation rules
Uses the same settings as the previous exercise.
/home/ansible/ansible-project/20240205/2/ansible.cfg
[defaults]
inventory = ./inventory
remote_user = centos
ask_pass = false
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
/home/ansible/ansible-project/20240205/2/inventory
[compute]
node01 ansible_host=192.168.122.231
node02 ansible_host=192.168.122.132
[control]
node03 ansible_host=192.168.122.245
[db]
node04 ansible_host=192.168.122.63
[all:children]
compute
control
db
/home/ansible/ansible-project/20240205/2/vars_pw_rule.yml
---
minlen: 8
dcredit: -1
ucredit: -1
lcredit: -1
ocredit: -1
enforce_for_root: false
Variables used for the password rules. A negative credit such as -1 means at least one character of that class is required.
/home/ansible/ansible-project/20240205/2/pwquality.conf.j2
# Created by ansible
{% if minlen is defined %}
# Minimum acceptable size for the new password
minlen = {{ minlen }}
{% endif %}
{% if dcredit is defined %}
# The maximum credit for having digits in the new password
dcredit = {{ dcredit }}
{% endif %}
{% if ucredit is defined %}
# The maximum credit for having uppercase characters in the new password
ucredit = {{ ucredit }}
{% endif %}
{% if lcredit is defined %}
# The maximum credit for having lowercase characters in the new password
lcredit = {{ lcredit }}
{% endif %}
{% if ocredit is defined %}
# The maximum credit for having other characters in the new password
ocredit = {{ ocredit }}
{% endif %}
{% if minclass is defined %}
# The minimum number of required classes of characters for the new password
minclass = {{ minclass }}
{% endif %}
{% if maxrepeat is defined %}
# The maximum number of allowed consecutive same characters in the new password
maxrepeat = {{ maxrepeat }}
{% endif %}
{% if maxclassrepeat is defined %}
# The maximum number of allowed consecutive characters of the same class in the new password
maxclassrepeat = {{ maxclassrepeat }}
{% endif %}
{% if retry is defined %}
# Prompt user at most N times before returning with error
retry = {{ retry }}
{% endif %}
{# enforce_for_root is a bare keyword in pwquality.conf, so it must only be
   emitted when the variable is true; testing "is defined" alone would turn
   it on even with enforce_for_root: false in the vars file #}
{% if enforce_for_root is defined and enforce_for_root %}
# Enforces pwquality checks on the root user password.
enforce_for_root
{% endif %}
Jinja2 template setup.
The {% if variable is defined %} ... {% endif %} construct inserts a parameter only when the corresponding variable has been declared.
For example, in
{% if minlen is defined %}
# Minimum acceptable size for the new password
minlen = {{ minlen }}
{% endif %}
minlen is set to 8 in vars_pw_rule.yml, so when the playbook loads the variables from vars_pw_rule.yml the line minlen = 8 is written into the destination file.
/home/ansible/ansible-project/20240205/2/set_password_rule.yml
---
- hosts: all
  vars_files: vars_pw_rule.yml
  tasks:
    # Keep a copy of the original file on the node before overwriting it
    - name: Backup pwquality.conf
      ansible.builtin.copy:
        src: /etc/security/pwquality.conf
        dest: /etc/security/pwquality.conf.bak
        remote_src: yes
    # Render the template with the variables from vars_pw_rule.yml
    - name: Copy pwquality.conf.j2 at /etc/security
      ansible.builtin.template:
        src: pwquality.conf.j2
        dest: /etc/security/pwquality.conf
        mode: '0644'
Backs up the pwquality.conf file, which holds the password complexity settings, and then writes the settings into pwquality.conf from the Jinja2 template.
Syntax check.
Check the current values on each node.
Run the playbook.
Log in to the node and confirm the settings were applied.
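The vars file sets minlen: 8 and all four credits to -1, and the study does not spell out what that combination enforces. The script below is an added example, not code from the study, that models pam_pwquality's negative-credit rule: a credit of -N requires at least N characters of that class, and minlen is a plain length floor. It only covers the negative-credit case the page uses (positive credits, minclass, the dictionary and similarity checks are not modelled). The function names and sample passwords are constructed for the example.

```shell
#!/bin/sh
# Added example: simulate the negative-credit password rules written by the
# template (minlen / dcredit / ucredit / lcredit / ocredit, all <= 0).

# Count the characters of one POSIX class ($2 = digit|upper|lower) in $1.
count_class() {
    printf '%s' "$1" | tr -cd "[:$2:]" | wc -c | tr -d ' '
}

# check_password_rules PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Prints the names of the rules that failed (empty line if none) and
# returns 0 when the password satisfies every rule, 1 otherwise.
check_password_rules() {
    pw=$1; minlen=$2; dcredit=$3; ucredit=$4; lcredit=$5; ocredit=$6
    failed=""
    # minlen: plain length floor (credits are not added back, since they are negative)
    [ "$(printf '%s' "$pw" | wc -c | tr -d ' ')" -ge "$minlen" ] || failed="$failed minlen"
    # a credit of -N means "at least N characters of this class"
    [ "$(count_class "$pw" digit)" -ge $(( 0 - dcredit )) ] || failed="$failed dcredit"
    [ "$(count_class "$pw" upper)" -ge $(( 0 - ucredit )) ] || failed="$failed ucredit"
    [ "$(count_class "$pw" lower)" -ge $(( 0 - lcredit )) ] || failed="$failed lcredit"
    # "other" is anything that is not a letter or a digit
    others=$(printf '%s' "$pw" | tr -d '[:alnum:]' | wc -c | tr -d ' ')
    [ "$others" -ge $(( 0 - ocredit )) ] || failed="$failed ocredit"
    printf '%s\n' "${failed# }"
    [ -z "$failed" ]
}

# Stand-alone run with the values from vars_pw_rule.yml (8, -1, -1, -1, -1)
# against two constructed candidates
if [ "${1:-}" = "--demo" ]; then
    for candidate in 'password' 'Tr0ub4dor&3'; do
        if check_password_rules "$candidate" 8 -1 -1 -1 -1 >/dev/null; then
            echo "$candidate: accepted"
        else
            echo "$candidate: rejected ($(check_password_rules "$candidate" 8 -1 -1 -1 -1))"
        fi
    done
fi
```

The demo shows why the rule set is stricter than "8 characters": a lowercase-only word of the right length still fails three of the five checks. On a real node the authoritative check is pam_pwquality itself (for example `pwscore` from libpwquality), which also applies the dictionary and similarity tests this script leaves out.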
Changing directory and file access permissions
Use Ansible to search for world-writable files (777 permissions and the like) and for files with the sticky bit (a special permission beyond the normal mode bits: only the file's creator or root can modify or delete it).
/home/ansible/ansible-project/20240205/3/ansible.cfg
[defaults]
inventory = ./inventory
remote_user = centos
ask_pass = false
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
/home/ansible/ansible-project/20240205/3/inventory
[compute]
node01 ansible_host=192.168.122.231
node02 ansible_host=192.168.122.132
[control]
node03 ansible_host=192.168.122.245
[db]
node04 ansible_host=192.168.122.63
[all:children]
compute
control
db
/home/ansible/ansible-project/20240205/3/set_sticky_writable_files.yml
---
- hosts: all
  tasks:
    # Search for files with the setuid (-04000), setgid (-02000) or sticky
    # (-01000) bit set; grep -e applies the regex patterns for the binaries
    # of interest. The result is stored in sfile_list.
    # -perm -01000 tests the bit (a bare 01000 only matches files whose whole
    # mode is exactly 1000), 'lp.*-lpd' matches lpq-lpd/lpr-lpd/lprm-lpd, and
    # xargs -r skips ls when nothing matched, otherwise a plain 'xargs ls'
    # would list the current directory and feed those names to the chmod task.
    - name: Find Sticky bit files
      ansible.builtin.shell: |
        find / -xdev \( -perm -04000 -o -perm -02000 -o -perm -01000 \) \
        | grep -e 'dump$' \
               -e 'lp.*-lpd$' \
               -e 'newgrp$' \
               -e 'restore$' \
               -e 'at$' \
               -e 'traceroute$' | xargs -r ls
      register: sfile_list
    # Search for world-writable regular files and store them in wfile_list.
    # -type f keeps 1777 directories such as /tmp out of the list (stripping
    # o-w from those would break the system); the grep -v drops symlinks,
    # whose -ls line ends with the link target rather than the path.
    - name: Find World Writable files
      ansible.builtin.shell: |
        find / -xdev -type f -perm -2 -ls \
        | grep -v 'l..........' | awk '{print $NF}'
      register: wfile_list
    - name: Print Sticky bit files
      ansible.builtin.debug:
        msg: "{{ sfile_list.stdout_lines }}"
    - name: Print World Writable files
      ansible.builtin.debug:
        msg: "{{ wfile_list.stdout_lines }}"
    # Remove setuid/setgid (u-s, g-s) and the sticky bit (o-t; in symbolic
    # modes 's' only exists for u and g, the sticky bit is 't')
    - name: Set Sticky bit files
      ansible.builtin.file:
        path: "{{ item }}"
        mode: "u-s,g-s,o-t"
      loop: "{{ sfile_list.stdout_lines }}"
    # Remove write permission for others
    - name: Set World Writable files
      ansible.builtin.file:
        path: "{{ item }}"
        mode: "o-w"
      loop: "{{ wfile_list.stdout_lines }}"
After the syntax check,
check the directories and files with the sticky bit,
check the world-writable files,
confirm the sticky bit was removed,
confirm the write permission was removed.
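The two find jobs in the playbook are easy to get subtly wrong (an exact-mode `-perm 01000`, a `/tmp` that is 1777 and must not lose o-w, an empty result that makes `xargs ls` list the current directory). The script below is an added example, not part of the study, that packages the corrected searches as functions and builds a small constructed directory tree to exercise them, so the behaviour can be checked before the playbook is pointed at `/`. The function names and the files created by make_fixture are assumptions of the example; `-printf` is GNU find syntax, as on CentOS.

```shell
#!/bin/sh
# Added example: audit helpers for special-bit and world-writable files,
# with the pitfalls of the playbook's find commands fixed.

# Print "MODE PATH" for regular files under $1 that carry the setuid,
# setgid or sticky bit. The -perm -0xxxx form tests the bit; parentheses
# keep the three -o alternatives together; -type f leaves directories alone.
find_special_files() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 -o -perm -01000 \) \
        -printf '%m %p\n' | sort
}

# Print regular files under $1 that are writable by "other". Symlinks are
# skipped because -type f tests the link itself, not its target, and 1777
# directories (like /tmp) are excluded so nobody strips o-w from them.
find_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -printf '%p\n' | sort
}

# Safe wrapper around the "feed paths to a command" step: xargs -r runs
# nothing when the input is empty, so an empty result never turns into
# 'ls .' (or 'chmod .').
list_if_any() {
    xargs -r ls -ld
}

# Constructed tree: one setuid script, one world-writable file, one 1777
# shared directory (must NOT be reported) and a symlink (must NOT be reported).
make_fixture() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\n' > "$dir/suid_tool"
    chmod 4755 "$dir/suid_tool"
    printf 'data\n' > "$dir/open_file"
    chmod 0666 "$dir/open_file"
    mkdir "$dir/shared"
    chmod 1777 "$dir/shared"
    ln -s "$dir/open_file" "$dir/link_to_open"
    printf '%s\n' "$dir"
}

# Stand-alone run against the constructed tree
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    echo "special-bit files:";   find_special_files "$fx"
    echo "world-writable files:"; find_world_writable_files "$fx" | list_if_any
    rm -rf "$fx"
fi
```

Running `sh audit_perms.sh --demo` should report only `suid_tool` under the first heading and only `open_file` under the second; the `shared` directory and the symlink never appear, which is exactly the property the playbook's loops depend on before they call the file module with `o-w`.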