secure fix complete

8b019929 · JooHan Hong · 8e1d6136 · 8b019929
Commit 8b019929 authored Mar 10, 2021 by JooHan Hong
Hide whitespace changes
Inline Side-by-side

Showing with 238 additions and 0 deletions

README.md ANSIBLE/SECURE/README.md +238 -0

No files found.
--- a/ANSIBLE/SECURE/README.md
+++ b/ANSIBLE/SECURE/README.md
@@ -20,3 +20,241 @@
 | 10 | rsyslog 설정 취약점 | [GO](./LOGS/) | |
 | 11 | TMOUT (/etc/profile) 설정 취약점 | [GO](./PROFILE/) | |
 | 12 | World Writealbe 설정 취약점 | [GO](./PERMISSION/WWR) | |
+## 전체 Playbook
+위의 각 항목별 Playbook은 해당 보안취약점에 대한 조치 검증으로 살펴보았으며, 위의 항목을 모두 통합한 Playbook은 다음과 같다.
+단, **World Write Able 조치는 12번에 명시된 Playbook을 별도로 수행**한다.
+```python
+---
+- name: OS Secure Fix
+  hosts: ALL_HOSTS
+  vars:
+    time: "{{lookup('pipe','date \"+%Y%m%d\"')}}"
+  tasks:
+    - name: Disable root remote access - commenting pts
+      replace: dest=/etc/securetty
+         regexp="^pts"
+         replace="#pts"
+    - name: Disable root login over SSH Comment absent
+      lineinfile:
+        dest: /etc/ssh/sshd_config
+        regexp: "^#PermitRootLogin"
+        line: ""
+        state: absent
+    - name: Disable root login over SSH
+      lineinfile:
+       dest: /etc/ssh/sshd_config
+       regexp: "^PermitRootLogin"
+       line: "PermitRootLogin no"
+       state: present
+      notify:
+       - reload sshd
+    - name: /root/test Directory Create
+      command: mkdir -p /root/test
+    - name: /root/test/common-password_{{ time }} file copy check
+      stat:
+        path: /root/test/common-password_{{ time }}
+      register: common_password_config_backup
+    - name: /etc/pam.d/common-password_{{ time }} file backup
+      command: cp -rf /etc/pam.d/common-password /root/test/common-password_{{ time }}
+      when: common_password_config_backup.stat.exists == False
+    - name: Copy the /etc/pam.d/common-password file in remote node
+      copy:
+       src: templates/common-password
+       dest: /etc/pam.d/common-password
+       owner: root
+       group: root
+       mode: 0644
+      register: common_password_config
+    - name: Restrict Access to the su Command
+      lineinfile:
+        dest: /etc/pam.d/su
+        regexp: '# auth       required   pam_wheel.so'
+        line: 'auth            required        pam_wheel.so use_uid'
+        state: present
+    - name: Account Pam_tally2 Setting
+      lineinfile:
+        path: /etc/pam.d/common-auth
+        insertbefore: BOF
+        regexp: "pam_tally2.so"
+        line: "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900"
+      when: ansible_distribution == "Debian"
+    - name: Account Pam_tally2 Setting
+      lineinfile:
+        dest: '/etc/pam.d/system-auth'
+        regexp: "pam_tally2.so"
+        line: "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900"
+        state: present
+      when: ansible_distribution == "CentOS"
+    - name: /etc/passwd file check
+      stat: path=/etc/passwd
+      register: passwd_check
+    - name: /etc/passwd permission set Execute...
+      command: chmod 644 /etc/passwd
+      when: passwd_check.stat.mode != 644
+    - name: /etc/passwd owner set Execute...
+      command: chown root. /etc/shadow
+      when: passwd_check.stat.pw_name != 'root'
+    - name: /etc/passwd group set Execute...
+      command: chown .root /etc/shadow
+      when: passwd_check.stat.gr_name != 'root'
+    - name: /etc/group file check
+      stat: path=/etc/group
+      register: group_check
+    - name: /etc/group permission set Execute...
+      command: chmod 644 /etc/group
+      when: group_check.stat.mode != 644
+    - name: /etc/group owner set Execute...
+      command: chown root. /etc/group
+      when: group_check.stat.pw_name != 'root'
+    - name: /etc/group group set Execute...
+      command: chown .root /etc/group
+      when: group_check.stat.gr_name != 'root'
+    - name: /etc/shadow file check
+      stat: path=/etc/shadow
+      register: shadow_check
+    - name: /etc/shadow permission set Execute...
+      command: chmod 640 /etc/shadow
+      when: shadow_check.stat.mode != 640
+    - name: /etc/shadow owner set Execute...
+      command: chown root. /etc/shadow
+      when: shadow_check.stat.pw_name != 'root'
+    - name: /etc/shadow group set Execute...
+      command: chown .shadow /etc/shadow
+      when: shadow_check.stat.gr_name != 'shadow'
+    - name: Remove SGID, SUID Permission Bit
+      file:
+        path: "{{ item }}"
+        owner: root
+        group: root
+        mode: 00755
+      with_items:
+        - /usr/bin/newgrp
+        - /sbin/unix_chkpwd
+        - /usr/bin/at
+    - name: Copy the CRON cron.allow file in remote node
+      copy:
+       src: templates/cron.allow.j2
+       dest: /etc/cron.allow
+       owner: root
+       group: root
+       mode: 0640
+    - name: Copy the CRON cron.deny file in remote node
+      copy:
+       src: templates/cron.deny.j2
+       dest: /etc/cron.deny
+       owner: root
+       group: root
+       mode: 0640
+    - name: Modify Password Min Length
+      lineinfile: dest=/etc/login.defs regexp="PASS_MIN_LEN" line="PASS_MIN_LEN  8" state=present
+    - name: Modify Password Max Days
+      lineinfile: dest=/etc/login.defs regexp="^PASS_MAX_DAYS[\s\x20]*[0-9]*" line="PASS_MAX_DAYS  90" state=present
+    - name: Modify Password Min Days
+      lineinfile: dest=/etc/login.defs regexp="^PASS_MIN_DAYS[\s\x20]*[0-9]*" line="PASS_MIN_DAYS  1" state=present
+    - name: Copy the banner issue file in remote node
+      copy:
+       src: templates/issue.j2
+       dest: /etc/issue
+       owner: root
+       group: root
+       mode: 0644
+    - name: Copy the banner motd file in remote node
+      copy:
+       src: templates/issue.j2
+       dest: /etc/motd
+       owner: root
+       group: root
+       mode: 0644
+    - name: Copy the banner issue.net file in remote node
+      copy:
+       src: templates/issue.j2
+       dest: /etc/issue.net
+       owner: root
+       group: root
+       mode: 0644
+    - name: /etc/ssh/sshd_config Banner Configure
+      lineinfile: dest=/etc/ssh/sshd_config regexp="^#?Banner" line="Banner /etc/issue.net" state=present
+    - name: /root/test Directory Create
+      command: mkdir -p /root/test
+    - name: /root/test/rsyslog_config_{{ time }} file copy check
+      stat:
+        path: /root/test/rsyslog.conf_{{ time }}
+      register: rsyslog_config_backup
+    - name: /etc/rsyslog.conf_{{ time }} file backup
+      command: cp -rf /etc/rsyslog.conf /root/test/rsyslog.conf_{{ time }}
+      when: rsyslog_config_backup.stat.exists == False
+    - name: Copy the Rsyslog Configs file file in remote node
+      copy:
+       src: templates/rsyslog.conf.j2
+       dest: /etc/rsyslog.conf
+       owner: root
+       group: root
+       mode: 0644
+      register: rsyslog_config
+    - name: rsyslog Daemon Reloaded Service
+      service:
+       name: rsyslog
+       state: restarted
+       enabled: yes
+      when: rsyslog_config.changed
+    - name: Login TimeOut Setting 600 seconds
+      lineinfile: dest=/etc/profile regexp="^TMOUT" line="TMOUT=600" state=present
+  handlers:
+  - name: reload sshd
+    systemd:
+      name: sshd
+      state: reloaded
+```
+## Playbook 실행
+```bash
+# ansible-playbook -i hosts linux_secure_fix.yml
+```