
# Fixing security vulnerabilities with Ansible

> Check the permissions of the system user database files /etc/passwd, /etc/group and /etc/shadow.


## Inventory configuration

```bash
# cat hosts
[ALL_HOSTS]
172.16.0.100 managed_ip=172.16.0.100 des="2020-12-03"

[ALL_HOSTS_OK]
```

The target host is 172.16.0.100, and it is added on 2020-12-03. For reference, the **ALL_HOSTS_OK** host group exists only to keep a history of hosts on which the work has already been completed.


## Host variables configuration

```bash
# cat host_vars/172.16.0.100
ansible_ssh_host: 172.16.0.100
ansible_ssh_port: SSH_포트번호
ansible_ssh_user: 사용자 아이디
ansible_ssh_pass: "사용자 패스워드"
ansible_become: yes
ansible_become_method: su
ansible_become_user: root
ansible_become_pass: "!root_패스워드"
ansible_python_interpreter: python2.7
```

The SSH password and the root password are stored in this file in plaintext, so in practice it should be encrypted with `ansible-vault` rather than committed as-is.

## Playbook configuration

```yaml
# cat os_user_files.yml
---
- name: OS User Database File Secure Check & Fix
  hosts: ALL_HOSTS
  tasks:
    # The stat module reports the permission bits as an octal string
    # (e.g. "0644"), so the mode comparisons below must use strings;
    # comparing against the integer 644 is always true and the chmod
    # would run on every play.
    - name: /etc/passwd file check
      stat: path=/etc/passwd
      register: passwd_check

    - name: /etc/passwd permission set Execute...
      command: chmod 644 /etc/passwd
      when: passwd_check.stat.mode != '0644'

    - name: /etc/passwd owner set Execute...
      command: chown root /etc/passwd
      when: passwd_check.stat.pw_name != 'root'

    - name: /etc/passwd group set Execute...
      command: chgrp root /etc/passwd
      when: passwd_check.stat.gr_name != 'root'

    - name: /etc/group file check
      stat: path=/etc/group
      register: group_check

    - name: /etc/group permission set Execute...
      command: chmod 644 /etc/group
      when: group_check.stat.mode != '0644'

    - name: /etc/group owner set Execute...
      command: chown root /etc/group
      when: group_check.stat.pw_name != 'root'

    - name: /etc/group group set Execute...
      command: chgrp root /etc/group
      when: group_check.stat.gr_name != 'root'

    - name: /etc/shadow file check
      stat: path=/etc/shadow
      register: shadow_check

    - name: /etc/shadow permission set Execute...
      command: chmod 640 /etc/shadow
      when: shadow_check.stat.mode != '0640'

    - name: /etc/shadow owner set Execute...
      command: chown root /etc/shadow
      when: shadow_check.stat.pw_name != 'root'

    # root:shadow with mode 640 is the Debian-family layout; Red Hat-family
    # hosts ship /etc/shadow as root:root with mode 000, so adjust the
    # shadow tasks for those hosts.
    - name: /etc/shadow group set Execute...
      command: chgrp shadow /etc/shadow
      when: shadow_check.stat.gr_name != 'shadow'
```

Playbook analysis for the `security vulnerability fix`

* [ ] For each file, the permissions, owner and group are inspected (stat), and if they do not match the policy (when), the setting is applied.


## Running the playbook

```bash
# ansible-playbook -i hosts os_user_files.yml
```
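As an added example that is not part of the original post, the following POSIX shell script audits the three files against the same mode/owner/group policy the playbook enforces, so the result of a run can be verified directly on the managed host. It assumes GNU `stat` (the `-c` format option) and the Debian-style root:shadow 640 layout for /etc/shadow that the playbook uses.

```shell
#!/bin/sh
# audit_user_db.sh (constructed example): report deviations from the user
# database file policy. Prints one line per mismatch and returns non-zero
# when any file is out of policy. Requires GNU stat for the -c option.

# check_file PATH EXPECTED_MODE EXPECTED_OWNER EXPECTED_GROUP
# Returns 0 when mode, owner and group all match, 1 otherwise.
check_file() {
    path=$1; want_mode=$2; want_owner=$3; want_group=$4
    if [ ! -e "$path" ]; then
        echo "$path: missing"
        return 1
    fi
    # %a = permission bits in octal, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$path")
    have_mode=$1; have_owner=$2; have_group=$3
    rc=0
    [ "$have_mode" = "$want_mode" ]   || { echo "$path: mode $have_mode, expected $want_mode"; rc=1; }
    [ "$have_owner" = "$want_owner" ] || { echo "$path: owner $have_owner, expected $want_owner"; rc=1; }
    [ "$have_group" = "$want_group" ] || { echo "$path: group $have_group, expected $want_group"; rc=1; }
    return $rc
}

# audit_user_db: the policy from the playbook. /etc/shadow is root:shadow 640
# on Debian-family hosts; Red Hat-family hosts use root:root 000 instead, so
# change the last line for those.
audit_user_db() {
    rc=0
    check_file /etc/passwd 644 root root   || rc=1
    check_file /etc/group  644 root root   || rc=1
    check_file /etc/shadow 640 root shadow || rc=1
    return $rc
}

# Only run the audit when executed directly as a script.
if [ "${0##*/}" = "audit_user_db.sh" ]; then
    audit_user_db && echo "all user database files are within policy"
fi
```

Run it as root on the managed host after the play, or push it with `ansible -m script` to audit the whole inventory at once.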