Batch hardening of Linux host security baselines with ansible-playbook


Running Linux host security baseline hardening in batch

As the number of business operating systems grows rapidly, the old manual hardening approach is slow and error-prone. To address this, an automated batch hardening method based on Ansible playbooks was written. The article covers only a few hardening items; it is meant to show the approach, and readers can extend the list of items to their own needs.

1. Environment

Ansible version: 2.7.9
Managed hosts: CentOS 6.x/7.x, RedHat 6.x/7.x

2. Security baseline hardening items

No.  | Category | Hardening item
001  | Config   | Set the system session timeout to 300 seconds
002  | Config   | Change the default umask to 027
003  | Users    | Forbid SSH login to the operating system as root
004  | Users    | Forbid users outside the wheel group from switching to root
005  | Users    | Create a regular user in the wheel group for OS administration
006  | Accounts | Set the maximum password age to 90 days
007  | Accounts | Set the minimum password length to 8 characters
008  | Accounts | Password complexity: at least 3 character classes (digits, letters, special characters)
009  | Logging  | Configure the rsyslog server
010  | Logging  | Configure the syslog server
011  | Services | Restart the rsyslog and sshd services so the configuration takes effect
3. Design of the ansible-playbook

This article uses a top-down design: a single master playbook is written first, and inside it the OS version is the condition that selects which task file to run, so that hosts running different OS versions are hardened in one run. The directory layout of the test environment is as follows:

/security
	- os_reinforce.yml
	- tasks/
		- RedHat6.yml
		- RedHat7.yml
#1. The master playbook, os_reinforce.yml
---
- name: Server System Reinforcement
  hosts: all
  become: yes   # every task below edits files under /etc, so run with root privileges
  tasks:
    - name: RedHat6 Server System Reinforcement
      import_tasks: tasks/RedHat6.yml
      when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6") or 
            (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "6")

    - name: RedHat7 Server System Reinforcement 
      import_tasks: tasks/RedHat7.yml
      when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7") or
            (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "7")
#2. Hardening task file for the RedHat 6.x family, RedHat6.yml
---
  # Item 005: admin user for OS management. 'password' must be a crypt(3) hash, never
  # plaintext (generate one with `openssl passwd`, keep it out of the repo with ansible-vault).
  - name: create system admin user
    user:
      name: ICNOC
      uid: 1099
      groups: wheel
      password: syAphDStxyaxU

  # Item 001: replace any existing TMOUT export (not only a value of 600), else append
  - name: session timeout
    lineinfile:
      path: /etc/profile
      regexp: '^export TMOUT='
      line: export TMOUT=300

  # Item 010: copy replaces the whole file; RHEL ships rsyslog, so this file only matters for legacy sysklogd
  - name: generate syslogfile
    copy:
      content: "*.* @10.142.82.187:514\n"
      dest: /etc/syslog.conf

  # Item 009: forward everything to the central rsyslog server (UDP/514)
  - name: append content into rsyslogfile
    lineinfile:
      path: /etc/rsyslog.conf
      line: '*.* @10.142.82.187:514'

  # Item 003: sshd honours the FIRST PermitRootLogin it reads, so an explicit
  # 'PermitRootLogin yes' must be replaced, not followed by an appended 'no'.
  # validate refuses a config sshd cannot parse; otherwise the restart below would lock everyone out.
  - name: set PermitRootLogin no
    lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^#?PermitRootLogin'
      line: PermitRootLogin no
      validate: /usr/sbin/sshd -t -f %s

  # Item 006
  - name: set PASS_MAX_DAYS 90
    lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MAX_DAYS'
      line: PASS_MAX_DAYS   90

  # Item 007
  - name: set PASS_MIN_LEN 8
    lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MIN_LEN'
      line: PASS_MIN_LEN    8

  # Item 008: RHEL 6 enforces password quality with pam_cracklib; rewrite its existing line
  - name: set PASS minlen minclass
    lineinfile:
      path: /etc/pam.d/system-auth
      regexp: 'pam_cracklib\.so'
      line: "password    requisite     pam_cracklib.so try_first_pass retry=5 type=  minlen=8 minclass=3"

  # Item 004: must come after pam_rootok.so so root itself can still su
  - name: set su permission
    lineinfile:
      path: /etc/pam.d/su
      insertafter: "pam_rootok.so"
      line: "auth            required        pam_wheel.so     group=wheel"

  # Item 002: only the 'umask 002' branch for regular users is changed; match the umask line, not any '002'
  - name: set umask
    lineinfile:
      path: /etc/profile
      regexp: '^\s*umask\s+002'
      line: "    umask 027"

  # Item 011
  - name: restart services
    service:
      name: "{{ item }}"
      state: restarted
    with_items:
      - sshd
      - rsyslog
#3. Hardening task file for the RedHat 7.x family, RedHat7.yml
---
  # Item 005: 'password' must be a crypt(3) hash, never plaintext (see RedHat6.yml)
  - name: create system admin user
    user:
      name: ICNOC
      uid: 1099
      groups: wheel
      password: syAphDStxyaxU

  # Item 001: replace any existing TMOUT export, else append
  - name: session timeout
    lineinfile:
      path: /etc/profile
      regexp: '^export TMOUT='
      line: export TMOUT=300

  # Item 010: copy replaces the whole file; RHEL 7 uses rsyslog, this file is only read by legacy sysklogd
  - name: generate syslogfile
    copy:
      content: "*.* @10.142.82.187:514\n"
      dest: /etc/syslog.conf

  # Item 009
  - name: append content into rsyslogfile
    lineinfile:
      path: /etc/rsyslog.conf
      line: '*.* @10.142.82.187:514'

  # Item 003: replace an explicit 'PermitRootLogin yes' too (sshd uses the first match)
  # and validate the file before the restart below picks it up
  - name: set PermitRootLogin no
    lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '^#?PermitRootLogin'
      line: PermitRootLogin no
      validate: /usr/sbin/sshd -t -f %s

  # Item 006
  - name: set PASS_MAX_DAYS 90
    lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MAX_DAYS'
      line: PASS_MAX_DAYS   90

  # Item 007
  - name: set PASS_MIN_LEN 8
    lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MIN_LEN'
      line: PASS_MIN_LEN    8

  # Item 008: RHEL 7 checks password quality with pam_pwquality, so set the policy on that
  # line instead of inserting a second pam_cracklib module in front of it. authconfig rewrites
  # this file; /etc/security/pwquality.conf is the persistent place for minlen/minclass.
  - name: set PASS minlen minclass
    lineinfile:
      path: /etc/pam.d/system-auth
      regexp: 'pam_pwquality\.so'
      line: "password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 minclass=3"

  # Item 004: after pam_rootok.so so root itself can still su
  - name: set su permission
    lineinfile:
      path: /etc/pam.d/su
      insertafter: "pam_rootok.so"
      line: "auth            required        pam_wheel.so     group=wheel"

  # Item 002: only the 'umask 002' branch for regular users is changed
  - name: set umask
    lineinfile:
      path: /etc/profile
      regexp: '^\s*umask\s+002'
      line: "    umask 027"

  # Item 011
  - name: restart services
    service:
      name: "{{ item }}"
      state: restarted
    with_items:
      - sshd
      - rsyslog
4. Running the playbook
# cd /security
# ansible-playbook -v os_reinforce.yml
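After the run, the same baseline items can be audited from the files the playbook edits. The following is an added example, not code from the post: a Python check that takes a host's /etc/profile, sshd_config, login.defs, PAM and rsyslog file contents (constructed samples here, using the post's item numbers and the playbook's rsyslog address) and returns pass/fail per item, honouring the fact that sshd only reads the first PermitRootLogin directive it sees.

```python
import re
def _lines(text):  # uncommented, non-empty lines only
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def sshd_effective(text, key):
    # sshd honours the FIRST occurrence of a keyword: a 'PermitRootLogin no' appended below 'PermitRootLogin yes' changes nothing
    for line in _lines(text):
        m = re.match(r"\s*%s\s+(\S+)" % re.escape(key), line, re.I)
        if m:
            return m.group(1).lower()
    return None

def last_value(text, pattern):  # 'last definition wins' lookup (login.defs keys, shell exports)
    hits = [m.group(1) for l in _lines(text) for m in [re.match(pattern, l)] if m]
    return hits[-1] if hits else None

def pam_policy(text):  # minlen/minclass of the first pam_cracklib or pam_pwquality password line
    for line in _lines(text):
        if re.match(r"\s*password\s+\S+\s+pam_(cracklib|pwquality)\.so", line):
            opts = dict(re.findall(r"(\w+)=(\d+)", line))
            return int(opts.get("minlen", 0)), int(opts.get("minclass", 0))
    return 0, 0

def audit(files):  # files: path -> content; returns baseline item -> pass/fail
    g = lambda p: files.get(p, "")
    minlen, minclass = pam_policy(g("/etc/pam.d/system-auth"))
    umasks = set(m.group(1) for l in _lines(g("/etc/profile")) for m in [re.match(r"\s*umask\s+(\d+)", l)] if m)
    return {
        "001_tmout_300": last_value(g("/etc/profile"), r"\s*export\s+TMOUT=(\d+)") == "300",
        "002_umask_027": bool(umasks) and umasks <= {"027"},
        "003_no_root_ssh": sshd_effective(g("/etc/ssh/sshd_config"), "PermitRootLogin") == "no",
        "004_su_wheel_only": any(re.match(r"\s*auth\s+required\s+pam_wheel\.so", l) for l in _lines(g("/etc/pam.d/su"))),
        "006_pass_max_days_90": last_value(g("/etc/login.defs"), r"\s*PASS_MAX_DAYS\s+(\d+)") == "90",
        "007_pass_min_len_8": last_value(g("/etc/login.defs"), r"\s*PASS_MIN_LEN\s+(\d+)") == "8",
        "008_complexity": minlen >= 8 and minclass >= 3,
        "009_remote_rsyslog": any(re.match(r"\s*\*\.\*\s+@{1,2}\S+:\d+", l) for l in _lines(g("/etc/rsyslog.conf"))),
    }

# Constructed sample host files (not captured from a real host). DRIFTED shows the
# case the baseline must catch: a later 'PermitRootLogin no' that sshd never reads.
HARDENED = {
    "/etc/profile": "export TMOUT=300\nif [ $UID -gt 199 ]; then\n    umask 027\nelse\n    umask 027\nfi\n",
    "/etc/ssh/sshd_config": "#PermitRootLogin yes\nPermitRootLogin no\n",
    "/etc/login.defs": "PASS_MAX_DAYS   90\nPASS_MIN_LEN    8\n",
    "/etc/pam.d/system-auth": "password    requisite     pam_cracklib.so try_first_pass retry=5 type=  minlen=8 minclass=3\n",
    "/etc/pam.d/su": "auth            sufficient      pam_rootok.so\nauth            required        pam_wheel.so     group=wheel\n",
    "/etc/rsyslog.conf": "*.* @10.142.82.187:514\n",
}
DRIFTED = {**HARDENED, "/etc/ssh/sshd_config": "PermitRootLogin yes\nPermitRootLogin no\n",
           "/etc/profile": "export TMOUT=600\n    umask 022\n"}
```

On a real host, fill the dict with `open(path).read()` for each path and treat every False as drift that the playbook run must be repeated against.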

Original URL: http://outofmemory.cn/langs/732844.html