Linux主机基线整改playbook(部分)

2023年 8月 26日 46.6k 0

Linux主机基线整改playbook(部分)

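---
# Linux host baseline remediation playbook (partial).
#
# Every task edits a security-sensitive system file (sshd_config, pam.d,
# login.defs, profile). Run with `--check --diff` first and keep an
# out-of-band console session open while it runs: a mistake in
# sshd_config or pam.d can lock you out of the host.
- hosts: all
  # The targets are root-owned files. Escalate explicitly instead of
  # relying on connecting as root -- this play disables root SSH login.
  become: true

  tasks:
    # The original pre-check (`shell` + bash `[[ ]]`, then `when:`) was
    # redundant and not portable to /bin/sh: lineinfile is idempotent and
    # reports changed/ok by itself. Matching the commented-out default as
    # well avoids leaving `#PermitRootLogin yes` next to the new line, and
    # `insertbefore` keeps a freshly added line out of any trailing
    # `Match` block, where an EOF append would land and only apply to that
    # block. `validate` refuses to write a config sshd cannot parse, and the
    # handler makes the change effective (sshd reads its config only at
    # (re)start).
    # NOTE(review): before disabling root login make sure a non-root sudo
    # account exists on every host, and check that no `Match` block lower
    # in the file re-enables PermitRootLogin.
    - name: "修改为PermitRootLogin no "
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin\s'
        line: 'PermitRootLogin no'
        insertbefore: '^Match\s'
        validate: '/usr/sbin/sshd -t -f %s'
        backup: true
      notify: restart sshd

    # /etc/motd is displayed only AFTER a successful login. A warning shown
    # before authentication needs /etc/issue.net plus `Banner` in
    # sshd_config and is not covered here. `create` keeps the task from
    # failing on hosts that ship without /etc/motd.
    - name: "检查登录提示-是否设置登录成功后警告Banner"
      lineinfile:
        path: /etc/motd
        line: 'Authorized users only. All activity may be monitored and reported'
        create: true
        backup: true

    # PASS_* settings in login.defs apply only to accounts created after
    # the change; existing accounts need `chage -M 90 -W 7 <user>`.
    # PASS_MIN_LEN is ignored on PAM-based systems -- minimum length is
    # enforced by the password-quality PAM module configured below.
    - name: "检查口令生存周期要求"
      lineinfile:
        path: /etc/login.defs
        regexp: '{{ item.regexp }}'
        line: '{{ item.line }}'
        backup: true
      loop:
        - { regexp: '^PASS_MAX_DAYS', line: 'PASS_MAX_DAYS    90' }
        - { regexp: '^PASS_MIN_LEN', line: 'PASS_MIN_LEN    8' }
        - { regexp: '^PASS_WARN_AGE', line: 'PASS_WARN_AGE    7' }

    # Password complexity via pam_cracklib, as the baseline names it.
    # `\s+` instead of ` *` so tab-separated lines are matched too. When no
    # pam_cracklib line exists, lineinfile would otherwise append the line
    # at the END of the file -- after `password sufficient pam_unix.so`,
    # whose success ends the password stack, so the new rule would never be
    # evaluated. Inserting before the first pam_unix password line keeps it
    # in effect.
    # NOTE(review): on RHEL/CentOS 7+ the stack uses pam_pwquality and
    # system-auth is regenerated by authconfig/authselect, which can
    # silently undo this edit; confirm which module the target hosts use.
    - name: "密码复杂度要求"
      lineinfile:
        path: /etc/pam.d/system-auth
        regexp: '^password\s+requisite\s+pam_cracklib'
        line: 'password    requisite     pam_cracklib.so try_first_pass retry=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=8'
        insertbefore: '^password\s+sufficient\s+pam_unix\.so'
        firstmatch: true
        backup: true

    # Restrict `su` to members of wheel. Distribution defaults typically
    # ship this directive commented out and tab-separated, which the
    # original single-space regexp never matched, so the line was appended
    # after the session stack. Match the commented default with any
    # whitespace and place the line right after pam_rootok, where the auth
    # stack expects it. `use_uid` makes pam_wheel check the real uid instead
    # of the (spoofable, sometimes absent) utmp login name.
    # NOTE(review): the wheel group must exist and every administrator must
    # already be a member, otherwise su is denied for everyone except root.
    - name: "su命令使用进行限制设置"
      lineinfile:
        path: /etc/pam.d/su
        regexp: '^#?\s*auth\s+required\s+pam_wheel\.so'
        line: 'auth            required        pam_wheel.so use_uid group=wheel'
        insertafter: '^auth\s+sufficient\s+pam_rootok\.so'
        backup: true

    # Idle-session timeout. A plain `export TMOUT=300` is undone by any user
    # typing `unset TMOUT`; marking it readonly makes the timeout mandatory
    # for that shell (it does not survive `exec` of another shell). The
    # regexp matches both the old `export TMOUT=` form and the new one so
    # the task stays idempotent across upgrades. Only login shells source
    # /etc/profile; non-login and GUI shells are not covered.
    # NOTE(review): re-sourcing /etc/profile in a shell where TMOUT is
    # already readonly prints "readonly variable"; harmless interactively.
    - name: "检查是否设置登录超时退出"
      lineinfile:
        path: /etc/profile
        regexp: '^(export\s+)?TMOUT='
        line: 'TMOUT=300; readonly TMOUT; export TMOUT'
        backup: true

  handlers:
    # Apply sshd_config changes. Only notified when the file actually
    # changed, so unchanged runs never bounce sshd.
    - name: restart sshd
      service:
        name: sshd
        state: restarted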

ansible-playbook基线.png

