ansible-playbook: batch hardening of the Linux host security baseline

Batch execution of Linux host security baseline hardening

As the number of business OS instances grew sharply, the old manual hardening process became slow and error-prone. To address this, an automated batch hardening method based on an Ansible playbook was written. The hardening items in this article are few and only illustrate the approach; extend them to match your own requirements.

1. Environment

Ansible version: 2.7.9
Client (managed) hosts: CentOS 6.x/7.x, RedHat 6.x/7.x

2. Security baseline hardening items

No.  Category       Hardening item
001  Configuration  Set the shell session timeout to 300 seconds
002  Configuration  Change the default umask to 027
003  Users          Forbid the root user from logging in over SSH
004  Users          Forbid users outside the wheel group from switching to root with su
005  Users          Create an ordinary user in the wheel group for OS administration
006  Accounts       Set the maximum password age to 90 days
007  Accounts       Set the minimum password length to 8 characters
008  Accounts       Password complexity: at least three character classes (digits, letters, special symbols)
009  Logging        Configure the remote rsyslog server
010  Logging        Configure the remote syslog server (legacy /etc/syslog.conf)
011  Services       Restart rsyslog and sshd so the new configuration takes effect
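After a run, a practitioner wants to verify the items above on the host rather than trust the play recap. The following audit is an added example, not code from the original post: it parses the same files the playbook edits and returns the IDs of the items that are not met. The ICNOC user name and the collector address 10.142.82.187:514 are taken from the post and assumed to be the intended values; the two sample file sets (an untouched RHEL 7-style host and the same host after hardening) are constructed.

```python
import re

# Policy values from the baseline table above. ICNOC is the post's admin user and
# 10.142.82.187:514 its log collector; both are assumed to be the intended targets.
POLICY = {"tmout": 300, "umask": "027", "pass_max_days": 90, "pass_min_len": 8,
          "minclass": 3, "admin_user": "ICNOC", "log_server": "10.142.82.187:514"}

def _active(text):
    """Non-empty, non-comment lines, stripped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def sshd_option(text, key):
    """sshd honours the FIRST global occurrence of a keyword ('PermitRootLogin no' appended below
    an uncommented 'yes' changes nothing); lines after 'Match' apply only to matching connections."""
    for line in _active(text):
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == key.lower() and len(parts) == 2:
            return parts[1]
    return None  # unset: compiled-in default ('yes' for PermitRootLogin on RHEL 6/7)

def login_defs(text, key):
    """Value of an uncommented KEY line in /etc/login.defs, or None."""
    m = re.search(r"^\s*%s\s+(\S+)" % re.escape(key), text, re.M)
    return m.group(1) if m else None

def password_policy(pam_text, pwquality_text=""):
    """pwquality.conf (RHEL 7) overridden by arguments on the cracklib/pwquality line, as PAM does."""
    policy = {}
    for line in _active(pwquality_text):
        key, sep, value = (p.strip() for p in line.partition("="))
        if sep:
            policy[key] = value
    for line in _active(pam_text):
        parts = line.split()
        if parts[0] == "password" and len(parts) > 2 and re.match(r"pam_(cracklib|pwquality)\.so", parts[2]):
            for arg in parts[3:]:
                key, _, value = arg.partition("=")
                policy[key] = value
            return policy
    return None  # no complexity module on the password stack at all

def audit(files):
    """files: {path: contents}. Returns the IDs of the items that are not met. 009 is judged from
    rsyslog.conf; 010 (legacy /etc/syslog.conf) and 011 (restarts) are runtime state, not files."""
    f = lambda path: files.get(path, "")
    bad = []
    tmout = re.findall(r"^\s*(?:export\s+)?TMOUT=(\d+)", f("/etc/profile"), re.M)
    if not tmout or not 0 < int(tmout[-1]) <= POLICY["tmout"]:
        bad.append("001")
    umasks = re.findall(r"^\s*umask\s+(\d+)", f("/etc/profile"), re.M)  # both if/else branches
    if not umasks or any(u != POLICY["umask"] for u in umasks):
        bad.append("002")
    if (sshd_option(f("/etc/ssh/sshd_config"), "PermitRootLogin") or "yes") != "no":
        bad.append("003")
    if not any(re.match(r"auth\s+required\s+pam_wheel\.so", l) for l in _active(f("/etc/pam.d/su"))):
        bad.append("004")
    wheel = re.search(r"^wheel:[^:]*:\d+:(.*)$", f("/etc/group"), re.M)  # supplementary members only
    if not (wheel and POLICY["admin_user"] in wheel.group(1).split(",")):
        bad.append("005")
    defs = f("/etc/login.defs")
    max_days = login_defs(defs, "PASS_MAX_DAYS")
    if max_days is None or int(max_days) > POLICY["pass_max_days"]:
        bad.append("006")
    pol = password_policy(f("/etc/pam.d/system-auth"), f("/etc/security/pwquality.conf"))
    # cracklib/pwquality never read PASS_MIN_LEN; their own minlen wins whenever it is set
    minlen = (pol or {}).get("minlen") or login_defs(defs, "PASS_MIN_LEN")
    if minlen is None or int(minlen) < POLICY["pass_min_len"]:
        bad.append("007")
    if pol is None or int(pol.get("minclass", 0)) < POLICY["minclass"]:
        bad.append("008")
    fwd = re.compile(r"^\*\.\*\s+@@?" + re.escape(POLICY["log_server"]) + r"(\s|$)")  # @ UDP, @@ TCP
    if not any(fwd.match(l) for l in _active(f("/etc/rsyslog.conf"))):
        bad.append("009")
    return bad

# Constructed samples: an untouched RHEL 7-style host, and the same host after hardening.
STOCK = {
    "/etc/profile": "if [ $UID -gt 199 ]; then\n    umask 002\nelse\n    umask 022\nfi\n",
    "/etc/ssh/sshd_config": "#PermitRootLogin yes\nUsePAM yes\n",
    "/etc/pam.d/su": "auth sufficient pam_rootok.so\n#auth required pam_wheel.so use_uid\nauth include system-auth\n",
    "/etc/group": "wheel:x:10:\n",
    "/etc/login.defs": "PASS_MAX_DAYS\t99999\nPASS_MIN_LEN\t5\n",
    "/etc/pam.d/system-auth": "password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=\n",
    "/etc/rsyslog.conf": "*.info;mail.none;authpriv.none;cron.none /var/log/messages\n",
}
HARDENED = dict(STOCK, **{
    "/etc/profile": "if [ $UID -gt 199 ]; then\n    umask 027\nelse\n    umask 027\nfi\nexport TMOUT=300\n",
    "/etc/ssh/sshd_config": "PermitRootLogin no\nUsePAM yes\n",
    "/etc/pam.d/su": "auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\nauth include system-auth\n",
    "/etc/group": "wheel:x:10:ICNOC\n",
    "/etc/login.defs": "PASS_MAX_DAYS\t90\nPASS_MIN_LEN\t8\n",
    "/etc/security/pwquality.conf": "minlen = 8\nminclass = 3\n",
    "/etc/rsyslog.conf": "*.info;mail.none /var/log/messages\n*.* @@10.142.82.187:514\n",
})
```

To audit a live host, build the dictionary from the real files as root, for example `{p: open(p).read() for p in HARDENED}`, and pass it to audit(); for the samples, audit(STOCK) lists all of 001 to 009 and audit(HARDENED) is empty. Three details the checks encode are worth knowing when you write the playbook: sshd acts on the first uncommented directive, so the resolver stops at the first hit and at any Match block; pam_cracklib and pam_pwquality do not read PASS_MIN_LEN, so their minlen is the effective one; and minclass=3 accepts any three of the four classes (lower, upper, digit, other), which is weaker than "digits, letters and special symbols".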

3. Design of the ansible-playbook

This article uses a master/sub-task layout: one master playbook uses the OS version as its condition and calls a different task file for each OS version, so a single run hardens hosts running several OS versions. The directory structure of the test environment (the task directory is named tasks/, matching the import_tasks paths in the master playbook):

/security
	- os_reinforce.yml
	- tasks/
		- RedHat6.yml
		- RedHat7.yml
#1. Master playbook os_reinforce.yml
---
- name: Server System Reinforcement
  hosts: all
  gather_facts: yes       # the ansible_facts used below come from fact gathering
  become: true            # every task edits files under /etc, so run with privilege escalation
  tasks:
    # import_tasks applies the 'when' condition to every task in the imported file
    - name: RedHat6 Server System Reinforcement
      import_tasks: tasks/RedHat6.yml
      when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6") or 
            (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "6")

    - name: RedHat7 Server System Reinforcement 
      import_tasks: tasks/RedHat7.yml
      when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7") or
            (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "7")
#2. Hardening task file for the RedHat 6.x series, RedHat6.yml
---
  - name: create system admin user
    user:
      name: ICNOC
      uid: 1099
      groups: wheel
      append: yes                 # keep any other groups an existing ICNOC user already has
      # must be a crypt(3) hash, never plaintext; a 13-character DES hash is trivially crackable,
      # so generate a SHA-512 hash with `openssl passwd -6` and keep it in an Ansible Vault
      # variable (icnoc_password_hash is an assumed variable name)
      password: "{{ icnoc_password_hash }}"

  - name: session timeout
    lineinfile:
      path: /etc/profile
      regexp: '^(export )?TMOUT='   # replace whatever value is there; appended if absent
      line: export TMOUT=300

  - name: generate syslogfile
    # only legacy sysklogd reads /etc/syslog.conf; rsyslog on RHEL 6/7 ignores it
    copy:
      content: "*.* @10.142.82.187:514\n"
      dest: /etc/syslog.conf

  - name: append content into rsyslogfile
    lineinfile:
      path: /etc/rsyslog.conf
      line: '*.* @10.142.82.187:514'   # one '@' is UDP (unauthenticated, lossy); '@@' is TCP

  - name: set PermitRootLogin no
    lineinfile:
      path: /etc/ssh/sshd_config
      # sshd applies the FIRST occurrence of a keyword, so an uncommented 'PermitRootLogin yes'
      # must be replaced in place; matching only the stock '#PermitRootLogin yes' comment would
      # append a 'no' below it that sshd never reads
      regexp: '^#?PermitRootLogin\s'
      line: PermitRootLogin no
      validate: /usr/sbin/sshd -t -f %s   # never write a config that sshd cannot parse

  - name: set PASS_MAX_DAYS 90
    lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MAX_DAYS'
      line: PASS_MAX_DAYS   90

  - name: set PASS_MIN_LEN 8
    lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MIN_LEN'
      line: PASS_MIN_LEN    8     # pam_cracklib's minlen below is what actually enforces length

  - name: set PASS minlen minclass
    # minclass=3 means any three of lower, upper, digit and other; add ocredit=-1 if the policy
    # really requires a special character. authconfig can regenerate both files, so re-run after it.
    lineinfile:
      path: "{{ item }}"
      regexp: "pam_cracklib.so"
      line: "password    requisite     pam_cracklib.so try_first_pass retry=5 type=  minlen=8 minclass=3"
    with_items:
      - /etc/pam.d/system-auth      # used by passwd and local logins
      - /etc/pam.d/password-auth    # used by sshd, including forced changes of expired passwords

  - name: set su permission
    lineinfile:
      path: /etc/pam.d/su
      # uncomment the stock pam_wheel line where it is; if absent, insert it after pam_rootok.so,
      # which keeps it ahead of 'auth include system-auth'
      regexp: '^#?auth\s+required\s+pam_wheel\.so'
      insertafter: "pam_rootok.so"
      line: "auth            required        pam_wheel.so     group=wheel"

  - name: set umask
    # /etc/profile sets umask in both branches of an if/else, and lineinfile only rewrites the last
    # line matching its regexp, leaving 'umask 022' in the else branch; replace rewrites every umask line
    replace:
      path: /etc/profile
      regexp: '^(\s*umask\s+)0[02]2$'
      replace: '\g<1>027'

  - name: restart services
    service: name={{ item }}  state=restarted
    with_items:
      - sshd
      - rsyslog
#3. Hardening task file for the RedHat 7.x series, RedHat7.yml
---
  - name: create system admin user
    user:
      name: ICNOC
      uid: 1099
      groups: wheel
      append: yes                 # keep any other groups an existing ICNOC user already has
      # must be a crypt(3) hash, never plaintext; a 13-character DES hash is trivially crackable,
      # so generate a SHA-512 hash with `openssl passwd -6` and keep it in an Ansible Vault
      # variable (icnoc_password_hash is an assumed variable name)
      password: "{{ icnoc_password_hash }}"

  - name: session timeout
    lineinfile:
      path: /etc/profile
      regexp: '^(export )?TMOUT='   # replace whatever value is there; appended if absent
      line: export TMOUT=300

  - name: generate syslogfile
    # only legacy sysklogd reads /etc/syslog.conf; rsyslog on RHEL 6/7 ignores it
    copy:
      content: "*.* @10.142.82.187:514\n"
      dest: /etc/syslog.conf

  - name: append content into rsyslogfile
    lineinfile:
      path: /etc/rsyslog.conf
      line: '*.* @10.142.82.187:514'   # one '@' is UDP (unauthenticated, lossy); '@@' is TCP

  - name: set PermitRootLogin no
    lineinfile:
      path: /etc/ssh/sshd_config
      # sshd applies the FIRST occurrence of a keyword, so an uncommented 'PermitRootLogin yes'
      # must be replaced in place; matching only the stock '#PermitRootLogin yes' comment would
      # append a 'no' below it that sshd never reads
      regexp: '^#?PermitRootLogin\s'
      line: PermitRootLogin no
      validate: /usr/sbin/sshd -t -f %s   # never write a config that sshd cannot parse

  - name: set PASS_MAX_DAYS 90
    lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MAX_DAYS'
      line: PASS_MAX_DAYS   90

  - name: set PASS_MIN_LEN 8
    lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MIN_LEN'
      line: PASS_MIN_LEN    8     # pam_pwquality's minlen below is what actually enforces length

  - name: set PASS minlen minclass
    # RHEL 7 enforces complexity through pam_pwquality, which reads /etc/security/pwquality.conf;
    # set the policy there instead of inserting a second pam_cracklib line in front of it.
    # minclass=3 means any three of lower, upper, digit and other; add ocredit=-1 if the policy
    # really requires a special character.
    lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*{{ item.key }}\s*='
      line: "{{ item.key }} = {{ item.value }}"
    with_items:
      - { key: minlen, value: 8 }
      - { key: minclass, value: 3 }

  - name: set su permission
    lineinfile:
      path: /etc/pam.d/su
      # uncomment the stock pam_wheel line where it is; if absent, insert it after pam_rootok.so,
      # which keeps it ahead of 'auth include system-auth'
      regexp: '^#?auth\s+required\s+pam_wheel\.so'
      insertafter: "pam_rootok.so"
      line: "auth            required        pam_wheel.so     group=wheel"

  - name: set umask
    # /etc/profile sets umask in both branches of an if/else, and lineinfile only rewrites the last
    # line matching its regexp, leaving 'umask 022' in the else branch; replace rewrites every umask line
    replace:
      path: /etc/profile
      regexp: '^(\s*umask\s+)0[02]2$'
      replace: '\g<1>027'

  - name: restart services
    service: name={{ item }}  state=restarted
    with_items:
      - sshd
      - rsyslog
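lineinfile knows nothing about how sshd or the shell read a file: it replaces the last line matching regexp, and if nothing matches it appends line at the end (unless the line is already present verbatim). The following model of that behaviour is an added example, not code from the original post or from Ansible itself; it omits backrefs, firstmatch and validate. It runs two patterns that commonly appear in baseline playbooks, `^#PermitRootLogin yes` against sshd_config and a bare `002` against /etc/profile, beside a regexp that matches the directive whether or not it is commented and a replace-module style rewrite of every umask branch. The sshd_config excerpt (root login enabled by editing the stock comment in place, followed by a Match block) and the umask if/else block from /etc/profile are constructed.

```python
import re

def lineinfile(text, line, regexp=None, insertafter=None, insertbefore=None):
    """Simplified model of Ansible's lineinfile (state=present, no backrefs/firstmatch):
    replace the LAST line matching `regexp`; otherwise do nothing if `line` is already present
    verbatim; otherwise insert it after/before the last insertafter/insertbefore match, or at EOF."""
    lines = text.splitlines()
    if regexp:
        hits = [i for i, l in enumerate(lines) if re.search(regexp, l)]
        if hits:
            lines[hits[-1]] = line
            return "\n".join(lines) + "\n"
    if line in lines:
        return text
    pos = len(lines)
    anchor = insertafter or insertbefore
    if anchor:
        hits = [i for i, l in enumerate(lines) if re.search(anchor, l)]
        if hits:
            pos = hits[-1] + 1 if insertafter else hits[-1]
    lines.insert(pos, line)
    return "\n".join(lines) + "\n"

def replace(text, regexp, repl):
    """Model of Ansible's replace module: every match, Python re syntax, multiline mode."""
    return re.sub(regexp, repl, text, flags=re.MULTILINE)

def active_values(text, key):
    """Values of every uncommented `key` line, in file order (sshd acts on the first one)."""
    out = []
    for l in text.splitlines():
        parts = l.split()
        if parts and parts[0] == key and len(parts) > 1:
            out.append(parts[1])
    return out

# Constructed inputs (see the lead-in): an sshd_config with an active 'PermitRootLogin yes'
# above a Match block, and the umask if/else block from a stock RHEL /etc/profile.
SSHD_CONFIG = ("Port 22\nPermitRootLogin yes\nUsePAM yes\n"
               "Match Address 10.0.0.0/8\n    PasswordAuthentication yes\n")
PROFILE = "if [ $UID -gt 199 ]; then\n    umask 002\nelse\n    umask 022\nfi\n"

def naive_tasks():
    """The fragile patterns: match only the stock comment; match any line containing '002'."""
    sshd = lineinfile(SSHD_CONFIG, "PermitRootLogin no", regexp=r"^#PermitRootLogin yes")
    profile = lineinfile(PROFILE, "    umask 027", regexp="002")
    return sshd, profile

def robust_tasks():
    """Match the directive whether or not it is commented; rewrite every umask branch."""
    sshd = lineinfile(SSHD_CONFIG, "PermitRootLogin no", regexp=r"^#?PermitRootLogin\s")
    profile = replace(PROFILE, r"^(\s*umask\s+)0[02]2$", r"\g<1>027")
    return sshd, profile

if __name__ == "__main__":
    for name, (sshd, profile) in (("naive", naive_tasks()), ("robust", robust_tasks())):
        print(name, "PermitRootLogin:", active_values(sshd, "PermitRootLogin"),
              "umask:", active_values(profile, "umask"))
```

With the fragile patterns the sshd_config still starts with PermitRootLogin yes and the appended no sits inside the Match block, so `sshd -t` passes and root login stays open; the profile has umask 027 in the if branch but 022 in the else branch. The robust forms yield a single PermitRootLogin no and 027 in both branches. This is why a baseline task should match the directive itself, not the distribution's comment, and why a multi-line construct like the umask block needs the replace module rather than lineinfile.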

4. Run the playbook

# cd /security
# ansible-playbook -v os_reinforce.yml

Two precautions before running it against the whole estate: first do a dry run with --check --diff (and --limit to a single host) to see exactly which lines would change, and connect as the ICNOC admin user with privilege escalation rather than as root, because item 003 followed by the sshd restart closes root SSH access and a later run that still connects as root would fail.
