Browse Source

init commit

master
citty 3 months ago
commit
395e4dd471
  1. 3
      .vscode/settings.json
  2. 0
      README.md
  3. 2
      handlers.yml
  4. 0
      inventory
  5. 123
      library/get_users
  6. 1
      roles/immortal/files/burnedid_rsa.pub
  7. 84
      roles/immortal/tasks/main.yml
  8. 4
      setup.yml

3
.vscode/settings.json

@ -0,0 +1,3 @@
{
"editor.rulers": [80, 120]
}

0
README.md

2
handlers.yml

@ -0,0 +1,2 @@
- name: restart ufw
service: name=ufw state=restarted

0
inventory

123
library/get_users

@ -0,0 +1,123 @@
#!/usr/bin/env python
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Get user facts."""
import grp
import pwd
import spwd
from ansible.module_utils.basic import AnsibleModule
DOCUMENTATION = """
---
module: get_users
short_description:
- A module for gathering facts about Linux users.
description:
- This module gathers facts about the Linux users and groups that exist
on the system.
author: major@mhtx.net
"""
EXAMPLES = '''
- get_users:
min_uid: 1000
max_uid: 2000
'''
RETURN = '''
users:
description: users matching arguments provided
returned: success
type: list
'''
def make_user_dict(user_record):
"""Create a dictionary of user attributes."""
user_dict = {
'name': user_record.pw_name,
'uid': user_record.pw_uid,
'gid': user_record.pw_gid,
'gecos': user_record.pw_gecos,
'dir': user_record.pw_dir,
'shell': user_record.pw_shell,
'group': make_group_dict(user_record.pw_gid),
'shadow': make_shadow_dict(user_record.pw_name)
}
return user_dict
def make_group_dict(gid):
"""Create dictionary from group record."""
try:
group_record = grp.getgrgid(gid)
except KeyError:
return False
group_dict = {
'name': group_record.gr_name,
'passwd': group_record.gr_passwd,
'gid': group_record.gr_gid,
}
return group_dict
def make_shadow_dict(username):
"""Create a dictionary of user shadow password database attributes."""
try:
shadow_record = spwd.getspnam(username)
except KeyError:
return False
shadow_dict = {
'last_changed': shadow_record.sp_lstchg,
'min_days': shadow_record.sp_min,
'max_days': shadow_record.sp_max,
'warn_days': shadow_record.sp_warn,
'inact_days': shadow_record.sp_inact,
'expire_days': shadow_record.sp_expire,
}
return shadow_dict
def main():
"""Ansible calls this function."""
module = AnsibleModule(
argument_spec=dict(
min_uid=dict(default=0, type='int'),
max_uid=dict(default=65535, type='int'),
),
supports_check_mode=True,
)
# Get all of the users on the system into a list of dicts. The 'pwd' module
# returns them in a struct.
all_users = [make_user_dict(x) for x in pwd.getpwall()]
# Get the users that match our criteria.
user_list = [x for x in all_users
if (x['uid'] >= module.params['min_uid']
and x['uid'] <= module.params['max_uid'])] # noqa: W503
# Return the user data to the Ansible task.
module.exit_json(
changed=False,
users=user_list
)
if __name__ == '__main__':
main()

1
roles/immortal/files/burnedid_rsa.pub

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCRkk8xkOAL5omrUASGOEEiKHaLeQDsKEnB8K8VZ6TRfDXSMciXK4ys7d+Y2sCs4pOnARoBrnDQ96B3AtiUYommoDU3byYAkGA0ouAtgJe1FReSyDEcsPHa5CJy36xPykm1uj/3m+7r6wIzAQHfwBzBFP0nm+BgnD44xypkP/luqCHAWqZLjR7ndIUVnn6WvztnZcxwkN1PPw46qTR8aK2guApNeWetoZIv1v9MwEfiL6dNxe3uRW8P9ohuv5BzeLIdxLQGgHKPXkm0ywaxUu1goObRr9EwKrzB3N1gVmsakCOJNVHy/8l/IkyrivWdHTfy+QmfAfyrTPYzzewUNCNir1rLtGPDfzPzNnOhkYNaZbBrjgQ0v50O7SxaG+QjFrsgY5IUM7Vz4OoRvtwdlrYGplcAwYOlrRNoMKnegEr9XWwVAM3X+rKsh3iKuiVOPALL3fMAMWPNLlYNnNzNpaEjbe1uE6jUdAnsYSah+7Y3wdOmYniHL9Im/iAuIMP4eU= Hello red team, how are you today

84
roles/immortal/tasks/main.yml

@ -0,0 +1,84 @@
---
- name: Generate password
delegate_to: localhost
shell: bash autopassword.sh {{ inventory_hostname }}
register: genPass
- name: Backup ssh config
fetch:
src: /etc/ssh/sshd_config
dest: "{{ inventory_hostname }}"
- name: Backup os-release
fetch:
src: /etc/os-release
dest: "{{ inventory_hostname }}"
- name: Backup etc/passwd
fetch:
src: /etc/passwd
dest: "{{ inventory_hostname }}"
- name: Get users
get_users:
min_uid: {{ (ansible_os_family == 'RedHat') | ternary(500,1000) }}
max_uid: 65000
register: users_list
- name: Give root exclusively the current controller user's SSH key
ansible.posix.authorized_key:
user: root
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
exclusive: yes
become: yes
- name: Give all users exclusively the current controller user's SSH key
ansible.posix.authorized_key:
user: {{item}}
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
exclusive: yes
become: yes
loop: "{{ users_list.users }}"
- name: Ensure UFW is installed
package:
name: ufw
state: present
- name: Configure ufw defaults
ufw: direction={{ item.direction }} policy={{ item.policy }}
with_items:
- { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'allow' }
notify:
- restart ufw
- name: Configure ufw rules
ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
with_items:
- { rule: 'limit', port: '22', proto: 'tcp' }
notify:
- restart ufw
- name: Enable ufw logging
ufw: logging=on
notify:
- restart ufw
- name: Enable ufw
ufw: state=enabled
- name: Change root password
user:
name: root
shell: /bin/bash
password: "{{ genPass.stdout | password_hash('sha512') }}"
- name: Change admin password
user:
name: "{{ ansible_user }}"
shell: /bin/bash
password: "{{ genPass.stdout | password_hash('sha512') }}"

4
setup.yml

@ -0,0 +1,4 @@
---
hosts: all
roles:
- immortal
Loading…
Cancel
Save