init commit

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "editor.rulers": [80, 120]
+}

handlers.yml

@@ -0,0 +1,2 @@
+- name: restart ufw
+  service: name=ufw state=restarted

library/get_users

@@ -0,0 +1,123 @@
+#!/usr/bin/env python
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Get user facts."""
+
+import grp
+import pwd
+import spwd
+from ansible.module_utils.basic import AnsibleModule
+
+
+DOCUMENTATION = """
+---
+module: get_users
+short_description:
+    - A module for gathering facts about Linux users.
+description:
+    - This module gathers facts about the Linux users and groups that exist
+      on the system.
+author: major@mhtx.net
+"""
+
+EXAMPLES = '''
+- get_users:
+    min_uid: 1000
+    max_uid: 2000
+'''
+
+RETURN = '''
+users:
+    description: users matching arguments provided
+    returned: success
+    type: list
+'''
+
+
+def make_user_dict(user_record):
+    """Create a dictionary of user attributes."""
+    user_dict = {
+        'name': user_record.pw_name,
+        'uid': user_record.pw_uid,
+        'gid': user_record.pw_gid,
+        'gecos': user_record.pw_gecos,
+        'dir': user_record.pw_dir,
+        'shell': user_record.pw_shell,
+        'group': make_group_dict(user_record.pw_gid),
+        'shadow': make_shadow_dict(user_record.pw_name)
+    }
+    return user_dict
+
+
+def make_group_dict(gid):
+    """Create dictionary from group record."""
+    try:
+        group_record = grp.getgrgid(gid)
+    except KeyError:
+        return False
+
+    group_dict = {
+        'name': group_record.gr_name,
+        'passwd': group_record.gr_passwd,
+        'gid': group_record.gr_gid,
+    }
+    return group_dict
+
+
+def make_shadow_dict(username):
+    """Create a dictionary of user shadow password database attributes."""
+    try:
+        shadow_record = spwd.getspnam(username)
+    except KeyError:
+        return False
+
+    shadow_dict = {
+        'last_changed': shadow_record.sp_lstchg,
+        'min_days': shadow_record.sp_min,
+        'max_days': shadow_record.sp_max,
+        'warn_days': shadow_record.sp_warn,
+        'inact_days': shadow_record.sp_inact,
+        'expire_days': shadow_record.sp_expire,
+    }
+    return shadow_dict
+
+
+def main():
+    """Ansible calls this function."""
+    module = AnsibleModule(
+        argument_spec=dict(
+            min_uid=dict(default=0, type='int'),
+            max_uid=dict(default=65535, type='int'),
+        ),
+        supports_check_mode=True,
+    )
+
+    # Get all of the users on the system into a list of dicts. The 'pwd' module
+    # returns them in a struct.
+    all_users = [make_user_dict(x) for x in pwd.getpwall()]
+
+    # Get the users that match our criteria.
+    user_list = [x for x in all_users
+                 if (x['uid'] >= module.params['min_uid']
+                     and x['uid'] <= module.params['max_uid'])]   # noqa: W503
+
+    # Return the user data to the Ansible task.
+    module.exit_json(
+        changed=False,
+        users=user_list
+    )
+
+
+if __name__ == '__main__':
+    main()

roles/immortal/files/burnedid_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCRkk8xkOAL5omrUASGOEEiKHaLeQDsKEnB8K8VZ6TRfDXSMciXK4ys7d+Y2sCs4pOnARoBrnDQ96B3AtiUYommoDU3byYAkGA0ouAtgJe1FReSyDEcsPHa5CJy36xPykm1uj/3m+7r6wIzAQHfwBzBFP0nm+BgnD44xypkP/luqCHAWqZLjR7ndIUVnn6WvztnZcxwkN1PPw46qTR8aK2guApNeWetoZIv1v9MwEfiL6dNxe3uRW8P9ohuv5BzeLIdxLQGgHKPXkm0ywaxUu1goObRr9EwKrzB3N1gVmsakCOJNVHy/8l/IkyrivWdHTfy+QmfAfyrTPYzzewUNCNir1rLtGPDfzPzNnOhkYNaZbBrjgQ0v50O7SxaG+QjFrsgY5IUM7Vz4OoRvtwdlrYGplcAwYOlrRNoMKnegEr9XWwVAM3X+rKsh3iKuiVOPALL3fMAMWPNLlYNnNzNpaEjbe1uE6jUdAnsYSah+7Y3wdOmYniHL9Im/iAuIMP4eU= Hello red team, how are you today

roles/immortal/tasks/main.yml

@@ -0,0 +1,84 @@
+---
+- name: Generate password
+  delegate_to: localhost
+  shell: bash autopassword.sh {{ inventory_hostname }}
+  register: genPass 
+    
+- name: Backup ssh config
+  fetch:
+    src: /etc/ssh/sshd_config
+    dest: "{{ inventory_hostname }}"  
+
+- name: Backup os-release
+  fetch:
+    src: /etc/os-release
+    dest: "{{ inventory_hostname }}"  
+
+- name: Backup etc/passwd
+  fetch:
+    src: /etc/passwd
+    dest: "{{ inventory_hostname }}"
+
+- name: Get users
+  get_users:
+    min_uid: {{ (ansible_os_family == 'RedHat') | ternary(500,1000) }}
+    max_uid: 65000
+    register: users_list
+
+- name: Give root exclusively the current controller user's SSH key
+  ansible.posix.authorized_key:
+    user: root
+    state: present
+    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
+    exclusive: yes
+    become: yes
+
+- name: Give all users exclusively the current controller user's SSH key
+  ansible.posix.authorized_key:
+    user: {{item}}
+    state: present
+    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
+    exclusive: yes
+    become: yes
+    loop: "{{ users_list.users }}"
+
+- name: Ensure UFW is installed
+  package:
+    name: ufw
+    state: present
+
+- name: Configure ufw defaults
+  ufw: direction={{ item.direction }} policy={{ item.policy }}
+  with_items:
+    - { direction: 'incoming', policy: 'deny' }
+    - { direction: 'outgoing', policy: 'allow' }
+  notify:
+    - restart ufw
+
+- name: Configure ufw rules
+  ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
+  with_items:
+    - { rule: 'limit', port: '22', proto: 'tcp' }
+  notify:
+    - restart ufw
+
+- name: Enable ufw logging
+  ufw: logging=on
+  notify:
+    - restart ufw
+
+- name: Enable ufw
+  ufw: state=enabled
+
+- name: Change root password
+  user:
+    name: root
+    shell: /bin/bash
+    password: "{{ genPass.stdout | password_hash('sha512') }}"
+
+- name: Change admin password
+  user:
+    name: "{{ ansible_user }}"
+    shell: /bin/bash
+    password: "{{ genPass.stdout | password_hash('sha512') }}"         
+

setup.yml

@@ -0,0 +1,4 @@
+---
+hosts: all
+roles:
+  - immortal