citty/roswaal
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: citty:master
Branches Tags
citty:master
...
compare: citty:3b875f7c830e6be872d78c96f2010be8262100cd
Branches Tags
citty:master

No commits in common. "master" and "3b875f7c830e6be872d78c96f2010be8262100cd" have entirely different histories.
master ... 3b875f7c83

8 changed files with 48 additions and 186 deletions
Show Stats Expand all files Collapse all files

5
autopassword.sh
View File

@ -1,5 +0,0 @@
#!/bin/bash
key=hello
name=$1
hash=$(echo -n "$name$key" | sha256sum | xxd -r -p | base64 | tr -d '+/')
echo "${hash:0:8}-${hash:8:8}"

1
handlers.yml
View File

@ -1,3 +1,2 @@
- name: restart ufw - name: restart ufw
service: name=ufw state=restarted service: name=ufw state=restarted
become: yes

17
hosts
View File

@ -1,17 +0,0 @@
[forensics]
10.8.2.12 ansible_user=administrator
[database]
10.8.2.3 ansible_user=administrator
[workstations]
10.8.1.10 ansible_user=administrator
10.8.1.40 ansible_user=administrator
[workstations:children]
web
[web]
10.8.1.90 ansible_user=administrator

8
roles/database/tasks/main.yml
View File

@ -1,8 +0,0 @@
---
- name: Allow MySQL traffic
ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
with_items:
- { rule: 'allow', port: '3306', proto: 'tcp' }
notify:
- restart ufw
become: yes

3
roles/immortal/handlers/main.yml
View File

@ -1,3 +0,0 @@
- name: restart ufw
service: name=ufw state=restarted
become: yes

151
roles/immortal/tasks/main.yml
View File

@ -1,14 +1,13 @@
--- ---
# - name: Generate password - name: Generate password
# delegate_to: localhost delegate_to: localhost
# shell: bash autopassword.sh {{ inventory_hostname }} shell: bash autopassword.sh {{ inventory_hostname }}
# register: genPass register: genPass
- name: Backup ssh config - name: Backup ssh config
fetch: fetch:
src: /etc/ssh/sshd_config src: /etc/ssh/sshd_config
dest: "{{ inventory_hostname }}" dest: "{{ inventory_hostname }}"
become: yes
- name: Backup os-release - name: Backup os-release
fetch: fetch:
@ -20,57 +19,11 @@
src: /etc/passwd src: /etc/passwd
dest: "{{ inventory_hostname }}" dest: "{{ inventory_hostname }}"
- name: Collect disk space data
block:
- name: lsblk
shell: lsblk
register: lsblk_output
become: yes
- name: Store results
copy:
content: "{{lsblk_output.stdout}}"
dest: "{{ inventory_hostname }}/lsblk.out"
delegate_to: localhost
become: no
- name: Collect netstat
block:
- name: Run command
shell: netstat -peanut
register: netstat_output
become: yes
- name: Store results
copy:
content: "{{netstat_output.stdout}}"
dest: "{{ inventory_hostname }}/netstat.out"
delegate_to: localhost
become: no
- name: Collect process data
block:
- name: Run command
shell: ps aux
register: ps_output
become: yes
- name: Store results
copy:
content: "{{ps_output.stdout}}"
dest: "{{ inventory_hostname }}/ps.out"
delegate_to: localhost
become: no
- name: Get users - name: Get users
get_users: get_users:
#min_uid: "{{ (ansible_os_family == 'RedHat') | ternary(500,1000) }}" min_uid: {{ (ansible_os_family == 'RedHat') | ternary(500,1000) }}
min_uid: 1000
max_uid: 65000 max_uid: 65000
become: yes register: users_list
register: users_list
- name: Backup all users authorized keys
fetch:
src: "{{item['dir']}}/.ssh/authorized_keys"
dest: "{{ inventory_hostname }}"
ignore_errors: yes
loop: "{{ users_list.users }}"
- name: Give root exclusively the current controller user's SSH key - name: Give root exclusively the current controller user's SSH key
ansible.posix.authorized_key: ansible.posix.authorized_key:
@ -78,72 +31,54 @@
state: present state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
exclusive: yes exclusive: yes
become: yes become: yes
- name: Give all users exclusively the current controller user's SSH key - name: Give all users exclusively the current controller user's SSH key
ansible.posix.authorized_key: ansible.posix.authorized_key:
user: "{{item['name']}}" user: {{item}}
state: present state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}" key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
exclusive: yes exclusive: yes
become: yes become: yes
loop: "{{ users_list.users }}" loop: "{{ users_list.users }}"
- block: - name: Ensure UFW is installed
- name: Ensure EPEL if RHEL based package:
yum: name: ufw
name: epel-release state: present
state: present
when: ansible_os_family == "RedHat"
- name: Disable firewalld if RHEL based - name: Configure ufw defaults
shell: "systemctl disable firewalld; systemctl stop firewalld" ufw: direction={{ item.direction }} policy={{ item.policy }}
when: ansible_os_family == "RedHat" with_items:
- { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'allow' }
notify:
- restart ufw
- name: Ensure UFW is installed - name: Configure ufw rules
package: ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
name: ufw with_items:
state: present - { rule: 'limit', port: '22', proto: 'tcp' }
notify:
- restart ufw
- name: Ensure UFW is disabled - name: Enable ufw logging
ufw: state=disabled ufw: logging=on
notify:
- restart ufw
- name: Reset UFW - name: Enable ufw
ufw: state=reset ufw: state=enabled
- name: Configure ufw defaults - name: Change root password
ufw: direction={{ item.direction }} policy={{ item.policy }} user:
with_items: name: root
- { direction: 'incoming', policy: 'deny' } shell: /bin/bash
- { direction: 'outgoing', policy: 'allow' } password: "{{ genPass.stdout | password_hash('sha512') }}"
notify:
- restart ufw
- name: Configure ufw rules - name: Change admin password
ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }} user:
with_items: name: "{{ ansible_user }}"
- { rule: 'limit', port: '22', proto: 'tcp' } shell: /bin/bash
notify: password: "{{ genPass.stdout | password_hash('sha512') }}"
- restart ufw
- name: Enable ufw logging
ufw: logging=on
notify:
- restart ufw
- name: Enable ufw
ufw: state=enabled
- name: Change root password
user:
name: root
shell: /bin/bash
password: "{{ password | password_hash('sha512') }}"
- name: Change admin password
user:
name: "{{ ansible_user }}"
shell: /bin/bash
password: "{{ password | password_hash('sha512') }}"
become: yes

8
roles/web/tasks/main.yml
View File

@ -1,8 +0,0 @@
---
- name: Allow Web traffic
ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
with_items:
- { rule: 'allow', port: '80', proto: 'tcp' }
notify:
- restart ufw
become: yes

37
setup.yml
View File

@ -1,35 +1,4 @@
--- ---
hosts: all
- hosts: all roles:
handlers: - immortal
- import_tasks: handlers.yml
vars_prompt:
- name: password
prompt: "Enter new root and admin password"
roles:
- immortal
become: yes
- hosts: web
handlers:
- import_tasks: handlers.yml
roles:
- web
become: yes
- hosts: database
handlers:
- import_tasks: handlers.yml
roles:
- database
become: yes
- hosts: all
vars:
pip_install_packages:
- name: docker
roles:
- geerlingguy.pip
- geerlingguy.docker
become: yes