This commit is contained in:
Pavel Guzaev
2024-03-09 17:36:50 +05:00
commit 431b4f5cfd
44 changed files with 3239 additions and 0 deletions


@@ -0,0 +1,16 @@
---
# ldap
ldap_server: "ldap://<some_server>"
ldap_port: "389"
ldap_base: dc=naumen,dc=ru
base_group: ou=groups,dc=naumen,dc=ru
base_passwd: ou=users,dc=naumen,dc=ru
filter_group: (|(objectClass=posixGroup)(objectClass=groupOfNames))
filter_passwd: (&(objectClass=posixAccount)(shadowInactive=0)(memberOf=cn=users,ou=groups,dc=naumen,dc=ru))
nss_nested_groups: on
reconnect_invalidate: passwd,group,nfsidmap
uid: nslcd
gid: nslcd
ssl_type: start_tls
ssl: "no"
tls_reqcert: "allow"
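Review bot: `tls_reqcert: "allow"` together with `ssl: "no"` and an `ldap://` URI on port 389 leaves every nslcd/pam_ldap connection unencrypted and, even if StartTLS were switched on, accepts any server certificate, so an on-path attacker can read bound passwords and forge the passwd/group answers that the group-based `NOPASSWD: ALL` sudoers rules elsewhere in this commit key root access off. The defaults should be `tls_reqcert: "demand"` plus a `tls_cacertfile`, with the server reached over `ldaps://` or StartTLS. As far as the visible `ldap.conf.j2` template shows, `ssl_type`, `ssl`, `nss_nested_groups`, `reconnect_invalidate`, `uid` and `gid` are never rendered, so these defaults document an intent the deployed config does not carry out. Unquoted `nss_nested_groups: on` is also parsed as boolean `true` by Ansible's YAML loader; write it as the string `"on"` if it is ever templated into nslcd.conf.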


@@ -0,0 +1,14 @@
passwd: compat ldap
group: compat ldap
shadow: compat ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis ldap
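Review bot: `netgroup: nis ldap` names an NIS source that this commit never installs or configures (the role only sets up nslcd), so on a host where libnss_nis is present but ypbind is not bound, netgroup lookups — which sshd and sudo perform whenever a netgroup is referenced in AllowGroups or sudoers — can stall waiting for a NIS server; use `netgroup: files ldap` instead. Because the role overwrites the distro nsswitch.conf wholesale, a header comment stating what this file assumes would help the next maintainer, e.g. `# Managed by the ldap role: passwd/group/shadow via nslcd, no NIS or sssd on Debian hosts`.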


@@ -0,0 +1,23 @@
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
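Review bot: `passwd`, `shadow`, `group`, `services` and `netgroup` list `sss` ahead of `ldap`, but the RedHat branch of tasks/main.yml installs only nss-pam-ldapd and nscd, never sssd; with no sssd each lookup first tries libnss_sss (skipped if absent, a latency source if sssd happens to be installed but unconfigured), and if a host later gains sssd it silently takes precedence over the nslcd path this role configures. Either drop it here (`passwd: files ldap`, and likewise for the other four) or have the role own sssd explicitly. The `nisplus` entries on `bootparams`, `publickey` and `aliases` look inherited from an old RHEL default and point at a backend current glibc builds presumably no longer provide; removing them avoids lookups against a missing module. Since this copy replaces the distro file entirely, anything it carried beyond these keys (for instance `myhostname` in `hosts:` or a `sudoers: files` line) is dropped, which is worth stating in a header comment.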


@@ -0,0 +1,7 @@
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
%<some_group> ALL=(ALL) NOPASSWD: ALL
administrator ALL=(root) NOPASSWD: /bin/systemctl * dev_branch*_hornetq*
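Review bot: The `administrator ALL=(root) NOPASSWD: /bin/systemctl * dev_branch*_hornetq*` rule is a root shell in disguise: sudoers wildcards match across argument boundaries, so the leading `*` admits any verb and options as long as a unit name matching `dev_branch*_hornetq*` appears somewhere, and `systemctl edit <unit>` or `systemctl status <unit>` then spawns an editor or pager as root (`!sh` in less). Enumerate the verbs instead, e.g. `administrator ALL=(root) NOPASSWD: /bin/systemctl restart dev_branch*_hornetq*, /bin/systemctl start dev_branch*_hornetq*, /bin/systemctl stop dev_branch*_hornetq*`, and never include `edit` or `status`. `%sudo ALL=(ALL:ALL) NOPASSWD: ALL` and `%<some_group> ALL=(ALL) NOPASSWD: ALL` hand passwordless root to whole groups; combined with the role's `sd-devel-*` rules that allow `sudo -u administrator`, the runas restriction on those rules is cosmetic, since administrator escalates via the systemctl rule above. A `Defaults use_pty` and `Defaults log_output` line would at least make these sessions auditable.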


@@ -0,0 +1,19 @@
---
- name: restart nscd
service:
name: nscd
enabled: true
state: restarted
- name: restart nslcd
service:
name: nslcd
enabled: true
state: restarted
- name: restart sshd
service:
name: sshd
enabled: true
state: restarted
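Review bot: The `restart sshd` handler restarts the daemon with no check that the sshd_config the notifying tasks just edited is still valid, so a single malformed line (the lineinfile tasks in this commit write Match blocks by position) leaves sshd down on every host in the batch while existing sessions quietly survive. Either validate first in a task that the handler depends on (`command: /usr/sbin/sshd -t`, with `changed_when: false`), or prefer `state: reloaded` where the distro unit's ExecReload already runs `sshd -t` before signalling, so a bad config is rejected rather than applied. The `enabled: true` on each handler is harmless but unrelated to "restart"; a short comment saying the handlers also enable the unit on first run would avoid surprise.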


@@ -0,0 +1,356 @@
---
- name: Install ldap package (Debian-like)
apt:
pkg:
- libpam-ldapd
- libnss-ldapd
- ldap-utils
- nscd
state: present
update_cache: true
cache_valid_time: 36000
when: ansible_os_family == "Debian"
- name: Install ldap package (RedHat-like)
yum:
name:
- pam_ldap
- nss-pam-ldapd
- openldap-clients
- nscd
state: present
when: ansible_os_family == "RedHat"
- name: Disable SELinux on (RedHat-like)
selinux:
state: disabled
when: ansible_os_family == "RedHat"
- name: Remove dist configs (RedHat-like)
file:
path: /etc/nslcd.conf
state: absent
when: ansible_os_family == "RedHat"
- name: Backup dist configs (Debian-like)
command: mv /etc/nslcd.conf /etc/nslcd_dist.conf
when: ansible_os_family == "Debian"
- name: Create config files (RedHat-like)
file:
src: /etc/openldap/ldap.conf
dest: /etc/nslcd.conf
state: link
when: ansible_os_family == "RedHat"
- name: Create config files (Debian-like)
file:
src: /etc/ldap/ldap.conf
dest: /etc/nslcd.conf
state: link
when: ansible_os_family == "Debian"
- name: Create ldap.conf file (RedHat-like)
template:
src: ldap.conf.j2
dest: "/etc/openldap/ldap.conf"
mode: 0440
owner: root
group: root
when: ansible_os_family == "RedHat"
- name: Create ldap.conf file (Debian-like)
template:
src: ldap.conf.j2
dest: "/etc/ldap/ldap.conf"
mode: 0440
owner: root
group: root
when: ansible_os_family == "Debian"
- name: Edit nsswitch.conf (RedHat-like)
copy:
src: "{{ role_path }}/files/nsswitch.conf.RedHat"
dest: /etc/nsswitch.conf
backup: true
when: ansible_os_family == "RedHat"
- name: Edit nsswitch.conf (Debian-like)
copy:
src: "{{ role_path }}/files/nsswitch.conf.Debian"
dest: /etc/nsswitch.conf
backup: true
when: ansible_os_family == "Debian"
notify:
- restart nslcd
- name: Create get_ldap_ssh_key.sh bash script
template:
src: get_ldap_ssh_key.sh.j2
dest: "/usr/bin/get_ldap_ssh_key.sh"
mode: 0755
owner: root
group: root
- name: Update pam.d (Debian-like)
pamd:
name: common-account
type: account
control: "required"
module_path: pam_permit.so
new_type: account
new_control: "[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500'
state: after
when: ansible_os_family == "Debian"
- name: Update pam.d (Debian-like)
pamd:
name: common-auth
type: auth
control: "[success=2 default=ignore]"
module_path: pam_unix.so
new_type: auth
new_control: "[success=1 default=ignore]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500 use_first_pass'
state: after
when: ansible_os_family == "Debian"
- name: Update pam.d (Debian-like)
pamd:
name: common-password
type: password
control: "[success=2 default=ignore]"
module_path: pam_unix.so
new_type: password
new_control: "[success=1 default=ignore]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500 use_first_pass'
state: after
when: ansible_os_family == "Debian"
- name: Update pam.d (Debian-like)
pamd:
name: common-session
type: session
control: "required"
module_path: pam_unix.so
new_type: session
new_control: "[success=ok default=ignore]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500'
state: after
when: ansible_os_family == "Debian"
- name: Update pam.d (Debian-like)
pamd:
name: common-session
type: session
control: "required"
module_path: pam_permit.so
new_type: session
new_control: optional
new_module_path: pam_mkhomedir.so
module_arguments: 'skel=/etc/skel/'
state: after
when: ansible_os_family == "Debian"
- name: Update pam.d (RedHat-like)
pamd:
name: system-auth-ac
type: session
control: "required"
module_path: pam_unix.so
new_type: session
new_control: "[success=ok default=ignore]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500'
state: after
when: ansible_os_family == "RedHat"
- name: Update pam.d (RedHat-like)
pamd:
name: system-auth-ac
type: session
control: "[success=ok default=ignore]"
module_path: pam_ldap.so
new_type: session
new_control: "optional"
new_module_path: pam_ldap.so
state: after
when: ansible_os_family == "RedHat"
- name: Update pam.d (RedHat-like)
pamd:
name: password-auth-ac
type: session
control: "required"
module_path: pam_unix.so
new_type: session
new_control: "[success=ok default=ignore]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500'
state: after
when: ansible_os_family == "RedHat"
- name: Update pam.d (RedHat-like)
pamd:
name: password-auth-ac
type: session
control: "[success=ok default=ignore]"
module_path: pam_ldap.so
new_type: session
new_control: "optional"
new_module_path: pam_ldap.so
state: after
when: ansible_os_family == "RedHat"
- name: Update pam.d (RedHat-like)
pamd:
name: postlogin-ac
type: session
control: "optional"
module_path: pam_lastlog.so
new_type: session
new_control: optional
new_module_path: pam_mkhomedir.so
module_arguments: 'skel=/etc/skel/'
state: after
when: ansible_os_family == "RedHat"
- name: Update nscd.conf
lineinfile:
path: /etc/nscd.conf
regexp: "^reload-count"
line: 'reload-count unlimited'
- name: Update nscd.conf
lineinfile:
path: /etc/nscd.conf
regexp: '^positive-time-to-live passwd'
line: 'positive-time-to-live passwd 2592000'
- name: Update nscd.conf
lineinfile:
path: /etc/nscd.conf
regexp: '^positive-time-to-live group'
line: "positive-time-to-live passwd 2592000"
- name: Update sudoes users for sd-tpivi group
lineinfile:
path: /etc/sudoers
line: "%sd-tpivi ALL=(ALL) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-321 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-321 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-322 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-322 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-323 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-323 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-324 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-324 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-325 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-325 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-326 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-326 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-327 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-327 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-328 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-328 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-329 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-329 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-329 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-353 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sshd_config for AuthorizedKeysCommand
lineinfile:
path: /etc/ssh/sshd_config
line: "AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh"
state: present
- name: Update sshd_config for AuthorizedKeysCommandUser
lineinfile:
path: /etc/ssh/sshd_config
line: "AuthorizedKeysCommandUser nobody"
state: present
- name: Update sshd_config for AuthorizedKeysCommandUser
lineinfile:
path: /etc/ssh/sshd_config
line: "AllowGroups sd-all root administrator postgres mssql oinstall ansible nausd4"
state: present
- name: Update sshd.conf PermitRootLogin
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^PermitRootLogin"
line: 'PermitRootLogin No'
- name: Update sshd.conf Match All
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh'
line: 'Match All'
- name: Update sshd.conf PasswordAuthentication no
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^Match All'
line: ' PasswordAuthentication no'
- name: Update sshd.conf Match User administrator,oracle,postgres,mssql,nausd4,ansible
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^ PasswordAuthentication no'
line: 'Match User administrator,oracle,postgres,mssql,nausd4,ansible'
notify:
- restart sshd
- restart nscd
- restart nslcd
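Review bot: The third `Update nscd.conf` task matches `regexp: '^positive-time-to-live group'` but writes `positive-time-to-live passwd 2592000` as the replacement, so the group TTL line is overwritten with a duplicate passwd entry and the group TTL itself is never set; the line should read `line: 'positive-time-to-live group 2592000'`. The value is the bigger problem: a 30-day positive TTL for passwd and group, with `reload-count unlimited` keeping entries alive, means a user or group removed in LDAP keeps resolving on every host for up to a month, and since the sudoers lines below grant `NOPASSWD: ALL` purely by group membership, de-provisioning in LDAP does not revoke root for that window — keep the TTL in the minutes-to-hours range and invalidate nscd from nslcd instead. None of the `/etc/sudoers` or `/etc/ssh/sshd_config` lineinfile tasks pass `validate: '/usr/sbin/visudo -cf %s'` / `validate: '/usr/sbin/sshd -t -f %s'`, so one malformed line takes sudo or the next sshd restart down fleet-wide at once. `Disable SELinux on (RedHat-like)` switches SELinux off permanently to make an LDAP NSS/PAM module work, which is a far larger reduction than needed; the usual fix is the relevant SELinux boolean (presumably `authlogin_nsswitch_use_ldapd`), and the task deserves at least a comment justifying it. The two `pam_mkhomedir.so` entries pass only `skel=/etc/skel/`, so LDAP users' home directories are created with the module's default umask (0022, i.e. world-readable); add `umask=0077` to `module_arguments`.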


@@ -0,0 +1,108 @@
---
- name: sec_ssh start!
hosts: ldap-auth
become: yes
tasks:
- name: Update sshd.conf PermitRootLogin
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^PermitRootLogin"
line: 'PermitRootLogin No'
tags:
- sec_ssh
- name: Update sshd.conf Match All
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh'
line: 'Match All'
tags:
- sec_ssh
- name: Update sshd.conf PasswordAuthentication no
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^Match All'
line: ' PasswordAuthentication no'
tags:
- sec_ssh
- name: Update sshd.conf Match User administrator,oracle,postgres,mssql,nausd4,ansible
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^ PasswordAuthentication no'
line: 'Match User administrator,oracle,postgres,mssql,nausd4,ansible'
tags:
- sec_ssh
- name: Update sshd.conf AllowGroups
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^AllowGroups"
line: 'AllowGroups sd-all root administrator postgres mssql oinstall ansible nausd4'
tags:
- sec_ssh
- name: Update sudoes users for sd-devel-321 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-321 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-322 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-322 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-323 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-323 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-324 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-324 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-325 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-325 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-326 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-326 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-327 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-327 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-328 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-328 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-329 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-329 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: restart sshd
service:
name: sshd
enabled: true
state: restarted
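Review bot: `PasswordAuthentication no` ends up only inside `Match User administrator,oracle,postgres,mssql,nausd4,ansible`, so for every other account — including all LDAP users admitted through `AllowGroups sd-all ...` — password authentication stays at the sshd default of yes, and on Debian those passwords are then checked by pam_ldap over the plaintext `ldap://` bind configured elsewhere in this commit; since keys are already served by `AuthorizedKeysCommand`, set `PasswordAuthentication no` globally and use a `Match` block only for the accounts that genuinely need passwords. The final `restart sshd` is a task rather than a handler, so sshd is restarted on every run even when nothing changed and without any `sshd -t` validation; make it a handler notified by the config tasks, and give the sshd_config and `/etc/sudoers` lineinfile tasks a `validate:` argument. The three `regexp: '^#Match User'` tasks replace a commented `#Match User` line in place if the distro config has one, instead of inserting before `AuthorizedKeysCommand`, so the resulting block order depends on where that comment sits — a fragile way to build a `Match` stanza; a single `blockinfile` at the end of the file would be deterministic. The sudoers group list here stops at `sd-devel-329` while the role in this same commit also adds `sd-devel-353`; presumably one of the two is stale.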


@@ -0,0 +1,29 @@
---
- hosts: sec
become: yes
gather_facts: yes
vars:
user_to_check: administrator
tasks:
- name: Check if administrator has sudo right
shell: sudo -n -l -U administrator 2>&1 | egrep -c -i "not allowed to run sudo|unknown user|неизвестный пользователь|не разрешается"
args:
executable: /bin/bash
ignore_errors: yes
register: right
- name: show administrator sudo right
debug: var=right.stdout
- name: Create temporary backup of /etc/sudoers
copy:
src: "/etc/sudoers"
remote_src: yes
dest: "/etc/sudoers_{{ now().strftime('%Y-%m-%d_%H_%M_%S') }}.bak"
# register: "sudoers_backup"
when: right.stdout == "0"
# changed_when: false
- name: Send sudoers to remote Server
copy: src="../files/sudoers" dest=/etc/sudoers
when: right.stdout == "0"
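Review bot: `when: right.stdout == "0"` fires when `egrep -c` found zero "not allowed/unknown user" lines, i.e. when `administrator` already has sudo rights, so the sudoers file is pushed only to hosts where it is presumably not needed and skipped on those that lack it; if the intent is to grant rights where missing, the condition should be `right.stdout != "0"` (and the task names should say which). The check also greps for Russian and English strings, so it depends on the remote locale; prefix the command with `LC_ALL=C` so only the English messages need matching. `copy: src="../files/sudoers" dest=/etc/sudoers` replaces the whole sudoers file without `validate: '/usr/sbin/visudo -cf %s'`, without `mode: "0440"`/`owner: root`/`group: root`, and uses the legacy `key=value` form instead of block YAML; a rejected file here disables sudo on the host. `user_to_check` is declared but the command hard-codes `administrator`; use `{{ user_to_check }}` or drop the var.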


@@ -0,0 +1,16 @@
#!/bin/bash
SSH_USER=$1
LDAP_URI={{ ldap_server }}:{{ ldap_port }}
GROUP_DN={{ base_group }}
BASE_DN={{ base_passwd }}
ldapFilter="(&(shadowInactive=0)(uid=${SSH_USER})(memberOf=cn=users,ou=groups,dc=dc1,dc=com)(sshPublicKey=*))"
# Get "sshPublicKey":
KEY=$(ldapsearch -x -LLL -o ldif-wrap=no -H "${LDAP_URI}" -b "${BASE_DN}" "${ldapFilter}" sshPublicKey | \
grep sshPublicKey | \
perl -MMIME::Base64 -wpe 's/^sshPublicKey(:{1,2}) (.+)$/$1 eq "::" ? decode_base64($2) : $2/e')
echo "${KEY}"
exit 0
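Review bot: The filter hard-codes `memberOf=cn=users,ou=groups,dc=dc1,dc=com` while every other DN in this commit is templated from `base_group` / `dc=naumen,dc=ru`, so unless the real directory happens to be dc1.com the search never matches and no LDAP user can log in; build it from the role variable, `ldapFilter="(&(shadowInactive=0)(uid=${SSH_USER})(memberOf=cn=users,{{ base_group }})(sshPublicKey=*))"` (and `GROUP_DN` is then either used or removed). This script is what sshd trusts to produce authorized keys, yet it queries `ldap://…:389` anonymously with no TLS, so anyone who can answer for the LDAP server on the path can inject a public key for any allowed user — and through the group-based sudoers rules, obtain root; use an `ldaps://` URI or add `-ZZ` so StartTLS is mandatory, and ship a CA for verification (note the 0440 root-only `ldap.conf` written by the role is unreadable by `AuthorizedKeysCommandUser nobody`, so TLS settings there would not reach this process). `${SSH_USER}` is interpolated into the filter unescaped; sshd only calls the command for names that resolve to an account, which limits the exposure, but escaping `*`, `(`, `)` and `\` per RFC 4515 before use costs a line and removes the assumption. `exit 0` unconditionally also hides ldapsearch failures from sshd's log; exiting non-zero on error would make outages visible.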


@@ -0,0 +1,7 @@
uri {{ ldap_server }}:{{ ldap_port }}/
base {{ ldap_base }}
base group {{ base_group }}
base passwd {{ base_passwd }}
filter group {{ filter_group }}
filter passwd {{ filter_passwd }}
tls_reqcert {{ tls_reqcert }}
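Review bot: The template renders `tls_reqcert {{ tls_reqcert }}` (defaulting to `allow`) but never emits an `ssl` directive, so nslcd talks to `{{ ldap_server }}:{{ ldap_port }}` in the clear and, if TLS were ever enabled, would accept any certificate; the `ssl_type` default defined for this role is dead. Add `ssl {{ ssl_type }}`, default `tls_reqcert` to `demand`, and render a `tls_cacertfile <CA bundle path>` line so the server identity behind the passwd/group answers (and hence the sudo group memberships) is actually verified. The same rendered file is symlinked as nslcd.conf and written as the libldap `ldap.conf`; the nslcd-specific keywords (`base group`, `filter passwd`, `tls_reqcert`) are not libldap directives, so as far as can be told from here the client-library side gets no TLS configuration at all — a header comment explaining the dual use and its limits would save the next reader some confusion.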