all demo

ansible/playbook/roles/ldap-auth/tasks/sec_ssh.yml

@@ -0,0 +1,108 @@
+---
+- name: sec_ssh start!
+  hosts: ldap-auth
+  become: yes
+  tasks:
+
+    - name: Update sshd.conf PermitRootLogin
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^PermitRootLogin"
+        line: 'PermitRootLogin No'
+      tags:
+        - sec_ssh
+
+    - name: Update sshd.conf Match All
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#Match User'
+        insertbefore: '^AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh'
+        line: 'Match All'
+      tags:
+        - sec_ssh
+
+    - name: Update sshd.conf PasswordAuthentication no
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#Match User'
+        insertbefore: '^Match All'
+        line: '    PasswordAuthentication no'
+      tags:
+        - sec_ssh
+
+    - name: Update sshd.conf Match User administrator,oracle,postgres,mssql,nausd4,ansible
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#Match User'
+        insertbefore: '^    PasswordAuthentication no'
+        line: 'Match User administrator,oracle,postgres,mssql,nausd4,ansible'
+      tags:
+        - sec_ssh
+
+    - name: Update sshd.conf AllowGroups
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "^AllowGroups"
+        line: 'AllowGroups sd-all root administrator postgres mssql oinstall ansible nausd4'
+      tags:
+        - sec_ssh
+
+    - name: Update sudoes users for sd-devel-321 group
+      lineinfile:
+        path: /etc/sudoers
+        line: "%sd-devel-321       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+        state: present
+
+    - name: Update sudoes users for sd-devel-322 group
+      lineinfile:
+        path: /etc/sudoers
+        line: "%sd-devel-322       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+        state: present
+
+    - name: Update sudoes users for sd-devel-323 group
+      lineinfile:
+        path: /etc/sudoers
+        line: "%sd-devel-323       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+        state: present
+
+    - name: Update sudoes users for sd-devel-324 group
+      lineinfile:
+        path: /etc/sudoers
+        line: "%sd-devel-324       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+        state: present
+
+    - name: Update sudoes users for sd-devel-325 group
+      lineinfile:
+        path: /etc/sudoers
+        line: "%sd-devel-325       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+        state: present
+
+    - name: Update sudoes users for sd-devel-326 group
+      lineinfile:
+        path: /etc/sudoers
+        line: "%sd-devel-326       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+        state: present
+
+    - name: Update sudoes users for sd-devel-327 group
+      lineinfile:
+        path: /etc/sudoers
+        line: "%sd-devel-327       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+        state: present
+
+    - name: Update sudoes users for sd-devel-328 group
+      lineinfile:
+        path: /etc/sudoers
+        line: "%sd-devel-328       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+        state: present
+
+    - name: Update sudoes users for sd-devel-329 group
+      lineinfile:
+        path: /etc/sudoers
+        line: "%sd-devel-329       ALL=(administrator,postgres,mssql,oinstall,nausd4)       NOPASSWD: ALL"
+        state: present
+
+    - name: restart sshd
+      service:
+        name: sshd
+        enabled: true
+        state: restarted