109 lines
3.5 KiB
YAML
109 lines
3.5 KiB
YAML
---
|
|
- name: sec_ssh start!
|
|
hosts: ldap-auth
|
|
become: yes
|
|
tasks:
|
|
|
|
- name: Update sshd.conf PermitRootLogin
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "^PermitRootLogin"
|
|
line: 'PermitRootLogin No'
|
|
tags:
|
|
- sec_ssh
|
|
|
|
- name: Update sshd.conf Match All
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^#Match User'
|
|
insertbefore: '^AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh'
|
|
line: 'Match All'
|
|
tags:
|
|
- sec_ssh
|
|
|
|
- name: Update sshd.conf PasswordAuthentication no
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^#Match User'
|
|
insertbefore: '^Match All'
|
|
line: ' PasswordAuthentication no'
|
|
tags:
|
|
- sec_ssh
|
|
|
|
- name: Update sshd.conf Match User administrator,oracle,postgres,mssql,nausd4,ansible
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^#Match User'
|
|
insertbefore: '^ PasswordAuthentication no'
|
|
line: 'Match User administrator,oracle,postgres,mssql,nausd4,ansible'
|
|
tags:
|
|
- sec_ssh
|
|
|
|
- name: Update sshd.conf AllowGroups
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "^AllowGroups"
|
|
line: 'AllowGroups sd-all root administrator postgres mssql oinstall ansible nausd4'
|
|
tags:
|
|
- sec_ssh
|
|
|
|
- name: Update sudoes users for sd-devel-321 group
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "%sd-devel-321 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
|
|
state: present
|
|
|
|
- name: Update sudoes users for sd-devel-322 group
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "%sd-devel-322 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
|
|
state: present
|
|
|
|
- name: Update sudoes users for sd-devel-323 group
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "%sd-devel-323 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
|
|
state: present
|
|
|
|
- name: Update sudoes users for sd-devel-324 group
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "%sd-devel-324 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
|
|
state: present
|
|
|
|
- name: Update sudoes users for sd-devel-325 group
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "%sd-devel-325 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
|
|
state: present
|
|
|
|
- name: Update sudoes users for sd-devel-326 group
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "%sd-devel-326 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
|
|
state: present
|
|
|
|
- name: Update sudoes users for sd-devel-327 group
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "%sd-devel-327 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
|
|
state: present
|
|
|
|
- name: Update sudoes users for sd-devel-328 group
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "%sd-devel-328 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
|
|
state: present
|
|
|
|
- name: Update sudoes users for sd-devel-329 group
|
|
lineinfile:
|
|
path: /etc/sudoers
|
|
line: "%sd-devel-329 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
|
|
state: present
|
|
|
|
- name: restart sshd
|
|
service:
|
|
name: sshd
|
|
enabled: true
|
|
state: restarted
|