-rw-r--r--company/ad-templates/krb5.conf.CentOS35
-rw-r--r--company/ad-templates/krb5.conf.FreeBSD37
-rw-r--r--company/ad-templates/krb5.conf.Ubuntu35
-rw-r--r--company/ad-templates/sssd.conf.CentOS42
-rw-r--r--company/ad-templates/sssd.conf.FreeBSD41
-rw-r--r--company/ad-templates/sssd.conf.Ubuntu42
-rw-r--r--company/ad-vars/FreeBSD.yml4
-rw-r--r--company/ad-vars/default.yml3
-rw-r--r--company/fail2ban-files/filter.d/20_bju-blns.filter32
-rw-r--r--company/fail2ban-files/filter.d/30_bju-max3.filter13
-rw-r--r--company/fail2ban-files/filter.d/60_sshd.filter31
-rw-r--r--company/fail2ban-files/jail.d/00_default.jail10
-rw-r--r--company/fail2ban-files/jail.d/20_bju-blns.jail21
-rw-r--r--company/fail2ban-files/jail.d/30_bju-max3.jail21
-rw-r--r--company/fail2ban-files/jail.d/60_sshd.jail16
-rw-r--r--company/pubkeys/bgirton.pubkeys3
-rw-r--r--company/pubkeys/lcroce.pubkey1
-rw-r--r--company/resolv_conf-templates/resolv.conf8
-rw-r--r--company/sudo-files/40_BGIRTON2
-rw-r--r--hosts30
-rwxr-xr-xinc/scrub.py109
-rw-r--r--inc/scrub.txt23
-rw-r--r--master.yml18
-rw-r--r--roles/ad/hosts/default.yml4
-rw-r--r--roles/ssh_keys/main.yml2
-rw-r--r--roles/ssh_keys/tasks/main.yml.2016-10-03.0163
-rw-r--r--roles/sudo/main.yml6
-rw-r--r--roles/sudo/tasks/225
-rw-r--r--roles/sudo/tasks/main.yml63
-rw-r--r--roles/sudo/tests/test.yml12
-rw-r--r--roles/sudo/vars/FreeBSD.yml4
-rw-r--r--roles/sudo/vars/default.yml4
-rw-r--r--test.yml12
33 files changed, 770 insertions, 2 deletions
diff --git a/company/ad-templates/krb5.conf.CentOS b/company/ad-templates/krb5.conf.CentOS
new file mode 100644
index 0000000..74570ae
--- /dev/null
+++ b/company/ad-templates/krb5.conf.CentOS
@@ -0,0 +1,35 @@
+# Ansible controlled filename: /etc/krb5.conf
+# Source: ansible bgstack15-ad/templates/krb5.conf.CentOS
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+ default_realm = EXAMPLE.COM
+[realms]
+ EXAMPLE.COM = {
+ kdc = dc1.example.com
+ kdc = dc2.example.com
+ kdc = dc3.example.com
+ kdc = dc4.example.com
+ admin_server = dc1.example.com
+ admin_server = dc2.example.com
+ admin_server = dc3.example.com
+ admin_server = dc4.example.com
+ }
+
+[domain_realm]
+example.com = EXAMPLE.COM
+ .example.com = EXAMPLE.COM
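Review bot: `forwardable = true` under `[libdefaults]` makes every TGT issued on these hosts forwardable, so any client that delegates (ssh with `GSSAPIDelegateCredentials`, browsers with delegation enabled) hands a usable copy of the user's credentials to the remote service; if delegation is not an intended workflow drop the line, and if it is, add a comment above it saying so, because this is the setting that turns a compromised jump host into a credential harvester. `dns_lookup_realm` is disabled but `dns_lookup_kdc` is left at its MIT default of true, so the four `kdc =` entries are not the only discovery path; set `dns_lookup_kdc = false` if that list is meant to be authoritative. The two `[domain_realm]` entries are indented differently (`example.com` at column 0, `.example.com` indented); libkrb5 does not care, but it reads like a typo.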
diff --git a/company/ad-templates/krb5.conf.FreeBSD b/company/ad-templates/krb5.conf.FreeBSD
new file mode 100644
index 0000000..e6b8a3a
--- /dev/null
+++ b/company/ad-templates/krb5.conf.FreeBSD
@@ -0,0 +1,37 @@
+# Ansible controlled filename: /etc/krb5.conf
+# Source: ansible bgstack15-ad/templates/krb5.conf.FreeBSD
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_ccache_name = FILE:/tmp/krb5cc_%u
+ proxiable = true
+ ccache_type = 4
+
+ default_realm = EXAMPLE.COM
+[realms]
+ EXAMPLE.COM = {
+ kdc = dc1.example.com
+ kdc = dc2.example.com
+ kdc = dc3.example.com
+ kdc = dc4.example.com
+ admin_server = dc1.example.com
+ admin_server = dc2.example.com
+ admin_server = dc3.example.com
+ admin_server = dc4.example.com
+ }
+
+[domain_realm]
+example.com = EXAMPLE.COM
+ .example.com = EXAMPLE.COM
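Review bot: `default_ccache_name = FILE:/tmp/krb5cc_%u` uses `%u`, which is not a `%{…}` parameter expansion in MIT or Heimdal as far as I can tell (the CentOS/Ubuntu templates use `%{uid}`), so this is most likely the literal path `/tmp/krb5cc_%u` shared by every user on the box: the first user creates it 0600 and everyone else fails to obtain a cache, or, if it is ever created with a permissive mode, users can read one another's tickets. Use `default_ccache_name = FILE:/tmp/krb5cc_%{uid}` and verify with `klist` as two different users. `proxiable = true` appears only in this template; unless a FreeBSD-specific service needs proxiable tickets, remove it for parity with the other two files or comment the reason. `forwardable = true` applies here too and should be a documented decision, since it makes every TGT delegable by default.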
diff --git a/company/ad-templates/krb5.conf.Ubuntu b/company/ad-templates/krb5.conf.Ubuntu
new file mode 100644
index 0000000..6a4c23b
--- /dev/null
+++ b/company/ad-templates/krb5.conf.Ubuntu
@@ -0,0 +1,35 @@
+# Ansible controlled filename: /etc/krb5.conf
+# Source: ansible bgstack15-ad/templates/krb5.conf.Ubuntu
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+ default_realm = EXAMPLE.COM
+[realms]
+ EXAMPLE.COM = {
+ kdc = dc1.example.com
+ kdc = dc2.example.com
+ kdc = dc3.example.com
+ kdc = dc4.example.com
+ admin_server = dc1.example.com
+ admin_server = dc2.example.com
+ admin_server = dc3.example.com
+ admin_server = dc4.example.com
+ }
+
+[domain_realm]
+example.com = EXAMPLE.COM
+ .example.com = EXAMPLE.COM
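Review bot: This file is identical to `krb5.conf.CentOS` apart from the `Source:` comment, and its header still cites `Building the Centos 7 Template.docx`; three hand-maintained copies of the same realm configuration invite the kind of drift the FreeBSD variant already shows (different `default_ccache_name`, an extra `proxiable`). One template with the ccache name taken from the OS vars file (`default_ccache_name = {{ krb5_ccache_name }}`) would keep the realm, KDC list and lifetimes in a single place. `forwardable = true` also applies here: every TGT is delegable by default, which should be an explicitly documented decision rather than an inherited default.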
diff --git a/company/ad-templates/sssd.conf.CentOS b/company/ad-templates/sssd.conf.CentOS
new file mode 100644
index 0000000..dafb287
--- /dev/null
+++ b/company/ad-templates/sssd.conf.CentOS
@@ -0,0 +1,42 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.CentOS
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=com
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam, autofs
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users = bgstack15, bgstack15, user16, user16
+case_sensitive = true
+ad_gpo_access_control = disabled
+[autofs]
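Review bot: `ldap_uri = ldap://example.com` in `[domain/default]` with no `ldap_id_use_start_tls = True` means the `id_provider = ldap` lookups (users, groups, autofs maps) go over cleartext, anonymous LDAP, and `ldap_tls_cacertdir` is never consulted; add `ldap_id_use_start_tls = True` (or use `ldaps://`) and, since the realm is AD, consider `ldap_sasl_mech = GSSAPI` so the host keytab authenticates the lookups. `simple_allow_users` is only read by `access_provider = simple`; under `access_provider = ad` it is dead configuration (and the repeated entries look like a scrub artefact), so drop it or switch providers deliberately. `ad_gpo_access_control = disabled` turns off GPO logon-right enforcement; a one-line comment saying that access is intentionally governed only by `ad_access_filter` would stop the next reader from re-enabling it by accident. The trailing empty `[autofs]` section is harmless but should carry the keys it is meant to hold or be removed.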
diff --git a/company/ad-templates/sssd.conf.FreeBSD b/company/ad-templates/sssd.conf.FreeBSD
new file mode 100644
index 0000000..9add0ed
--- /dev/null
+++ b/company/ad-templates/sssd.conf.FreeBSD
@@ -0,0 +1,41 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.FreeBSD
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=com
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users = bgstack15, bgstack15, user16, user16
+case_sensitive = true
+ad_gpo_access_control = disabled
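Review bot: `default_shell = /bin/bash` does not exist on FreeBSD (bash from ports installs as `/usr/local/bin/bash`), so any AD account without a `loginShell` attribute is handed a non-existent shell and cannot log in, and the failure surfaces as an sshd/login error rather than an sssd one; use `/usr/local/bin/bash` if bash is guaranteed installed, or `/bin/sh`. `autofs_provider = ldap` is kept in `[domain/default]` although `autofs` was dropped from `services`, and `ldap_tls_cacertdir = /etc/openldap/cacerts` is a RHEL path (the FreeBSD port keeps its config under `/usr/local/etc/openldap`) — both suggest the template was copied from the CentOS one without the FreeBSD-specific values being checked. `ldap://` without `ldap_id_use_start_tls = True` also means identity lookups travel in cleartext here, as in the other two templates.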
diff --git a/company/ad-templates/sssd.conf.Ubuntu b/company/ad-templates/sssd.conf.Ubuntu
new file mode 100644
index 0000000..7b7dae3
--- /dev/null
+++ b/company/ad-templates/sssd.conf.Ubuntu
@@ -0,0 +1,42 @@
+# Ansible-controlled filename: /etc/sssd/sssd.conf
+# Source: ansible sssd.conf.Ubuntu
+# Date: 2016-03-04
+# Reference: Building the Centos 7 Template.docx
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[domain/default]
+autofs_provider = ldap
+cache_credentials = True
+krb5_realm = EXAMPLE.COM
+ldap_search_base = dc=example,dc=com
+krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+id_provider = ldap
+auth_provider = krb5
+chpass_provider = krb5
+krb5_store_password_if_offline = True
+ldap_uri = ldap://example.com
+krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com
+ldap_tls_cacertdir = /etc/openldap/cacerts
+
+[sssd]
+domains = default, example.com
+config_file_version = 2
+services = nss, pam, autofs
+
+[domain/example.com]
+ad_domain = example.com
+krb5_realm = EXAMPLE.COM
+realmd_tags = manages-system joined-with-samba
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = False
+use_fully_qualified_names = False
+fallback_homedir = /home/%d/%u
+access_provider = ad
+ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users = bgstack15, bgstack15, user16, user16
+case_sensitive = true
+ad_gpo_access_control = disabled
+[autofs]
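Review bot: This template is byte-for-byte the CentOS one, including `ldap_tls_cacertdir = /etc/openldap/cacerts`, a RHEL path (Ubuntu's CA store lives under `/etc/ssl/certs`), so the per-OS copy carries no Ubuntu-specific value and will simply drift from the CentOS file over time; one template with the few OS-dependent keys pulled from `company/ad-vars/*.yml` would be easier to keep correct. `ad_access_filter` and `simple_allow_users` are hard-coded here while `company/ad-vars/FreeBSD.yml` and `roles/ad/hosts/default.yml` define variables of the same names that nothing in this diff interpolates — whichever path the `ad` role takes (its tasks are not in this diff), one of the two sources is dead. The cleartext `ldap://` lookups and the `simple_allow_users` line that `access_provider = ad` ignores apply here exactly as in the CentOS copy.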
diff --git a/company/ad-vars/FreeBSD.yml b/company/ad-vars/FreeBSD.yml
new file mode 100644
index 0000000..77e2a9c
--- /dev/null
+++ b/company/ad-vars/FreeBSD.yml
@@ -0,0 +1,4 @@
+---
+sssd_dir: /usr/local/etc/sssd
+ad_access_filter: (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*))
+simple_allow_users: bgstack15, bgstack15, bgstack15-local
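Review bot: `ad_access_filter` and `simple_allow_users` are defined here as variables, but none of the `sssd.conf.*` templates in this commit interpolate them — the same filter and user list are hard-coded in each template — so either the `ad` role (whose tasks are not in this diff) substitutes them some other way or these values are dead and will drift from the templates. `simple_allow_users` also has no effect under `access_provider = ad`; only the `simple` provider reads it. Unlike `default.yml`, this file does not set `krb5_conf_dir`, which is fine only if the role includes `default.yml` before the OS file the way the sudo role does.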
diff --git a/company/ad-vars/default.yml b/company/ad-vars/default.yml
new file mode 100644
index 0000000..cb65db8
--- /dev/null
+++ b/company/ad-vars/default.yml
@@ -0,0 +1,3 @@
+---
+sssd_dir: /etc/sssd
+krb5_conf_dir: /etc
diff --git a/company/fail2ban-files/filter.d/20_bju-blns.filter b/company/fail2ban-files/filter.d/20_bju-blns.filter
new file mode 100644
index 0000000..c39cefa
--- /dev/null
+++ b/company/fail2ban-files/filter.d/20_bju-blns.filter
@@ -0,0 +1,32 @@
+# Ansible controlled filename: /etc/fail2ban/filter.d/20_example-blns.filter
+# Source: ansible bgstack15-fail2ban/files/example-blns.filter
+# Date: 2016-04-19
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[Definition]
+failregex = ^.*<HOST>.*(GET|POST).*/etc/passwd.*$
+ ^.*<HOST>.*(GET|POST).*/etc/group.*$
+ ^.*<HOST>.*(GET|POST).*/etc/hosts.*$
+ ^.*<HOST>.*(GET|POST).*/proc/self/environ.*$
+ ^.*<HOST>.*(GET|POST).*(?i)admin.*admin.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(php|db|pma|web|sql).*admin.*$
+ ^.*<HOST>.*(GET|POST).*(?i)admin.*(php|db|pma|web|sql).*$
+ ^.*<HOST>.*(GET|POST).*(?i)DELETE_comment.*$
+ ^.*<HOST>.*(GET|POST).*(?i)pma/scripts.*setup.*$
+ ^.*<HOST>.*(GET|POST).*(?i)pma([0-9]{4})?/? HTTP.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(database|myadmin|mysql)/? HTTP.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(dbweb|webdb|websql|sqlweb).*$
+ ^.*<HOST>.*(GET|POST).*(?i)(my)?sql.*manager.*$
+ ^.*<HOST>.*(GET|POST).*(?i)wp-(admin|login|signup|config).*$
+ ^.*<HOST>.*(GET|POST).*president/.*wp-cron\.php*$
+ ^.*<HOST>.*(GET|POST).*w00t.*blackhats.*$
+ ^.*<HOST>.*(GET|POST).*\+\+liker.profile_URL\+\+.*$
+ ^.*<HOST>.*(GET|POST).*muieblackcat.*$
+ ^.*<HOST>.*(GET|POST).*(?i)ldlogon.*$
+ ^.*<HOST>.*(GET|POST).*(?i)\.cobalt$
+ ^.*<HOST>.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$
+ ^.*<HOST>.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$
+ ^.*<HOST>.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$
+
+ignoreregex =
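Review bot: Every `failregex` here starts with `^.*<HOST>.*(GET|POST)`, and because the leading `.*` is greedy the `<HOST>` capture is not pinned to the client-address column of the access log: Python backtracks from the right, so the banned "host" is whatever right-most word-like token still lets the remainder match — by my reading, on a stock combined-format line that is a piece of the timestamp, and on a crafted request it is an address the attacker placed in the URL, the referer, or the Basic-auth user field (which Apache logs even on a 401), i.e. a remote party can pick which address gets banned. Anchor the host to the first field of the combined format, e.g. `^<HOST> \S+ \S+ \[[^\]]+\] "(?:GET|POST) [^"]*/etc/passwd`, and do the same for the other 22 lines. The jails also feed `error_log` to this filter, whose lines look like `[client <HOST>:port] …` and match none of these patterns, so that log path is effectively unused; a separate `\[client <HOST>(?::\d+)?\]` pattern is needed if error_log hits are wanted. `(?i)` placed mid-pattern applies to the whole regex in Python (and recent versions reject it unless it is at the start), so move it to the front of each line.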
diff --git a/company/fail2ban-files/filter.d/30_bju-max3.filter b/company/fail2ban-files/filter.d/30_bju-max3.filter
new file mode 100644
index 0000000..af692af
--- /dev/null
+++ b/company/fail2ban-files/filter.d/30_bju-max3.filter
@@ -0,0 +1,13 @@
+# Ansible controlled filename: /etc/fail2ban/filter.d/30_example-max3.filter
+# Source: ansible bgstack15-fail2ban/files/example-max3.filter
+# Date: 2016-07-12
+# Reference: example-blns.filter
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[Definition]
+failregex = ^.*<HOST>.*(GET|POST).*(?i)\.cobalt$
+ ^.*<HOST>.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$
+ ^.*<HOST>.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$
+ ^.*<HOST>.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$
+
+ignoreregex =
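Review bot: These four `failregex` lines use the same `^.*<HOST>.*(GET|POST).*` construction as the blns filter and inherit its weakness — the greedy prefix leaves `<HOST>` unpinned to the client-address column, so the banned address is whatever right-most token lets the rest of the pattern match, which need not be the client. They are also exact duplicates of four blns lines; a signature should live in exactly one filter so that the jail with the intended `maxretry` is the one that owns it. Pin the host to the first field, e.g. `^<HOST> \S+ \S+ \[[^\]]+\] "(?:GET|POST) [^"]*\.cobalt`, for each of the four.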
diff --git a/company/fail2ban-files/filter.d/60_sshd.filter b/company/fail2ban-files/filter.d/60_sshd.filter
new file mode 100644
index 0000000..33b8ba8
--- /dev/null
+++ b/company/fail2ban-files/filter.d/60_sshd.filter
@@ -0,0 +1,31 @@
+# Ansible-controlled filename: /etc/fail2ban/filter.d/60_sshd.filter
+# Source: ansible bgstack15-fail2ban/files/sshd.filter
+# Date: 2016-06-23
+# Reference: Ubuntu 16.04 fail2ban package sshd filter
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = sshd
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
+ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
+ ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
+ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
+ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
+ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+ ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
+ignoreregex =
+[Init]
+maxlines = 10
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
diff --git a/company/fail2ban-files/jail.d/00_default.jail b/company/fail2ban-files/jail.d/00_default.jail
new file mode 100644
index 0000000..71cd3e8
--- /dev/null
+++ b/company/fail2ban-files/jail.d/00_default.jail
@@ -0,0 +1,10 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/00_default.filter
+# Source: ansible bgstack15-fail2ban/files/00_default.conf
+# Date: 2016-06-23
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[DEFAULT]
+ignoreip = 127.0.0.1/8 203.0.0.0/16 10.0.0.0/8 192.168.0.0/16 204.13.201.0/24 64.37.231.0/24
+# TrustKeeper Vulnerability Scan IPs = 204.13.201.0/24 64.37.231.0/24
+
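Review bot: fail2ban reads only `*.conf` and `*.local` from `jail.d/` (and looks up `filter = NAME` as `filter.d/NAME.conf`), so if these fragments really land as `/etc/fail2ban/jail.d/00_default.jail` and friends, as their headers state, none of them are loaded and no jail in this commit is active; deploy them with a `.conf` suffix, or confirm that the fail2ban role (not in this diff) renames them. The header also calls this file `00_default.filter` although it is a jail fragment. `ignoreip` exempts a whole `203.0.0.0/16` plus all of `10/8` and `192.168/16`; if `203.0.0.0/16` is the scrubbed corporate range a comment saying so belongs here, and narrowing the list to the actual management networks limits what a compromised internal host can do without tripping a ban.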
diff --git a/company/fail2ban-files/jail.d/20_bju-blns.jail b/company/fail2ban-files/jail.d/20_bju-blns.jail
new file mode 100644
index 0000000..eb1d1c9
--- /dev/null
+++ b/company/fail2ban-files/jail.d/20_bju-blns.jail
@@ -0,0 +1,21 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/20_example-blns.jail
+# Source: ansible bgstack15-fail2ban/files/example-blns.jail
+# Date: 2016-04-19
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[example-blns]
+enabled = true
+action = iptables-allports
+ sendmail[name=exampleblns, dest=linuxadmin@example.com]
+filter = 20_example-blns
+logpath = /var/log/httpd/access_log
+ /var/log/httpd/error_log
+ /var/log/httpd/ssl_access_log
+ /var/log/httpd/ssl_error_log
+ /var/log/apache2/access_log
+ /var/log/apache2/error_log
+ /var/log/apache2/ssl_access_log
+ /var/log/apache2/ssl_error_log
+maxretry = 1
+bantime = 86400
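Review bot: `filter = 20_example-blns` does not match the committed filter file, which is `filter.d/20_bju-blns.filter`: the scrub rewrote the name inside the files but not the filenames, so the published repo is internally inconsistent and the path still carries the identifier the scrub was meant to hide. `maxretry = 1` combined with `iptables-allports` means a single request matching `(?i)admin.*admin` or `wp-(admin|login|signup|config)` cuts the source off from every port for a day; if any host in `webservers` legitimately serves a WordPress or admin path, real administrators will be banned, so state the assumption in a comment or move the broad patterns to the three-strike jail. The `action` here uses `sendmail` while the sshd jail uses `sendmail-whois`; either is fine, but pick one.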
diff --git a/company/fail2ban-files/jail.d/30_bju-max3.jail b/company/fail2ban-files/jail.d/30_bju-max3.jail
new file mode 100644
index 0000000..6ca7781
--- /dev/null
+++ b/company/fail2ban-files/jail.d/30_bju-max3.jail
@@ -0,0 +1,21 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/30_example-max3.jail
+# Source: ansible bgstack15-fail2ban/files/example-max3.jail
+# Date: 2016-07-12
+# Reference: example-blns.jail
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[example-max3]
+enabled = true
+action = iptables-allports
+ sendmail[name=examplemax3, dest=linuxadmin@example.com]
+filter = 30_example-max3
+logpath = /var/log/httpd/access_log
+ /var/log/httpd/error_log
+ /var/log/httpd/ssl_access_log
+ /var/log/httpd/ssl_error_log
+ /var/log/apache2/access_log
+ /var/log/apache2/error_log
+ /var/log/apache2/ssl_access_log
+ /var/log/apache2/ssl_error_log
+maxretry = 3
+bantime = 86400
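Review bot: The four patterns in `30_example-max3` are verbatim copies of lines in `20_example-blns`, and that jail bans after a single hit on the same log files, so the `maxretry = 3` here can never be the rule that fires — the blns jail has already banned the source by then. If a three-strike policy is the intent for these signatures, remove them from the blns filter; otherwise delete this jail and its filter. The eight-entry `logpath` list is repeated from the blns jail as well; a shared `logpath` under `[DEFAULT]` in `00_default` would keep the two in step.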
diff --git a/company/fail2ban-files/jail.d/60_sshd.jail b/company/fail2ban-files/jail.d/60_sshd.jail
new file mode 100644
index 0000000..aeb2751
--- /dev/null
+++ b/company/fail2ban-files/jail.d/60_sshd.jail
@@ -0,0 +1,16 @@
+# Ansible controlled filename: /etc/fail2ban/jail.d/60_sshd.jail
+# Source: ansible bgstack15-fail2ban/files/sshd.jail
+# Date: 2016-06-23
+# Reference: Ubuntu 16.04 fail2ban package sshd jail
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[ssh-iptables]
+
+enabled = true
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
+logpath = %(sshd_log)s
+maxretry = 5
+
+ignoreip = 203.0.193.232/24
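Review bot: `filter = sshd` loads the stock `filter.d/sshd.conf`, not the `60_sshd.filter` shipped in this commit, so that file is dead unless the role renames it — and since it is a copy of the Ubuntu 16.04 stock filter anyway, dropping it is the simpler fix. `ignoreip = 203.0.193.232/24` is written with a host address rather than the network (`203.0.193.0/24`), which fail2ban will likely accept but which misreads as a single host; more importantly a jail-level `ignoreip` replaces the `[DEFAULT]` list rather than extending it, so for SSH the RFC1918 ranges and the scanner ranges from `00_default` are no longer exempt — say so in a comment if that is intended. On Ubuntu the packaged `defaults-debian.conf` already enables a `[sshd]` jail on the same log, so `[ssh-iptables]` would run alongside it; naming this jail `[sshd]` avoids the duplicate.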
diff --git a/company/pubkeys/bgirton.pubkeys b/company/pubkeys/bgirton.pubkeys
new file mode 100644
index 0000000..85abeb0
--- /dev/null
+++ b/company/pubkeys/bgirton.pubkeys
@@ -0,0 +1,3 @@
+# version 3.0
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8xc7BV1xCcKrzQvQwDhAAX6uDne5lSpgCURg4Vx8Au8fsaiFSVlCky+OOQAJipgucG0QBPiL60sNNsY03sKIAh7TMKsoUZuQ5sJM6EpyKGEYaOKFXjaShDFMtdvwGIANh/e86qpVGRkje+p8fvNxbHOXsQpYF+HpAv8u/HbaQQYtdkWaeR6nIO8LXWOapgO7t5pMdRQJa67+4Yyc7IQQM66WMXX5Ik3nGMMHog2PgrpTtaEdKOV2TzSynLBlp3UmOkLa4D0euvMsTwjTmqeORfCMVyVeYwHhZoz4V99L1aYCeI1jDwhD5GEf/DKOhMNVsw7OhqTSfVz3sYGbq0or bgstack15@aluminum.example.com
+ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAgURLzjIKMmN0Aq8YZTQp1N/6GMEuEs8WeOx2eg/lEXEFTxIQMMKYXxPDgzp2QLCQuuzgKOXBKw7KtnxtqTkmlAUWMDExSd7U1q/vZnDIubUFzZKbORJHWUOrI4Os/r9GPmnFro8kMCYjvmkUWIO82+JQHFBunICJcGKPJutcbSU= rsa-key-20130722
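Review bot: The second key is a 1024-bit RSA key — its blob decodes to exponent 37 and a 129-byte modulus (`AAAABJQAAAIEA`), consistent with the PuTTY-generated `rsa-key-20130722` comment — and 1024-bit RSA is below current guidance for SSH authentication; rotate it to a 3072/4096-bit RSA or an ed25519 key rather than pushing it to every host in the inventory. The file is named `bgirton.pubkeys` while `master.yml` asks for `bgstack15.pubkeys`: the scrub changed contents but not filenames, so the reference is broken in the published tree and the path still carries the identifier the scrub was meant to remove. Key comments such as `bgstack15@aluminum.example.com` land verbatim in every `authorized_keys`, which is harmless but worth keeping in mind when choosing what to put in them.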
diff --git a/company/pubkeys/lcroce.pubkey b/company/pubkeys/lcroce.pubkey
new file mode 100644
index 0000000..8ed442d
--- /dev/null
+++ b/company/pubkeys/lcroce.pubkey
@@ -0,0 +1 @@
+FOO 2016-09-22 08:49 this is the contents of user16.pubkey
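Review bot: This is a placeholder (`FOO 2016-09-22 … this is the contents of user16.pubkey`), not a public key; if the ssh_keys role installs it the way its task file does for key files (`template:` straight into `authorized_keys`), sshd will silently skip the unparsable line, so the user ends up with no key and nothing reports it. Either commit the real key, drop the file, or have the role check each entry with `ssh-keygen -l -f` before installing it. As with the other `company/` files, the filename (`lcroce`) was not scrubbed while the contents were.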
diff --git a/company/resolv_conf-templates/resolv.conf b/company/resolv_conf-templates/resolv.conf
new file mode 100644
index 0000000..7a647b0
--- /dev/null
+++ b/company/resolv_conf-templates/resolv.conf
@@ -0,0 +1,8 @@
+# File managed by ansible
+
+search example.com
+nameserver 10.1.16.1
+nameserver 10.2.16.1
+nameserver 10.1.16.2
+nameserver 10.2.16.2
+options timeout:3 rotate
diff --git a/company/sudo-files/40_BGIRTON b/company/sudo-files/40_BGIRTON
new file mode 100644
index 0000000..5e27584
--- /dev/null
+++ b/company/sudo-files/40_BGIRTON
@@ -0,0 +1,2 @@
+User_Alias bgstack15 = bgstack15, bgstack15, bgstack15-local
+bgstack15 ALL=(ALL) NOPASSWD: ALL
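Review bot: `User_Alias bgstack15 = …` is not valid sudoers: alias names must match `[A-Z][A-Z0-9_]*`, so this fragment is a parse error, and a parse error in any `sudoers.d` file makes sudo refuse every command on the host until someone fixes it by hand as root. This is probably a scrub artefact (the original alias was presumably upper-case), but it means the published file cannot be deployed as-is, and the sudo role should run `validate: 'visudo -cf %s'` so a bad fragment never lands. `NOPASSWD: ALL` for three accounts, including a local fallback account, on hosts where sssd also caches AD credentials means any hijacked session is root with no further check; if that is accepted, say why in a comment above the rule, otherwise drop `NOPASSWD:`. The filename `40_BGIRTON` was not scrubbed either, while the test playbooks refer to `40_bgstack15`.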
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..d48fb17
--- /dev/null
+++ b/hosts
@@ -0,0 +1,30 @@
+# file: /etc/ansible/hosts
+
+one.example.com
+two.example.com
+three.example.com
+four.example.com
+five.example.com
+six.example.com
+
+[centos]
+one.example.com
+two.example.com
+three.example.com
+
+[ubuntu]
+four.example.com
+
+[freebsd:vars]
+ansible_python_interpreter=/usr/local/bin/python2.7
+
+[freebsd]
+five.example.com
+six.example.com
+
+[webservers]
+one.example.com
+
+[test]
+one.example.com
+six.example.com
diff --git a/inc/scrub.py b/inc/scrub.py
new file mode 100755
index 0000000..a0e9c70
--- /dev/null
+++ b/inc/scrub.py
@@ -0,0 +1,109 @@
+#!/bin/env python3
+# Filename: scrub.py
+# Location: Various
+# Author: bgstack15@gmail.com
+# Startdate: 2016-09-28
+# Title: Script that Simultaneously Copies and Scrubs a Directory
+# Purpose: Prepare projects for publication by removing private information like usernames and hostnames
+# Package: Various
+# History:
+# Usage:
+# Store this file with any package that gets published. Adjust scrub.txt in local directory.
+# # First line: source directory Second line: target directory. WILL BE OVERWRITTEN!
+# /etc/ansible
+# /home/bjones/ansible.clean
+# # Rest of the lines are "OLD WORD" "NEW WORD"
+# bjones bgstack15
+# rsmith rmstack15
+# Reference:
+# http://stackoverflow.com/questions/79968/split-a-string-by-spaces-preserving-quoted-substrings-in-python/524796#524796
+# http://stackoverflow.com/questions/6706953/python-using-subprocess-to-call-sed#6707003
+# http://stackoverflow.com/questions/6584871/remove-last-character-if-its-a-backslash/6584893#6584893
+# http://stackoverflow.com/questions/2212643/python-recursive-folder-read/2212728#2212728
+# parallel lists: http://stackoverflow.com/questions/1663807/how-can-i-iterate-through-two-lists-in-parallel-in-python
+# Improve:
+# Add option to specify scrub file
+# Add exclude option to scrub file, such as .git and so on
+# Accept CLI options like source, destination, even exclusions?
+# Also change filenames
+import re, shlex, os, sys, shutil
+from pathlib import Path
+
+# scrubpy version
+scrubpyversion = "2016-09-29b"
+
+# Define functions
+
+def removeComments(string):
+ #string = re.sub(re.compile("/\*.*?\*/",re.DOTALL ) ,"", string)
+ #string = re.sub(re.compile("//.*?\n" ) ,"" ,string)
+ pattern = r"(\".*?\"|\'.*?\')|(/\*.*?\*/|(//|#)[^\r\n]*$)"
+ regex = re.compile(pattern, re.MULTILINE|re.DOTALL)
+ def _replacer(match):
+ if match.group(2) is not None:
+ return ""
+ else:
+ return match.group(1)
+ return regex.sub(_replacer, string)
+
+# Main code
+stringfile = open('scrub.txt','r')
+count=0
+thisdir=""
+newdir=""
+oldstrings=[]
+newstrings=[]
+
+while True:
+ x = stringfile.readline().rstrip()
+ count += 1
+ if not x: break
+ x = removeComments(x)
+ #print("x=" + x)
+ y = shlex.split (x)
+ if len(y) >= 1:
+ if thisdir == "":
+ thisdir = y[0]
+ elif newdir == "":
+ newdir = y[0]
+ if len(y) >= 2:
+ #print("y[0]=" + y[0] + "\t and y[1]=" + y[1])
+ oldstrings.append(y[0])
+ newstrings.append(y[1])
+
+# After the file is done
+stringfile.close()
+#newdir = thisdir.rstrip('\/') + ".scrubbed/"
+
+if False:
+ print("\nthisdir=" + thisdir)
+ print("newdir=" + newdir + '\n')
+ print("oldstrings are:")
+ print(oldstrings)
+ print("newstrings are:")
+ print(newstrings)
+
+# Clean scrubbed directory
+try:
+ shutil.rmtree(newdir)
+except:
+ foo=1
+
+shutil.copytree(thisdir,newdir,symlinks=True)
+
+# Execute substitutions
+for rootfolder, subdirs, files in os.walk(thisdir):
+ for filename in files:
+ sourcepath = os.path.join(rootfolder, filename)
+ with open( sourcepath, "r" ) as source:
+ if not ".swp" in source.name and not ".git" in source.name:
+ destdir = rootfolder.replace(thisdir.rstrip('\/'),newdir.rstrip('\/'))
+ destfile = os.path.join(destdir, filename)
+ #print("sourcefile=" + source.name)
+ #print("destfile=" + destfile + '\n')
+ with open( destfile, "w") as target:
+ data = source.read()
+ for oldword, newword in zip(oldstrings, newstrings):
+ data = data.replace(oldword,newword)
+ changed = data
+ target.write(changed)
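Review bot: The scrub rewrites file contents but never paths, and this very commit shows the consequence: `company/pubkeys/bgirton.pubkeys`, `company/sudo-files/40_BGIRTON` and `fail2ban-files/*/20_bju-*` keep the identifiers the content substitutions removed, while the playbooks now reference scrubbed names that do not exist. A bottom-up rename pass over the copied tree (below) closes that gap; the `Improve:` header already lists it. `shutil.rmtree(newdir)` deletes whatever the second line of `scrub.txt` names and the bare `except:` hides any failure, so a mis-edited `scrub.txt` (`/`, `~`, or a path inside `thisdir`) is destructive — refuse to proceed unless `newdir` is an absolute path outside `thisdir`, and only ignore `FileNotFoundError`. Opening every file in text mode will also raise `UnicodeDecodeError` on the first binary file, and because the `.git`/`.swp` name test runs after `open()`, a `.git` object is reached before it is skipped; test the name first and skip files that fail to decode.

```python
# … unchanged: scrub.txt parsing and copytree …

# Refuse to delete anything but a dedicated target directory.
if not newdir or not os.path.isabs(newdir) or newdir.rstrip('/') == '' \
        or newdir.startswith(thisdir.rstrip('/') + '/'):
    sys.exit("refusing to use target directory %r" % newdir)
try:
    shutil.rmtree(newdir)
except FileNotFoundError:
    pass

# … unchanged: content substitution loop …

# Scrub names as well as contents; bottom-up so children are renamed before parents.
for rootfolder, subdirs, files in os.walk(newdir, topdown=False):
    for name in subdirs + files:
        newname = name
        for oldword, newword in zip(oldstrings, newstrings):
            newname = newname.replace(oldword, newword)
        if newname != name:
            os.rename(os.path.join(rootfolder, name), os.path.join(rootfolder, newname))
```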
diff --git a/inc/scrub.txt b/inc/scrub.txt
new file mode 100644
index 0000000..13922bb
--- /dev/null
+++ b/inc/scrub.txt
@@ -0,0 +1,23 @@
+# First line: source directory Second line: target directory. WILL BE OVERWRITTEN!
+/etc/ansible
+/home/bgstack15/ansible.clean
+# Rest of the lines are "OLD WORD" "NEW WORD"
+bgstack15 bgstack15
+bgstack15 bgstack15
+bgstack15 bgstack15
+user16 user16
+user16 user16
+user16 user16
+example example
+EXAMPLE EXAMPLE
+".com" ".com"
+"dc=com" "dc=com"
+"DC=com" "DC=com"
+".COM" ".COM"
+"203.0." "203.0."
+one one
+two two
+three three
+four four
+five five
+six six
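Review bot: This is the post-scrub copy of the substitution table, and publishing it discloses the shape of what was redacted — three distinct strings collapsed into one account name, three into `user16`, a `203.0.` address prefix, six real hostnames — while every remaining line is an identity mapping that does nothing. Keep `inc/scrub.txt` (and ideally `inc/scrub.py`) out of the published tree, or ship a commented template with the real table held outside the repo; the `Improve:` list in `scrub.py` already asks for an exclude option that would do this.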
diff --git a/master.yml b/master.yml
new file mode 100644
index 0000000..064767e
--- /dev/null
+++ b/master.yml
@@ -0,0 +1,18 @@
+---
+- name: All hosts
+ hosts: all
+ remote_user: root
+ roles:
+ - ad
+ - resolv_conf
+ - ssh
+ - ssh_keys
+ vars:
+ ssh_key_files:
+ - { user: 'bgstack15', file: '../../../company/pubkeys/bgstack15.pubkeys' }
+
+- name: Webservers
+ hosts: webservers
+ remote_user: root
+ roles:
+ - fail2ban
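Review bot: `remote_user: root` on both plays means the control machine logs straight in as root on every host; the `ssh` role is not in this diff, so I cannot tell whether `PermitRootLogin` is being left open to make this work — prefer an unprivileged automation account with `become: yes`. `ssh_key_files` points at `company/pubkeys/bgstack15.pubkeys`, but the file added in this commit is `company/pubkeys/bgirton.pubkeys` (the scrub rewrote contents, not filenames), so the published playbook cannot find its key file and the path leaks the real account name. Note also that the `fail2ban` role, and with it the sshd jail, runs only on `webservers`, not on the hosts covered by the first play.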
diff --git a/roles/ad/hosts/default.yml b/roles/ad/hosts/default.yml
new file mode 100644
index 0000000..d7bc1a7
--- /dev/null
+++ b/roles/ad/hosts/default.yml
@@ -0,0 +1,4 @@
+# This file exists to ensure the directory is generated if ever packed in a tarball or something.
+# This directory, hosts/, may be used for specific hosts to get specific variables
+---
+ad_access_filter: SHOULD NEVER SEE THIS
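Review bot: `ad_access_filter: SHOULD NEVER SEE THIS` is a sentinel, not an LDAP filter, and if the `hosts/` lookup ever falls through to this file the string is what gets rendered into `sssd.conf`; how sssd's AD access provider treats a malformed filter is not something to rely on for an access decision. Leave the key out (an undefined variable stops the play loudly) or, if a value is required, use an explicit filter that matches nothing, e.g. `ad_access_filter: (objectClass=nothing)` with a comment. The `ad` role's tasks are not part of this diff, so I cannot see whether this file is actually loaded.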
diff --git a/roles/ssh_keys/main.yml b/roles/ssh_keys/main.yml
index 9022768..430c387 100644
--- a/roles/ssh_keys/main.yml
+++ b/roles/ssh_keys/main.yml
@@ -4,5 +4,3 @@
- vars/default.yml
tasks:
- include: tasks/main.yml
- handlers:
- - handlers/main.yml
diff --git a/roles/ssh_keys/tasks/main.yml.2016-10-03.01 b/roles/ssh_keys/tasks/main.yml.2016-10-03.01
new file mode 100644
index 0000000..89d8d89
--- /dev/null
+++ b/roles/ssh_keys/tasks/main.yml.2016-10-03.01
@@ -0,0 +1,63 @@
+---
+- name: ssh_keys get vars
+ include_vars: default.yml
+
+- name: ssh_keys get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+#- shell: echo "{{ item | basename | regex_replace('\.pubkeys?$','') }}"
+# with_fileglob:
+# - '*.pubkey'
+# - '*.pubkeys'
+# register: users_to_check
+
+#- debug: var=ssh_key_strings
+#- debug: var=ssh_key_files
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_strings }}'
+ register: "s"
+ when: ssh_key_strings is defined
+
+- stat: path='{{ master_home_dir}}/{{ item.user }}/.ssh'
+ with_items:
+ - '{{ ssh_key_files }}'
+ register: "r"
+ when: ssh_key_files is defined
+
+#- debug: msg='{{ item.stat.exists }}'
+# with_flattened:
+# - '{{ r.results }}'
+
+- name: ssh_keys deploy keys from files
+ template:
+ src: "roles/ssh_keys/files/{{ item.item.file }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ with_items:
+ - '{{ r.results }}'
+ when:
+ - item.stat.exists is defined
+ - '{{ item.stat.exists }}'
+ - r is defined
+
+- name: ssh_keys deploy keys from strings
+ lineinfile:
+ line: '{{ item.item.string }}'
+ regexp: "{{ item.item.string | regex_replace('^(.{40}).*$','\\1') }}"
+ dest: '{{ master_home_dir }}/{{ item.item.user }}/.ssh/authorized_keys'
+ mode: 0600
+ owner: '{{ item.item.user }}'
+ create: yes
+ state: present
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - item.stat.exists is defined
+ - '{{ item.stat.exists }}'
+ - s is defined
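Review bot: The `regexp` for the string-deployed keys keeps only the first 40 characters of the key, and for an RSA key those are almost entirely the fixed `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ` header, so `lineinfile` can match a different RSA key already in the user's `authorized_keys` and overwrite it instead of appending; match the whole key (`regexp: "^{{ item.item.string | regex_escape }}$"`) or, better, use Ansible's `authorized_key` module, which handles this correctly. Deploying key files with `template:` also runs them through Jinja2, so a `{{` or `{%` in a key comment would be evaluated; `copy:` is the right module for literal files. This file is a dated backup (`main.yml.2016-10-03.01`) that Ansible will never load — keep such copies out of the repository and let git hold the history.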
diff --git a/roles/sudo/main.yml b/roles/sudo/main.yml
new file mode 100644
index 0000000..430c387
--- /dev/null
+++ b/roles/sudo/main.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ vars_files:
+ - vars/default.yml
+ tasks:
+ - include: tasks/main.yml
diff --git a/roles/sudo/tasks/2 b/roles/sudo/tasks/2
new file mode 100644
index 0000000..5dd7b7f
--- /dev/null
+++ b/roles/sudo/tasks/2
@@ -0,0 +1,25 @@
+---
+- name: sudo get vars
+ include_vars: default.yml
+
+- name: sudo get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- debug: msg="{{ item | regex_replace('^.*\/','') }}"
+ with_items:
+ - '{{ sudo_files }}'
+
+- name: sudo deploy rules from files
+ template:
+ src: "roles/sudo/files/{{ item.file }}"
+ dest: "{{ sudo_rules_dir }}/{{ item.file | regex_replace('^.*\/','a') }}"
+ mode: 0440
+ owner: '{{ sudo_root_user }}'
+ group: '{{ sudo_root_group }}'
+ with_items:
+ - '{{ sudo_files }}'
+ when:
+ - sudo_files is defined
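Review bot: This file looks like a scratch copy of `tasks/main.yml` (its name is just `2`) and carries a left-over experiment: `regex_replace('^.*\/','a')` in `dest` replaces the path prefix with a literal `a`, so a rule would be installed as `a40_…`, and the `debug` task prints every entry on each run. Ansible will not load it from `tasks/2`, but it will confuse the next maintainer who searches for the sudo tasks; remove it rather than commit it.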
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
new file mode 100644
index 0000000..07fda25
--- /dev/null
+++ b/roles/sudo/tasks/main.yml
@@ -0,0 +1,63 @@
+---
+- name: sudo get vars
+ include_vars: default.yml
+
+- name: sudo get OS vars
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - default.yml
+
+- stat: path='{{ sudo_rules_dir }}/{{ item.priority }}_{{ item.name }}' #'
+ with_items:
+ - '{{ sudo_strings }}'
+ register: "s"
+ when: sudo_strings is defined
+
+- name: sudo deploy rules from files
+ template:
+ src: "roles/sudo/files/{{ item.file }}"
+ dest: "{{ sudo_rules_dir }}/{{ item.file | regex_replace('.*/','') }}"
+ mode: 0440
+ owner: '{{ sudo_root_user }}'
+ group: '{{ sudo_root_group }}'
+ with_items:
+ - '{{ sudo_files }}'
+ when:
+ - sudo_files is defined
+
+- name: sudo remove rules from files
+ file: path='{{ sudo_rules_dir }}/{{ item.file | regex_replace('.*/','') }}' state='absent'
+ with_items:
+ - '{{ sudo_files }}'
+ when:
+ - sudo_files is defined
+ - ( not item.exists ) or ( '{{ item.exists | lower }}' == 'false' )
+
+#- debug: msg='foo'
+# with_items: '{{ s.results }}'
+
+- name: sudo deploy rules from strings
+ lineinfile:
+ line: "{{ item.item.content }}"
+ regexp: "{{ item.item.content | regex_replace('^(.{8}).*$','\\1') }}"
+ dest: '{{ sudo_rules_dir }}/{{ item.item.priority }}_{{ item.item.name }}'
+ mode: 0600
+ owner: '{{ sudo_root_user }}'
+ group: '{{ sudo_root_group }}'
+ create: yes
+ state: present
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - item.stat.exists is defined
+ - s is defined
+ - '{{ item.item.exists }}'
+
+- name: sudo remove rules from strings
+ file: path='{{ sudo_rules_dir }}/{{ item.item.priority }}_{{ item.item.name }}' state='absent'
+ with_items:
+ - '{{ s.results }}'
+ when:
+ - s is defined
+ - ( not item.item.exists ) or ( '{{ item.item.exists | lower }}' == 'false' )
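Review bot: Neither task that writes into `{{ sudo_rules_dir }}` validates the result, so a typo in a rule (or a file like the committed `40_BGIRTON`, whose lowercase `User_Alias` name the sudoers grammar rejects) is installed as-is, and a parse error in any `sudoers.d` fragment makes sudo refuse every command on that host; add `validate: 'visudo -cf %s'` to both the `template` and the `lineinfile` task. The `lineinfile` `regexp` keeps only the first eight characters of the rule, so two rules that begin `User_Ali…` or `ADMINS A…` written to the same file replace each other instead of coexisting; since every string rule already gets its own `{{ priority }}_{{ name }}` file, `copy:` with `content:` (plus `validate`) is simpler and removes the prefix matching altogether. String rules are written `mode: 0600` while file rules get `0440` — sudo accepts both, but pick one. The `when:` clauses embed `'{{ item.exists | lower }}'` inside an already-templated expression; `not (item.item.exists | bool)` handles the mixed `'false'`/`false` values used in the test playbooks without nested templating.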
diff --git a/roles/sudo/tests/test.yml b/roles/sudo/tests/test.yml
new file mode 100644
index 0000000..e15f798
--- /dev/null
+++ b/roles/sudo/tests/test.yml
@@ -0,0 +1,12 @@
+---
+- name: Test playbook for sudo
+ hosts: test
+ remote_user: root
+ roles:
+ - sudo
+ vars:
+ sudo_strings:
+ - { priority: 42, exists: 'false', name: 'admins-do-all', content: 'User_Alias ADMINS = bgstack15, bgstack15, user16, user16' }
+ - { priority: 43, exists: false, name: 'a', content: "ADMINS ALL=(ALL) ALL" }
+ sudo_files:
+ - { exists: 'false', file: '../../../company/sudo-files/40_bgstack15' }
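Review bot: `sudo_files` references `../../../company/sudo-files/40_bgstack15`, but the file committed here is `company/sudo-files/40_BGIRTON` — the scrub renamed contents but not filenames — so this test cannot run from the published tree and the path leaks the real account name. `exists` is given as the string `'false'` for two entries and the boolean `false` for the third; the role's `when:` clauses happen to cope with both, but use the boolean everywhere (`exists: false`) so `| bool` checks behave uniformly. A playbook that installs sudo rules as root onto `hosts: test` should say in a comment that those are throwaway hosts.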
diff --git a/roles/sudo/vars/FreeBSD.yml b/roles/sudo/vars/FreeBSD.yml
new file mode 100644
index 0000000..0205496
--- /dev/null
+++ b/roles/sudo/vars/FreeBSD.yml
@@ -0,0 +1,4 @@
+---
+sudo_rules_dir: /usr/local/etc/sudoers.d/
+sudo_root_user: root
+sudo_root_group: wheel
diff --git a/roles/sudo/vars/default.yml b/roles/sudo/vars/default.yml
new file mode 100644
index 0000000..80e6de4
--- /dev/null
+++ b/roles/sudo/vars/default.yml
@@ -0,0 +1,4 @@
+---
+sudo_rules_dir: /etc/sudoers.d/
+sudo_root_user: root
+sudo_root_group: root
diff --git a/test.yml b/test.yml
new file mode 100644
index 0000000..e15f798
--- /dev/null
+++ b/test.yml
@@ -0,0 +1,12 @@
+---
+- name: Test playbook for sudo
+ hosts: test
+ remote_user: root
+ roles:
+ - sudo
+ vars:
+ sudo_strings:
+ - { priority: 42, exists: 'false', name: 'admins-do-all', content: 'User_Alias ADMINS = bgstack15, bgstack15, user16, user16' }
+ - { priority: 43, exists: false, name: 'a', content: "ADMINS ALL=(ALL) ALL" }
+ sudo_files:
+ - { exists: 'false', file: '../../../company/sudo-files/40_bgstack15' }
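Review bot: This file is a byte-identical copy of `roles/sudo/tests/test.yml` (both hunks show blob `e15f798`), so every change has to be made twice; keep the one under the role and, if a top-level entry point is wanted, make it `- include: roles/sudo/tests/test.yml` or a symlink. Like the original it references `40_bgstack15` while the committed file is `40_BGIRTON`, mixes `'false'` strings with `false` booleans in `exists`, and logs in as root.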