-rw-r--r-- | company.example/ad-vars/FreeBSD.yml | 4 | ||||
-rw-r--r-- | company.example/pubkeys/lcroce.pubkey | 1 | ||||
-rw-r--r-- | company/ad-templates/krb5.conf.CentOS (renamed from company.example/ad-templates/krb5.conf.CentOS) | 0 | ||||
-rw-r--r-- | company/ad-templates/krb5.conf.FreeBSD (renamed from company.example/ad-templates/krb5.conf.FreeBSD) | 0 | ||||
-rw-r--r-- | company/ad-templates/krb5.conf.Ubuntu (renamed from company.example/ad-templates/krb5.conf.Ubuntu) | 0 | ||||
-rw-r--r-- | company/ad-templates/sssd.conf.CentOS (renamed from company.example/ad-templates/sssd.conf.CentOS) | 6 | ||||
-rw-r--r-- | company/ad-templates/sssd.conf.FreeBSD (renamed from company.example/ad-templates/sssd.conf.FreeBSD) | 6 | ||||
-rw-r--r-- | company/ad-templates/sssd.conf.Ubuntu (renamed from company.example/ad-templates/sssd.conf.Ubuntu) | 6 | ||||
-rw-r--r-- | company/ad-vars/FreeBSD.yml | 4 | ||||
-rw-r--r-- | company/ad-vars/default.yml (renamed from company.example/ad-vars/default.yml) | 0 | ||||
-rw-r--r-- | company/fail2ban-files/filter.d/20_bju-blns.filter (renamed from company.example/fail2ban-files/filter.d/20_example-blns.filter) | 0 | ||||
-rw-r--r-- | company/fail2ban-files/filter.d/30_bju-max3.filter (renamed from company.example/fail2ban-files/filter.d/30_example-max3.filter) | 0 | ||||
-rw-r--r-- | company/fail2ban-files/filter.d/60_sshd.filter (renamed from company.example/fail2ban-files/filter.d/60_sshd.filter) | 0 | ||||
-rw-r--r-- | company/fail2ban-files/jail.d/00_default.jail (renamed from company.example/fail2ban-files/jail.d/00_default.jail) | 0 | ||||
-rw-r--r-- | company/fail2ban-files/jail.d/20_bju-blns.jail (renamed from company.example/fail2ban-files/jail.d/20_example-blns.jail) | 0 | ||||
-rw-r--r-- | company/fail2ban-files/jail.d/30_bju-max3.jail (renamed from company.example/fail2ban-files/jail.d/30_example-max3.jail) | 0 | ||||
-rw-r--r-- | company/fail2ban-files/jail.d/60_sshd.jail (renamed from company.example/fail2ban-files/jail.d/60_sshd.jail) | 0 | ||||
-rw-r--r-- | company/pubkeys/bgirton.pubkeys (renamed from company.example/pubkeys/alice.pubkeys) | 2 | ||||
-rw-r--r-- | company/pubkeys/lcroce.pubkey | 1 | ||||
-rw-r--r-- | company/resolv_conf-templates/resolv.conf (renamed from company.example/resolv_conf-templates/resolv.conf) | 0 | ||||
-rw-r--r-- | hosts (renamed from hosts.example) | 0 | ||||
-rwxr-xr-x | inc/scrub.py | 109 | ||||
-rw-r--r-- | inc/scrub.txt | 23 | ||||
-rw-r--r-- | master.yml (renamed from master.yml.example) | 2 | ||||
-rw-r--r-- | roles/ad/hosts/default.yml | 4 | ||||
-rw-r--r-- | test.yml | 12 |
26 files changed, 164 insertions, 16 deletions
diff --git a/company.example/ad-vars/FreeBSD.yml b/company.example/ad-vars/FreeBSD.yml deleted file mode 100644 index 7ff821f..0000000 --- a/company.example/ad-vars/FreeBSD.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -sssd_dir: /usr/local/etc/sssd -ad_access_filter: (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) -simple_allow_users: Alice, alice, alice-local diff --git a/company.example/pubkeys/lcroce.pubkey b/company.example/pubkeys/lcroce.pubkey deleted file mode 100644 index fc39667..0000000 --- a/company.example/pubkeys/lcroce.pubkey +++ /dev/null @@ -1 +0,0 @@ -FOO 2016-09-22 08:49 this is the contents of bob.pubkey diff --git a/company.example/ad-templates/krb5.conf.CentOS b/company/ad-templates/krb5.conf.CentOS index 74570ae..74570ae 100644 --- a/company.example/ad-templates/krb5.conf.CentOS +++ b/company/ad-templates/krb5.conf.CentOS diff --git a/company.example/ad-templates/krb5.conf.FreeBSD b/company/ad-templates/krb5.conf.FreeBSD index e6b8a3a..e6b8a3a 100644 --- a/company.example/ad-templates/krb5.conf.FreeBSD +++ b/company/ad-templates/krb5.conf.FreeBSD diff --git a/company.example/ad-templates/krb5.conf.Ubuntu b/company/ad-templates/krb5.conf.Ubuntu index 6a4c23b..6a4c23b 100644 --- a/company.example/ad-templates/krb5.conf.Ubuntu +++ b/company/ad-templates/krb5.conf.Ubuntu diff --git a/company.example/ad-templates/sssd.conf.CentOS b/company/ad-templates/sssd.conf.CentOS index 8678bd2..dafb287 100644 --- a/company.example/ad-templates/sssd.conf.CentOS +++ b/company/ad-templates/sssd.conf.CentOS @@ -8,7 +8,7 @@ autofs_provider = ldap cache_credentials = True krb5_realm = EXAMPLE.COM -ldap_search_base = dc=example,dc=edu +ldap_search_base = dc=example,dc=com krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com id_provider = ldap auth_provider = krb5 
@@ -35,8 +35,8 @@ ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%d/%u access_provider = ad -ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) -simple_allow_users = Alice, alice, Bob, bob +ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*)) +simple_allow_users = bgstack15, bgstack15, user16, user16 case_sensitive = true ad_gpo_access_control = disabled [autofs] diff --git a/company.example/ad-templates/sssd.conf.FreeBSD b/company/ad-templates/sssd.conf.FreeBSD index 4b6a816..9add0ed 100644 --- a/company.example/ad-templates/sssd.conf.FreeBSD +++ b/company/ad-templates/sssd.conf.FreeBSD @@ -8,7 +8,7 @@ autofs_provider = ldap cache_credentials = True krb5_realm = EXAMPLE.COM -ldap_search_base = dc=example,dc=edu +ldap_search_base = dc=example,dc=com krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com id_provider = ldap auth_provider = krb5 @@ -35,7 +35,7 @@ ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%d/%u access_provider = ad -ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) -simple_allow_users = Alice, alice, Bob, bob +ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*)) +simple_allow_users = bgstack15, bgstack15, user16, user16 case_sensitive = true ad_gpo_access_control = disabled diff --git a/company.example/ad-templates/sssd.conf.Ubuntu b/company/ad-templates/sssd.conf.Ubuntu index a37f7b5..7b7dae3 100644 --- a/company.example/ad-templates/sssd.conf.Ubuntu +++ b/company/ad-templates/sssd.conf.Ubuntu 
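Review bot: The new `simple_allow_users = bgstack15, bgstack15, user16, user16` lists each account twice, which looks like the scrub collapsed the two case variants (`Alice`/`alice`, `Bob`/`bob`) into one replacement; harmless, but it obscures what the list is meant to allow. More importantly, `access_provider = ad` two lines above means sssd evaluates `ad_access_filter`, and as far as I recall `simple_allow_users` belongs to the `simple` access provider and is not consulted here, so the allowlist is dead configuration that a reader may assume is enforced — worth confirming against sssd-simple(5)/sssd-ad(5) and then either dropping the line or annotating it with `# NOTE: not consulted while access_provider = ad; access is governed by ad_access_filter`. The identical change appears in the FreeBSD and Ubuntu templates and the same note applies to both.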
@@ -8,7 +8,7 @@ autofs_provider = ldap cache_credentials = True krb5_realm = EXAMPLE.COM -ldap_search_base = dc=example,dc=edu +ldap_search_base = dc=example,dc=com krb5_server = dc1.example.com,dc2.example.com,dc3.example.com,dc4.example.com id_provider = ldap auth_provider = krb5 @@ -35,8 +35,8 @@ ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%d/%u access_provider = ad -ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=edu)(unixHomeDirectory=*)) -simple_allow_users = Alice, alice, Bob, bob +ad_access_filter = (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*)) +simple_allow_users = bgstack15, bgstack15, user16, user16 case_sensitive = true ad_gpo_access_control = disabled [autofs] diff --git a/company/ad-vars/FreeBSD.yml b/company/ad-vars/FreeBSD.yml new file mode 100644 index 0000000..77e2a9c --- /dev/null +++ b/company/ad-vars/FreeBSD.yml @@ -0,0 +1,4 @@ +--- +sssd_dir: /usr/local/etc/sssd +ad_access_filter: (&(memberOf=CN=Linux-Server-Access_grp,OU=Linux-Access,OU=Accounts-Groups,DC=example,DC=com)(unixHomeDirectory=*)) +simple_allow_users: bgstack15, bgstack15, bgstack15-local diff --git a/company.example/ad-vars/default.yml b/company/ad-vars/default.yml index cb65db8..cb65db8 100644 --- a/company.example/ad-vars/default.yml +++ b/company/ad-vars/default.yml diff --git a/company.example/fail2ban-files/filter.d/20_example-blns.filter b/company/fail2ban-files/filter.d/20_bju-blns.filter index c39cefa..c39cefa 100644 --- a/company.example/fail2ban-files/filter.d/20_example-blns.filter +++ b/company/fail2ban-files/filter.d/20_bju-blns.filter diff --git a/company.example/fail2ban-files/filter.d/30_example-max3.filter b/company/fail2ban-files/filter.d/30_bju-max3.filter index af692af..af692af 100644 --- a/company.example/fail2ban-files/filter.d/30_example-max3.filter 
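Review bot: `simple_allow_users: bgstack15, bgstack15, bgstack15-local` names the same account twice and drops the `user16` entries that the sssd.conf templates in this commit carry, so FreeBSD hosts would end up with a different allowlist than CentOS/Ubuntu; if that divergence is intentional a one-line comment saying why belongs here, otherwise the list should match the templates. Note that with `access_provider = ad` in those templates this option may not be consulted at all, so the difference could go unnoticed in practice.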
+++ b/company/fail2ban-files/filter.d/30_bju-max3.filter
diff --git a/company.example/fail2ban-files/filter.d/60_sshd.filter b/company/fail2ban-files/filter.d/60_sshd.filter
index 33b8ba8..33b8ba8 100644
--- a/company.example/fail2ban-files/filter.d/60_sshd.filter
+++ b/company/fail2ban-files/filter.d/60_sshd.filter
diff --git a/company.example/fail2ban-files/jail.d/00_default.jail b/company/fail2ban-files/jail.d/00_default.jail
index 71cd3e8..71cd3e8 100644
--- a/company.example/fail2ban-files/jail.d/00_default.jail
+++ b/company/fail2ban-files/jail.d/00_default.jail
diff --git a/company.example/fail2ban-files/jail.d/20_example-blns.jail b/company/fail2ban-files/jail.d/20_bju-blns.jail
index eb1d1c9..eb1d1c9 100644
--- a/company.example/fail2ban-files/jail.d/20_example-blns.jail
+++ b/company/fail2ban-files/jail.d/20_bju-blns.jail
diff --git a/company.example/fail2ban-files/jail.d/30_example-max3.jail b/company/fail2ban-files/jail.d/30_bju-max3.jail
index 6ca7781..6ca7781 100644
--- a/company.example/fail2ban-files/jail.d/30_example-max3.jail
+++ b/company/fail2ban-files/jail.d/30_bju-max3.jail
diff --git a/company.example/fail2ban-files/jail.d/60_sshd.jail b/company/fail2ban-files/jail.d/60_sshd.jail
index aeb2751..aeb2751 100644
--- a/company.example/fail2ban-files/jail.d/60_sshd.jail
+++ b/company/fail2ban-files/jail.d/60_sshd.jail
diff --git a/company.example/pubkeys/alice.pubkeys b/company/pubkeys/bgirton.pubkeys
index 6d807a6..85abeb0 100644
--- a/company.example/pubkeys/alice.pubkeys
+++ b/company/pubkeys/bgirton.pubkeys
@@ -1,3 +1,3 @@
 # version 3.0
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8xc7BV1xCcKrzQvQwDhAAX6uDne5lSpgCURg4Vx8Au8fsaiFSVlCky+OOQAJipgucG0QBPiL60sNNsY03sKIAh7TMKsoUZuQ5sJM6EpyKGEYaOKFXjaShDFMtdvwGIANh/e86qpVGRkje+p8fvNxbHOXsQpYF+HpAv8u/HbaQQYtdkWaeR6nIO8LXWOapgO7t5pMdRQJa67+4Yyc7IQQM66WMXX5Ik3nGMMHog2PgrpTtaEdKOV2TzSynLBlp3UmOkLa4D0euvMsTwjTmqeORfCMVyVeYwHhZoz4V99L1aYCeI1jDwhD5GEf/DKOhMNVsw7OhqTSfVz3sYGbq0or alice@aluminum.example.com
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG8xc7BV1xCcKrzQvQwDhAAX6uDne5lSpgCURg4Vx8Au8fsaiFSVlCky+OOQAJipgucG0QBPiL60sNNsY03sKIAh7TMKsoUZuQ5sJM6EpyKGEYaOKFXjaShDFMtdvwGIANh/e86qpVGRkje+p8fvNxbHOXsQpYF+HpAv8u/HbaQQYtdkWaeR6nIO8LXWOapgO7t5pMdRQJa67+4Yyc7IQQM66WMXX5Ik3nGMMHog2PgrpTtaEdKOV2TzSynLBlp3UmOkLa4D0euvMsTwjTmqeORfCMVyVeYwHhZoz4V99L1aYCeI1jDwhD5GEf/DKOhMNVsw7OhqTSfVz3sYGbq0or bgstack15@aluminum.example.com
 ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAgURLzjIKMmN0Aq8YZTQp1N/6GMEuEs8WeOx2eg/lEXEFTxIQMMKYXxPDgzp2QLCQuuzgKOXBKw7KtnxtqTkmlAUWMDExSd7U1q/vZnDIubUFzZKbORJHWUOrI4Os/r9GPmnFro8kMCYjvmkUWIO82+JQHFBunICJcGKPJutcbSU= rsa-key-20130722
diff --git a/company/pubkeys/lcroce.pubkey b/company/pubkeys/lcroce.pubkey
new file mode 100644
index 0000000..8ed442d
--- /dev/null
+++ b/company/pubkeys/lcroce.pubkey
@@ -0,0 +1 @@
+FOO 2016-09-22 08:49 this is the contents of user16.pubkey
diff --git a/company.example/resolv_conf-templates/resolv.conf b/company/resolv_conf-templates/resolv.conf
index 7a647b0..7a647b0 100644
--- a/company.example/resolv_conf-templates/resolv.conf
+++ b/company/resolv_conf-templates/resolv.conf
diff --git a/inc/scrub.py b/inc/scrub.py
new file mode 100755
index 0000000..a0e9c70
--- /dev/null
+++ b/inc/scrub.py
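Review bot: The unchanged second key, `ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEA… rsa-key-20130722`, decodes to a 1024-bit RSA modulus (the `AAAAIEA` length prefix is 0x81 bytes) with a PuTTY-style public exponent of 37, and this file is what the `ssh_keys` role installs as authorized keys; 1024-bit RSA has been below recommended minimums for years and is refused by any `RequiredRSASize` above the default, so it should be replaced with a 3072-bit RSA or ed25519 key rather than carried into the published tree. The first key's material is unchanged and only its comment was rewritten, which is correct for scrubbing, but the comment still discloses a hostname (`aluminum.example.com`), so confirm that is the sanitized form and not the real one.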
@@ -0,0 +1,109 @@
+#!/bin/env python3
+# Filename: scrub.py
+# Location: Various
+# Author: bgstack15@gmail.com
+# Startdate: 2016-09-28
+# Title: Script that Simultaneously Copies and Scrubs a Directory
+# Purpose: Prepare projects for publication by removing private information like usernames and hostnames
+# Package: Various
+# History:
+# Usage:
+# Store this file with any package that gets published. Adjust scrub.txt in local directory.
+# # First line: source directory Second line: target directory. WILL BE OVERWRITTEN!
+# /etc/ansible
+# /home/bjones/ansible.clean
+# # Rest of the lines are "OLD WORD" "NEW WORD"
+# bjones bgstack15
+# rsmith rmstack15
+# Reference:
+# http://stackoverflow.com/questions/79968/split-a-string-by-spaces-preserving-quoted-substrings-in-python/524796#524796
+# http://stackoverflow.com/questions/6706953/python-using-subprocess-to-call-sed#6707003
+# http://stackoverflow.com/questions/6584871/remove-last-character-if-its-a-backslash/6584893#6584893
+# http://stackoverflow.com/questions/2212643/python-recursive-folder-read/2212728#2212728
+# parallel lists: http://stackoverflow.com/questions/1663807/how-can-i-iterate-through-two-lists-in-parallel-in-python
+# Improve:
+# Add option to specify scrub file
+# Add exclude option to scrub file, such as .git and so on
+# Accept CLI options like source, destination, even exclusions?
+# Also change filenames +import re, shlex, os, sys, shutil +from pathlib import Path + +# scrubpy version +scrubpyversion = "2016-09-29b" + +# Define functions + +def removeComments(string): + #string = re.sub(re.compile("/\*.*?\*/",re.DOTALL ) ,"", string) + #string = re.sub(re.compile("//.*?\n" ) ,"" ,string) + pattern = r"(\".*?\"|\'.*?\')|(/\*.*?\*/|(//|#)[^\r\n]*$)" + regex = re.compile(pattern, re.MULTILINE|re.DOTALL) + def _replacer(match): + if match.group(2) is not None: + return "" + else: + return match.group(1) + return regex.sub(_replacer, string) + +# Main code +stringfile = open('scrub.txt','r') +count=0 +thisdir="" +newdir="" +oldstrings=[] +newstrings=[] + +while True: + x = stringfile.readline().rstrip() + count += 1 + if not x: break + x = removeComments(x) + #print("x=" + x) + y = shlex.split (x) + if len(y) >= 1: + if thisdir == "": + thisdir = y[0] + elif newdir == "": + newdir = y[0] + if len(y) >= 2: + #print("y[0]=" + y[0] + "\t and y[1]=" + y[1]) + oldstrings.append(y[0]) + newstrings.append(y[1]) + +# After the file is done +stringfile.close() +#newdir = thisdir.rstrip('\/') + ".scrubbed/" + +if False: + print("\nthisdir=" + thisdir) + print("newdir=" + newdir + '\n') + print("oldstrings are:") + print(oldstrings) + print("newstrings are:") + print(newstrings) + +# Clean scrubbed directory +try: + shutil.rmtree(newdir) +except: + foo=1 + +shutil.copytree(thisdir,newdir,symlinks=True) + +# Execute substitutions +for rootfolder, subdirs, files in os.walk(thisdir): + for filename in files: + sourcepath = os.path.join(rootfolder, filename) + with open( sourcepath, "r" ) as source: + if not ".swp" in source.name and not ".git" in source.name: + destdir = rootfolder.replace(thisdir.rstrip('\/'),newdir.rstrip('\/')) + destfile = os.path.join(destdir, filename) + #print("sourcefile=" + source.name) + #print("destfile=" + destfile + '\n') + with open( destfile, "w") as target: + data = source.read() + for oldword, newword in zip(oldstrings, 
newstrings): + data = data.replace(oldword,newword) + changed = data + target.write(changed) diff --git a/inc/scrub.txt b/inc/scrub.txt new file mode 100644 index 0000000..13922bb --- /dev/null +++ b/inc/scrub.txt @@ -0,0 +1,23 @@ +# First line: source directory Second line: target directory. WILL BE OVERWRITTEN! +/etc/ansible +/home/bgstack15/ansible.clean +# Rest of the lines are "OLD WORD" "NEW WORD" +bgstack15 bgstack15 +bgstack15 bgstack15 +bgstack15 bgstack15 +user16 user16 +user16 user16 +user16 user16 +example example +EXAMPLE EXAMPLE +".com" ".com" +"dc=com" "dc=com" +"DC=com" "DC=com" +".COM" ".COM" +"203.0." "203.0." +one one +two two +three three +four four +five five +six six diff --git a/master.yml.example b/master.yml index 1ed4fda..064767e 100644 --- a/master.yml.example +++ b/master.yml @@ -9,7 +9,7 @@ - ssh_keys vars: ssh_key_files: - - { user: 'alice', file: '../../../company/pubkeys/alice.pubkeys' } + - { user: 'bgstack15', file: '../../../company/pubkeys/bgstack15.pubkeys' } - name: Webservers hosts: webservers diff --git a/roles/ad/hosts/default.yml b/roles/ad/hosts/default.yml new file mode 100644 index 0000000..d7bc1a7 --- /dev/null +++ b/roles/ad/hosts/default.yml @@ -0,0 +1,4 @@ +# This file exists to ensure the directory is generated if ever packed in a tarball or something. +# This directory, hosts/, may be used for specific hosts to get specific variables +--- +ad_access_filter: SHOULD NEVER SEE THIS diff --git a/test.yml b/test.yml new file mode 100644 index 0000000..f4608f9 --- /dev/null +++ b/test.yml @@ -0,0 +1,12 @@ +--- +- name: Test playbook for sudo + hosts: test + remote_user: root + roles: + - sudo + vars: + sudo_strings + - { priority: 40, name: 'admins-do-all', content: 'User_Alias ADMINS = bgstack15, bgstack15, user16, user16' } + - { priority: 41, name: 'a', content: 'ADMINS ALL=(ALL) ALL' } + sudo_files + - { file: '../../../company/sudo-files/40_bgstack15' } |
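Review bot: `shutil.rmtree(newdir)` under "Clean scrubbed directory" deletes whatever path ended up in `newdir` with no check that it is non-empty, differs from `thisdir`, or is not an ancestor of it, and the bare `except: foo=1` hides every failure; because the two directories are taken positionally from scrub.txt (a blank line silently ends parsing, a missing target line makes the first OLD WORD the deletion target, relative to the cwd), a one-line slip destroys a tree before anything is copied. The rewrite loop then calls `open(destfile, "w")` inside a tree produced by `copytree(..., symlinks=True)`, so any file symlink in the source is reproduced as a symlink in the copy and the scrubbed text is written through it to the link target — possibly back into the source or anywhere else the user can write — and the `.swp`/`.git` test runs only after `open(sourcepath, "r")` already succeeded, while text-mode reads raise `UnicodeDecodeError` on the first binary file, after the previous output has already been removed. The header's Improve list already notes that filenames are not rewritten; this commit shows the consequence (`bgirton.pubkeys`, `lcroce.pubkey`, `bju-*` survive in paths while their contents and references now say `bgstack15`/`user16`), so that item deserves priority over CLI options. The guards below keep the script's interface and scrub.txt format unchanged.
```python
# … unchanged: header, removeComments(), scrub.txt parsing …

# Refuse to destroy anything unless the target is a real, separate directory.
src = os.path.realpath(thisdir)
dst = os.path.realpath(newdir)
if not thisdir or not newdir or dst == src or dst == os.path.abspath(os.sep) \
        or src.startswith(dst + os.sep):
    sys.exit("scrub.py: refusing to rmtree %r (empty, '/', or contains %r)" % (newdir, thisdir))
if os.path.isdir(newdir):
    shutil.rmtree(newdir)

shutil.copytree(thisdir, newdir, symlinks=True)

# Execute substitutions
for rootfolder, subdirs, files in os.walk(thisdir):
    destdir = rootfolder.replace(thisdir.rstrip('\/'), newdir.rstrip('\/'))
    for filename in files:
        sourcepath = os.path.join(rootfolder, filename)
        destfile = os.path.join(destdir, filename)
        if ".swp" in sourcepath or ".git" in sourcepath:
            continue
        # Never write through a symlink: in the copy it points outside newdir
        # (or back into the source tree).
        if os.path.islink(sourcepath) or os.path.islink(destfile):
            continue
        try:
            with open(sourcepath, "r") as source:
                data = source.read()
        except UnicodeDecodeError:
            continue  # binary file: the verbatim copy from copytree stays as-is
        # … unchanged: replace each (oldword, newword) pair, write data to destfile …
```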
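Review bot: The new entry's path `'../../../company/pubkeys/bgstack15.pubkeys'` matches no file in this commit — the diffstat and the pubkeys hunk place the key file at `company/pubkeys/bgirton.pubkeys` — so the `ssh_keys` role will either fail or install nothing for user bgstack15, depending on how it treats a missing source. This looks like the content-only scrubbing in `inc/scrub.py`: the reference inside master.yml was rewritten while the filename on disk was not. Either rename the file to `bgstack15.pubkeys` or change the entry to `'../../../company/pubkeys/bgirton.pubkeys'`, and add a pre-publish step that verifies every `file:` in `ssh_key_files` exists.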
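Review bot: `ad_access_filter: SHOULD NEVER SEE THIS` is a live variable value, not a placeholder: if the role's vars lookup falls back to `hosts/default.yml` for a host without its own file (the role tasks are not in this diff, so I cannot confirm the lookup order), that string is rendered into sssd.conf as the access filter, where it is not a valid LDAP filter. Since the comment says the file exists only to keep the directory in a tarball, an empty document (`---` plus the two comment lines) does that without defining anything; if the key must be present, document the intent with `# Sentinel: a host that renders this value has no hosts/<name>.yml — fix the inventory rather than relaxing the filter` so nobody "fixes" it by substituting a permissive filter.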
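Review bot: `sudo_strings` and `sudo_files` under `vars:` are missing their colons, so this playbook is not valid YAML (a plain scalar followed by a block sequence at the same indent) and `ansible-playbook --syntax-check test.yml` will reject it; the two lines should read `sudo_strings:` and `sudo_files:`. The `User_Alias ADMINS = bgstack15, bgstack15, user16, user16` content repeats each name, a side-effect of the case-collapsing scrub that sudo tolerates but that hides which accounts are actually meant. `remote_user: root` also makes the test run over direct root SSH; if that is deliberate for the test host a comment saying so is warranted, otherwise `become: yes` with an unprivileged user is the safer default. The referenced `company/sudo-files/40_bgstack15` is not touched by this commit, so I cannot tell whether the path resolves.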