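# Play 1: rotate local account passwords on every Linux host.
# The connection uses the *old* password (ansible_ssh_pass), so old_password,
# new_password and new_user are expected from the inventory or extra-vars;
# they belong in a vault or secret store, not in this file.
- name: Configure users
  hosts: linux
  gather_facts: false
  vars:
    ansible_ssh_pass: "{{ old_password }}"
    # Accounts that must keep their current password.
    service_accounts:
      - suconf
      - cadm
      - sadmin
  tasks:
    # Pulls each host's password hashes onto the controller. fetch does not
    # restrict the permissions of ./shadows.bkp, so the controller's working
    # directory has to be protected (or the backups removed) after the run.
    - name: Backup /etc/shadow
      ansible.builtin.fetch:
        src: /etc/shadow
        dest: "./shadows.bkp/shadow-{{ inventory_hostname }}"
        flat: true

    - name: Get all users
      ansible.builtin.getent:
        database: passwd

    # Keeps accounts whose last passwd field (expected to be the login shell)
    # names an interactive shell. The test is a substring match, so "bash"
    # also matches variants such as rbash — TODO confirm that is acceptable.
    - name: Filter passwd
      ansible.builtin.set_fact:
        login_users: "{{ login_users | default([]) + [item.key] }}"
      when: ("bash" in item.value[-1] or "zsh" in item.value[-1] or "/bin/sh" in item.value[-1])
      loop: "{{ lookup('dict', ansible_facts['getent_passwd']) | list }}"
      loop_control:
        loop_var: item

    # login_users only exists when at least one account matched above; the
    # default([]) keeps a host with no interactive accounts from failing here.
    # Jinja filters bind tighter than "+", so service_accounts are removed
    # from login_users before the concatenation.
    - name: Add users from inventory.ini
      ansible.builtin.set_fact:
        chpasswd_users: "{{ chpasswd_users | default([]) + login_users | default([]) | difference(service_accounts) }}"

    - name: Get chpasswd_users
      ansible.builtin.debug:
        msg: "{{ chpasswd_users }}"

    # update_password: on_create leaves an existing account untouched, so an
    # already-present new_user is NOT rotated by this task.
    - name: Add user {{ new_user }}
      ansible.builtin.user:
        name: "{{ new_user }}"
        password: "{{ new_password | password_hash('sha512') }}"
        shell: /bin/bash
        update_password: on_create

    # Passwordless sudo for ALL commands: the new account is root-equivalent.
    - name: Set sudoers for {{ new_user }}
      community.general.sudoers:
        name: "{{ new_user }}"
        user: "{{ new_user }}"
        commands: ALL
        nopassword: true

    # Every selected account receives the same new_password. password_hash
    # draws a fresh salt on each run, so this task reports "changed" every
    # time even when the password is already set.
    - name: Change password for users
      ansible.builtin.user:
        name: "{{ user }}"
        password: "{{ new_password | password_hash('sha512') }}"
      loop: "{{ chpasswd_users }}"
      loop_control:
        loop_var: user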
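# Play 2: default-deny INPUT chain built from appended rules. The iptables
# module appends by default, so on a fresh ruleset the task order below is
# the evaluation order and the final DROP must stay last. Only the running
# kernel ruleset is changed; persisting it across reboots is not covered.
- name: Configure iptables
  hosts: linux
  gather_facts: false
  tasks:
    - name: Set iptables ACCEPT ESTABLISHED
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT
        comment: Allow related and established connections

    - name: Set iptables ACCEPT ssh
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "22"
        jump: ACCEPT
        comment: Allow SSH

    # Loopback traffic. 127.0.0.0/8 is the canonical form of the original
    # 127.0.0.1/8; iptables masks the host bits either way, so the installed
    # rule is unchanged.
    - name: Set iptables ACCEPT localhost
      ansible.builtin.iptables:
        chain: INPUT
        protocol: all
        destination: 127.0.0.0/8
        jump: ACCEPT

    - name: Set iptables ACCEPT ping
      ansible.builtin.iptables:
        chain: INPUT
        protocol: icmp
        jump: ACCEPT
        comment: Allow icmp Ping

    # destination_ports renders an "-m multiport --dports" match, which
    # iptables refuses to combine with "protocol: all" — a concrete L4
    # protocol is required, so the original task could never apply.
    # ports is assumed to list TCP services; add a parallel task with
    # protocol: udp if UDP ports are configured. Hosts without a ports
    # variable (or with an empty list) are skipped instead of failing.
    - name: Set iptables per host rules
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        jump: ACCEPT
        comment: "Allow {{ ports }}"
        destination_ports: "{{ ports }}"
      when: ports | default([]) | length > 0

    - name: Set iptables DROP all
      ansible.builtin.iptables:
        chain: INPUT
        protocol: all
        jump: DROP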
# Play 3: tighten the permissions of the web root on the ftp hosts.
- name: Fix FTP vuln
  hosts: ftp
  gather_facts: false
  tasks:
    # No state is given, so the module default applies and the path must
    # already exist. NOTE(review): 0660 on a directory removes the execute
    # (traverse) bit for everyone, which would also lock out the web and FTP
    # services — confirm this is intended if /var/www/html is a directory.
    - name: Fix /var/www/html mode
      ansible.builtin.file:
        path: /var/www/html
        mode: '0660'
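# Play 4: install endpoint agents (KESL, klnagent, velociraptor) and deploy
# an auditd configuration on every Linux host.
- name: Install tools
  hosts: linux
  gather_facts: false
  tasks:
    # The installer comes from a variable URL and is executed as root below
    # without integrity verification. If the vendor publishes a digest, pin
    # it with get_url's checksum option, e.g. checksum: "sha256:<DIGEST_PLACEHOLDER>".
    # A root-owned staging directory is preferable to the shared /tmp.
    - name: Download KESL
      ansible.builtin.get_url:
        url: "{{ kesl_link }}"
        dest: /tmp/kesl.sh
        mode: '+x'

    # creates: skips the installer once the setup script exists.
    - name: Install KESL
      ansible.builtin.command: /bin/bash /tmp/kesl.sh
      args:
        creates: /opt/kaspersky/kesl/bin/kesl-setup.pl

    # Same caveats as the KESL download: unverified script, run as root.
    - name: Download klnagent
      ansible.builtin.get_url:
        url: "{{ klnagent_link }}"
        dest: /tmp/klnagent.sh
        mode: '+x'

    - name: Install klnagent
      ansible.builtin.command: /bin/bash /tmp/klnagent.sh
      args:
        creates: /opt/kaspersky/klnagent64/lib/bin/setup/postinstall.pl

    # apt installs the .deb straight from the URL; no signature or checksum
    # is checked by this task.
    - name: Install velociraptor
      ansible.builtin.apt:
        deb: "{{ velociraptor_deb_link }}"

    # Pulls the rule set from the master branch of a third-party repository,
    # so the deployed rules silently change whenever upstream does. Pin a
    # commit (or vendor the file into this repository) for reproducible
    # hardening.
    - name: Copy audit.rules
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules
        dest: /etc/audit/rules.d/audit.rules
        mode: '0660'

    # Only a line that is exactly "log_format = RAW" is rewritten; a missing
    # or differently spaced setting is left alone.
    - name: Change log_format to ENRICHED
      ansible.builtin.lineinfile:
        path: /etc/audit/auditd.conf
        regexp: '^log_format = RAW'
        line: 'log_format = ENRICHED'
        backup: true

    # state: restarted restarts auditd on every run (not idempotent); it is
    # what loads the new rules and auditd.conf written above.
    - name: Enable && start auditd
      ansible.builtin.service:
        name: auditd
        enabled: true
        state: restarted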