Batch execution of Linux host security baseline hardening
As the number of business operating systems grew sharply, the original manual hardening approach became slow and error-prone. To address this, an automated batch hardening method based on Ansible playbooks was put together. The article covers only a small number of hardening items; it is meant to show the approach, and readers can extend the list to match their own requirements.
1. Environment
- Ansible version: 2.7.9
- Managed hosts: CentOS 6.x/7.x, RedHat 6.x/7.x
2. Security baseline hardening items
| No. | Category | Hardening item |
|---|---|---|
| 001 | Configuration | Set the idle session timeout to 300 seconds |
| 002 | Configuration | Change the default umask to 027 |
| 003 | User | Prohibit SSH login as root |
| 004 | User | Prevent users outside the wheel group from switching to root |
| 005 | User | Create a regular user in the wheel group for OS administration |
| 006 | Account | Set the maximum password age to 90 days |
| 007 | Account | Set the minimum password length to 8 characters |
| 008 | Account | Password complexity: at least 3 character classes (digits, letters, special symbols) |
| 009 | Logging | Configure the rsyslog server |
| 010 | Logging | Configure the syslog server |
| 011 | Service | Restart rsyslog and sshd so the configuration takes effect |
3. Design of the ansible-playbook
This article uses a master/sub-task design: a master playbook is written first, and inside it the OS version is the condition on which different task files are called, so that one run hardens several operating-system versions. The lab directory layout is as follows (the task directory is named tasks/, matching the import_tasks paths used in the playbook):
```
/security
- os_reinforce.yml
- tasks/
  - RedHat6.yml
  - RedHat7.yml
```
#1. Master playbook os_reinforce.yml
```yaml
---
- name: Server System Reinforcement
  hosts: all
  # gather_facts (on by default) supplies the ansible_facts used in the conditions below
  tasks:
    # import_tasks is static, so the when: condition is applied to every task in the imported file
    - name: RedHat6 Server System Reinforcement
      import_tasks: tasks/RedHat6.yml
      when: >-
        (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6") or
        (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "6")
    - name: RedHat7 Server System Reinforcement
      import_tasks: tasks/RedHat7.yml
      when: >-
        (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7") or
        (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "7")
```
#2. Hardening tasks for the RedHat 6.x family, RedHat6.yml
```yaml
---
# Item 005: administrative account in the wheel group. "password" must be a crypt(3) hash,
# never cleartext. The 13-character DES-style hash used by the article is weak; prefer a
# SHA-512 crypt hash and keep it in ansible-vault rather than in the plain task file.
- name: create system admin user
  user:
    name: ICNOC
    uid: 1099
    groups: wheel
    password: syAphDStxyaxU
# Item 001: idle timeout. Match any existing TMOUT line so it is replaced rather than duplicated
# (a second export later in the file would override the value).
- name: session timeout
  lineinfile:
    path: /etc/profile
    regexp: '^export TMOUT='
    line: export TMOUT=300
# Item 010: forward everything to the central log server. rsyslog is the default on RHEL 6,
# so this file is only read if the legacy sysklogd is installed; copy replaces it wholesale.
- name: generate syslogfile
  copy:
    content: "*.* @10.142.82.187:514\n"
    dest: /etc/syslog.conf
# Item 009: rsyslog forwarding over UDP/514 ("@@" would select TCP).
- name: append content into rsyslogfile
  lineinfile:
    path: /etc/rsyslog.conf
    line: '*.* @10.142.82.187:514'
# Item 003: sshd honours the first PermitRootLogin directive it reads, so the regexp must also
# match an existing uncommented directive, not only the commented default. lineinfile replaces
# the last match; verify the effective value afterwards with "sshd -T | grep permitrootlogin".
- name: set PermitRootLogin no
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin'
    line: PermitRootLogin no
# Item 006: applies to accounts created afterwards; existing accounts need chage.
- name: set PASS_MAX_DAYS 90
  lineinfile:
    path: /etc/login.defs
    regexp: '^PASS_MAX_DAYS'
    line: PASS_MAX_DAYS 90
# Item 007: PASS_MIN_LEN is not enforced by pam_unix; the effective minimum is the
# minlen= argument on the PAM line below.
- name: set PASS_MIN_LEN 8
  lineinfile:
    path: /etc/login.defs
    regexp: '^PASS_MIN_LEN'
    line: PASS_MIN_LEN 8
# Items 007/008: complexity is enforced by pam_cracklib. authconfig regenerates system-auth,
# so a later authconfig run can undo this edit.
- name: set PASS minlen minclass
  lineinfile:
    path: /etc/pam.d/system-auth
    regexp: "pam_cracklib.so"
    line: "password requisite pam_cracklib.so try_first_pass retry=5 type= minlen=8 minclass=3"
# Item 004: inserted after pam_rootok.so so root itself can still su.
- name: set su permission
  lineinfile:
    path: /etc/pam.d/su
    insertafter: "pam_rootok.so"
    line: "auth required pam_wheel.so group=wheel"
# Item 002: the login-user branch of /etc/profile sets umask 002; anchor the regexp to that
# line so unrelated lines containing "002" are not rewritten. The system-account branch
# (umask 022) is left untouched.
- name: set umask
  lineinfile:
    path: /etc/profile
    regexp: '^\s*umask\s+002'
    line: "    umask 027"
# Item 011
- name: restart services
  service: name={{ item }} state=restarted
  with_items:
    - sshd
    - rsyslog
```
#3. Hardening tasks for the RedHat 7.x family, RedHat7.yml
```yaml
---
# Same tasks as RedHat6.yml; only the PAM password-quality task differs (see the comment there).
# Item 005: "password" must be a crypt(3) hash; prefer SHA-512 and store it in ansible-vault.
- name: create system admin user
  user:
    name: ICNOC
    uid: 1099
    groups: wheel
    password: syAphDStxyaxU
# Item 001: match any existing TMOUT line so it is replaced, not duplicated.
- name: session timeout
  lineinfile:
    path: /etc/profile
    regexp: '^export TMOUT='
    line: export TMOUT=300
# Item 010: RHEL 7 runs rsyslog; this file is only read if a legacy sysklogd is installed.
- name: generate syslogfile
  copy:
    content: "*.* @10.142.82.187:514\n"
    dest: /etc/syslog.conf
# Item 009: UDP/514 forwarding ("@@" would select TCP).
- name: append content into rsyslogfile
  lineinfile:
    path: /etc/rsyslog.conf
    line: '*.* @10.142.82.187:514'
# Item 003: also match an uncommented directive; sshd keeps the first one it reads.
- name: set PermitRootLogin no
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PermitRootLogin'
    line: PermitRootLogin no
# Item 006
- name: set PASS_MAX_DAYS 90
  lineinfile:
    path: /etc/login.defs
    regexp: '^PASS_MAX_DAYS'
    line: PASS_MAX_DAYS 90
# Item 007: advisory under PAM; the enforced minimum is minlen= on the PAM line.
- name: set PASS_MIN_LEN 8
  lineinfile:
    path: /etc/login.defs
    regexp: '^PASS_MIN_LEN'
    line: PASS_MIN_LEN 8
# Items 007/008: RHEL 7 system-auth uses pam_pwquality.so by default; the article inserts a
# pam_cracklib.so line in front of it. The same limits can instead be set for pam_pwquality in
# /etc/security/pwquality.conf, which authconfig does not rewrite.
- name: set PASS minlen minclass
  lineinfile:
    path: /etc/pam.d/system-auth
    insertbefore: "pam_pwquality.so"
    line: "password requisite pam_cracklib.so try_first_pass retry=5 type= minlen=8 minclass=3"
# Item 004
- name: set su permission
  lineinfile:
    path: /etc/pam.d/su
    insertafter: "pam_rootok.so"
    line: "auth required pam_wheel.so group=wheel"
# Item 002: anchored to the "umask 002" line of the login-user branch.
- name: set umask
  lineinfile:
    path: /etc/profile
    regexp: '^\s*umask\s+002'
    line: "    umask 027"
# Item 011
- name: restart services
  service: name={{ item }} state=restarted
  with_items:
    - sshd
    - rsyslog
```
4. Running the playbook
```
# cd /security
# ansible-playbook -v os_reinforce.yml
```
Running it first with `--check --diff` shows the file changes each task would make without applying them.
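An added audit for the items in the table above (example code written for this page, not part of the original article): it takes the contents of the files the playbook edits as strings, here a constructed sample, and returns pass or fail per item number. sshd_effective follows sshd's first-match rule, so a host that already had an explicit PermitRootLogin yes fails item 003 when a second directive is merely appended, which is exactly what a regexp that only matches the commented default can produce.

```python
import re

def sshd_effective(config, keyword):
    """sshd applies the FIRST uncommented occurrence of a keyword; later lines are ignored."""
    for line in config.splitlines():
        m = re.match(r'\s*(\w+)\s+(\S+)', line)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2)
    return None  # not set explicitly: the compiled-in default applies

def first(text, pattern):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def audit_baseline(files):
    """files: {path: contents}. Returns {item number from the table: True if compliant}."""
    profile, login_defs = files.get('/etc/profile', ''), files.get('/etc/login.defs', '')
    tmout = first(profile, r'^\s*export\s+TMOUT=(\d+)')
    umasks = re.findall(r'^\s*umask\s+(\d+)', profile, re.M)  # first one is the login-user branch
    pass_max = first(login_defs, r'^\s*PASS_MAX_DAYS\s+(\d+)')
    # login.defs PASS_MIN_LEN is not enforced by pam_unix; minlen= on the PAM line is
    pw = first(files.get('/etc/pam.d/system-auth', ''),
               r'^\s*password\s+requisite\s+(pam_(?:cracklib|pwquality)\.so.*)$') or ''
    minlen, minclass = first(pw, r'minlen=(\d+)'), first(pw, r'minclass=(\d+)')
    root_login = sshd_effective(files.get('/etc/ssh/sshd_config', ''), 'PermitRootLogin')
    return {
        '001': tmout is not None and int(tmout) <= 300,
        '002': bool(umasks) and umasks[0] == '027',
        '003': (root_login or '').lower() == 'no',
        '004': first(files.get('/etc/pam.d/su', ''), r'^\s*auth\s+required\s+(pam_wheel\.so)') is not None,
        '006': pass_max is not None and int(pass_max) <= 90,
        '007': minlen is not None and int(minlen) >= 8,
        '008': minclass is not None and int(minclass) >= 3,
        '009': first(files.get('/etc/rsyslog.conf', ''), r'^\s*\*\.\*\s+(@@?\S+)') is not None,
    }

def sample_host():
    """Constructed snippets (not real host data): every item applied, but sshd_config already
    held an explicit 'PermitRootLogin yes' and lineinfile only appended a second directive."""
    return {
        '/etc/profile': 'export TMOUT=300\nif [ $UID -gt 199 ]; then\n    umask 027\nelse\n    umask 022\nfi\n',
        '/etc/login.defs': 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 8\n',
        '/etc/pam.d/system-auth': 'password requisite pam_cracklib.so try_first_pass retry=5 type= minlen=8 minclass=3\n',
        '/etc/pam.d/su': 'auth sufficient pam_rootok.so\nauth required pam_wheel.so group=wheel\n',
        '/etc/rsyslog.conf': '*.info;mail.none /var/log/messages\n*.* @10.142.82.187:514\n',
        '/etc/ssh/sshd_config': 'PermitRootLogin yes\n#PermitRootLogin yes\nPermitRootLogin no\n',
    }
```

Calling audit_baseline(sample_host()) reports every item as passing except 003, because the appended PermitRootLogin no never takes effect.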