1. 修改文件权限
[root@localhost]# cat mod-sudo-1.yml
---
# Step 1 of the sudoers edit: add the owner write bit on /etc/sudoers.
# NOTE(review): root is not subject to the mode bits, so this step is likely
# unnecessary when the play runs as root; it is paired with the u-w step in
# mod-sudo-3.yml, which restores the original mode afterwards.
- hosts: all
  tasks:
    - name: chmod u+w
      file:
        mode: 'u+w'
        path: /etc/sudoers
2. 修改文件,在特定行下面插入一行
[root@localhost]# cat mod-sudo-2.yml
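---
# Step 2 of the sudoers edit: insert a sudoers entry after the root line.
# `validate` runs visudo against the candidate file before it replaces
# /etc/sudoers, so a malformed line cannot break sudo for every account on
# the host. The inserted entry grants osmaster unrestricted sudo
# (ALL=(ALL) ALL), which is the author's intended policy.
- hosts: all
  tasks:
    - name: change file context
      lineinfile:
        path: /etc/sudoers
        state: present
        # insertafter is a regexp; `\s+` tolerates tab or space after "root".
        insertafter: '^root\s+ALL'
        line: 'osmaster ALL=(ALL) ALL'
        validate: '/usr/sbin/visudo -cf %s'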
3. 修改回原来文件权限
[root@localhost]# cat mod-sudo-3.yml
---
# Orchestrates the three sudoers steps in order: make the file writable,
# add the osmaster entry, then drop the write bit again.
# NOTE(review): play-level `include` was deprecated in later Ansible releases
# in favour of `import_playbook`; switch once the controller version allows.
- include: mod-sudo-1.yml
- include: mod-sudo-2.yml
- hosts: all
  tasks:
    - name: chmod u-w
      file:
        mode: 'u-w'
        path: /etc/sudoers
2 编辑SELinux关闭
[root@localhost]# cat selinux-off.yml
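---
# Disables SELinux persistently (the `selinux` module edits the config file and
# reports that a reboot is required) and, via the handler, switches the running
# kernel to permissive immediately. This removes mandatory access control on
# the target; the setting is the author's policy choice.
- hosts: all
  tasks:
    - name: selinux off
      selinux:
        state: disabled
      notify:
        - selinux-off
  handlers:
    # `command` rather than `shell`: no shell features are used, so there is
    # no reason to go through a shell.
    - name: selinux-off
      command: setenforce 0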
3 关闭防火墙
[root@localhost]# cat firewalld-off.yml
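---
# Stops and disables firewalld. The first attempt tolerates failure so a host
# without the unit does not abort the play; the second attempt re-runs the
# same action without ignore_errors so that any other failure surfaces.
- hosts: all
  tasks:
    - name: firewalld off
      service:
        name: firewalld
        state: stopped
        enabled: false
      register: firewalld_result
      ignore_errors: true
    # Original condition used the deprecated `|failed` test and
    # `msg.find(...) != 0`, which only works when the message starts exactly
    # with that text; `not in` is robust to any prefix. `enabled: false` is
    # repeated so both attempts perform the same action.
    - name: phase1
      service:
        name: firewalld
        state: stopped
        enabled: false
      when:
        - firewalld_result.failed | default(false)
        - "'Could not find the requested service' not in (firewalld_result.msg | default(''))"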
4 编辑无响应注销
[root@localhost]# cat timeout.yml
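---
# Sets the shell idle timeout (TMOUT, seconds) in /etc/profile.
# One task with a regexp replaces any existing `export TMOUT...` line or
# appends the new one. The original pair (`state: absent` with `line:`, then
# `state: present`) only removed a line that was exactly `export TMOUT`, so an
# older `export TMOUT=600` would have survived next to the new value.
- hosts: all
  tasks:
    - name: change file context
      lineinfile:
        path: /etc/profile
        state: present
        regexp: '^export TMOUT'
        line: 'export TMOUT=3600'
    # NOTE(review): a user can still unset or change TMOUT in their own shell
    # unless the variable is also marked readonly — confirm whether that is
    # required by the policy being implemented.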
5 编辑history时间戳
[root@localhost]# cat 0307-history-format.yml
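---
# Adds a timestamp to bash history entries via HISTTIMEFORMAT in /etc/bashrc.
# One task with a regexp replaces any existing `export HISTTIMEFORMAT...` line
# or appends the new one; the original `state: absent` + `line:` step only
# removed a line that was exactly `export HISTTIMEFORMAT`, so an earlier
# definition with a value would have been left in place.
- hosts: all
  tasks:
    - name: change file context
      lineinfile:
        path: /etc/bashrc
        state: present
        regexp: '^export HISTTIMEFORMAT'
        line: 'export HISTTIMEFORMAT="%F %T"'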
6 修改SNMP默认团体名public为snmp_ciitc
[root@localhost]# cat 0308-snmp.yml
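---
# Replaces the default SNMP community name `public` with `snmp_ciitc` in
# snmpd.conf, only on hosts where the file exists.
- hosts: all
  tasks:
    # `stat` never fails on a missing path, so it replaces the original
    # `file: state=file` + ignore_errors probe and the deprecated `|success`.
    - name: if the file is there
      stat:
        path: /etc/snmp/snmpd.conf
      register: snmpd_conf
    # The stock file aligns the com2sec columns with runs of spaces, so `\s+`
    # is used instead of single literal spaces (the original regexp would not
    # have matched such a line). backrefs keeps the task from appending a new
    # line when nothing matches.
    - name: change file context
      lineinfile:
        path: /etc/snmp/snmpd.conf
        state: present
        backrefs: true
        regexp: '^com2sec\s+notConfigUser\s+default\s+public\s*$'
        line: 'com2sec notConfigUser default snmp_ciitc'
      when: snmpd_conf.stat.exists
    # NOTE(review): snmpd reads its config at start, so the daemon has to be
    # restarted for the new community name to take effect; no handler is
    # defined here. The new name is still a v1/v2c community sent in clear text.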
7 编辑访问控制
[root@localhost]# cat 0309-access-control.yml
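---
# Tightens the default umask to 027 in the system-wide shell startup files.
- hosts: all
  tasks:
    # Appended at EOF (lineinfile's default) so it takes effect after any
    # earlier umask statements in the file. The original bare `insertafter:`
    # was a YAML null and had no effect.
    - name: change /etc/bashrc
      lineinfile:
        path: /etc/bashrc
        state: present
        line: 'umask 027'
    # Replaces the last `umask 022` line in place. The capture group keeps the
    # file's own indentation instead of hard-coding a single leading space.
    - name: change /etc/profile
      lineinfile:
        path: /etc/profile
        state: present
        backrefs: true
        regexp: '^(\s*)umask 022\s*$'
        line: '\1umask 027'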
8 编辑登录失败用户锁定策略
[root@localhost]# cat 0310-user-lock.yml
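---
# Adds a pam_tally2 lockout rule (deny after 10 failures, unlock after 180 s,
# root unlocked after 1 s) to /etc/pam.d/system-auth.
- hosts: all
  tasks:
    # The regexp makes the task idempotent when the parameters change; with
    # only `line:` a second run with a different deny= value would append a
    # duplicate pam_tally2 entry. The bare `insertafter:` (a YAML null) is
    # dropped; the line is still appended at EOF when absent.
    - name: add /etc/pam.d/system-auth
      lineinfile:
        path: /etc/pam.d/system-auth
        state: present
        regexp: '^auth\s+required\s+pam_tally2\.so'
        line: 'auth required pam_tally2.so onerr=fail deny=10 unlock_time=180 root_unlock_time=1'
    # NOTE(review): pam_tally2's documentation pairs the auth line with an
    # `account required pam_tally2.so` entry, and the position of the auth line
    # in the stack matters — confirm the complete configuration against the
    # pam_tally2 man page. On EL systems system-auth is typically regenerated by
    # authconfig, which would discard this edit.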
[root@localhost]# cat password-policy.yml
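---
# Password quality (pam_cracklib) and password history (pam_unix remember=).
- hosts: all
  tasks:
    # Replaces the last existing `password requisite ...` line; backrefs means
    # nothing is appended when no line matches. The anchored regexp avoids
    # matching commented-out lines.
    # NOTE(review): on EL7 the stock `password requisite` module is
    # pam_pwquality; confirm pam_cracklib is installed on the targets.
    - name: add /etc/pam.d/system-auth
      lineinfile:
        path: /etc/pam.d/system-auth
        state: present
        backrefs: true
        regexp: '^password\s+requisite\s'
        line: 'password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 retry=3'
    # The original line ended in `md5`, which would make this pam_unix entry
    # hash changed passwords with MD5 — weaker than the sha512 that EL systems
    # typically use in system-auth. sha512 keeps the history check (remember=5)
    # without downgrading the hash. The regexp makes re-runs idempotent.
    - name: add /etc/pam.d/passwd
      lineinfile:
        path: /etc/pam.d/passwd
        state: present
        regexp: '^password\s+required\s+pam_unix\.so\s+remember='
        line: 'password required pam_unix.so remember=5 use_authtok sha512'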
[root@localhost]# cat password-rule.yml
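<<<<<<< HEAD
---
# Raises PASS_MIN_LEN from 5 to 8 in /etc/login.defs.
- hosts: all
  tasks:
    # `\s+` tolerates a tab or spaces between the key and the value (the
    # original regexp only matched a single tab). With backrefs, `line` is a
    # regex template, so the `\t` in the replacement is expanded to a real tab
    # and the task changes nothing when no line matches.
    - name: change /etc/login.defs
      lineinfile:
        path: /etc/login.defs
        state: present
        backrefs: true
        regexp: '^PASS_MIN_LEN\s+5\s*$'
        line: 'PASS_MIN_LEN\t8'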
[root@localhost]# cat 0313-tcp-trans.yml
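---
# Hardens sshd_config: disables GSSAPI, rhosts, host-based and empty-password
# authentication. One looped task replaces the five near-identical ones.
- hosts: all
  tasks:
    # `^#?` matches the directive whether or not it is commented out; the last
    # match is replaced, and the line is appended at EOF if there is none (the
    # original backrefs tasks silently did nothing when the expected text was
    # absent). `validate` runs `sshd -t` on the candidate file so a typo can
    # never leave sshd unable to restart.
    # NOTE(review): an appended line would land inside a trailing `Match`
    # block if the targets' sshd_config has one — check before rollout.
    # RhostsRSAAuthentication is an SSH protocol 1 option that OpenSSH 7.4
    # (the version pinned in check-rpm-info.yml) treats as deprecated.
    - name: harden sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?{{ item.key }}\s'
        line: '{{ item.key }} {{ item.value }}'
        validate: '/usr/sbin/sshd -t -f %s'
      with_items:
        - { key: GSSAPIAuthentication, value: 'no' }
        - { key: IgnoreRhosts, value: 'yes' }
        - { key: PermitEmptyPasswords, value: 'no' }
        - { key: RhostsRSAAuthentication, value: 'no' }
        - { key: HostbasedAuthentication, value: 'no' }
      notify: restart sshd
  handlers:
    # The original play never restarted sshd, so its edits only took effect
    # at the next unrelated restart.
    - name: restart sshd
      service:
        name: sshd
        state: restarted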
[root@localhost]# cat tcp-dns.yml
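---
# Turns off reverse-DNS lookups of connecting clients in sshd.
- hosts: all
  tasks:
    # `^#?` matches the commented stock line as well as an active one and the
    # setting is appended if absent; `validate` runs `sshd -t` on the candidate
    # file before it replaces sshd_config.
    - name: change SSH DNS
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?UseDNS\s'
        line: 'UseDNS no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
  handlers:
    # Without a restart the edit only takes effect at the next sshd restart.
    - name: restart sshd
      service:
        name: sshd
        state: restarted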
[root@localhost]# cat ssh-login.yml
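---
# sshd login settings: no empty passwords, pre-authentication banner.
# The PermitEmptyPasswords task duplicates the one in 0313-tcp-trans.yml.
- hosts: all
  tasks:
    # `^#?` matches the directive commented or not; the setting is appended if
    # absent. `validate` runs `sshd -t` on the candidate file.
    - name: change SSH empty password
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitEmptyPasswords\s'
        line: 'PermitEmptyPasswords no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
    # Replaces the `#Banner none` line in place instead of inserting after it,
    # so a re-run does not accumulate Banner lines.
    - name: change SSH banner
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?Banner\s'
        line: 'Banner /etc/motd'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted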
[root@localhost]# cat 0314-directory-access.yml
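---
# Sets ownership and mode on the account database files.
- hosts: all
  tasks:
    # Modes are quoted strings: an unquoted `0644` is parsed by YAML 1.1 as the
    # octal integer 420, which Ansible has to guess at. owner/group are pinned
    # to root so the task also repairs a wrong owner, not just the mode.
    # NOTE(review): EL7 ships /etc/shadow as mode 0000; 0600 is looser than
    # that default — confirm it is the intended policy.
    - name: set account file permissions
      file:
        path: "{{ item.path }}"
        owner: root
        group: root
        mode: "{{ item.mode }}"
      with_items:
        - { path: /etc/passwd, mode: '0644' }
        - { path: /etc/shadow, mode: '0600' }
        - { path: /etc/group, mode: '0644' }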
[root@localhost]# cat 0316-tcp-connections.yml
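---
# Raises the per-user open-file and process limits in limits.conf.
- hosts: all
  tasks:
    # One looped task instead of four copies. The regexp replaces an existing
    # entry for the same type/limit pair, so changing the value later does not
    # leave two conflicting lines; without a match the line is appended (the
    # trailing `# End of file` comment in the stock file is just a comment, so
    # appending after it is fine). The bare `insertafter:` nulls are dropped.
    - name: set nofile/nproc limits
      lineinfile:
        path: /etc/security/limits.conf
        state: present
        regexp: '^\*\s+{{ item.type }}\s+{{ item.limit }}\s'
        line: '* {{ item.type }} {{ item.limit }} {{ item.value }}'
      with_items:
        - { type: soft, limit: nofile, value: 65536 }
        - { type: hard, limit: nofile, value: 65536 }
        - { type: soft, limit: nproc, value: 65536 }
        - { type: hard, limit: nproc, value: 65536 }
    # NOTE(review): on EL7 a file under /etc/security/limits.d/ (e.g. the
    # packaged nproc override) may take precedence over limits.conf — verify
    # the effective limits with `ulimit -a` on a target.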
[root@localhost]# cat 0317-kernel-param.yml
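---
# Kernel tunables plus pam_limits for console logins.
- hosts: all
  tasks:
    # The `sysctl` module writes /etc/sysctl.conf (its default file) AND applies
    # the value to the running kernel; the original lineinfile tasks only
    # edited the file, so nothing changed until the next boot. Values are
    # quoted so YAML does not retype them.
    - name: set kernel parameters
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        sysctl_set: true
        reload: true
      with_items:
        - { name: kernel.panic_on_oops, value: '1' }
        - { name: vm.min_free_kbytes, value: '819200' }
        - { name: vm.max_map_count, value: '131060' }
        - { name: fs.file-max, value: '6815744' }
        - { name: fs.aio-max-nr, value: '1048576' }
    # The regexp keeps the task idempotent whether the existing line uses the
    # absolute path or the bare module name. The absolute path is kept from the
    # original; the conventional form is just `pam_limits.so`.
    # NOTE(review): on EL7 /etc/pam.d/login includes system-auth, which may
    # already load pam_limits — confirm before relying on this line.
    - name: session
      lineinfile:
        path: /etc/pam.d/login
        state: present
        regexp: '^session\s+required\s+(/lib64/security/)?pam_limits\.so'
        line: 'session required /lib64/security/pam_limits.so'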
[root@localhost]# cat 0318-service-close.yml
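---
# Stops and disables services that are not needed on these hosts.
- hosts: all
  tasks:
    # First pass tolerates failure so a host without the unit does not abort
    # the play. Block-style module arguments replace the key=value shorthand,
    # and the per-item results are kept for the second pass.
    - name: service off
      service:
        name: "{{ item }}"
        state: stopped
        enabled: false
      register: svc_off
      ignore_errors: true
      with_items:
        - avahi-daemon
        - bluetooth
    # Second pass repeats the action without ignore_errors for every service
    # whose first attempt failed for a reason other than "unit not found", so
    # genuine failures abort the play. `failed | default(false)` and `not in`
    # replace the deprecated `|failed` test and the fragile `find() != 0`.
    - name: phase1
      service:
        name: "{{ item.item }}"
        state: stopped
        enabled: false
      with_items: "{{ svc_off.results }}"
      when:
        - item.failed | default(false)
        - "'Could not find the requested service' not in (item.msg | default(''))"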
[root@localhost]# cat config-dns.yml
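---
# Adds the two internal resolvers to /etc/resolv.conf.
- hosts: all
  tasks:
    # Looped instead of two copies; each line is appended only if absent. The
    # bare `insertafter:` nulls are dropped (EOF is the default anyway).
    # NOTE(review): on hosts managed by NetworkManager or dhclient
    # /etc/resolv.conf is rewritten on network events, so this edit may not
    # persist — confirm how the targets manage their resolver configuration.
    # Resolver order follows line order: if neither line exists yet, .104 is
    # appended before .105.
    - name: config DNS
      lineinfile:
        path: /etc/resolv.conf
        state: present
        line: "nameserver {{ item }}"
      with_items:
        - 10.19.249.104
        - 10.19.249.105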
[root@localhost]# cat 0322-config-ntp.yml
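---
# Installs the managed ntp.conf from the AWX project directory.
- hosts: all
  tasks:
    # `src` is an absolute path on the controller. owner/group/mode are pinned
    # so the copied file does not inherit the checkout's permissions; `backup`
    # keeps a timestamped copy of the previous file. The handler restarts ntpd
    # so the new configuration takes effect (the original play did not).
    - name: copy files
      become: true
      copy:
        src: /var/lib/awx/projects/0322-config-ntp/example.conf
        dest: /etc/ntp.conf
        owner: root
        group: root
        mode: '0644'
        backup: true
      notify: restart ntpd
  handlers:
    - name: restart ntpd
      service:
        name: ntpd
        state: restarted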
具体配置文件如下:
[root@localhost]# cat /var/lib/awx/projects/0322-config-ntp/example.conf
# Managed ntp.conf deployed by 0322-config-ntp.yml.
# Upstream time sources: the internal NTP server is preferred, the second is a fallback.
server ntp.ciitc.com.cn prefer
server 10.19.250.1
# Clock drift estimate and ntpd log location.
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log
# Symmetric keys and the autokey password file.
keys /etc/ntp/keys
includefile /etc/ntp/crypto/pw
# NOTE(review): this file has no `restrict` lines, so ntpd appears to fall back
# to its built-in default access policy rather than the distribution's stock
# `restrict default ...` settings — compare with the packaged ntp.conf before rollout.
[root@localhost]# cat 0323-hwclock.yml
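---
# Asks the ntp packaging to sync the hardware clock after ntpd time-steps.
- hosts: all
  tasks:
    # The regexp replaces an existing SYNC_HWCLOCK= line (e.g. `=no`) instead
    # of appending a second one; the bare `insertafter:` null is dropped.
    # NOTE(review): confirm that the target's ntp packaging actually reads
    # SYNC_HWCLOCK from /etc/sysconfig/ntpd; on some releases only the
    # ntpdate unit honours it.
    - name: hwclock
      lineinfile:
        path: /etc/sysconfig/ntpd
        state: present
        regexp: '^SYNC_HWCLOCK='
        line: 'SYNC_HWCLOCK=yes'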
[root@localhost]# cat repo-create.yml
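---
# Registers the internal RHEL yum repository on every host.
- hosts: all
  tasks:
    - name: test connection
      ping:
    # Booleans written as true/false rather than yes/no.
    # NOTE(review): gpgcheck is off and the baseurl is plain HTTP, so packages
    # from this mirror are installed without any signature verification; if the
    # mirror publishes a signing key, set `gpgcheck: true` and `gpgkey`.
    - name: Add repository
      yum_repository:
        name: rhel
        description: RHEL YUM repo
        file: rhel
        baseurl: http://172.20.16.227:8090/rhel/
        gpgcheck: false
        enabled: true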
[root@localhost]# cat check-rpm-info.yml
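---
# Installs pinned ntp and openssh versions on EL7 hosts and restarts the
# corresponding daemons when a package actually changed (notify fires only on
# change). The version-only names (no release) are resolved by the package
# manager; if a different version is already installed, presumably it is
# updated rather than skipped — confirm on a test host.
- hosts: all
  tasks:
    - name: install ntp
      package:
        name: ntp-4.2.6p5
        state: present
      when: ansible_distribution_major_version == "7"
      notify:
        - restart ntpd
    - name: install openssh
      package:
        name: openssh-7.4p1
        state: present
      when: ansible_distribution_major_version == "7"
      notify:
        - restart sshd
  handlers:
    # Block-style module arguments replace the key=value shorthand.
    - name: restart ntpd
      service:
        name: ntpd
        state: restarted
    - name: restart sshd
      service:
        name: sshd
        state: restarted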