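---
# Security hardening, audit and config backup play.
#
# Read-only checks set changed_when: false so repeated runs stay idempotent,
# and the grep-based checks set failed_when: false because grep exits 1 when
# nothing matches. Debian-only tasks are gated on ansible_os_family.
- name: Security Hardening and Backup
  hosts: all
  become: true
  # Facts are required: ansible_os_family gates the Debian-only tasks and
  # ansible_date_time.epoch stamps the backup file names.
  gather_facts: true

  tasks:
    # SSH hardening. This task edits sshd_config (it is not a pure check).
    # "PasswordAuthentication no" assumes key-based access for the operator
    # account is already provisioned. validate runs sshd -t on the candidate
    # file so a broken config is rejected before the restart handler fires.
    # NOTE(review): on newer Debian/Ubuntu, drop-ins under
    # /etc/ssh/sshd_config.d/ take precedence over these lines — confirm none
    # re-enables the settings below.
    - name: Harden SSH configuration
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        backup: true
        validate: '/usr/sbin/sshd -t -f %s'
      loop:
        - regexp: '^#?PermitRootLogin'
          line: 'PermitRootLogin no'
        - regexp: '^#?PasswordAuthentication'
          line: 'PasswordAuthentication no'
        - regexp: '^#?X11Forwarding'
          line: 'X11Forwarding no'
        - regexp: '^#?MaxAuthTries'
          line: 'MaxAuthTries 3'
      notify: restart ssh
      when: ansible_os_family == "Debian"

    # Firewall status (read-only). command: is enough — no shell features used.
    - name: Check UFW firewall status
      command: ufw status
      register: ufw_status
      changed_when: false
      # Missing ufw binary must not abort the play.
      failed_when: false
      when: ansible_os_family == "Debian"

    - name: Display firewall status
      debug:
        msg: "🔥 Firewall Status: {{ ufw_status.stdout_lines }}"
      # stdout_lines is undefined when the check task was skipped.
      when: ansible_os_family == "Debian" and ufw_status.stdout_lines is defined

    # Failed logins. Pipeline needs shell:. NOTE(review): assumes
    # /var/log/auth.log exists (rsyslog); journald-only hosts report nothing.
    - name: Check for failed login attempts
      shell: grep "Failed password" /var/log/auth.log | tail -10
      register: failed_logins
      changed_when: false
      failed_when: false

    - name: Report suspicious login attempts
      debug:
        msg: "🚨 Recent failed logins: {{ failed_logins.stdout_lines }}"
      when: failed_logins.stdout_lines | length > 0

    # Recent sudo-to-root activity (read-only, same log assumption as above).
    - name: Check recent root activity
      shell: grep "sudo.*root" /var/log/auth.log | tail -5
      register: root_activity
      changed_when: false
      failed_when: false

    - name: Display root activity
      debug:
        msg: "👑 Recent root activity: {{ root_activity.stdout_lines }}"
      when: root_activity.stdout_lines | length > 0

    # Backup of important configuration files. Directory is root-only (0700)
    # because sshd_config and crontab contents are sensitive.
    - name: Create backup directory
      file:
        path: /backup/configs
        state: directory
        mode: '0700'

    # Best-effort: a missing source file (e.g. no /etc/crontab) must not
    # abort the play, hence failed_when: false.
    - name: Backup important configuration files
      copy:
        src: "{{ item }}"
        dest: "/backup/configs/{{ item | basename }}.{{ ansible_date_time.epoch }}"
        remote_src: true
        backup: true
      loop:
        - /etc/ssh/sshd_config
        - /etc/hosts
        - /etc/fstab
        - /etc/crontab
      failed_when: false

    # Integrity checks (read-only). Exit status of the pipeline is head's,
    # so find errors on unreadable paths do not fail the task.
    - name: Check for world-writable files
      shell: find /etc /usr /bin /sbin -type f -perm -002 2>/dev/null | head -10
      register: world_writable
      changed_when: false

    - name: Report world-writable files
      debug:
        msg: "⚠️ World-writable files found: {{ world_writable.stdout_lines }}"
      when: world_writable.stdout_lines | length > 0

    # SUID inventory (read-only). Only the count is reported.
    - name: Check for SUID files
      shell: find /usr /bin /sbin -type f -perm -4000 2>/dev/null
      register: suid_files
      changed_when: false

    - name: Display SUID files count
      debug:
        msg: "🔐 Found {{ suid_files.stdout_lines | length }} SUID files"

    # Time synchronization. set-ntp changes host state; failed_when: false
    # keeps non-systemd hosts from aborting the play.
    - name: Sync system time
      command: timedatectl set-ntp true
      failed_when: false

    # Read-only status query: changed_when/failed_when added so the task
    # neither reports "changed" every run nor aborts where timedatectl
    # is unavailable (stdout_lines is still registered on failure).
    - name: Check time synchronization
      command: timedatectl status
      register: time_status
      changed_when: false
      failed_when: false

    - name: Display time sync status
      debug:
        msg: "🕐 Time sync: {{ time_status.stdout_lines | select('match', '.*synchronized.*') | list }}"

  handlers:
    # Debian names the unit "ssh"; the handler is gated to match the task
    # that notifies it.
    - name: restart ssh
      systemd:
        name: ssh
        state: restarted
      when: ansible_os_family == "Debian"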