This is a sample that runs several playbook (task) files from one main playbook with include_tasks.
After the nodes are built, a single playbook run changes settings on several servers, runs the security-vulnerability scripts, fetches the result files back to a fixed path on the server that runs Ansible, and checks the outcome. This is the playbook I actually use.
Wherever "XXX" appears, the customer's name was there and has been replaced.
Environment
main.yml : /home/stack/hkjeon
task playbooks : /home/stack/hkjeon/etech
1. main.yml
cat main.yml
## This playbook is only used for the rhosp13 settings and the "XXX" security patch.
## If you have any questions, please talk to hk Jeon.
---
- name: Main for rhosp13 and "XXX" security patch.
  hosts: dell
  gather_facts: yes
  # Most of the included tasks write to /etc and /root. They only succeed if the
  # connecting user (heat-admin) is escalated: either become is enabled in
  # ansible.cfg / the inventory, or, as several shell tasks below do, an
  # explicit sudo is prefixed to the command.
  tasks:
    - name: Step.1 Change for Compute Node Settings
      include_tasks: ./etech/01-rhosp-setting.yaml
    - name: Step.2 Configuration for the "XXX" Security Step
      include_tasks: ./etech/02-"XXX"-security.yaml
    - name: Step.3 Create Users and Config sudoers
      include_tasks: ./etech/03-create-user.yaml
    - name: Step.4 Get for "XXX" Security result files
      include_tasks: ./etech/04-get-result-file.yaml
    - name: Step.5 Check rhosp setting and users etc..
      include_tasks: ./etech/05-setting-result-check.yaml
2. 01-rhosp-setting.yaml
cat etech/01-rhosp-setting.yaml
---
- name: Change 15 to 15d in /etc/cron.daily/containers-tmpwatch file
  replace:
    path: /etc/cron.daily/containers-tmpwatch
    # The original anchored on exactly one leading space ("^ 15 "). This form
    # keeps whatever indentation the line has and only appends the "d".
    regexp: '^(\s+)15(\s)'
    replace: '\g<1>15d\2'
    backup: yes
- name: change owner 42436 for instances directory
  file:
    path: /var/lib/nova/instances
    state: directory
    recurse: yes
    owner: 42436
    group: 42436
- name: Copying files from local server
  copy:
    src: /home/stack/polkit-0.112-26.el7_9.1.x86_64.rpm
    dest: /home/heat-admin/polkit-0.112-26.el7_9.1.x86_64.rpm
- name: Update for polkit rpm single file
  # rpm -Uvh exits non-zero when the same version is already installed, hence
  # ignore_errors. The yum module with "name: /path/to/file.rpm" is the
  # idempotent form and does not need the blanket ignore.
  shell: sudo rpm -Uvh /home/heat-admin/polkit-0.112-26.el7_9.1.x86_64.rpm
  ignore_errors: true
- name: change permission for pkexec
  # 755 drops the setuid bit from pkexec (the package ships it as 4755)
  command: chmod 755 /usr/bin/pkexec
- name: Copy the os-compute-check-script.sh file to remote server
  copy:
    src: /home/stack/os-compute-check-script.sh
    dest: /home/heat-admin/os-compute-check-script.sh
    mode: '0755'
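The polkit step is the one with the most security weight in this file: polkit-0.112-26.el7_9.1 is the RHEL 7.9 errata build that fixes CVE-2021-4034 in pkexec, and chmod 755 removes the setuid bit that the vulnerability depends on. The playbook below is an added example, not part of the original post: the same step written with the yum and file modules instead of "shell: sudo rpm -Uvh ... ignore_errors", followed by a stat + assert pair that fails the play if the node did not end up in the expected state. It assumes the rpm has already been copied to /home/heat-admin as in the post and that become works for heat-admin; the variable names are choices made here.

```yaml
---
# Added example (not from the original playbook): polkit update + pkexec
# setuid removal with a verification step.
# Assumptions: the rpm is already at polkit_rpm on the node, become works.
- hosts: dell
  become: true
  vars:
    polkit_rpm: /home/heat-admin/polkit-0.112-26.el7_9.1.x86_64.rpm
    polkit_expected: polkit-0.112-26.el7_9.1.x86_64   # output of "rpm -q polkit" after the update
  tasks:
    - name: Install the polkit errata build from the local rpm (idempotent, signature check stays on)
      yum:
        name: "{{ polkit_rpm }}"
        state: present

    - name: Drop the setuid bit from pkexec
      file:
        path: /usr/bin/pkexec
        owner: root
        group: root
        mode: '0755'

    - name: Read back the installed polkit package
      command: rpm -q polkit
      register: polkit_q
      changed_when: false

    - name: Read back the pkexec mode
      stat:
        path: /usr/bin/pkexec
      register: pkexec_st

    - name: Fail the play if the node is not in the expected state
      # stat.mode keeps the setuid bit, so a still-setuid pkexec shows as '4755'
      # and fails the second condition.
      assert:
        that:
          - polkit_q.stdout == polkit_expected
          - pkexec_st.stat.exists
          - pkexec_st.stat.mode == '0755'
        fail_msg: >-
          polkit is {{ polkit_q.stdout }} (expected {{ polkit_expected }}),
          pkexec mode is {{ pkexec_st.stat.mode | default('missing') }} (expected 0755)
        success_msg: "polkit {{ polkit_q.stdout }} installed and pkexec is no longer setuid"
```

Running this a second time reports no changes, which is the signal that the node is in the intended state; the post's rpm -Uvh task, by contrast, fails on every rerun and relies on ignore_errors to hide that.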
3. 02-"XXX"-security.yaml
cat etech/02-"XXX"-security.yaml
---
- name: Copy the "XXX" Security Step file to remote server
  copy:
    src: /home/stack/vul_script_all_210217.tar
    dest: /home/heat-admin/vul_script_all_210217.tar
- name: Move tar file to root directory
  copy:
    remote_src: true
    src: /home/heat-admin/vul_script_all_210217.tar
    dest: /root
- name: Remove old file
  file:
    path: /home/heat-admin/vul_script_all_210217.tar
    state: absent
- name: unarchive vul_script_all_210217.tar file
  unarchive:
    remote_src: true
    src: /root/vul_script_all_210217.tar
    dest: /root
- name: Check that the unarchive files exists
  # /root/linux64_offline_setupFile/ only exists after a previous full run, so
  # its presence is used as the "already done" marker for the mv below.
  stat:
    path: /root/linux64_offline_setupFile/
  register: stat_result
- name: Move unarchive directory to root directory
  shell: sudo mv /root/vul_script_all_210217/* /root
  when: not stat_result.stat.exists
- name: Execute script_os_v3.4.sh script file
  command: sudo /root/script_os_v3.4.sh
- name: unarchive linux64_offline_setupFile.tar file
  unarchive:
    remote_src: true
    src: /root/linux64_offline_setupFile.tar
    dest: /root
- name: Change /etc/passwd
  # Comment out the unused system accounts. The trailing ":" keeps "^adm"
  # from also matching any other account whose name merely starts with "adm".
  replace:
    path: /etc/passwd
    regexp: "^{{ item }}:"
    replace: "#{{ item }}:"
    backup: yes
  with_items:
    - adm
    - lp
    - sync
    - mail
    - operator
    - games
    - ftp
- name: Execute setup.sh script file
  # The echo feeds the script's interactive menu answers (y, 1, 1, 7) on stdin.
  shell: echo -e 'y\n1\n1\n7'|sh setup.sh
  args:
    chdir: /root/linux64_offline_setupFile/
#- name: Execute setup.sh script file
#  shell: echo -e 'y\n1\n1\n7'|sh /root/linux64_offline_setupFile/setup.sh
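Step 2 copies a vendor tarball to the node, unpacks it in /root and runs its scripts as root without checking what actually arrived. The playbook below is an added example, not from the original post: the same flow gated on a SHA-256 of the tarball before anything is unpacked or executed, copying straight to /root instead of staging in the heat-admin home, feeding the setup.sh menu answers through the command module's stdin instead of echo -e | sh, and using become instead of sudo inside shell strings. The digest is a placeholder to fill in from the copy you received; the variable names are choices made here.

```yaml
---
# Added example (not from the original playbook): verify the bundle before
# running anything from it as root.
# Assumptions: paths follow the post; vul_tar_sha256 is a placeholder that must
# be replaced with the digest recorded when the tarball was received.
- hosts: dell
  become: true
  vars:
    vul_tar_src: /home/stack/vul_script_all_210217.tar
    vul_tar_dest: /root/vul_script_all_210217.tar
    vul_tar_sha256: "REPLACE_WITH_RECORDED_SHA256"   # placeholder, not a real digest
  tasks:
    - name: Copy the bundle directly to /root (no world-readable staging copy in the user home)
      copy:
        src: "{{ vul_tar_src }}"
        dest: "{{ vul_tar_dest }}"
        owner: root
        group: root
        mode: '0600'

    - name: Hash the tarball as it exists on the target
      stat:
        path: "{{ vul_tar_dest }}"
        checksum_algorithm: sha256
      register: vul_tar

    - name: Refuse to continue if the digest does not match
      assert:
        that:
          - vul_tar.stat.exists
          - vul_tar.stat.checksum == vul_tar_sha256
        fail_msg: "Digest mismatch for {{ vul_tar_dest }}: got {{ vul_tar.stat.checksum | default('n/a') }}"

    - name: Unpack only after the check passed (skipped when already unpacked)
      unarchive:
        remote_src: true
        src: "{{ vul_tar_dest }}"
        dest: /root
        creates: /root/vul_script_all_210217

    - name: Run the OS hardening script (become supplies root; no sudo in the command string)
      command: /root/script_os_v3.4.sh

    - name: Unpack the offline setup files
      unarchive:
        remote_src: true
        src: /root/linux64_offline_setupFile.tar
        dest: /root
        creates: /root/linux64_offline_setupFile

    - name: Run setup.sh with the menu answers from the post (y, 1, 1, 7) fed on stdin
      command: sh setup.sh
      args:
        chdir: /root/linux64_offline_setupFile
        stdin: "y\n1\n1\n7\n"
```

The assert sits between copy and unarchive on purpose: a tarball that was tampered with in transit or swapped on the director never gets unpacked, let alone executed, and the play stops with the observed digest in the error message.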
4. 03-create-user.yaml
cat etech/03-create-user.yaml
---
- name: Create test1 and test2 account
  # The password is in clear text inside the playbook; keep it in an
  # ansible-vault encrypted vars file for anything beyond a test setup.
  user:
    name: "{{ item }}"
    password: "{{ 'password1234' | password_hash('sha256') }}"
    state: present
  with_items:
    - test1
    - test2
- name: Create test3
  user:
    name: test3
    password: "{{ 'test3' | password_hash('sha256') }}"
    state: present
    groups: wheel
- name: Create sudoers file for Users
  file:
    path: "/etc/sudoers.d/{{ item }}"
    state: touch
    owner: root
    group: root
    mode: '0440'
  with_items:
    - test1
    - test2
    - test3
- name: Add sudoers Info for Users
  # NOPASSWD:ALL is unrestricted root. lineinfile does not run visudo, so a
  # typo in this line breaks sudo for every user on the node.
  lineinfile:
    path: "/etc/sudoers.d/{{ item }}"
    line: "{{ item }} ALL=(root) NOPASSWD:ALL"
  with_items:
    - test1
    - test2
    - test3
- name: Disable password expiry for Users
  # -E -1 no account expiry, -I -1 no inactivity lock, -m 0 / -M 99999 no password ageing
  shell: "sudo chage -E -1 -I -1 -m 0 -M 99999 {{ item }}"
  with_items:
    - test1
    - test2
    - test3
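The account step keeps two passwords in clear text in the playbook, creates the sudoers fragments with touch + lineinfile (which never runs visudo), and, because password_hash picks a fresh random salt on every run, resets the passwords each time the playbook is executed. The playbook below is an added example, not from the original post: the same three accounts with the passwords read from an ansible-vault file, update_password: on_create so existing passwords are left alone, and the sudoers fragments written through copy with validate so a malformed file can never land in /etc/sudoers.d. The vault file name and the variable names are choices made here.

```yaml
---
# Added example (not from the original playbook): accounts with vaulted
# passwords and validated sudoers fragments.
# Assumptions: vault.yml is an ansible-vault encrypted file (create it with
# "ansible-vault create vault.yml") that defines a dict named
# test_user_passwords, e.g.
#   test_user_passwords:
#     test1: "..."
#     test2: "..."
#     test3: "..."
- hosts: dell
  become: true
  vars_files:
    - vault.yml
  vars:
    test_users:
      - { name: test1 }
      - { name: test2 }
      - { name: test3, groups: [wheel] }
  tasks:
    - name: Create the accounts (hash computed on the controller, plaintext never written to the node)
      user:
        name: "{{ item.name }}"
        groups: "{{ item.groups | default(omit) }}"
        append: true
        # sha512 instead of the post's sha256; on_create means an existing
        # account keeps the password it has, so reruns do not report a change.
        password: "{{ test_user_passwords[item.name] | password_hash('sha512') }}"
        update_password: on_create
        state: present
      loop: "{{ test_users }}"
      no_log: true    # keep the hash (and the secret var name) out of the play log

    - name: Write a validated sudoers fragment per user
      # Same rule as the post (unrestricted root without a password). visudo -c
      # rejects the file before it is moved into place, so sudo cannot be left
      # unusable by a syntax error.
      copy:
        dest: "/etc/sudoers.d/{{ item.name }}"
        content: "{{ item.name }} ALL=(root) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: '0440'
        validate: /usr/sbin/visudo -cf %s
      loop: "{{ test_users }}"

    - name: Apply the post's ageing settings (chage -E -1 -I -1 -m 0 -M 99999)
      # -M 99999 effectively disables password expiry; if the customer
      # guideline requires expiry, put a real maximum here instead.
      command: chage -E -1 -I -1 -m 0 -M 99999 {{ item.name }}
      loop: "{{ test_users }}"
      changed_when: false    # chage does not report whether anything changed
```

Because test3 is also in wheel, it has sudo through two routes (the group and its own fragment); if the fragment is the intended one, dropping the wheel membership reduces the number of places that grant root.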
5. 04-get-result-file.yaml
cat etech/04-get-result-file.yaml
---
- name: Change owner of AC* files
  shell: sudo chown -R heat-admin:heat-admin /home/heat-admin/AC*
- name: Change owner of rhosp-comp-* files
  shell: sudo chown -R heat-admin:heat-admin /home/heat-admin/rhosp-comp-*
- name: Create Directory for "XXX" security result file.
  # fetch writes to the controller, so this directory belongs on the director
  # (where /home/stack and the stack user exist), not on the overcloud node.
  file:
    path: /home/stack/security_result/{{ ansible_hostname }}/
    state: directory
    owner: stack
    group: stack
  delegate_to: localhost
  become: false
- name: find AC files to copy
  find:
    paths: "/home/heat-admin"
    recurse: yes
    patterns: "*.dat"
  register: files_to_copy
- name: Copy AC files
  fetch:
    src: "{{ item.path }}"
    dest: /home/stack/security_result/{{ ansible_hostname }}/
    flat: yes
  with_items: "{{ files_to_copy.files }}"
- name: find rhosp-comp-*.xml files to copy
  find:
    paths: "/home/heat-admin"
    recurse: yes
    patterns: "*.xml"
  register: files_to_copy
- name: Copy rhosp-comp-*.xml files
  fetch:
    src: "{{ item.path }}"
    dest: /home/stack/security_result/{{ ansible_hostname }}/
    flat: yes
  with_items: "{{ files_to_copy.files }}"
6. 05-setting-result-check.yaml
cat etech/05-setting-result-check.yaml
---
# Note on the "sudo cmd >> /root/file" pattern used throughout this file: the
# redirection is performed by the calling shell, not by sudo, so the append to
# /root only works when the task itself runs as root (become).
- name: Check 15 in containers-tmpwatch file
  command: egrep 15 /etc/cron.daily/containers-tmpwatch
  register: temp
- debug:
    var: temp.stdout_lines
- name: Create "XXX" result txt file in /root Directory
  # The here-document needs its closing EOF line; without it sh only terminates
  # it at end of input, with a warning.
  shell:
    cmd: |
      cat > /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt << EOF
      #################################################
      #                                               #
      #   Gathering "XXX" security result info        #
      #   Generated by HK Jeon (E-tech System)        #
      #   Last Update 2022.03.31                      #
      #                                               #
      #################################################
      #### egrep 15 /etc/cron.daily/containers-tmpwatch result ####
      EOF
- name: save egrep 15 /etc/cron.daily/containers-tmpwatch result info in txt file
  shell: sudo egrep 15 /etc/cron.daily/containers-tmpwatch >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: check owner for nova directory
  shell: ls -alh /var/lib/nova
  register: nova
- debug:
    var: nova.stdout_lines
- name: save ls -alh /var/lib/nova result info in txt file
  shell:
    cmd: |
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "############ ls -alh /var/lib/nova result ################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo ls -alh /var/lib/nova >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: check owner for instances directory
  shell: ls -alh /var/lib/nova/instances
  register: instances
- debug:
    var: instances.stdout_lines
- name: save ls -alh /var/lib/nova/instances result info in txt file
  shell:
    cmd: |
      echo "############ ls -alh /var/lib/nova/instances result ################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo ls -alh /var/lib/nova/instances >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: Check rpm version for polkit
  shell: sudo rpm -qa | grep polkit-0
  register: polkit
- debug:
    var: polkit.stdout_lines
- name: save sudo rpm -qa | grep polkit-0 result info in txt file
  shell:
    cmd: |
      echo "############ sudo rpm -qa | grep polkit-0 result ################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo rpm -qa | grep polkit-0 >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: check permission for pkexec file
  # expected "-rwxr-xr-x" after step 1; "-rwsr-xr-x" means the setuid bit is still set
  shell: ls -al /usr/bin/pkexec | awk '{print $1}'
  register: pkexec1
- debug:
    var: pkexec1.stdout_lines
- name: save ls -al /usr/bin/pkexec result info in txt file
  shell:
    cmd: |
      echo "############ ls -al /usr/bin/pkexec result ################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo ls -al /usr/bin/pkexec | awk '{print $1}' >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: Check "#" adm lp sync mail operator games ftp in /etc/passwd
  shell: cat /etc/passwd | grep -E "#"
  register: passwd
- debug:
    var: passwd.stdout_lines
- name: save cat /etc/passwd result info in txt file
  shell:
    cmd: |
      echo "############ cat /etc/passwd result ################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo cat /etc/passwd | grep -E "#" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: period Check syslog file (weekly and rotate 32)
  shell: sudo cat /etc/logrotate.d/syslog | grep -E 'weekly|rotate 32'
  register: syslog
- debug:
    var: syslog.stdout_lines
- name: save sudo cat /etc/logrotate.d/syslog result info in txt file
  shell:
    cmd: |
      echo "############ sudo cat /etc/logrotate.d/syslog result ################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo cat /etc/logrotate.d/syslog | grep -E 'weekly|rotate 32' >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: Check HandlePowerKey Ignore
  shell: sudo cat /etc/systemd/logind.conf | grep HandleP
  register: handle
- debug:
    var: handle.stdout_lines
- name: save sudo cat /etc/systemd/logind.conf result info in txt file
  shell:
    cmd: |
      echo "############ sudo cat /etc/systemd/logind.conf | grep HandleP result ################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo cat /etc/systemd/logind.conf | grep HandleP >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: Check sysstat info
  shell: sudo cat /etc/cron.d/sysstat
  register: sysstat
- debug:
    var: sysstat.stdout_lines
- name: save sudo cat /etc/cron.d/sysstat result info in txt file
  shell:
    cmd: |
      echo "############ sudo cat /etc/cron.d/sysstat result ################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo cat /etc/cron.d/sysstat >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: Check the "XXX" critical rpm package
  shell: sudo rpm -qa | grep "XXX"-
  register: critical
- debug:
    var: critical.stdout_lines
- name: save sudo rpm -qa | grep "XXX"- result info in txt file
  shell:
    cmd: |
      sudo rpm -qa | grep "XXX"- >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: Confirm password ageing for Users
  shell: "sudo chage -l {{ item }}"
  with_items:
    - stack
    - test1
    - test2
  register: expire
- debug:
    var: expire
- name: save sudo chage -l for users result info in txt file
  shell:
    cmd: |
      echo "############ sudo chage -l result ################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo chage -l stack >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo chage -l test1 >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo chage -l test2 >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: Confirm Users Account
  # the original pattern was 'test1|test2|test'; the third account is test3
  shell: "sudo cat /etc/passwd | grep -E 'test1|test2|test3'"
  register: test
- debug:
    var: test.stdout_lines
- name: save sudo cat /etc/passwd | grep -E 'test1|test2|test3' result info in txt file
  shell:
    cmd: |
      echo "############ sudo cat /etc/passwd | grep -E 'test1|test2|test3' result ################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      sudo cat /etc/passwd | grep -E 'test1|test2|test3' >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo "##############################################################" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
      echo -e "\n" >> /root/{{ ansible_hostname }}-security-result-$(date "+%Y%m%d").txt
- name: Change owner of "XXX" security result text file.
  # the report is named <hostname>-security-result-<date>.txt, so this glob
  # only matches when the compute hostnames start with "rhosp-comp-"
  shell: sudo chown -R stack:stack /root/rhosp-comp-*.txt
  become: yes
- name: find rhosp-*.txt files to copy
  find:
    paths: "/root"
    recurse: yes
    patterns: "rhosp-*.txt"
  register: files_to_copy
- name: Copy rhosp-*.txt files
  fetch:
    src: "{{ item.path }}"
    dest: /home/stack/"XXX"_security_result/{{ ansible_hostname }}/
    flat: yes
  with_items: "{{ files_to_copy.files }}"
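05-setting-result-check.yaml repeats one pattern about ten times: run a command, debug it, run it again under sudo and append to a file whose name is re-derived from $(date) on every line, then chown, find and fetch the file. The playbook below is an added example, not from the original post: the same checks kept as a data list and run through a single loop, with grep's exit status 1 ("no match") accepted instead of failing the play, and the report rendered once on the controller from the registered output, so no chown/find/fetch round trip is needed. The report directory and the variable names are choices made here; the check list repeats the post's commands (with the test1|test2|test typo corrected to test3).

```yaml
---
# Added example (not from the original playbook): the step-5 checks as one loop
# plus one report per host, written on the controller.
# Assumptions: report_dir exists or can be created by the user running
# ansible-playbook on the director; the check commands mirror the post.
- hosts: dell
  become: true
  vars:
    report_dir: /home/stack/security_result
    checks:
      - { id: tmpwatch,  cmd: "grep -n 15 /etc/cron.daily/containers-tmpwatch" }
      - { id: nova_dirs, cmd: "ls -alh /var/lib/nova /var/lib/nova/instances" }
      - { id: polkit,    cmd: "rpm -q polkit" }
      - { id: pkexec,    cmd: "stat -c '%A %U %G %n' /usr/bin/pkexec" }
      - { id: passwd,    cmd: "grep '^#' /etc/passwd" }
      - { id: logrotate, cmd: "grep -E 'weekly|rotate 32' /etc/logrotate.d/syslog" }
      - { id: logind,    cmd: "grep HandlePowerKey /etc/systemd/logind.conf" }
      - { id: sysstat,   cmd: "cat /etc/cron.d/sysstat" }
      - { id: users,     cmd: "grep -E '^(test1|test2|test3):' /etc/passwd" }
      - { id: ageing,    cmd: "for u in stack test1 test2 test3; do chage -l $u; done" }
  tasks:
    - name: Run every check once and keep its output
      # rc 1 from grep means "nothing matched", which is a finding, not a failure.
      shell: "{{ item.cmd }}"
      loop: "{{ checks }}"
      loop_control:
        label: "{{ item.id }}"
      register: results
      changed_when: false
      failed_when: results.rc not in [0, 1]

    - name: Make sure the per-host report directory exists on the controller
      file:
        path: "{{ report_dir }}/{{ ansible_hostname }}"
        state: directory
        mode: '0750'
      delegate_to: localhost
      become: false

    - name: Render one report per host from the registered output (no file written on the node)
      copy:
        dest: "{{ report_dir }}/{{ ansible_hostname }}/{{ ansible_hostname }}-security-result-{{ ansible_date_time.date | replace('-', '') }}.txt"
        mode: '0640'
        content: |
          ############ "XXX" security result for {{ ansible_hostname }} ({{ ansible_date_time.iso8601 }}) ############
          {% for r in results.results %}
          #### {{ r.item.id }}: {{ r.item.cmd }} (rc={{ r.rc }}) ####
          {{ r.stdout }}
          {% if r.stderr %}[stderr] {{ r.stderr }}{% endif %}

          {% endfor %}
      delegate_to: localhost
      become: false
```

Adding a check is one line in the checks list, and because the report is assembled from results.results the section headers always match the commands that actually ran. For a hard gate rather than a report, follow the loop with an assert on the specific results entries (for example rc == 0 for the polkit and pkexec checks), as in the step-1 example.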
7. Run
[stack@rhosp-zzero-director hkjeon]$ ansible-playbook main.yml