Using Ansible for Linux Security Baseline Hardening Remediation

watson 2024-10-18

This post describes how to use Ansible to carry out security baseline hardening of Linux hosts (most people who have done Linux operations work have done this kind of remediation). Note that the scripts shown here target OpenEuler. Although many of the measures apply to other Linux distributions as well, anyone using these scripts to apply the same baseline on another distribution should verify applicability first, especially the changes to the files under /etc/pam.d/.

Note: each task script below shows only the main task content. For the complete script files, reply with the keyword 我要Ansible脚本 in the official account (公众号) to download them.

Script file structure

[root@localhost /]# tree ansible/ -L 2
ansible/
├── alias.yml
├── ansible.cfg
├── backup.yml
├── banner.yml
├── categraf.yml
├── chmod.yml
├── chrony.yml
├── csh.yml
├── firewalld.yml
├── host_conf.yml
├── hosts_auth.yml
├── inventory
│   ├── all.yml
│   └── hosts
├── jixian_check.yml
├── keepalived.yml
├── lock_user.yml
├── login_defs.yml
├── logrotate.yml
├── logserver.yml
├── messages.yml
├── mongodb_shard.yml
├── mountdisk.yml
├── mysql.yml
├── nginx.yml
├── ntp.yml
├── pam_auth.yml
├── pam_passwd.yml
├── pam_su.yml
├── password.yml
├── profile.yml
├── README.md
├── redis_cluster.yml
├── redis.yml
├── roles
│   ├── alias
│   ├── backup
│   ├── banner
│   ├── categraf
│   ├── chmod
│   ├── chrony
│   ├── csh
│   ├── firewalld
│   ├── host_conf
│   ├── hosts_auth
│   ├── jixian_check
│   ├── keepalived
│   ├── lock_user
│   ├── login_defs
│   ├── logrotate
│   ├── logserver
│   ├── messages
│   ├── mongodb_shard
│   ├── mountdisk
│   ├── mysql
│   ├── nginx
│   ├── ntp
│   ├── pam_auth
│   ├── pam_passwd
│   ├── pam_su
│   ├── password
│   ├── profile
│   ├── redis
│   ├── redis_cluster
│   ├── route_add
│   ├── rsyslog
│   ├── selinux
│   ├── ssh
│   ├── sysctl
│   ├── ulimit
│   ├── useradd
│   ├── yum_repository
│   └── yum_security
├── route_add.yml
├── rsyslog.yml
├── selinux.yml
├── ssh.yml
├── sysctl.yml
├── ulimit.yml
├── useradd.yml
├── yum_repository.yml
└── yum_security.yml

Main files:

1. ansible.cfg is the Ansible configuration file

2. README.md is a brief guide to using the scripts

3. The roles directory holds the Ansible role definitions; the other yml files define how the roles in that directory are invoked

4. inventory/all.yml holds the predefined variables; hosts is the inventory of managed hosts

1. For the root user, set the alias ls='ls -al' for the ls command in /root/.bashrc

Task content

[root@localhost ansible]# cat roles/alias/tasks/config.yml
- name: 针对root用户在/root/.bashrc文件中为ls命令设置别名ls='ls -al'
  lineinfile:
    path: /root/.bashrc
    regexp: '^alias\s+ls='
    line: "alias ls='ls -al'"
    backup: yes
  ignore_errors: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config alias.yml

Configuration check

# Check whether the ls alias for root in /root/.bashrc is set to ls='ls -al'
ansible-playbook -i inventory/ -e operation=check alias.yml

2. Configure the system banner message in /etc/motd, /etc/issue and /etc/issue.net

Task content

[root@localhost ansible]# cat roles/banner/tasks/config.yml
- name: 在/etc/motd文件中配置系统banner提示信息
  lineinfile:
    path: /etc/motd
    line: 'Authorized users only. All activity may be monitored and reported'
    backup: yes
  ignore_errors: yes
- name: 在/etc/issue文件中配置系统banner提示信息
  lineinfile:
    path: /etc/issue
    line: 'Authorized users only. All activity may be monitored and reported'
  ignore_errors: yes
- name: 在/etc/issue.net文件中配置系统banner提示信息
  lineinfile:
    path: /etc/issue.net
    line: 'Authorized users only. All activity may be monitored and reported'
  ignore_errors: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config banner.yml

Configuration check

# Check the system banner message configured in /etc/motd, /etc/issue and /etc/issue.net
ansible-playbook -i inventory/ -e operation=check banner.yml

3. Configure the chronyd time synchronisation server; ntp_server is the address of the time server

Task content

[root@localhost ansible]# cat roles/chrony/tasks/config.yml
- name: 配置chronyd时钟同步服务器为{{ ntp_server }}
  lineinfile:
    path: /etc/chrony.conf
    state: present
    regexp: '^server {{ ntp_server }} iburst'
    line: "server {{ ntp_server }} iburst"
    backup: yes
  notify: restart chronyd
  ignore_errors: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e ntp_server=192.168.0.11 -e operation=config chrony.yml

Configuration check

# Check the chronyd time server configuration
ansible-playbook -i inventory/ -e operation=check chrony.yml

4. Set the csh shell auto-logout variable autologout to 600 s in /etc/csh.cshrc

Task content

[root@localhost ansible]# cat roles/csh/tasks/config.yml
- name: 在/etc/csh.cshrc文件中设置csh shell 下的自动超时变量autologout为600s
  lineinfile:
    path: /etc/csh.cshrc
    insertafter: 'EOF'
    line: "{{ item }}"
    backup: yes
  ignore_errors: yes
  with_items:
    - "set autologout=600"
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config csh.yml

Configuration check

# Check the csh autologout variable in /etc/csh.cshrc
ansible-playbook -i inventory/ -e operation=check csh.yml

5. Configure the host name resolution order in /etc/host.conf: hosts first, then BIND (DNS)

Task content

[root@localhost ansible]# cat roles/host_conf/tasks/config.yml
- name: 在/etc/host.conf文件中配置主机解析地址的顺序。先使用hosts,再使用BIND(DNS)进行解析
  lineinfile:
    path: /etc/host.conf
    regexp: '^order'
    state: present
    line: 'order hosts,bind'
    backup: yes
  ignore_errors: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config host_conf.yml

Configuration check

# Check the host resolution order configured in /etc/host.conf
ansible-playbook -i inventory/ -e operation=check host_conf.yml

6. Define in /etc/hosts.allow and /etc/hosts.deny the remote hosts or address ranges that may access local services

Task content

[root@localhost ansible]# cat roles/hosts_auth/tasks/
check.yml   config.yml  main.yml
[root@localhost ansible]# cat roles/hosts_auth/tasks/config.yml
- name: 在/etc/hosts.allow文件中定义允许访问本地服务的远程主机或主机范围
  lineinfile:
    path: /etc/hosts.allow
    insertafter: 'EOF'
    line: "{{ item }}"
    backup: yes
  ignore_errors: yes
  loop:
    - 'sshd: all'
    - 'telnetd: all'
  tags: hosts_allow
- name: 在/etc/hosts.deny文件中定义禁止访问本地服务的远程主机或主机范围。
  lineinfile:
    path: /etc/hosts.deny
    insertafter: 'EOF'
    line: "{{ item }}"
    backup: yes
  ignore_errors: yes
  loop:
    - 'sshd: 192.168.182.2'
    - 'telnetd: 192.168.182.2'
  tags: hosts_deny
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config hosts_auth.yml

Configuration check

# Check the remote hosts or address ranges defined in /etc/hosts.allow and /etc/hosts.deny
ansible-playbook -i inventory/ -e operation=check hosts_auth.yml
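How the two files interact is worth checking before relying on them. Per hosts_access(5), access is granted on the first match in hosts.allow, denied on a match in hosts.deny only when hosts.allow matched nothing, and granted when neither file matches. With `sshd: all` in hosts.allow, the `sshd: 192.168.182.2` entry in hosts.deny is therefore never consulted. The Python model of that decision order below is an added example, not part of the original post or its hosts_auth role; it supports only the ALL wildcard, exact addresses and trailing-dot network prefixes, and the file contents are constructed to mirror the role's entries. Separately, OpenSSH removed built-in tcp_wrappers support in version 6.7, so whether sshd on a given host reads these files at all depends on how the distribution built it.

```python
"""Model of the /etc/hosts.allow and /etc/hosts.deny decision order.

Added example, not part of the original post or its Ansible roles. It implements
the rule from hosts_access(5): a (daemon, client) pair is granted if it matches
hosts.allow, denied if it then matches hosts.deny, and granted when neither file
matches. Only the two-field 'daemon_list : client_list' form is modelled.
"""
from typing import List, Tuple

# Constructed sample contents, mirroring the lines the hosts_auth role appends.
HOSTS_ALLOW = """\
sshd: all
telnetd: all
"""
HOSTS_DENY = """\
sshd: 192.168.182.2
telnetd: 192.168.182.2
"""

Rule = Tuple[List[str], List[str]]


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines; '#' comments and blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line; tcp_wrappers logs and ignores it
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def token_matches(pattern: str, value: str) -> bool:
    """One list token: the ALL wildcard, a 'prefix.' network prefix, or an exact string.
    Comparison is done case-insensitively here."""
    p, v = pattern.lower(), value.lower()
    if p == "all":
        return True
    if p.endswith("."):            # e.g. '192.168.182.' covers the whole 192.168.182.0/24
        return v.startswith(p)
    return p == v


def rule_matches(rule: Rule, daemon: str, client: str) -> bool:
    daemons, clients = rule
    return any(token_matches(d, daemon) for d in daemons) and any(
        token_matches(c, client) for c in clients)


def hosts_access(daemon: str, client: str, allow_text: str, deny_text: str) -> str:
    """Return 'allow' or 'deny' following the hosts_access(5) evaluation order."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client):
            return "allow"         # first hosts.allow match wins; hosts.deny is never read
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client):
            return "deny"
    return "allow"                 # no match in either file: access is granted


def effective_decisions(allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> dict:
    """Evaluate the role's configuration for the address it tries to deny and for another one."""
    return {
        ("sshd", "192.168.182.2"): hosts_access("sshd", "192.168.182.2", allow_text, deny_text),
        ("sshd", "10.0.0.5"): hosts_access("sshd", "10.0.0.5", allow_text, deny_text),
    }


if __name__ == "__main__":
    for (daemon, client), decision in effective_decisions().items():
        print(f"{daemon} from {client}: {decision}")
    # Without the 'sshd: all' line in hosts.allow, the hosts.deny entry takes effect.
    print("sshd from 192.168.182.2 with an empty hosts.allow:",
          hosts_access("sshd", "192.168.182.2", "", HOSTS_DENY))
```

The model shows that with `sshd: all` in hosts.allow the deny entry is dead configuration; a working deny needs the allow list narrowed to the permitted sources, or the permitted sources listed in hosts.allow with `ALL: ALL` in hosts.deny.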

7. Configure in /etc/login.defs

1. LASTLOG_ENAB: enable recording of each user's last login.

2. FAILLOG_ENAB: enable recording of failed login attempts

Task content

[root@localhost ansible]# cat roles/login_defs/tasks/config.yml
- name: 在/etc/login.defs文件中配置1、LASTLOG_ENAB:启用对用户的最后一次登录信息的记录。2、FAILLOG_ENAB:启用对用户失败登录尝试的记录
  lineinfile:
    path: /etc/login.defs
    insertafter: 'EOF'
    line: "{{ item }}"
    backup: yes
  ignore_errors: yes
  with_items:
    - "LASTLOG_ENAB yes"
    - "FAILLOG_ENAB yes"
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config login_defs.yml

Configuration check

# Check the LASTLOG_ENAB and FAILLOG_ENAB settings in /etc/login.defs
ansible-playbook -i inventory/ -e operation=check login_defs.yml

8. Disable IP source routing on the lo interface (net.ipv4.conf.lo.accept_source_route=0) and enable IP forwarding (net.ipv4.ip_forward=1)

Task content

[root@localhost ansible]# cat roles/sysctl/tasks/config.yml
- name: 配置lo网卡禁止IP源路由net.ipv4.conf.lo.accept_source_route=0
  sysctl:
    name: net.ipv4.conf.lo.accept_source_route
    value: '0'
    sysctl_set: yes
    state: present
- name: 配置启用路由转发net.ipv4.ip_forward=1
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: yes
    state: present
    reload: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config sysctl.yml

Configuration check

# Check the net.ipv4.conf.lo.accept_source_route and net.ipv4.ip_forward routing parameters
ansible-playbook -i inventory/ -e operation=check sysctl.yml

9. Set the permissions of /etc/security to 600

Task content

[root@localhost ansible]# cat roles/chmod/tasks/config.yml
- name: 配置/etc/security文件权限为600
  file:
    path: "{{ item }}"
    state: directory
    mode: '0600'   # quoted so YAML does not reinterpret the octal value
  ignore_errors: yes
  with_items:
    - /etc/security
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config chmod.yml

Configuration check

# Check the permissions of /etc/security
ansible-playbook -i inventory/ -e operation=check chmod.yml

10. Configure authpriv-facility logs to be written to /var/log/authlog

Task content

[root@localhost ansible]# cat roles/rsyslog/tasks/config.yml
- name: 在/etc/rsyslog.conf文件中配置将authpriv类的日志记录到/var/log/authlog文件中
  lineinfile:
    path: /etc/rsyslog.conf
    insertafter: '^authpriv\.'
    line: 'authpriv.*                    /var/log/authlog'
    backup: yes
  ignore_errors: yes
  notify: restart rsyslog
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config rsyslog.yml

Configuration check

# Check the authpriv logging configuration in /etc/rsyslog.conf
ansible-playbook -i inventory/ -e operation=check rsyslog.yml

11. Configure a remote log server; logserver is the address of the remote log server

Task content

[root@localhost ansible]# cat roles/logserver/tasks/config.yml
- name: 设置远程日志转发策略
  block:
    - name: 检查是否已经配置了远程日志服务器{{ logserver }}
      command: grep -q "{{ logserver }}" /etc/rsyslog.conf
      register: rsyslog_check
      failed_when: false    # do not fail when the address is not found
      changed_when: false   # a read-only check never counts as a change
    - name: 在/etc/rsyslog.conf文件中配置远程日志服务器为{{ logserver }}
      lineinfile:
        path: /etc/rsyslog.conf
        line: "*.* @{{ logserver }}"
        insertafter: EOF
        create: yes
        backup: yes
      when: rsyslog_check.rc != 0   # run only when grep did not find the address
      notify: restart rsyslog
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e logserver=192.168.0.11 -e operation=config logserver.yml

Configuration check

# Check whether {{ logserver }} is configured as the remote log server in /etc/rsyslog.conf
ansible-playbook -i inventory/ -e logserver=192.168.0.11 -e operation=check logserver.yml

12. In /etc/logrotate.d/, rename the rsyslog file to syslog and configure it to rotate logs by size at 10M

Task content

[root@localhost ansible]# cat roles/logrotate/tasks/config.yml
- name: 在/etc/logrotate.d/目录下,将rsyslog文件重命名为syslog
  shell:
    cmd: mv rsyslog syslog
    chdir: /etc/logrotate.d/
    creates: /etc/logrotate.d/syslog   # skip once the file has already been renamed
  ignore_errors: yes
- name: 在/etc/logrotate.d/syslog文件中配置可以对日志按大小10M进行切割
  lineinfile:
    path: /etc/logrotate.d/syslog
    insertafter: '^{'
    line: '   size 10M'
    backup: yes
  ignore_errors: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config logrotate.yml

Configuration check

# Check the log rotation policy configured in /etc/logrotate.d/syslog
ansible-playbook -i inventory/ -e operation=check logrotate.yml

13. Set the command-line login timeout TMOUT to 300 s in /etc/profile

Task content

[root@localhost ansible]# cat roles/profile/tasks/config.yml
- name: 在/etc/profile文件中设置命令行界面登录超时时间TMOUT为300s
  block:
    - name: 如果/etc/profile定义了TMOUT内容,则删除
      lineinfile:
        path: /etc/profile
        regexp: '^TMOUT='
        state: absent
        backup: yes
    - name: 如果/etc/profile定义了export TMOUT内容,则删除
      lineinfile:
        path: /etc/profile
        regexp: '^export\s+TMOUT$'
        state: absent
    - name: 在/etc/profile文件中更新或添加一行export TMOUT=300
      lineinfile:
        path: /etc/profile
        regexp: '^export\s+TMOUT='
        line: 'export TMOUT=300'
      notify: source profile
  tags: timeout
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config profile.yml --tags=timeout

Configuration check

# Check the session timeout TMOUT setting in /etc/profile
ansible-playbook -i inventory/ -e operation=check profile.yml --tags=timeout

14. Set the default user UMASK to 027 in /etc/profile

Task content

[root@localhost ansible]# cat roles/profile/tasks/config.yml
- name: 在/etc/profile文件中设置用户缺省UMASK为027
  lineinfile:
    path: /etc/profile
    regexp: '^umask'
    line: 'umask 027'
    backup: yes
  notify: source profile
  tags: umask
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config profile.yml --tags=umask

Configuration check

# Check the umask setting in /etc/profile
ansible-playbook -i inventory/ -e operation=check profile.yml --tags=umask

15. Set the number of commands kept in .bash_history to 5 in /etc/profile

Task content

[root@localhost ansible]# cat roles/profile/tasks/config.yml
- name: 在/etc/profile文件中设置在.bash_history文件中保存命令的记录总数为5条
  lineinfile:
    path: /etc/profile
    regexp: '^HISTFILESIZE'
    line: '{{ item }}'
    backup: yes
  notify: source profile
  with_items:
    - HISTFILESIZE=5
  tags: bash_history
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config profile.yml --tags=bash_history

Configuration check

# Check the HISTFILESIZE setting for .bash_history in /etc/profile
ansible-playbook -i inventory/ -e operation=check profile.yml --tags=bash_history

16. Set the number of entries shown by the history command in a shell session to 5 in /etc/profile

Task content

[root@localhost ansible]# cat roles/profile/tasks/config.yml
- name: 在/etc/profile文件中设置shell会话中history命令输出的记录总数为5条
  lineinfile:
    path: /etc/profile
    regexp: '^HISTSIZE'
    line: '{{ item }}'
    backup: yes
  notify: source profile
  with_items:
    - HISTSIZE=5
  tags: history
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config profile.yml --tags=history

Configuration check

# Check the HISTSIZE setting for history output in /etc/profile
ansible-playbook -i inventory/ -e operation=check profile.yml --tags=history

17. Configure the core file size limit in /etc/security/limits.conf (* soft core 0 and * hard core 0)

Task content

[root@localhost ansible]# cat roles/ulimit/tasks/config.yml
- name: 在/etc/security/limits.conf文件中配置core文件大小限制(* soft core 0和* hard core 0)
  pam_limits:
    domain: '*'
    limit_type: '{{ item.type }}'
    limit_item: core
    value: 0
    dest: /etc/security/limits.conf
    backup: yes
  with_items:
    - { type: 'soft' }
    - { type: 'hard' }
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config ulimit.yml

Configuration check

# Check the core file limits defined in /etc/security/limits.conf
ansible-playbook -i inventory/ -e operation=check ulimit.yml

18. Create the security event log directory and file /var/adm/messages and configure /etc/rsyslog.conf to write *.err;kern.debug;daemon.notice logs to /var/adm/messages

Task content

[root@localhost ansible]# cat roles/messages/tasks/config.yml
- name: 创建安全事件日志接收目录及文件/var/adm/messages并在/etc/rsyslog.conf文件中配置*.err;kern.debug;daemon.notice类的日志记录到/var/adm/messages文件
  block:
    - name: 创建安全事件日志接收目录/var/adm
      file:
        path: /var/adm
        state: directory
        mode: '0750'   # the directory must exist before the file can be touched
    - name: 创建安全事件日志接收目录及文件/var/adm/messages
      file:
        path: /var/adm/messages
        state: touch
        mode: '0640'
    - name: 在/etc/rsyslog.conf文件中配置*.err;kern.debug;daemon.notice类的日志记录到/var/adm/messages文件
      lineinfile:
        path: /etc/rsyslog.conf
        insertafter: 'EOF'
        line: '*.err;kern.debug;daemon.notice /var/adm/messages'
        backup: yes
      notify: restart rsyslog
      ignore_errors: yes
  tags: adm_messages
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config messages.yml --tags=adm_messages

Configuration check

# Check the logging configuration for the messages file in /etc/rsyslog.conf
ansible-playbook -i inventory/ -e operation=check messages.yml --tags=adm_messages

19. Set attributes on key files: make /var/log/messages append-only

Task content

[root@localhost ansible]# cat roles/messages/tasks/config.yml
- name: 设置关键文件的属性,配置/var/log/messages文件只可追加不可修改
  shell: chattr +a /var/log/messages
  ignore_errors: yes
  tags: chattr_messages
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config messages.yml --tags=chattr_messages

Configuration check

# Check the extended attribute set on /var/log/messages
ansible-playbook -i inventory/ -e operation=check messages.yml --tags=chattr_messages

20. Configure the ntp time synchronisation server; ntp_server is the address of the time server

Task content

[root@localhost ansible]# cat roles/ntp/tasks/config.yml
- name: 安装ntp
  dnf:
    name: ntp
    state: latest
- name: 启动ntp服务并设置开机自启
  service:
    name: ntpd
    state: started
    enabled: yes
  ignore_errors: yes
- name: 配置ntp服务器为{{ ntp_server }}
  lineinfile:
    path: /etc/ntp.conf
    state: present
    regexp: '^server {{ ntp_server }}'
    line: "server {{ ntp_server }}"
    backup: yes
  notify: restart ntpd
  ignore_errors: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e ntp_server=192.168.0.11 -e operation=config ntp.yml

Configuration check

# Check the ntp time server configuration
ansible-playbook -i inventory/ -e operation=check ntp.yml

21. Restrict switching to root with su to members of the wheel group

Task content

[root@localhost ansible]# cat roles/pam_su/tasks/config.yml
- name: 配置限制除wheel组以外的用户通过su命令切换到root
  lineinfile:
    path: /etc/pam.d/su
    regexp: '^auth\s*required\s*pam_wheel.so\suse_uid'
    line: 'auth           required       pam_wheel.so use_uid'
    backup: yes
  ignore_errors: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config pam_su.yml

Configuration check

# Check the authentication configuration in /etc/pam.d/su
ansible-playbook -i inventory/ -e operation=check pam_su.yml

22. Configure /etc/pam.d/passwd to use the pam_pwquality.so module and set the password complexity in /etc/security/pwquality.conf (at least one each of upper case, lower case, digit and special character)

Task content

[root@localhost ansible]# cat roles/pam_passwd/tasks/config.yml
- name: 在/etc/pam.d/passwd配置使用pam_pwquality.so模块,并在/etc/security/pwquality.conf配置口令复杂度
  block:
    - name: 在/etc/pam.d/passwd配置使用pam_pwquality.so模块
      lineinfile:
        path: /etc/pam.d/passwd
        insertafter: EOF
        line: 'password required pam_pwquality.so retry=3'
        backup: yes
      ignore_errors: yes
      tags: pam_pwquality
    - name: 在/etc/security/pwquality.conf配置口令复杂度(小写lcredit、大写ucredit、数字dcredit、特殊字符ocredit)
      lineinfile:
        path: /etc/security/pwquality.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        backup: yes
      # A negative credit is a minimum count (at least one character of that class);
      # a positive credit is only a bonus towards minlen and requires nothing.
      loop:
        - {regexp: '^lcredit', line: 'lcredit = -1'}
        - {regexp: '^ucredit', line: 'ucredit = -1'}
        - {regexp: '^dcredit', line: 'dcredit = -1'}
        - {regexp: '^ocredit', line: 'ocredit = -1'}
      ignore_errors: yes
      tags: password
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config pam_passwd.yml

Configuration check

# Check whether /etc/pam.d/passwd uses pam_pwquality.so and the complexity settings
# (lcredit, ucredit, dcredit, ocredit) in /etc/security/pwquality.conf
ansible-playbook -i inventory/ -e operation=check pam_passwd.yml

23. In /etc/login.defs set the maximum password lifetime PASS_MAX_DAYS to 90 days, the minimum PASS_MIN_DAYS to 10 days and the minimum password length PASS_MIN_LEN to 8

Task content

[root@localhost ansible]# cat roles/password/tasks/config.yml
- name: 在/etc/login.defs文件中配置口令生存周期最长为90天,最小为10天及密码最小长度为8
  lineinfile:
    path: /etc/login.defs
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    backrefs: no
    backup: yes
  ignore_errors: yes
  with_items:
    - { regexp: '^PASS_MIN_LEN', line: 'PASS_MIN_LEN   8' }
    - { regexp: '^PASS_MAX_DAYS', line: 'PASS_MAX_DAYS   90' }
    - { regexp: '^PASS_MIN_DAYS', line: 'PASS_MIN_DAYS   10' }
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config password.yml

Configuration check

# Check PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_MIN_LEN in /etc/login.defs
ansible-playbook -i inventory/ -e operation=check password.yml

24. Configure the account lockout policy in /etc/pam.d/password-auth and /etc/pam.d/system-auth: lock the account after 3 consecutive failed logins

Task content

[root@localhost ansible]# cat roles/pam_auth/tasks/deny.yml
- name: system-auth配置口令锁定策略,连续登录失败3次锁定账号
  lineinfile:
    path: /etc/pam.d/system-auth
    regexp: '^auth\s*required\s*pam_faillock.so'
    line: 'auth       required     pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60'
    backup: yes
  ignore_errors: yes
- name: system-auth配置口令锁定策略,连续登录失败3次锁定账号
  lineinfile:
    path: /etc/pam.d/system-auth
    regexp: '^auth\s*\[default=die\]\s*pam_faillock.so'
    line: 'auth       [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60'
    backup: yes
  ignore_errors: yes
- name: system-auth配置口令锁定策略,连续登录失败3次锁定账号
  lineinfile:
    path: /etc/pam.d/system-auth
    regexp: '^auth\s*sufficient\s*pam_faillock.so'
    line: 'auth       sufficient   pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60'
    backup: yes
  ignore_errors: yes
- name: password-auth配置口令锁定策略,连续登录失败3次锁定账号
  lineinfile:
    path: /etc/pam.d/password-auth
    regexp: '^auth\s*required\s*pam_faillock.so'
    line: 'auth       required     pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60'
    backup: yes
  ignore_errors: yes
- name: password-auth配置口令锁定策略,连续登录失败3次锁定账号
  lineinfile:
    path: /etc/pam.d/password-auth
    regexp: '^auth\s*\[default=die\]\s*pam_faillock.so'
    line: 'auth       [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60'
    backup: yes
  ignore_errors: yes
- name: password-auth配置口令锁定策略,连续登录失败3次锁定账号
  lineinfile:
    path: /etc/pam.d/password-auth
    regexp: '^auth\s*sufficient\s*pam_faillock.so'
    line: 'auth       sufficient   pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60'
    backup: yes
  ignore_errors: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=deny pam_auth.yml

Configuration check

# Check the authentication configuration in /etc/pam.d/password-auth and /etc/pam.d/system-auth
ansible-playbook -i inventory/ -e operation=check pam_auth.yml

25. Configure password complexity in /etc/pam.d/password-auth and /etc/pam.d/system-auth (at least one each of upper case, lower case, digit and special character) and enforce it for root

Task content

[root@localhost ansible]# cat roles/pam_auth/tasks/login-auth.yml
# Negative credits require at least one character of each class; positive ones would not.
- name: system-auth文件中配置口令复杂度并限制到root
  lineinfile:
    path: /etc/pam.d/system-auth
    regexp: '^password\s+requisite\s+pam_pwquality.so'
    line: 'password   requisite     pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1'
    backup: yes
  ignore_errors: yes
- name: password-auth文件中配置口令复杂度并限制到root
  lineinfile:
    path: /etc/pam.d/password-auth
    regexp: '^password\s+requisite\s+pam_pwquality.so'
    line: 'password   requisite     pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1'
    backup: yes
  ignore_errors: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=login-auth pam_auth.yml

Configuration check

# Check the authentication configuration in /etc/pam.d/password-auth and /etc/pam.d/system-auth
ansible-playbook -i inventory/ -e operation=check pam_auth.yml
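The sign of the credit values decides whether the complexity requirement of tasks 22 and 25 is actually enforced. In pam_pwquality(8), a credit N >= 0 is only the maximum bonus a character class may add towards minlen, while N < 0 requires at least -N characters of that class: `lcredit = 1` requires no lower-case letter at all, `lcredit = -1` does. The Python model below is an added example, not libpwquality's code or part of the post; it covers only the minlen/credit arithmetic, not the dictionary, repetition or similarity checks, and its policies and passwords are constructed.

```python
"""Simplified model of the pam_pwquality credit parameters.

Added example, not part of the original post, its roles or libpwquality. It
follows pam_pwquality(8): a credit N >= 0 is the MAXIMUM credit a character
class adds to the effective length compared against minlen; N < 0 means at
least -N characters of that class are REQUIRED. Only that arithmetic is
modelled, not the dictionary, repetition or similarity checks.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PwqualityPolicy:
    minlen: int = 8
    dcredit: int = 0    # digits
    ucredit: int = 0    # upper-case letters
    lcredit: int = 0    # lower-case letters
    ocredit: int = 0    # other characters


CLASSES = {
    "dcredit": str.isdigit,
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "ocredit": lambda ch: not ch.isalnum(),
}


def check_password(password: str, policy: PwqualityPolicy) -> List[str]:
    """Return the violated requirements; an empty list means the password is accepted."""
    failures: List[str] = []
    effective_len = len(password)
    for name, predicate in CLASSES.items():
        credit = getattr(policy, name)
        count = sum(1 for ch in password if predicate(ch))
        if credit < 0:
            if count < -credit:
                failures.append(f"{name}: needs at least {-credit}, has {count}")
        else:
            effective_len += min(count, credit)   # a bonus only; nothing is required
    if effective_len < policy.minlen:
        failures.append(f"minlen: effective length {effective_len} < {policy.minlen}")
    return failures


# Constructed policies: positive credits versus the values that require one of each class.
POSITIVE_CREDITS = PwqualityPolicy(minlen=8, dcredit=1, ucredit=1, lcredit=1, ocredit=1)
REQUIRE_ONE_EACH = PwqualityPolicy(minlen=8, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1)


def compare(password: str) -> Dict[str, bool]:
    """True means the password is accepted under that policy."""
    return {
        "positive_credits": not check_password(password, POSITIVE_CREDITS),
        "require_one_each": not check_password(password, REQUIRE_ONE_EACH),
    }


if __name__ == "__main__":
    # 'abcdefg' has 7 characters yet passes minlen=8 under positive credits (7 + 1 lower-case bonus).
    for pw in ("abcdefgh", "abcdefg", "Abcdef1!"):
        print(pw, compare(pw))
```

The all-lower-case passwords are the telling case: under positive credits they are accepted, and a seven-character one even satisfies minlen=8 through the bonus, whereas the negative-credit policy rejects them for the missing classes. On a host the setting can be exercised directly with `pwscore`, which reads /etc/security/pwquality.conf.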

26. Configure a password history limit of 5 in /etc/pam.d/password-auth and /etc/pam.d/system-auth and enforce it for root

Task content

[root@localhost ansible]# cat roles/pam_auth/tasks/remember.yml
- name: system-auth文件中配置口令重复次数限制为5并限制到root
  lineinfile:
    path: /etc/pam.d/system-auth
    insertafter: '^password\s+requisite\s+pam_pwquality.so'
    line: 'password   required     pam_pwhistory.so use_authtok remember=5 enforce_for_root'
    backup: yes
  ignore_errors: yes
- name: password-auth文件中配置口令重复次数限制为5并限制到root
  lineinfile:
    path: /etc/pam.d/password-auth
    insertafter: '^password\s+requisite\s+pam_pwquality.so'
    line: 'password   required     pam_pwhistory.so use_authtok remember=5 enforce_for_root'
    backup: yes
  ignore_errors: yes
- name: system-auth文件中password   sufficient   pam_unix.so行配置口令重复次数限制为5
  lineinfile:
    path: /etc/pam.d/system-auth
    regexp: '^password\s+sufficient'
    line: 'password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5'
    backup: yes
  ignore_errors: yes
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=remember pam_auth.yml

Configuration check

# Check the authentication configuration in /etc/pam.d/password-auth and /etc/pam.d/system-auth
ansible-playbook -i inventory/ -e operation=check pam_auth.yml
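The PAM tasks in 21, 24 and 26 all rely on lineinfile placing a line at a particular point in the stack, and lineinfile appends at the end of the file whenever its regexp (or insertafter pattern) matches nothing. In a PAM stack that is the wrong place: pam_faillock.so preauth must run before pam_unix.so, pam_pwhistory.so must precede pam_unix.so in the password stack, and pam_wheel.so in /etc/pam.d/su must come before the `auth include system-auth` line, whose sufficient pam_unix.so would otherwise end the stack before pam_wheel.so is consulted. The parser and order checks below are an added example, not part of the post or its roles; the service files are constructed, and the "appended" variants show the layout such a miss produces.

```python
"""Order checks for PAM service files written with lineinfile.

Added example, not part of the original post or its pam_auth/pam_su roles. It
parses a PAM service file and reports whether pam_faillock, pam_pwhistory and
pam_wheel sit where pam_faillock(8), pam_pwhistory(8) and pam_wheel(8) need them.
All sample files are constructed.
"""
from typing import Dict, List, NamedTuple, Optional


class PamLine(NamedTuple):
    kind: str       # auth, account, password, session
    control: str    # required, requisite, sufficient, include, [default=die], ...
    module: str     # pam_unix.so, or the included file name for include/substack
    args: List[str]


def parse_pam(text: str) -> List[PamLine]:
    """Parse 'type control module args' lines; bracketed controls may contain spaces."""
    stack: List[PamLine] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lstrip("-")   # a leading '-' marks an optional module
        if not line:
            continue
        parts = line.split()
        if parts[1].startswith("["):
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        stack.append(PamLine(parts[0], control, rest[0], rest[1:]))
    return stack


def first_index(stack: List[PamLine], kind: str, module: str, arg: Optional[str] = None) -> Optional[int]:
    """Index of the first line of the given type and module (optionally carrying arg), else None."""
    for i, entry in enumerate(stack):
        if entry.kind == kind and entry.module == module and (arg is None or arg in entry.args):
            return i
    return None


def precedes(stack: List[PamLine], kind: str, first: str, second: str, first_arg: Optional[str] = None) -> bool:
    """True only if both modules are present in that stack type and `first` comes first."""
    a, b = first_index(stack, kind, first, first_arg), first_index(stack, kind, second)
    return a is not None and b is not None and a < b


def audit_system_auth(text: str) -> Dict[str, bool]:
    stack = parse_pam(text)
    authfail, unix = first_index(stack, "auth", "pam_faillock.so", "authfail"), first_index(stack, "auth", "pam_unix.so")
    return {
        "faillock_preauth_before_unix": precedes(stack, "auth", "pam_faillock.so", "pam_unix.so", "preauth"),
        "faillock_authfail_after_unix": authfail is not None and unix is not None and authfail > unix,
        "pwhistory_before_unix": precedes(stack, "password", "pam_pwhistory.so", "pam_unix.so"),
    }


def audit_su(text: str) -> bool:
    """pam_wheel.so can only deny if it runs before the included system-auth stack."""
    return precedes(parse_pam(text), "auth", "pam_wheel.so", "system-auth")


# Constructed: the order the deny.yml and remember.yml tasks intend.
SYSTEM_AUTH_OK = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
auth        sufficient    pam_unix.so try_first_pass nullok
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
auth        sufficient    pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60
auth        required      pam_deny.so
password    requisite     pam_pwquality.so minlen=8 retry=3
password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
"""
# Constructed: the result when no regexp matched and every line was appended at EOF.
SYSTEM_AUTH_APPENDED = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
password    requisite     pam_pwquality.so minlen=8 retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root
"""
SU_OK = "auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\nauth include system-auth\n"
SU_APPENDED = "auth sufficient pam_rootok.so\nauth include system-auth\nsession include system-auth\nauth required pam_wheel.so use_uid\n"

if __name__ == "__main__":
    print("intended:", audit_system_auth(SYSTEM_AUTH_OK), "su:", audit_su(SU_OK))
    print("appended:", audit_system_auth(SYSTEM_AUTH_APPENDED), "su:", audit_su(SU_APPENDED))
```

A check of this kind belongs in the role's check.yml: a lineinfile task that reports `changed` says only that a line now exists somewhere in the file, not that PAM will evaluate it before the module it is supposed to gate.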

27. Set the shell of system accounts to /bin/false and lock them

Task content

[root@localhost ansible]# cat roles/lock_user/tasks/config.yml
- name: 设置lp|sync|halt|operator|games|nobody系统相关用户shell为/bin/false
  user:
    name: "{{ item }}"
    shell: /bin/false
  ignore_errors: yes
  with_items:
    - lp
    - sync
    - halt
    - operator
    - games
    - nobody
- name: 锁定lp|sync|halt|operator|games|nobody系统相关用户
  shell: /sbin/usermod -L {{ item }}
  ignore_errors: yes
  with_items:
    - lp
    - sync
    - halt
    - operator
    - games
    - nobody
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=config lock_user.yml

Configuration check

# Check the shell settings and lock status of the system accounts
ansible-playbook -i inventory/ -e operation=check lock_user.yml
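Because the tasks above run with ignore_errors, a failed usermod or a missing account passes silently, so the check step should read the resulting state back rather than trust the play recap. The Python audit below is an added example and not the role's check.yml, which the post does not show; it reads text in the passwd(5) and shadow(5) field layout (constructed samples below, with placeholder hash strings) and reports, per account, whether the shell is non-interactive and whether the password field is locked. usermod -L locks by prefixing the hash with `!`; `*` and `!!` likewise cannot match any password, while an empty field means no password at all and is reported as not locked.

```python
"""Audit of system accounts: non-login shell and locked password.

Added example, not part of the original post or its lock_user role. It reads
/etc/passwd- and /etc/shadow-formatted text and reports, for each account of
interest, whether the login shell is non-interactive and whether the password
field is locked. The samples are constructed; the hashes are placeholders.
"""
from typing import Dict, List, NamedTuple

SYSTEM_ACCOUNTS = ["lp", "sync", "halt", "operator", "games", "nobody"]
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample in passwd(5) layout: name:x:uid:gid:gecos:home:shell
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
halt:x:7:0:halt:/sbin:/bin/false
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/false
nobody:x:65534:65534:Kernel Overflow User:/:/bin/false
"""
# Constructed sample in shadow(5) layout; PLACEHOLDER stands in for a real hash.
SHADOW_SAMPLE = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19900:0:99999:7:::
lp:!*:19900:0:99999:7:::
sync:*:19900:0:99999:7:::
halt:!!:19900:0:99999:7:::
operator:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19900:0:99999:7:::
games:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19900:0:99999:7:::
nobody::19900:0:99999:7:::
"""


class AccountState(NamedTuple):
    shell: str
    shell_ok: bool   # shell is one of NOLOGIN_SHELLS
    locked: bool     # password field cannot match any password


def _records(text: str) -> Dict[str, List[str]]:
    """Map account name -> list of colon-separated fields."""
    return {f[0]: f for f in (line.split(":") for line in text.splitlines() if line.strip())}


def is_locked(pw_field: str) -> bool:
    """'!'-prefixed (usermod -L, or '!!' never set) and '*' are locked; an empty field is not."""
    return pw_field.startswith("!") or pw_field == "*"


def audit_accounts(passwd_text: str = PASSWD_SAMPLE, shadow_text: str = SHADOW_SAMPLE,
                   accounts: List[str] = SYSTEM_ACCOUNTS) -> Dict[str, AccountState]:
    passwd, shadow = _records(passwd_text), _records(shadow_text)
    states: Dict[str, AccountState] = {}
    for name in accounts:
        if name not in passwd:
            continue                       # account does not exist on this host
        shell = passwd[name][6]
        pw_field = shadow[name][1] if name in shadow else ""
        states[name] = AccountState(shell, shell in NOLOGIN_SHELLS, is_locked(pw_field))
    return states


def noncompliant(states: Dict[str, AccountState]) -> List[str]:
    """Accounts that still have an interactive shell or a usable password."""
    return sorted(name for name, s in states.items() if not (s.shell_ok and s.locked))


if __name__ == "__main__":
    result = audit_accounts()
    for name, state in result.items():
        print(f"{name:9} shell={state.shell:14} shell_ok={state.shell_ok} locked={state.locked}")
    print("non-compliant:", noncompliant(result))
```

In the constructed sample, sync still has /bin/sync, games keeps a usable hash and nobody has an empty password field, so all three are reported; on a real host the same logic runs over /etc/passwd and /etc/shadow, or `passwd -S <user>` gives the lock status directly.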

28. Configure the pre-login SSH warning banner

Task content

[root@localhost ansible]# cat roles/ssh/tasks/ssh_banner.yml
- name: 创建/etc/ssh_banner文件,设置ssh登录前警告Banner内容
  copy:
    content: 'Authorized users only. All activity may be monitored and reported'
    dest: /etc/ssh_banner
    mode: '0644'
    owner: bin
    group: bin
    backup: yes
  ignore_errors: yes
  tags: ssh_banner
- name: 在/etc/ssh/sshd_config配置文件中应用/etc/ssh_banner配置
  lineinfile:
    path: /etc/ssh/sshd_config
    state: present
    regexp: '^Banner\s'
    line: 'Banner /etc/ssh_banner'
    backup: yes
  ignore_errors: yes
  notify: restart sshd
  tags: ssh_ban
ner
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=ssh_banner ssh.yml --tags=ssh_banner

Configuration check

# Check the pre-login SSH warning banner
ansible-playbook -i inventory/ -e operation=check ssh.yml --tags=ssh_banner

29. Disallow remote SSH login as root

Task content

[root@localhost ansible]# cat roles/ssh/tasks/ssh_config.yml
- name: 配置禁止root用户通过SSH进行远程登录
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    backup: yes
  notify: restart sshd
  ignore_errors: yes
  tags: PermitRootLogin
- import_tasks: check.yml

Task execution

ansible-playbook -i inventory/ -e operation=ssh_config ssh.yml --tags=PermitRootLogin

Configuration check

# Check the root remote login restriction
ansible-playbook -i inventory/ -e operation=check ssh.yml --tags=PermitRootLogin
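For the two sshd_config tasks (28 and 29) the check should read the file the way sshd does. sshd_config(5) states that for each keyword the first obtained value is used, and that a Match block extends to the next Match line or to the end of the file. Two consequences for lineinfile: with a regexp, only the last matching line is replaced, so a `PermitRootLogin no` placed after an earlier `PermitRootLogin yes` is ignored; and a line appended at EOF lands inside the last Match block if the file has one. The Python check below is an added example, not part of the post or its ssh role; it reports the value sshd would apply to connections that match no Match block, does not model Include, and its sample configurations are constructed.

```python
"""Effective value of an sshd_config directive, read the way sshd reads it.

Added example, not part of the original post or its ssh role. Implements the
first-occurrence-wins rule and Match-block scoping from sshd_config(5); the
Include directive is not modelled. Sample configurations are constructed.
"""
from typing import Dict, Optional

# Constructed: the directive appears twice; the regexp form of lineinfile would
# replace the second one, yet sshd keeps the first.
SSHD_CONFIG_DUPLICATE = """\
Port 22
PermitRootLogin yes
#PermitRootLogin prohibit-password
Banner /etc/ssh_banner
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""
# Constructed: lines appended at EOF after a Match block belong to that block.
SSHD_CONFIG_APPENDED = """\
Port 22
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
Banner /etc/ssh_banner
PermitRootLogin no
"""
# Constructed: a single, effective setting.
SSHD_CONFIG_CLEAN = """\
Port 22
#PermitRootLogin prohibit-password
Banner /etc/ssh_banner
PermitRootLogin no
"""


def _directives(config_text: str):
    """Yield (lower-cased keyword, value, inside_match) for each non-comment line."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # only whole-line comments are comments to sshd
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if "=" in key:                             # 'Keyword=value' spelling
            key, _, rest = key.partition("=")
            value = (rest + " " + value).strip()
        if value.startswith("="):                  # 'Keyword = value' spelling
            value = value[1:].strip()
        key = key.lower()
        if key == "match":
            in_match = True                        # conditional until the next Match or EOF
            continue
        yield key, value, in_match


def effective_global(config_text: str) -> Dict[str, str]:
    """Keyword -> the value sshd applies to connections that match no Match block."""
    values: Dict[str, str] = {}
    for key, value, in_match in _directives(config_text):
        if not in_match:
            values.setdefault(key, value)          # first occurrence wins; later ones are dead
    return values


def duplicates(config_text: str) -> Dict[str, int]:
    """Global keywords set more than once: a sign the file was edited by appending."""
    counts: Dict[str, int] = {}
    for key, _, in_match in _directives(config_text):
        if not in_match:
            counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n > 1}


def root_login_permitted(config_text: str) -> Optional[bool]:
    """False only when the effective PermitRootLogin is 'no'; None when the directive is absent
    (sshd then defaults to prohibit-password, which still permits key-based root login)."""
    value = effective_global(config_text).get("permitrootlogin")
    if value is None:
        return None
    return value.lower() != "no"


if __name__ == "__main__":
    for label, cfg in (("duplicate", SSHD_CONFIG_DUPLICATE), ("appended", SSHD_CONFIG_APPENDED), ("clean", SSHD_CONFIG_CLEAN)):
        print(label, "root login permitted:", root_login_permitted(cfg),
              "banner:", effective_global(cfg).get("banner"), "duplicates:", duplicates(cfg))
```

On the host itself, `sshd -T` prints the effective configuration after parsing, which is the authoritative version of this check and also covers Include files; the role's own check.yml can grep its output instead of the file.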

Copyright notice: this article is original content by a 墨天轮 (modb.pro) user. When reposting, the source (墨天轮), the article link and the author must be credited; otherwise the author and 墨天轮 reserve the right to pursue liability. If you find plagiarised or infringing content on 墨天轮, send an e-mail to contact@modb.pro with the relevant evidence; once verified, 墨天轮 will remove the content immediately.
