前言:html
本文記錄了生產環境新增用戶、修改密碼、用戶提權、用戶資源限制修改、開啓命令審計等操做。git
環境說明:github
| 主機名 | 操做系統版本 | ip | ansible version | 備註 |
|---|---|---|---|---|
| ansible-awx | Centos 7.6.1810 | 172.27.9.131 | 2.9.9 | ansible管理服務器 |
| master01/02/03 ... | Centos 7.6.1810 | 172.27.9.28/29/35/36/37/161/162/163/85 | / | 被管服務器 |
1、加密hosts
1.查看hosts列表
[root@ansible-awx ~]# more /etc/ansible/hosts
[test01]
test28 ansible_host=172.27.34.28
test29 ansible_host=172.27.34.29
test35 ansible_host=172.27.34.35
test36 ansible_host=172.27.34.36
test37 ansible_host=172.27.34.37
test161 ansible_host=172.27.34.161
test162 ansible_host=172.27.34.162
test163 ansible_host=172.27.34.163
[test02]
test85 ansible_host=172.27.34.85
[test:children]
test01
test02
[test:vars]
ansible_ssh_user=root
ansible_ssh_pass=monitor123!
2.對hosts列表加密
[root@ansible-awx ~]# cd /etc/ansible/
[root@ansible-awx ansible]# ansible-vault encrypt --vault-id test@prompt hosts
由於hosts包含密碼信息,爲保證安全,需對文件加密,這裏以交互方式輸入密碼,對hosts加密,其中test爲標記信息。加密後直接查看hosts文件顯示亂碼信息,可使用'ansible-vault view'輸入密碼查看。
web
將密碼寫進hosts文件的優點是不須要在被管服務器上作任何配置(不須要接收配置互信文件)。shell
2、新增用戶
1.查看並執行新增用戶yaml文件
[root@ansible-awx ansible]# more product/user_add.yaml
#新增用戶,用戶名和密碼經過手動輸入方式肯定,組同用戶名。
---
- hosts: "{{ hostlist }}"
remote_user: root
gather_facts: no
vars_prompt:
- name: "user_name"
prompt: "Enter user name"
private: no
- name: "user_password"
prompt: "Enter user password"
encrypt: "sha512_crypt"
confirm: yes
tasks:
- name: create user
user:
name: "{{user_name}}"
password: "{{user_password}}"
[root@ansible-awx ansible]# cd product/
[root@ansible-awx product]# ansible-playbook --vault-id prompt user_add.yaml -e hostlist=test
Vault password (default):
Enter user name: monitor
Enter user password:
confirm Enter user password:
***** VALUES ENTERED DO NOT MATCH ****
Enter user password:
confirm Enter user password:
PLAY [test] ******************************************************************************************************************************************************************************
TASK [create user] ***********************************************************************************************************************************************************************
changed: [test37]
changed: [test35]
changed: [test36]
changed: [test29]
changed: [test28]
changed: [test161]
changed: [test162]
changed: [test163]
changed: [test85]
PLAY RECAP *******************************************************************************************************************************************************************************
test161 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test162 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test163 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test28 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test29 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test35 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test36 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test37 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test85 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
以交互方式輸入用戶名和密碼信息,其中密碼不直接顯示在終端而且須要二次確認;執行yaml文件前需以交互方式輸入host文件密碼;yaml文件中的hosts以參數方式傳入,執行的時候經過'-e hostlist=test'指定。
安全
新增用戶組同用戶名,默認家目錄爲/home/usernamebash
2.驗證執行結果
[root@ansible-awx product]# ansible -m shell -a 'id monitor' --vault-id prompt all
各主機新增了monitor,且組同用戶名。
服務器
3、用戶提權
因爲安全的緣由,禁用root用戶直接登陸,同時對monitor用戶提權,以獲取root權限。微信
1.查看提權文件並執行
[root@ansible-awx product]# more sudo_PermitRootLogin.yaml
#monitor用戶提權並禁用root用戶直接登陸
---
- hosts: "{{ hostlist }}"
remote_user: root
gather_facts: no
tasks:
- name: sudo monitor
lineinfile:
path: /etc/sudoers
regexp: 'monitor'
insertafter: 'root.*ALL=\(ALL\).*ALL'
line: 'monitor ALL=(ALL) ALL'
backup: yes
register: sudo_monitor
tags: sudo
- name: PermitRootLogin
replace:
path: /etc/ssh/sshd_config
regexp: '^#PermitRootLogin.*yes.*'
replace: 'PermitRootLogin no'
backup: yes
register: root_login
notify:
restart sshd
tags: login
- name: debug file
debug:
var: sudo_monitor
handlers:
- name: restart sshd
service:
name=sshd
state=restarted
[root@ansible-awx product]# ansible-playbook --vault-id prompt sudo_PermitRootLogin.yaml -e hostlist=test
Vault password (default):
sudo_PermitRootLogin.yaml做用:1.將monitor用戶加入到/etc/sudoers文件指定行'root ALL=(ALL) ALL'下面以實現提權;2.禁用root直接登陸運維
2.驗證執行結果
因爲root已經禁止直接登陸,再用以前的hosts文件會報錯,故新建hosts文件monitor
2.1新建monitor主機列表
[root@ansible-awx ansible]# more monitor
[test01]
test28 ansible_host=172.27.34.28
test29 ansible_host=172.27.34.29
test35 ansible_host=172.27.34.35
test36 ansible_host=172.27.34.36
test37 ansible_host=172.27.34.37
test161 ansible_host=172.27.34.161
test162 ansible_host=172.27.34.162
test163 ansible_host=172.27.34.163
[test02]
test85 ansible_host=172.27.34.85
[monitor:children]
test01
test02
[monitor:vars]
ansible_ssh_user=monitor
ansible_ssh_pass=monitor
ansible_become=true
ansible_become_method=sudo
ansible_become_user=root
ansible_sudo_pass=monitor
主機列表monitor與hosts主要差異是新增提權項,使monitor擁有root權限執行任務。
2.2加密monitor
[root@ansible-awx ansible]# ansible-vault encrypt --vault-id monitor@prompt monitor
2.3修改ansible.cfg默認配置
inventory = /etc/ansible/monitor
修改配置文件ansible.cfg,將默認主機列表修改成monitor
2.4驗證提權執行結果
[root@ansible-awx ansible]# ansible -m shell -a "more /etc/ssh/sshd_config |grep 'PermitRootLogin no';more /etc/sudoers|grep monitor" --vault-id prompt monitor
Vault password (default):
test28 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test37 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test29 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test36 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test35 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test163 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test162 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test85 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test161 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
/etc/sudoers新增'monitor ALL=(ALL) ALL';/etc/ssh/sshd_config將'#PermitRootLogin yes'修改成'PermitRootLogin no'。
4、修改密碼
1.查看並執行密碼修改文件
[root@ansible-awx product]# more user_pass_change.yaml
#修改用戶密碼,用戶名和密碼經過手動輸入方式肯定
---
- hosts: "{{ hostlist }}"
remote_user: monitor
gather_facts: no
vars_prompt:
- name: "user_name"
prompt: "Enter user name"
private: no
- name: "user_password"
prompt: "Enter user password"
encrypt: "sha512_crypt"
confirm: yes
tasks:
- name: pass user
user:
name: "{{user_name}}"
password: "{{user_password}}"
update_password: always
[root@ansible-awx product]# ansible-playbook user_pass_change.yaml -e hostlist=monitor --vault-id prompt
Vault password (default):
Enter user name: root
Enter user password:
confirm Enter user password:
經過交互方式修改用戶密碼,密碼不在控制檯顯示且需二次確認。
2.驗證密碼
因爲修改的是root密碼,以前已設置root不能直接登陸,因此這裏沒法經過ansible管理服務器驗證,須要手動登陸服務器進行驗證。
5、資源限制配置文件修改
某些應用對用戶的資源使用限制有要求,好比最大打開文件數、進程最大數等。
1.查看並執行修改用戶資源限制文件
[root@ansible-awx product]# more user_limits_modify.yaml
#monitor用戶打開最大文件數修改
---
- hosts: "{{ hostlist }}"
remote_user: monitor
gather_facts: no
tasks:
- name: monitor limits
lineinfile:
path: /etc/security/limits.conf
regexp: "{{item.0}}"
line: "{{item.1}}"
with_together:
-
- monitor.*soft.*nproc
- monitor.*hard.*nproc
- monitor.*soft.*nofile
- monitor.*hard.*nofile
-
- monitor soft nproc 16384
- monitor hard nproc 16384
- monitor soft nofile 65536
- monitor hard nofile 65536
register: modify
tags: modify
- name: debug file
debug:
var: modify
[root@ansible-awx product]# ansible-playbook user_limits_modify.yaml -e hostlist=monitor --vault-id prompt
Vault password (default):
執行結果內容不少,截圖省略了中間部份內容。
該文件主要做用爲修改monitor用戶資源使用限制。
2.執行結果驗證
[root@ansible-awx product]# ansible -m shell -a " more /etc/security/limits.conf |grep monitor" --vault-id prompt monitor
在limits.conf文件末尾新增內容:
monitor soft nproc 16384
monitor hard nproc 16384
monitor soft nofile 65536
monitor hard nofile 65536
6、開啓命令審計
記錄執行命令的時間、登錄用戶、執行的返回碼、執行目錄、終端鏈接的ip等在生產故障時能夠幫助咱們排障。
1.查看並執行命令審計文件
[root@ansible-awx product]# more shell_audit.yaml
#開啓命令審計
---
- hosts: "{{ hostlist }}"
remote_user: monitor
gather_facts: no
tasks:
- name: make director audit
file:
path: /var/log/shell_audit
state: directory
register: director_create
- name: make file log
file:
path: /var/log/shell_audit/audit.log
state: touch
owner: nobody
group: nobody
mode: 002
attributes: +a
register: file_create
tags: file
- name: modify profile
lineinfile:
path: /etc/profile
regexp: "{{item.0}}"
line: "{{item.1}}"
with_together:
-
- HISTSIZE=
- HISTTIMEFORMAT=
- HISTORY_FILE=
- PROMPT_COMMAND=
-
- HISTSIZE=2048
- export HISTTIMEFORMAT="[%Y/%m/%d %T] "
- export HISTORY_FILE=/var/log/shell_audit/audit.log
- export PROMPT_COMMAND='{ code=$?;thisHistID=`history 1|awk "{print \\$1}"`;lastCommand=`history 1| awk "{\\$1=\"\" ;print}"`;user=`id -un`;whoStr=(`who -u am i`);realUser=${whoSt
r[0]};logDay=${whoStr[2]};logTime=${whoStr[3]};pid=${whoStr[5]};ip=${whoStr[6]};if [ ${thisHistID}x != ${lastHistID}x ];then echo -E $user\($realUser\)@$ip [PID:$pid] [LOGIN:$logDay $log
Time] --- [$PWD]$lastCommand [$code] [`date "+%Y/%m/%d %H:%M:%S"`];lastHistID=$thisHistID;fi; } >> $HISTORY_FILE'
register: modify
tags: modify
- name: debug file
debug:
var: modify
[root@ansible-awx product]# ansible-playbook shell_audit.yaml -e hostlist=monitor --vault-id prompt
Vault password (default):
shell_audit.yaml主要做用爲:新建審計文件並設置相關權限只能被追加不能被刪除或修改;修改/etc/profile文件,設定日誌格式。
2.驗證執行結果
[root@ansible-awx product]# ansible -m shell -a "tail -n10 /var/log/shell_audit/audit.log" --vault-id prompt test02
Vault password (default):
test85 | CHANGED | rc=0 >>
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:42:01] df -h [0] [2020/07/13 09:42:01]
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:42:02] more /var/log/shell_audit/audit.log [0] [2020/07/13 09:42:02]
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:47:37] cat /etc/passwd [0] [2020/07/13 09:47:37]
monitor(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/home/monitor] [2020/07/13 09:47:40] su - root [0] [2020/07/13 09:47:40]
monitor(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/home/monitor] [2020/07/13 09:47:42] df -h [0] [2020/07/13 09:47:42]
monitor(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/home/monitor] [2020/07/13 09:47:42] pwd [0] [2020/07/13 09:47:42]
monitor(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/home/monitor] [2020/07/13 09:47:44] ls -alrt [0] [2020/07/13 09:47:44]
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:47:40] su - monitor [0] [2020/07/13 09:49:22]
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:49:26] id [0] [2020/07/13 09:49:26]
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:49:37] whoami [0] [2020/07/13 09:49:37]
以第一條結果對審計格式說明以下:
| 條目 | 說明 |
|---|---|
| root(monitor)@(172.27.9.246) | 登錄的ip爲172.27.9.246,用戶爲root(經過monitor跳轉) |
| [PID:6410] | 登錄的pid |
| [LOGIN:2020-07-13 09:37] | 用戶登錄的時間 |
| [/root] | 執行命令的目錄 |
| [2020/07/13 09:42:01] | 命令執行的開始時間 |
| df -h | 執行的具體命令 |
| [0] | 命令執行的返回碼 |
| [2020/07/13 09:42:01] | 命令執行的完成時間 |
本文全部腳本和配置文件已上傳github,單擊‘閱讀原文’查看
更多ansible系列文章:https://blog.51cto.com/3241766/category17.html
本文分享自微信公衆號 - Linux運維實踐(gh_11cec8ef4c61)。
若有侵權,請聯繫 support@oschina.cn 刪除。
本文參與「OSC源創計劃」,歡迎正在閱讀的你也加入,一塊兒分享。