Content summary: This 风哥教程 tutorial draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and describes in detail how to configure and use the technologies involved.
风哥's note:
This document describes how to automate security configuration with Ansible.
Part01 - System Security Hardening
1.1 Security Hardening Playbook
[root@ansible ~]# cat > /fglinux/ansible/playbooks/security_hardening.yml << 'EOF'
---
- name: System security hardening
  hosts: all
  become: yes
  vars:
    # Lock-out warning: with PermitRootLogin no and PasswordAuthentication no,
    # the control node must already log in as a non-root sudo user with an SSH
    # key; otherwise the "Restart SSHD" handler cuts off your own access.
    ssh_config:
      PermitRootLogin: "no"
      PasswordAuthentication: "no"
      PubkeyAuthentication: "yes"
      PermitEmptyPasswords: "no"
      X11Forwarding: "no"
      MaxAuthTries: 3
      ClientAliveInterval: 300
      ClientAliveCountMax: 2
      LoginGraceTime: 60
      # "Protocol 2" is intentionally absent: OpenSSH 7.6+ (RHEL 8/9) only
      # speaks protocol 2 and logs the option as deprecated.
    disable_services:
      - telnet
      - rsh
      - rlogin
      - vsftpd
    # fail2ban, rkhunter and clamav are EPEL packages: enable EPEL first.
    secure_packages:
      - fail2ban
      - rkhunter
      - clamav
  tasks:
    # RHEL 9's sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf"
    # and sshd keeps the FIRST value it reads, so a drop-in there overrides
    # anything written lower in sshd_config. Always verify the effective
    # result with: sshd -T | grep -i permitrootlogin
    - name: Configure SSH security parameters
      lineinfile:
        path: /etc/ssh/sshd_config
        # trailing \s keeps a keyword from matching a longer keyword
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        state: present
        backup: yes
        # refuse to write a file sshd cannot parse; the handler would
        # otherwise restart sshd into a broken state
        validate: /usr/sbin/sshd -t -f %s
      loop: "{{ ssh_config | dict2items }}"
      notify: Restart SSHD

    - name: Disable insecure services
      service:
        name: "{{ item }}"
        state: stopped
        enabled: no
      loop: "{{ disable_services }}"
      # the module fails for units that are not installed; keep going
      ignore_errors: yes

    - name: Install security packages
      dnf:
        name: "{{ secure_packages }}"
        state: present

    - name: Configure fail2ban
      copy:
        content: |
          [sshd]
          enabled = true
          port = ssh
          filter = sshd
          # rsyslog writes sshd auth events here on RHEL; if the EPEL
          # fail2ban-systemd subpackage is installed (backend = systemd)
          # the journal is read directly and logpath is not used
          logpath = /var/log/secure
          maxretry = 3
          findtime = 600
          bantime = 3600
        dest: /etc/fail2ban/jail.d/sshd.local
        mode: '0644'
      notify: Restart fail2ban

    # login.defs only applies to accounts created afterwards; existing users
    # need "chage -M 90 -m 7 -W 14 <user>". PASS_MIN_LEN is overridden by
    # minlen in pwquality.conf, which is what PAM actually enforces.
    - name: Configure password policy
      lineinfile:
        path: /etc/login.defs
        regexp: "^{{ item.key }}"
        line: "{{ item.key }} {{ item.value }}"
        state: present
      loop:
        - { key: 'PASS_MAX_DAYS', value: '90' }
        - { key: 'PASS_MIN_DAYS', value: '7' }
        - { key: 'PASS_MIN_LEN', value: '12' }
        - { key: 'PASS_WARN_AGE', value: '14' }

    - name: Configure password complexity
      lineinfile:
        path: /etc/security/pwquality.conf
        # the shipped file comments options as "# minlen = 8"
        regexp: '^#?\s*{{ item.key }}\s*='
        line: "{{ item.key }} = {{ item.value }}"
        state: present
      loop:
        - { key: 'minlen', value: '12' }
        - { key: 'minclass', value: '4' }
        # a negative credit means at least one character of that class is required
        - { key: 'dcredit', value: '-1' }
        - { key: 'ucredit', value: '-1' }
        - { key: 'lcredit', value: '-1' }
        - { key: 'ocredit', value: '-1' }

    # pam_faillock on RHEL 8+ reads /etc/security/faillock.conf. Appending
    # "auth ... pam_faillock.so" lines to /etc/pam.d/password-auth with
    # lineinfile does not work: that file is generated by authselect, and
    # lines added at the end sit after pam_deny.so and are never reached.
    - name: Configure account lockout policy
      lineinfile:
        path: /etc/security/faillock.conf
        regexp: '^#?\s*{{ item.key }}\b'
        line: "{{ item.line }}"
        state: present
      loop:
        - { key: 'deny', line: 'deny = 3' }
        - { key: 'unlock_time', line: 'unlock_time = 900' }
        - { key: 'audit', line: 'audit' }

    - name: Read the current authselect profile
      command: authselect current
      register: authselect_current
      changed_when: false
      failed_when: false   # non-zero only when no profile has been selected yet

    - name: Enable pam_faillock in the authselect profile
      command: authselect enable-feature with-faillock
      when: "'with-faillock' not in authselect_current.stdout"

    - name: Set file permissions
      file:
        path: "{{ item.path }}"
        mode: "{{ item.mode }}"
        owner: root
        group: root
      loop:
        - { path: '/etc/passwd', mode: '0644' }
        - { path: '/etc/shadow', mode: '0000' }
        - { path: '/etc/group', mode: '0644' }
        - { path: '/etc/gshadow', mode: '0000' }

    - name: Configure audit rules
      lineinfile:
        path: /etc/audit/rules.d/audit.rules
        line: "{{ item }}"
        state: present
      loop:
        - "-w /etc/passwd -p wa -k identity"
        - "-w /etc/shadow -p wa -k identity"
        - "-w /etc/sudoers -p wa -k sudoers"
        - "-w /var/log/secure -p wa -k logins"
      notify: Restart auditd

    - name: Start security services
      service:
        name: "{{ item }}"
        state: started
        enabled: yes
      loop:
        - fail2ban
        - auditd

  handlers:
    - name: Restart SSHD
      service:
        name: sshd
        state: restarted

    - name: Restart fail2ban
      service:
        name: fail2ban
        state: restarted

    # systemctl refuses to restart auditd (RefuseManualStop=yes), so the
    # service module cannot be used here. "service auditd restart" is the
    # supported path; "augenrules --load" reloads rules.d without a restart.
    - name: Restart auditd
      command: service auditd restart
EOF

# Run the security hardening
[root@ansible ~]# ansible-playbook /fglinux/ansible/playbooks/security_hardening.yml

PLAY [System security hardening] **********************************************************
TASK [Gathering Facts] ******************************************************
ok: [web1.fgedu.net.cn]
TASK [Configure SSH security parameters] ******************************************************
changed: [web1.fgedu.net.cn] => (item={'key': 'PermitRootLogin', 'value': 'no'})
changed: [web1.fgedu.net.cn] => (item={'key': 'PasswordAuthentication', 'value': 'no'})
…
TASK [Disable insecure services] ********************************************************
ok: [web1.fgedu.net.cn] => (item=telnet)
ok: [web1.fgedu.net.cn] => (item=rsh)
…
TASK [Install security packages] ********************************************************
changed: [web1.fgedu.net.cn]
TASK [Configure fail2ban] *********************************************************
changed: [web1.fgedu.net.cn]
TASK [Configure password policy] **********************************************************
changed: [web1.fgedu.net.cn] => (item={'key': 'PASS_MAX_DAYS', 'value': '90'})
…
TASK [Configure password complexity] ********************************************************
changed: [web1.fgedu.net.cn] => (item={'key': 'minlen', 'value': '12'})
…
TASK [Configure account lockout policy] ******************************************************
changed: [web1.fgedu.net.cn] => (item={'key': 'deny', 'line': 'deny = 3'})
…
TASK [Set file permissions] **********************************************************
changed: [web1.fgedu.net.cn] => (item={'path': '/etc/passwd', 'mode': '0644'})
…
TASK [Configure audit rules] **********************************************************
changed: [web1.fgedu.net.cn] => (item=-w /etc/passwd -p wa -k identity)
…
TASK [Start security services] **********************************************************
changed: [web1.fgedu.net.cn] => (item=fail2ban)
ok: [web1.fgedu.net.cn] => (item=auditd)
RUNNING HANDLER [Restart SSHD] **********************************************
changed: [web1.fgedu.net.cn]
RUNNING HANDLER [Restart fail2ban] ******************************************
changed: [web1.fgedu.net.cn]
RUNNING HANDLER [Restart auditd] ********************************************
changed: [web1.fgedu.net.cn]
PLAY RECAP ******************************************************************
web1.fgedu.net.cn : ok=14 changed=11 unreachable=0 failed=0
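The SSH task above edits /etc/ssh/sshd_config with lineinfile, but on RHEL 9 that file starts with "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the first value it reads, so a directive that ends up appended at the bottom of sshd_config loses to any drop-in the Include pulled in. The script below is an added example, not code from the tutorial: it models sshd's resolution rules (read top to bottom, expand Include globs in sorted order, first occurrence wins; Match blocks are not modelled) and runs them over a constructed stand-in for /etc/ssh. The file names 01-permitrootlogin.conf and 00-hardening.conf and the directory layout are part of the constructed demo, not taken from the page.

```sh
#!/bin/sh
# Added example (not from the original tutorial): a model of how sshd resolves
# its configuration, showing why a line appended to the END of sshd_config can
# be overridden by a drop-in and why the result must be checked with sshd -T.
set -u

# resolve_sshd_option CONFIG KEYWORD
# Prints the effective value of KEYWORD and returns 0, or returns 1 when the
# global section never sets it. Rules modelled from sshd_config(5): read top
# to bottom, expand "Include" globs in place in sorted order, first occurrence
# wins; a "Match" line ends the global section.
resolve_sshd_option() {
    local cfg="$1" want k v kl f r
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while read -r k v; do
        kl=$(printf '%s' "$k" | tr 'A-Z' 'a-z')
        case "$kl" in
            ''|'#'*) continue ;;                 # blank line or comment
            match)   return 1 ;;                 # end of the global section
            include)
                for f in $v; do                  # unquoted: glob expands, sorted
                    [ -f "$f" ] || continue
                    if r=$(resolve_sshd_option "$f" "$want"); then
                        printf '%s\n' "$r"
                        return 0
                    fi
                done ;;
            "$want") printf '%s\n' "$v"; return 0 ;;
        esac
    done < "$cfg"
    return 1
}

# build_demo_tree DIR: constructed stand-in for /etc/ssh after the playbook
# ran on a RHEL 9 style host. No "#?PermitRootLogin" line matched lineinfile's
# regexp, so the directive was appended at the end, while an installer-written
# drop-in (constructed here) already sets the opposite value.
build_demo_tree() {
    rm -rf "$1/sshd_config.d"
    mkdir -p "$1/sshd_config.d"
    cat > "$1/sshd_config" <<EOF
Include $1/sshd_config.d/*.conf
# PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin no
EOF
    printf 'PermitRootLogin yes\n' > "$1/sshd_config.d/01-permitrootlogin.conf"
}

# What the appended line achieves: nothing, the drop-in was read first.
effective_after_lineinfile() {
    build_demo_tree "$1"
    resolve_sshd_option "$1/sshd_config" PermitRootLogin
}

# The fix: ship the hardening as a drop-in whose name sorts before the
# installer's file, so it is the first occurrence sshd sees.
effective_after_dropin() {
    build_demo_tree "$1"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' \
        > "$1/sshd_config.d/00-hardening.conf"
    resolve_sshd_option "$1/sshd_config" PermitRootLogin
}

main() {
    d=$(mktemp -d)
    printf 'PermitRootLogin appended to sshd_config -> effective: %s\n' \
        "$(effective_after_lineinfile "$d")"
    printf 'PermitRootLogin in 00-hardening.conf     -> effective: %s\n' \
        "$(effective_after_dropin "$d")"
    rm -rf "$d"
}
main "$@"
```

On a real host the authoritative check is `sshd -T | grep -i permitrootlogin`, which prints the value sshd will actually apply after all Includes; the drop-in approach (a low-numbered file in /etc/ssh/sshd_config.d/) is also easier to manage with Ansible's copy or template module than editing sshd_config in place.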
- Apply security patches regularly
- Deploy an intrusion detection system
- Implement log auditing
- Configure firewall rules
- Run security scans regularly
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
