前言:html
本文记录了生产环境新增用户、修改密码、用户提权、用户资源限制修改、开启命令审计等操做。git
环境说明:github
| 主机名 | 操做系统版本 | ip | ansible version | 备注 |
|---|---|---|---|---|
| ansible-awx | Centos 7.6.1810 | 172.27.9.131 | 2.9.9 | ansible管理服务器 |
| master01/02/03 ... | Centos 7.6.1810 | 172.27.9.28/29/35/36/37/161/162/163/85 | / | 被管服务器 |
1、加密hosts
1.查看hosts列表
[root@ansible-awx ~]# more /etc/ansible/hosts
[test01]
test28 ansible_host=172.27.34.28
test29 ansible_host=172.27.34.29
test35 ansible_host=172.27.34.35
test36 ansible_host=172.27.34.36
test37 ansible_host=172.27.34.37
test161 ansible_host=172.27.34.161
test162 ansible_host=172.27.34.162
test163 ansible_host=172.27.34.163
[test02]
test85 ansible_host=172.27.34.85
[test:children]
test01
test02
[test:vars]
ansible_ssh_user=root
ansible_ssh_pass=monitor123!
2.对hosts列表加密
[root@ansible-awx ~]# cd /etc/ansible/
[root@ansible-awx ansible]# ansible-vault encrypt --vault-id test@prompt hosts
由于hosts包含密码信息,为保证安全,需对文件加密,这里以交互方式输入密码,对hosts加密,其中test为标记信息。加密后直接查看hosts文件显示乱码信息,可使用'ansible-vault view'输入密码查看。
web
将密码写进hosts文件的优点是不须要在被管服务器上作任何配置(不须要接收配置互信文件)。shell
2、新增用户
1.查看并执行新增用户yaml文件
[root@ansible-awx ansible]# more product/user_add.yaml
#新增用户,用户名和密码经过手动输入方式肯定,组同用户名。
---
- hosts: "{{ hostlist }}"
remote_user: root
gather_facts: no
vars_prompt:
- name: "user_name"
prompt: "Enter user name"
private: no
- name: "user_password"
prompt: "Enter user password"
encrypt: "sha512_crypt"
confirm: yes
tasks:
- name: create user
user:
name: "{{user_name}}"
password: "{{user_password}}"
[root@ansible-awx ansible]# cd product/
[root@ansible-awx product]# ansible-playbook --vault-id prompt user_add.yaml -e hostlist=test
Vault password (default):
Enter user name: monitor
Enter user password:
confirm Enter user password:
***** VALUES ENTERED DO NOT MATCH ****
Enter user password:
confirm Enter user password:
PLAY [test] ******************************************************************************************************************************************************************************
TASK [create user] ***********************************************************************************************************************************************************************
changed: [test37]
changed: [test35]
changed: [test36]
changed: [test29]
changed: [test28]
changed: [test161]
changed: [test162]
changed: [test163]
changed: [test85]
PLAY RECAP *******************************************************************************************************************************************************************************
test161 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test162 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test163 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test28 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test29 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test35 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test36 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test37 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
test85 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
以交互方式输入用户名和密码信息,其中密码不直接显示在终端而且须要二次确认;执行yaml文件前需以交互方式输入host文件密码;yaml文件中的hosts以参数方式传入,执行的时候经过'-e hostlist=test'指定。
安全
新增用户组同用户名,默认家目录为/home/usernamebash
2.验证执行结果
[root@ansible-awx product]# ansible -m shell -a 'id monitor' --vault-id prompt all
各主机新增了monitor,且组同用户名。
服务器
3、用户提权
因为安全的缘由,禁用root用户直接登陆,同时对monitor用户提权,以获取root权限。微信
1.查看提权文件并执行
[root@ansible-awx product]# more sudo_PermitRootLogin.yaml
#monitor用户提权并禁用root用户直接登陆
---
- hosts: "{{ hostlist }}"
remote_user: root
gather_facts: no
tasks:
- name: sudo monitor
lineinfile:
path: /etc/sudoers
regexp: 'monitor'
insertafter: 'root.*ALL=\(ALL\).*ALL'
line: 'monitor ALL=(ALL) ALL'
backup: yes
register: sudo_monitor
tags: sudo
- name: PermitRootLogin
replace:
path: /etc/ssh/sshd_config
regexp: '^#PermitRootLogin.*yes.*'
replace: 'PermitRootLogin no'
backup: yes
register: root_login
notify:
restart sshd
tags: login
- name: debug file
debug:
var: sudo_monitor
handlers:
- name: restart sshd
service:
name=sshd
state=restarted
[root@ansible-awx product]# ansible-playbook --vault-id prompt sudo_PermitRootLogin.yaml -e hostlist=test
Vault password (default):
sudo_PermitRootLogin.yaml做用:1.将monitor用户加入到/etc/sudoers文件指定行'root ALL=(ALL) ALL'下面以实现提权;2.禁用root直接登陆运维
2.验证执行结果
因为root已经禁止直接登陆,再用以前的hosts文件会报错,故新建hosts文件monitor
2.1新建monitor主机列表
[root@ansible-awx ansible]# more monitor
[test01]
test28 ansible_host=172.27.34.28
test29 ansible_host=172.27.34.29
test35 ansible_host=172.27.34.35
test36 ansible_host=172.27.34.36
test37 ansible_host=172.27.34.37
test161 ansible_host=172.27.34.161
test162 ansible_host=172.27.34.162
test163 ansible_host=172.27.34.163
[test02]
test85 ansible_host=172.27.34.85
[monitor:children]
test01
test02
[monitor:vars]
ansible_ssh_user=monitor
ansible_ssh_pass=monitor
ansible_become=true
ansible_become_method=sudo
ansible_become_user=root
ansible_sudo_pass=monitor
主机列表monitor与hosts主要差异是新增提权项,使monitor拥有root权限执行任务。
2.2加密monitor
[root@ansible-awx ansible]# ansible-vault encrypt --vault-id monitor@prompt monitor
2.3修改ansible.cfg默认配置
inventory = /etc/ansible/monitor
修改配置文件ansible.cfg,将默认主机列表修改成monitor
2.4验证提权执行结果
[root@ansible-awx ansible]# ansible -m shell -a "more /etc/ssh/sshd_config |grep 'PermitRootLogin no';more /etc/sudoers|grep monitor" --vault-id prompt monitor
Vault password (default):
test28 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test37 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test29 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test36 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test35 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test163 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test162 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test85 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
test161 | CHANGED | rc=0 >>
PermitRootLogin no
monitor ALL=(ALL) ALL
/etc/sudoers新增'monitor ALL=(ALL) ALL';/etc/ssh/sshd_config将'#PermitRootLogin yes'修改成'PermitRootLogin no'。
4、修改密码
1.查看并执行密码修改文件
[root@ansible-awx product]# more user_pass_change.yaml
#修改用户密码,用户名和密码经过手动输入方式肯定
---
- hosts: "{{ hostlist }}"
remote_user: monitor
gather_facts: no
vars_prompt:
- name: "user_name"
prompt: "Enter user name"
private: no
- name: "user_password"
prompt: "Enter user password"
encrypt: "sha512_crypt"
confirm: yes
tasks:
- name: pass user
user:
name: "{{user_name}}"
password: "{{user_password}}"
update_password: always
[root@ansible-awx product]# ansible-playbook user_pass_change.yaml -e hostlist=monitor --vault-id prompt
Vault password (default):
Enter user name: root
Enter user password:
confirm Enter user password:
经过交互方式修改用户密码,密码不在控制台显示且需二次确认。
2.验证密码
因为修改的是root密码,以前已设置root不能直接登陆,因此这里没法经过ansible管理服务器验证,须要手动登陆服务器进行验证。
5、资源限制配置文件修改
某些应用对用户的资源使用限制有要求,好比最大打开文件数、进程最大数等。
1.查看并执行修改用户资源限制文件
[root@ansible-awx product]# more user_limits_modify.yaml
#monitor用户打开最大文件数修改
---
- hosts: "{{ hostlist }}"
remote_user: monitor
gather_facts: no
tasks:
- name: monitor limits
lineinfile:
path: /etc/security/limits.conf
regexp: "{{item.0}}"
line: "{{item.1}}"
with_together:
-
- monitor.*soft.*nproc
- monitor.*hard.*nproc
- monitor.*soft.*nofile
- monitor.*hard.*nofile
-
- monitor soft nproc 16384
- monitor hard nproc 16384
- monitor soft nofile 65536
- monitor hard nofile 65536
register: modify
tags: modify
- name: debug file
debug:
var: modify
[root@ansible-awx product]# ansible-playbook user_limits_modify.yaml -e hostlist=monitor --vault-id prompt
Vault password (default):
执行结果内容不少,截图省略了中间部份内容。
该文件主要做用为修改monitor用户资源使用限制。
2.执行结果验证
[root@ansible-awx product]# ansible -m shell -a " more /etc/security/limits.conf |grep monitor" --vault-id prompt monitor
在limits.conf文件末尾新增内容:
monitor soft nproc 16384
monitor hard nproc 16384
monitor soft nofile 65536
monitor hard nofile 65536
6、开启命令审计
记录执行命令的时间、登录用户、执行的返回码、执行目录、终端链接的ip等在生产故障时能够帮助咱们排障。
1.查看并执行命令审计文件
[root@ansible-awx product]# more shell_audit.yaml
#开启命令审计
---
- hosts: "{{ hostlist }}"
remote_user: monitor
gather_facts: no
tasks:
- name: make director audit
file:
path: /var/log/shell_audit
state: directory
register: director_create
- name: make file log
file:
path: /var/log/shell_audit/audit.log
state: touch
owner: nobody
group: nobody
mode: 002
attributes: +a
register: file_create
tags: file
- name: modify profile
lineinfile:
path: /etc/profile
regexp: "{{item.0}}"
line: "{{item.1}}"
with_together:
-
- HISTSIZE=
- HISTTIMEFORMAT=
- HISTORY_FILE=
- PROMPT_COMMAND=
-
- HISTSIZE=2048
- export HISTTIMEFORMAT="[%Y/%m/%d %T] "
- export HISTORY_FILE=/var/log/shell_audit/audit.log
- export PROMPT_COMMAND='{ code=$?;thisHistID=`history 1|awk "{print \\$1}"`;lastCommand=`history 1| awk "{\\$1=\"\" ;print}"`;user=`id -un`;whoStr=(`who -u am i`);realUser=${whoSt
r[0]};logDay=${whoStr[2]};logTime=${whoStr[3]};pid=${whoStr[5]};ip=${whoStr[6]};if [ ${thisHistID}x != ${lastHistID}x ];then echo -E $user\($realUser\)@$ip [PID:$pid] [LOGIN:$logDay $log
Time] --- [$PWD]$lastCommand [$code] [`date "+%Y/%m/%d %H:%M:%S"`];lastHistID=$thisHistID;fi; } >> $HISTORY_FILE'
register: modify
tags: modify
- name: debug file
debug:
var: modify
[root@ansible-awx product]# ansible-playbook shell_audit.yaml -e hostlist=monitor --vault-id prompt
Vault password (default):
shell_audit.yaml主要做用为:新建审计文件并设置相关权限只能被追加不能被删除或修改;修改/etc/profile文件,设定日志格式。
2.验证执行结果
[root@ansible-awx product]# ansible -m shell -a "tail -n10 /var/log/shell_audit/audit.log" --vault-id prompt test02
Vault password (default):
test85 | CHANGED | rc=0 >>
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:42:01] df -h [0] [2020/07/13 09:42:01]
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:42:02] more /var/log/shell_audit/audit.log [0] [2020/07/13 09:42:02]
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:47:37] cat /etc/passwd [0] [2020/07/13 09:47:37]
monitor(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/home/monitor] [2020/07/13 09:47:40] su - root [0] [2020/07/13 09:47:40]
monitor(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/home/monitor] [2020/07/13 09:47:42] df -h [0] [2020/07/13 09:47:42]
monitor(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/home/monitor] [2020/07/13 09:47:42] pwd [0] [2020/07/13 09:47:42]
monitor(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/home/monitor] [2020/07/13 09:47:44] ls -alrt [0] [2020/07/13 09:47:44]
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:47:40] su - monitor [0] [2020/07/13 09:49:22]
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:49:26] id [0] [2020/07/13 09:49:26]
root(monitor)@(172.27.9.246) [PID:6410] [LOGIN:2020-07-13 09:37] --- [/root] [2020/07/13 09:49:37] whoami [0] [2020/07/13 09:49:37]
以第一条结果对审计格式说明以下:
| 条目 | 说明 |
|---|---|
| root(monitor)@(172.27.9.246) | 登录的ip为172.27.9.246,用户为root(经过monitor跳转) |
| [PID:6410] | 登录的pid |
| [LOGIN:2020-07-13 09:37] | 用户登录的时间 |
| [/root] | 执行命令的目录 |
| [2020/07/13 09:42:01] | 命令执行的开始时间 |
| df -h | 执行的具体命令 |
| [0] | 命令执行的返回码 |
| [2020/07/13 09:42:01] | 命令执行的完成时间 |
本文全部脚本和配置文件已上传github,单击‘阅读原文’查看
更多ansible系列文章:https://blog.51cto.com/3241766/category17.html
本文分享自微信公众号 - Linux运维实践(gh_11cec8ef4c61)。
若有侵权,请联系 support@oschina.cn 删除。
本文参与“OSC源创计划”,欢迎正在阅读的你也加入,一块儿分享。