1. 配置sudo
1. 修改文件权限
# [root@localhost]# cat mod-sudo-1.yml
---
# Step 1 of the sudoers change: add the owner write bit to /etc/sudoers so the
# edit in step 2 can be written; step 3 takes it away again.
# NOTE(review): these plays run as root, which bypasses DAC mode checks, so the
# chmod is presumably only needed for non-root tooling — confirm before keeping
# the three-step dance.
- hosts: all
  tasks:
    - name: chmod u+w
      file:
        path: /etc/sudoers
        mode: 'u+w'
2. 修改文件,在特定行下面插入一行
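# [root@localhost]# cat mod-sudo-2.yml
---
# Step 2: grant osmaster unrestricted sudo by inserting a line directly after
# the root entry (the regexp 'root\tALL' is the tab-separated root line).
# `validate` runs visudo's syntax check on the candidate file and refuses the
# write if it fails, so a malformed line cannot leave /etc/sudoers unparsable
# and every sudo invocation on the host broken.
- hosts: all
  tasks:
    - name: change file context
      lineinfile:
        path: /etc/sudoers
        state: present
        # match an existing osmaster entry so re-runs rewrite it in place
        # instead of leaving two competing entries
        regexp: '^osmaster\s'
        insertafter: 'root\tALL'
        line: 'osmaster ALL=(ALL) ALL'
        validate: '/usr/sbin/visudo -cf %s'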
3. 修改回原来文件权限
# [root@localhost]# cat mod-sudo-3.yml
---
# Step 3 and entry point: run steps 1 and 2, then drop the write bit again so
# /etc/sudoers is back to its read-only mode.
# NOTE(review): play-level `include` was superseded by `import_playbook` in
# Ansible 2.4; kept as written for the version this page targets.
- include: mod-sudo-1.yml
- include: mod-sudo-2.yml

- hosts: all
  tasks:
    - name: chmod u-w
      file:
        path: /etc/sudoers
        mode: 'u-w'
2 编辑SELinux关闭
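# [root@localhost]# cat selinux-off.yml
---
# Set SELINUX=disabled in /etc/selinux/config (effective at next boot) and,
# through the handler, drop the running system to permissive immediately.
# Disabling SELinux removes a mandatory-access-control layer that none of the
# other plays on this page replaces.
- hosts: all
  tasks:
    - name: selinux off
      selinux:
        state: disabled
      notify:
        - selinux-off

  handlers:
    # `command` rather than `shell`: the arguments are fixed and no shell
    # features (pipes, globbing, redirection) are used, so nothing is passed
    # through /bin/sh.
    # NOTE(review): the selinux module itself may already switch the runtime
    # mode to permissive when moving to disabled, which would make this
    # handler redundant — confirm for the Ansible version in use.
    - name: selinux-off
      command: setenforce 0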
3 关闭防火墙
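# [root@localhost]# cat firewalld-off.yml
---
# Stop and disable firewalld. A host that has no firewalld unit at all counts
# as success; any other failure is still reported for that host.
# The original did this with ignore_errors plus a second, identical stop task
# guarded by `(result|failed) and (result.msg.find("...") != 0)`: str.find()
# returns -1 when the text is absent, so the guard only worked when the
# message began exactly at offset 0, and the `result|failed` filter form was
# deprecated in Ansible 2.5 and removed in 2.9. `failed_when` states the
# intent directly and needs no retry task.
- hosts: all
  tasks:
    - name: firewalld off
      service:
        name: firewalld
        state: stopped
        enabled: false
      register: result
      # replaces the module's own verdict: a missing service is ok, anything
      # else still fails the host
      failed_when: >-
        result is failed and
        "Could not find the requested service" not in (result.msg | default(''))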
4 编辑无响应注销
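# [root@localhost]# cat timeout.yml
---
# Idle-shell auto-logout: make /etc/profile export TMOUT=3600 exactly once.
# The original pair of tasks first removed lines equal to the literal text
# 'export TMOUT' (state: absent compares the whole line, so an existing
# 'export TMOUT=600' survived) and then appended the new value, leaving two
# definitions. One task with an anchored regexp rewrites whatever value is
# present and appends the line only when none exists.
# A user can still `unset TMOUT` in their own shell unless the variable is
# also marked readonly; the page's value is kept as is.
- hosts: all
  tasks:
    - name: change file context
      lineinfile:
        path: /etc/profile
        state: present
        regexp: '^export TMOUT='
        line: 'export TMOUT=3600'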
5 编辑history时间戳
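# [root@localhost]# cat 0307-history-format.yml
---
# Timestamp every bash history entry (useful when reconstructing what was run
# on a host). As in timeout.yml, a single anchored-regexp task replaces the
# original remove-then-append pair, which could not remove an existing
# 'export HISTTIMEFORMAT=...' line (state: absent matches the whole line) and
# so left two definitions behind.
# Per-user rc files can still override this; it is a convenience for
# investigation, not an enforcement control.
- hosts: all
  tasks:
    - name: change file context
      lineinfile:
        path: /etc/bashrc
        state: present
        regexp: '^export HISTTIMEFORMAT='
        line: 'export HISTTIMEFORMAT="%F %T"'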
6 修改SNMP默认团体名public为snmp_ciitc
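# [root@localhost]# cat 0308-snmp.yml
---
# Replace the well-known default SNMP v1/v2c community "public" with
# snmp_ciitc on hosts that have an snmpd.conf, then restart snmpd so the
# running daemon uses it (lineinfile only edits the file). The community is
# still sent in cleartext by v1/v2c; the protocol version is not changed here.
- hosts: all
  tasks:
    # stat instead of `file: state: file` + ignore_errors: same existence
    # check without a red "failed" line on hosts that lack the file
    - name: if the file is there
      stat:
        path: /etc/snmp/snmpd.conf
      register: snmpd_conf

    - name: change file context
      lineinfile:
        path: /etc/snmp/snmpd.conf
        state: present
        # backrefs: true keeps the original semantics — only rewrite an
        # existing line, never append one
        backrefs: true
        # \s+ instead of single spaces: the stock net-snmp file typically
        # aligns these columns with runs of spaces, which the original
        # single-space regexp did not match
        regexp: '^com2sec\s+notConfigUser\s+default\s+public\b'
        line: 'com2sec notConfigUser default snmp_ciitc'
      when: snmpd_conf.stat.exists
      notify:
        - restart snmpd

  handlers:
    - name: restart snmpd
      service:
        name: snmpd
        state: restarted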
7 编辑访问控制
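# [root@localhost]# cat 0309-access-control.yml
---
# Default umask 027 for login shells: appended to /etc/bashrc (it runs after
# the distribution's own umask logic in that file, so it wins for interactive
# bash), and the existing 'umask 022' in /etc/profile rewritten in place.
# NOTE(review): the stock /etc/profile typically also sets 'umask 002' for
# ordinary users in the other branch of the same if/else; that branch is not
# touched here — confirm the effective umask for a normal login.
- hosts: all
  tasks:
    - name: change /etc/bashrc
      lineinfile:
        path: /etc/bashrc
        state: present
        line: 'umask 027'

    - name: change /etc/profile
      lineinfile:
        path: /etc/profile
        state: present
        backrefs: true
        # anchored, and with the indentation captured: the original
        # ' umask 022' regexp matched anywhere on a line (comments included)
        # and its replacement flattened the nested line to one leading space
        regexp: '^(\s*)umask\s+022\b'
        line: '\1umask 027'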
8 编辑登录失败用户锁定策略
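# [root@localhost]# cat 0310-user-lock.yml
---
# Lock an account after 10 failed logins (unlock after 180 s; root after 1 s).
# pam_tally2's auth line must run *before* the module that accepts the
# password: the original appended it at the end of the file, after
# 'auth sufficient pam_unix.so', so on a correct password the stack returned
# before reaching it and the lockout was never enforced. The account-phase
# line is what resets the counter after a successful login; without it the
# counter only grows.
# NOTE(review): on RHEL, /etc/pam.d/system-auth is a symlink that authconfig
# regenerates; direct edits are lost when authconfig runs — confirm for the
# target hosts.
- hosts: all
  tasks:
    - name: add /etc/pam.d/system-auth
      lineinfile:
        path: /etc/pam.d/system-auth
        state: present
        # regexp keeps re-runs idempotent if the parameters change later
        regexp: '^auth\s+required\s+pam_tally2\.so'
        insertbefore: '^auth\s+sufficient\s+pam_unix\.so'
        line: 'auth required pam_tally2.so onerr=fail deny=10 unlock_time=180 root_unlock_time=1'

    - name: add account line to /etc/pam.d/system-auth
      lineinfile:
        path: /etc/pam.d/system-auth
        state: present
        regexp: '^account\s+required\s+pam_tally2\.so'
        insertbefore: '^account\s+required\s+pam_unix\.so'
        line: 'account required pam_tally2.so'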
9 编辑口令策略
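# [root@localhost]# cat password-policy.yml
---
# Password complexity (pam_cracklib) and password history (pam_unix
# remember=5), both in /etc/pam.d/system-auth.
# The original put the history rule in /etc/pam.d/passwd as an appended
# 'password required pam_unix.so remember=5 use_authtok md5'. That file
# reaches pam_unix through 'password substack system-auth', and a sufficient
# result inside a substack ends only the substack, so the appended line ran as
# a second pam_unix invocation with md5 — which, as far as the PAM stacking
# rules go, would store the new password as an MD5 hash after system-auth had
# just written it with sha512. remember= belongs on the existing pam_unix line.
# NOTE(review): RHEL 7 ships pam_pwquality in the requisite slot; swapping it
# for pam_cracklib works only while pam_cracklib.so is installed — confirm on
# the targets.
- hosts: all
  tasks:
    - name: add /etc/pam.d/system-auth
      lineinfile:
        path: /etc/pam.d/system-auth
        state: present
        backrefs: true
        # anchored so only the real stack line is rewritten, not a comment
        regexp: '^password\s+requisite\s'
        line: 'password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 retry=3'

    - name: add remember=5 to pam_unix in /etc/pam.d/system-auth
      lineinfile:
        path: /etc/pam.d/system-auth
        state: present
        backrefs: true
        # the (?!.*remember=) lookahead makes this idempotent: once the option
        # is present the regexp no longer matches and the line is left alone
        regexp: '^(password\s+sufficient\s+pam_unix\.so(?!.*\bremember=).*)$'
        line: '\1 remember=5'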
10 编辑口令规则
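# [root@localhost]# cat password-rule.yml
---
# Raise PASS_MIN_LEN in /etc/login.defs from the stock 5 to 8.
# NOTE(review): interactive password changes go through PAM, where
# pam_cracklib/pam_pwquality's minlen governs; this value is presumably only
# consulted by non-PAM callers — confirm which tools on the targets read it.
- hosts: all
  tasks:
    - name: change /etc/login.defs
      lineinfile:
        path: /etc/login.defs
        state: present
        # match the key whatever its current value (the original only matched
        # a literal tab + 5, so a host already at any other value was silently
        # skipped) and append the setting if it is missing entirely
        regexp: '^PASS_MIN_LEN\s'
        # double quotes so YAML turns \t into a real tab; in the original's
        # single-quoted form the escape only worked because backrefs: yes
        # routed the text through re's expansion
        line: "PASS_MIN_LEN\t8"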
11 解决通过SCP传输提示输密码慢问题
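# [root@localhost]# cat 0313-tcp-trans.yml
---
# sshd settings: GSSAPI off (the usual cause of the slow password prompt in
# the heading), rhosts/host-based trust off, empty passwords refused.
# Each candidate file is syntax-checked with `sshd -t` before it is written,
# and sshd is restarted once at the end of the play — the original edited the
# file but never restarted the daemon, so the running sshd kept the old values.
# '^#?Key\s' matches the setting whether it is commented out or set to another
# value; the original matched one exact text (the commented default) and left
# a differing live value, e.g. 'GSSAPIAuthentication yes', untouched.
# NOTE(review): settings appended at EOF fall inside a `Match` block if the
# file has one — check the layout on the targets. RhostsRSAAuthentication is a
# protocol-1 option that newer OpenSSH releases only warn about; drop that
# item once the stock config no longer carries it.
- hosts: all
  tasks:
    - name: harden sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        validate: '/usr/sbin/sshd -t -f %s'
      with_items:
        - { regexp: '^#?GSSAPIAuthentication\s', line: 'GSSAPIAuthentication no' }
        - { regexp: '^#?IgnoreRhosts\s', line: 'IgnoreRhosts yes' }
        - { regexp: '^#?PermitEmptyPasswords\s', line: 'PermitEmptyPasswords no' }
        - { regexp: '^#?RhostsRSAAuthentication\s', line: 'RhostsRSAAuthentication no' }
        - { regexp: '^#?HostbasedAuthentication\s', line: 'HostbasedAuthentication no' }
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted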
12 解决SSH登录慢问题,关闭DNS验证
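# [root@localhost]# cat tcp-dns.yml
---
# Stop sshd from reverse-resolving client addresses at login (the usual cause
# of a multi-second delay when DNS is slow). The regexp matches the key whether
# it is commented out or set to another value — the original only matched the
# literal '#UseDNS yes' and left a live 'UseDNS yes' untouched. The candidate
# file is syntax-checked before it is written and sshd is restarted so the
# change takes effect.
- hosts: all
  tasks:
    - name: change SSH DNS
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?UseDNS\s'
        line: 'UseDNS no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted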
13 编辑SSH登录
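# [root@localhost]# cat ssh-login.yml
---
# Refuse empty passwords (also set by 0313-tcp-trans.yml; harmless to repeat)
# and show /etc/motd as the sshd banner. Banner text is sent before
# authentication, so whatever /etc/motd contains is visible to any client
# that connects.
- hosts: all
  tasks:
    - name: change SSH empty password
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PermitEmptyPasswords\s'
        line: 'PermitEmptyPasswords no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

    - name: change SSH banner
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        # an anchored regexp replaces any existing Banner setting; the
        # original inserted next to the commented default and left a live
        # value elsewhere in the file in place
        regexp: '^#?Banner\s'
        line: 'Banner /etc/motd'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted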
14 配置关键目录权限控制
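# [root@localhost]# cat 0314-directory-access.yml
---
# Pin the permissions of the account database files. Owner and group are
# pinned as well — mode bits alone say nothing if a file has been chowned —
# and the modes are quoted strings so YAML cannot reinterpret the leading zero.
- hosts: all
  tasks:
    - name: /etc/passwd 644
      file:
        path: /etc/passwd
        owner: root
        group: root
        mode: '0644'

    - name: /etc/shadow 600
      file:
        path: /etc/shadow
        owner: root
        group: root
        mode: '0600'

    - name: /etc/group 644
      file:
        path: /etc/group
        owner: root
        group: root
        mode: '0644'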
15 修改Linux系统TCP连接数
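# [root@localhost]# cat 0316-tcp-connections.yml
---
# Raise the open-file and process limits in /etc/security/limits.conf (despite
# the heading, no TCP setting is changed). Each key is matched by regexp so an
# existing entry is rewritten instead of a second one being appended, which is
# what the original regexp-less tasks did.
# NOTE(review): '*' entries do not apply to root, and on RHEL 7
# /etc/security/limits.d/20-nproc.conf is read after this file and sets its
# own nproc for non-root users — confirm the effective values with ulimit.
- hosts: all
  tasks:
    - name: nofile / nproc limits
      lineinfile:
        path: /etc/security/limits.conf
        state: present
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      with_items:
        - { regexp: '^\*\s+soft\s+nofile\s', line: '* soft nofile 65536' }
        - { regexp: '^\*\s+hard\s+nofile\s', line: '* hard nofile 65536' }
        - { regexp: '^\*\s+soft\s+nproc\s', line: '* soft nproc 65536' }
        - { regexp: '^\*\s+hard\s+nproc\s', line: '* hard nproc 65536' }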
16 Linux系统内核参数调优
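# [root@localhost]# cat 0317-kernel-param.yml
---
# Kernel tunables. The sysctl module writes each key to /etc/sysctl.conf and
# applies it to the running kernel in one step; the original lineinfile tasks
# only edited the file (nothing changed until a reboot or a manual
# `sysctl -p`) and, having no regexp, left any existing value of the same key
# in place next to the new line.
- hosts: all
  tasks:
    - name: kernel parameters
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        sysctl_file: /etc/sysctl.conf
        reload: true
      with_items:
        - { name: kernel.panic_on_oops, value: '1' }
        - { name: vm.min_free_kbytes, value: '819200' }
        - { name: vm.max_map_count, value: '131060' }
        - { name: fs.file-max, value: '6815744' }
        - { name: fs.aio-max-nr, value: '1048576' }

    - name: session
      lineinfile:
        path: /etc/pam.d/login
        state: present
        # module name without the /lib64/security path: PAM resolves modules
        # from its own directory, so the line also works on other layouts;
        # the regexp accepts either spelling of an existing line
        regexp: '^session\s+required\s+(/\S+/)?pam_limits\.so'
        line: 'session required pam_limits.so'
      # NOTE(review): the stock /etc/pam.d/login on RHEL already reaches
      # pam_limits via 'session include system-auth', so this line is likely
      # redundant there — confirm before keeping it.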
17 关闭Linux服务
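# [root@localhost]# cat 0318-service-close.yml
---
# Stop and disable services a server does not need. A host without the unit
# at all counts as success; any other failure is still reported.
# The original ran each stop under ignore_errors and then an identical second
# stop guarded by `(result|failed) and (result.msg.find("...") != 0)`:
# str.find() returns -1 when the text is absent, so the guard only worked when
# the message began exactly at offset 0, and the `result|failed` filter form
# was deprecated in Ansible 2.5 and removed in 2.9. `failed_when` expresses the
# intent directly; a loop replaces the copy-pasted task pairs.
- hosts: all
  tasks:
    - name: service off
      service:
        name: "{{ item }}"
        state: stopped
        enabled: false
      register: result
      # inside a loop, `result` in failed_when is the current item's outcome
      failed_when: >-
        result is failed and
        "Could not find the requested service" not in (result.msg | default(''))
      with_items:
        - avahi-daemon
        - bluetooth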
18 配置网卡DNS信息
# [root@localhost]# cat config-dns.yml
---
# Append the two corporate resolvers to /etc/resolv.conf; each line is added
# only when it is not already present verbatim, in the order listed.
# NOTE(review): on NetworkManager-managed hosts /etc/resolv.conf is
# regenerated from the interface configuration, so edits made here may not
# persist — the heading speaks of the NIC, which suggests the entries belong
# in the ifcfg/nmcli settings; confirm on the targets.
- hosts: all
  tasks:
    - name: config DNS
      lineinfile:
        path: /etc/resolv.conf
        state: present
        line: "{{ item }}"
      with_items:
        - 'nameserver 10.19.249.104'
        - 'nameserver 10.19.249.105'
19 配置服务器时间同步
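# [root@localhost]# cat 0322-config-ntp.yml
---
# Install the site ntp.conf (the previous file is kept as a backup) and
# restart ntpd so it reads the new servers; the original copied the file but
# never restarted the daemon, so the old configuration stayed in effect.
- hosts: all
  tasks:
    - name: copy files
      become: true
      copy:
        src: /var/lib/awx/projects/0322-config-ntp/example.conf
        dest: /etc/ntp.conf
        owner: root
        group: root
        mode: '0644'
        backup: true
      notify: restart ntpd

  handlers:
    - name: restart ntpd
      service:
        name: ntpd
        state: restarted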
具体配置文件如下:
# [root@localhost]# cat /var/lib/awx/projects/0322-config-ntp/example.conf
# Site NTP client configuration: the corporate server is preferred, the IP
# address is the fallback.
server ntp.ciitc.com.cn prefer
server 10.19.250.1
driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log
# keys/includefile only matter once authenticated associations are
# configured; there is no trustedkey line here, so these are presumably
# inert — confirm.
keys /etc/ntp/keys
includefile /etc/ntp/crypto/pw
# NOTE(review): no `restrict` line is present, so what ntpd will answer for
# other hosts is left to the daemon's built-in default; the stock RHEL
# ntp.conf typically ships restrict lines for this — confirm the intent.
20 把系统时间写入到硬件时间
# [root@localhost]# cat 0323-hwclock.yml
---
# Ask the ntp service scripts to write system time back to the hardware clock
# (SYNC_HWCLOCK=yes). The line is appended to /etc/sysconfig/ntpd if it is
# not already present verbatim.
# NOTE(review): which unit honours this variable differs between releases
# (on RHEL 7 it is, as far as I recall, read from ntpdate's sysconfig file
# rather than ntpd's) — confirm that the target release consumes it here.
- hosts: all
  tasks:
    - name: hwclock
      lineinfile:
        path: /etc/sysconfig/ntpd
        state: present
        line: 'SYNC_HWCLOCK=yes'
21 配置yum源
# [root@localhost]# cat repo-create.yml
---
# Check reachability, then register the internal RHEL repository.
# NOTE(review): gpgcheck: false together with a plain-http baseurl means
# packages from this repo are installed with neither a signature check nor
# transport integrity, so a tampered or impersonated mirror is not detected.
# If the mirror carries the vendor-signed RPMs, gpgcheck can be enabled with
# the matching gpgkey — confirm what the mirror serves.
- hosts: all
  tasks:
    - name: test connection
      ping:

    - name: Add repository
      yum_repository:
        name: rhel
        description: RHEL YUM repo
        file: rhel
        baseurl: http://172.20.16.227:8090/rhel/
        gpgcheck: false
        enabled: true
22 升级特定版本补丁
# [root@localhost]# cat check-rpm-info.yml
---
# Pin ntp and openssh to specific builds on RHEL 7 hosts and restart the
# matching daemon only when the package actually changed (handlers run once,
# at the end of the play).
# NOTE(review): `state: present` with a versioned name installs that build
# when it is absent; how a host that already has a newer build is treated is
# up to the package manager — confirm against yum's behaviour before relying
# on this play for downgrades.
- hosts: all
  tasks:
    - name: install ntp
      package:
        name: ntp-4.2.6p5
        state: present
      when: ansible_distribution_major_version == "7"
      notify:
        - restart ntpd

    - name: install openssh
      package:
        name: openssh-7.4p1
        state: present
      when: ansible_distribution_major_version == "7"
      notify:
        - restart sshd

  handlers:
    - name: restart ntpd
      service:
        name: ntpd
        state: restarted

    - name: restart sshd
      service:
        name: sshd
        state: restarted