wiki

User Tools

Site Tools

Trace: ansible_sandbox
ansible:ansible_sandbox

This is an old revision of the document!

Table of Contents

Ansible sanbox

Test 1

Script shell to start the playbook 

# cat /Ansible-Playbook/scripts/cron_download_files.sh
#!/bin/bash
# Start playbook to download files
unset http_proxy
unset https_proxy

log="/var/log/ansible/$1.log"
playbook='download_file.yml'

cd ~/download
>> /var/log/ansible/$1.log
date >> /var/log/ansible/$1.log
>> /var/log/ansible/$1.log
ansible-playbook -vvvv $playbook >> /var/log/ansible/$1.log

# message monitoring
case $? in
  0)  status="0"
      message="Success - script:$playbook log:$log"   ;;
  99) status="2"
      message="Error : User interrupted execution - script:$playbook log:$log"   ;;
  *)  status="2"
      message="Error - script:$playbook log:$log"   ;;
esac

server=nagiossrv01
echo "$(hostname -s);ansible_download;$status;$message" | /usr/local/nagios/bin/send_nsca -H $server -p 5667 -c /usr/local/nagios/etc/send_nsca.cfg -d ";"

Into ~/download 

# ls -lsa ~/download
ansible.cfg
.vaultPwd.yml   --> password clear for vault
download_file.yml

# cat ansible.cfg | grep -v '^#' | sed '/^$/d'
[defaults]
inventory = ~/inventory/inventory_download
host_key_checking = False
retry_files_enabled = False
pipelining = True
ansible_python_interpreter = /usr/bin/python3
inventory_plugins = ~/.ansible/collections/ansible_collections/xxxxx
log_path=/var/log/ansible/stdout.log
vault_password_file=./.vaultPwd.yml
forks = 15
ansible_ssh_extra_args='-C -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
[inventory]
enabled_plugins = xxxxx
[privilege_escalation]
become = True
become_method = sudo
become_user = ansibuser


# cat ~/inventory/inventory_download
[linux]
linux01
linux02

Test 2 with roles

Execute only one role 

ansible-playbook setup.yml -i inventory.ini --tags "common"

setup.yml 

---
- hosts: prod
  vars_files:
    - group_vars/all.yml
    - group_vars/main.yml
    - group_vars/docker.yml
    - group_vars/monit.yml
    - group_vars/networking.yml
    - group_vars/vault.yml
  user: "{{default_username}}"  # run whole script with default user
  become: yes
  roles:  # order is not random!
    - role: nickjj.fail2ban
      tags: fail2ban
    - role: common
      tags: common
    - role: ufw
      tags: ufw
    - role: user
      tags: user
    - role: ssh
      tags: ssh
    - role: nickjj.docker
      when: install_docker == true
      tags: docker
    - role: docker
      when: install_docker == true
      tags: docker
    - role: jnv.debian-backports
      tags: common
    - role: ansible-monit
      tags: common
    - role: jnv.unattended-upgrades
      tags: common
    - role: networking
      tags: networking
    - role: reboot
      tags: reboot

cat group_vars/main.yml 

sshpub_location: SSH_PUBKEY_HERE #the full path to your SSH public key ( e.g. /Users/username/.ssh/id_ed25519.pub )
root_pw: "PASSWORD_HERE" #root password that should be set
user_name: USERNAME_HERE #username for the created user
user_pw: "PASSWORD_HERE" #password for the new user
ssh_port: 55899 #port number for ssh
mail_to: mailto@example.com #the mail address where mails should be sent to
mail_from: mailfrom@example.com #the mail address where mails are sent from 
mail_smtp_server: smtp.example.com #mail server, e.g. smtp.gmail.com
mail_pw: PASSWORD_HERE #password for the mail_from mail address
mail_port: 587 #the port where mails are sent to the mail server, e.g. 587

cat roles/ssh/main.yml 

    - name: secure ssh configuration 
      become: true
      blockinfile:
        path: /etc/ssh/sshd_config
        block: |
          ########################################################################################################
          # start settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01
          ########################################################################################################
          # Supported HostKey algorithms by order of preference.
          HostKey /etc/ssh/ssh_host_ed25519_key
          HostKey /etc/ssh/ssh_host_rsa_key
          HostKey /etc/ssh/ssh_host_ecdsa_key
          KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
          # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
          LogLevel VERBOSE
          # Use kernel sandbox mechanisms where possible in unprivileged processes
          # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
          # Note: This setting is deprecated in OpenSSH 7.5 (https://www.openssh.com/txt/release-7.5)
          # UsePrivilegeSeparation sandbox
          ########################################################################################################
          # end settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01
          ########################################################################################################
          # don't let users set environment variables
          PermitUserEnvironment no
          # only use the newer, more secure protocol
          Protocol 2
          # disable port forwarding
          AllowTcpForwarding no
          AllowStreamLocalForwarding no
          GatewayPorts no
          PermitTunnel no
          # don't allow login if the account has an empty password
          PermitEmptyPasswords no
          # ignore .rhosts and .shosts
          IgnoreRhosts yes
          # verify hostname matches IP
          UseDNS yes
          Compression no
          TCPKeepAlive no
          AllowAgentForwarding no
          # don't allow .rhosts or /etc/hosts.equiv
          HostbasedAuthentication no
      notify: restart ssh service

    - name: secure ssh configuration part 2
      become: true
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: '^AllowGroups', line: 'AllowGroups sshusers' }
        - { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax 0'}
        - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval 300'}
        - { regexp: '^ListenAddress', line: 'ListenAddress 0.0.0.0'}
        - { regexp: '^LoginGraceTime', line: 'LoginGraceTime 30'}
        - { regexp: '^MaxAuthTries', line: 'MaxAuthTries 2'}
        - { regexp: '^MaxSessions', line: 'MaxSessions 2'}
        - { regexp: '^MaxStartups', line: 'MaxStartups 2'}
        - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no'}
        - { regexp: '^Port', line: 'Port {{ ssh_port }}'}
        - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no'}
        - { regexp: '^X11Forwarding', line: 'X11Forwarding no'}
        - { regexp: '^Subsystem', line: 'Subsystem sftp  internal-sftp -f AUTHPRIV -l INFO'}
      notify: restart ssh service

    - name: remove short diffie diffie-hellman
      become: true
      shell: |
        awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.tmp
        mv /etc/ssh/moduli.tmp /etc/ssh/moduli
      notify: restart ssh service
ansible/ansible_sandbox.1740151603.txt.gz · Last modified: 2025/02/21 16:26 by manu

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki