System initialization with Ansible

Set the minimum password length

- name: Set password length
  # authconfig option is --passminlen (the original had a typo, --passminle)
  shell: authconfig --passminlen=8 --update

Set the maximum number of consecutive same-class characters allowed in a password

- name: Set the maximum run of same-class characters allowed in a password
  shell: authconfig --passmaxclassrepeat=4 --update

Require lowercase letters in the password

- name: Require lowercase letters in the password
  shell: authconfig --enablereqlower --update

Require uppercase letters in the password

- name: Require uppercase letters in the password
  shell: authconfig --enablerequpper --update

Require digits in the password

- name: Require digits in the password
  shell: authconfig --enablereqdigit --update

Require special characters in the password

- name: Require special characters in the password
  shell: authconfig --enablereqother --update

No more than 6 characters of the new password may be the same as the old password

- name: Limit the characters shared between the new and the old password to 6
  # module name is lineinfile (the original had a typo, linfile)
  lineinfile:
    path: /etc/security/pwquality.conf
    regexp: '^difok'
    line: 'difok = 6'

The previous password may not be reused when changing a password

- name: Do not allow the previous password to be reused
  lineinfile:
    path: /etc/pam.d/system-auth-ac
    regexp: '^password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'
    line: 'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=1'

Set account lockout: an ordinary user is locked for 600 seconds after 6 consecutive wrong passwords, root for 60 seconds

- name: Set the login lockout policy
  # The original used regexp '#%PAM-1.0' together with backrefs: yes, which replaces
  # the #%PAM-1.0 header line with the pam_tally2 line instead of inserting after it.
  # Matching on the pam_tally2 line itself keeps the task idempotent and leaves the
  # header in place; insertafter puts the rule at the top of the auth stack on first run.
  lineinfile:
    path: /etc/pam.d/sshd
    regexp: '^auth\s+required\s+pam_tally2\.so'
    line: 'auth required pam_tally2.so deny=6 unlock_time=600 even_deny_root root_unlock_time=60'
    insertafter: '^#%PAM-1\.0'

Restrict su to members of the wheel group

- name: Only allow wheel group members to use su
  lineinfile:
    path: /etc/pam.d/su
    regexp: '^#auth           required        pam_wheel.so use_uid'
    line: 'auth            required        pam_wheel.so use_uid'

Enable passwordless sudo for the wheel group

- name: Allow wheel group members to sudo without a password
  lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%wheel'
    line: '%wheel  ALL=(ALL)       NOPASSWD: ALL'
    # syntax-check the result before it is written; a broken sudoers locks everyone out of sudo
    validate: '/usr/sbin/visudo -cf %s'

Add the user sauser with uid 2048, add it to the wheel group, shell /bin/bash, home directory /home/sauser

- name: Add the user 'sauser' with a fixed uid, added to the 'wheel' group
  user:
    name: sauser
    # pre-hashed (SHA-512 crypt) password as given in the original post
    password: '$6$cYbg7R6j$Q4uARdTl8m9MCx5RtR64xb7yPgZDGqtTsuwU8vYsAY/XloFwnLr8ezTf5eYCmzwm7Tv32PgbtDcFh0KHMZzmh1'
    uid: 2048
    groups: wheel
    shell: /bin/bash
    create_home: yes
    home: /home/sauser
    state: present

Set the sudo permissions of devuser. The sudoers manual warns that exclusions ('!') combined with ALL cannot be relied on to restrict commands, so treat this as a guard rail, not a security boundary; an explicit allow list is the safer form.

- name: Set sudo permissions for devuser
  lineinfile:
    path: /etc/sudoers
    # the original list was missing the '!' in front of '/bin/vi /etc/ssh/*'
    line: 'devuser  ALL=(ALL)        NOPASSWD: ALL,!/bin/su,!/bin/su - root,!/bin/su root,!/usr/bin/passwd root,!/usr/sbin/visudo,!/bin/vi /etc/sudoers,!/usr/bin/vim /etc/sudoers,!/usr/bin/sudo -i,!/bin/vi /etc/ssh/*,!/usr/bin/vim /etc/ssh/*,!/bin/chmod 777 /etc/*,!/bin/chmod 777 *,!/bin/chmod 777,!/bin/chmod -R 777 *,!/bin/bash,!/bin/sh,!/bin/tcsh'
    validate: '/usr/sbin/visudo -cf %s'

Disable reverse DNS lookups in sshd

- name: Disable sshd DNS lookups
  lineinfile:
    path: /etc/ssh/sshd_config
    state: present
    # match the commented default and an already-set value, so the task stays idempotent
    regexp: '^#?UseDNS'
    line: 'UseDNS no'

Stop the firewall

- name: Stop firewalld
  service:
    name: firewalld
    state: stopped
    enabled: no

Disable SELinux

- name: Disable SELinux
  lineinfile:
    path: /etc/selinux/config
    # match whatever mode is currently set; the change takes effect after a reboot
    regexp: '^SELINUX='
    line: SELINUX=disabled
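After the play has run, the password-quality, password-history, lockout and sshd settings above can be checked independently of Ansible. The following audit script is an added example, not part of the original post; it parses the files the tasks edit (replaced here by constructed sample contents so it runs offline) and reports which controls are missing.

```python
import re

# Constructed samples of the files the playbook edits, in the hardened state it produces.
HARDENED = {
    "/etc/security/pwquality.conf": "# minlen = 8\ndifok = 6\n",
    "/etc/pam.d/system-auth-ac":
        "password    sufficient    pam_unix.so sha512 shadow nullok "
        "try_first_pass use_authtok remember=1\n",
    "/etc/pam.d/sshd":
        "#%PAM-1.0\nauth required pam_tally2.so deny=6 unlock_time=600 "
        "even_deny_root root_unlock_time=60\nauth required pam_sepermit.so\n",
    "/etc/ssh/sshd_config": "#UseDNS yes\nUseDNS no\n",
}
# The same files as shipped (constructed), before the playbook runs.
STOCK = {
    "/etc/security/pwquality.conf": "# difok = 1\n",
    "/etc/pam.d/system-auth-ac":
        "password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\n",
    "/etc/pam.d/sshd": "#%PAM-1.0\nauth required pam_sepermit.so\n",
    "/etc/ssh/sshd_config": "#UseDNS yes\n",
}

def _active(text, pattern):
    """First non-comment line of text matching pattern, or None."""
    for line in text.splitlines():
        if not line.lstrip().startswith("#") and re.search(pattern, line):
            return line
    return None

def _int_opt(line, key):
    """Value of a key=N option on a PAM line, or None if absent."""
    m = re.search(r"\b%s=(\d+)" % re.escape(key), line or "")
    return int(m.group(1)) if m else None

def audit(files):
    """Check the controls the playbook sets; return a list of findings (empty = compliant)."""
    findings = []
    line = _active(files.get("/etc/security/pwquality.conf", ""), r"^\s*difok\s*=")
    if line is None or int(line.split("=", 1)[1]) < 6:
        findings.append("pwquality: difok unset or below 6")
    line = _active(files.get("/etc/pam.d/system-auth-ac", ""), r"^password\s+\S+\s+pam_unix\.so")
    if (_int_opt(line, "remember") or 0) < 1:
        findings.append("pam_unix: password history (remember=) not enabled")
    line = _active(files.get("/etc/pam.d/sshd", ""), r"pam_tally2\.so")
    if line is None or (_int_opt(line, "deny") or 99) > 6 or not _int_opt(line, "unlock_time"):
        findings.append("sshd PAM: pam_tally2 lockout missing, deny > 6 or no unlock_time")
    if _active(files.get("/etc/ssh/sshd_config", ""), r"^\s*UseDNS\s+no\b") is None:
        findings.append("sshd_config: UseDNS not set to no")
    return findings
```

On a real host, build the dict by reading the four paths from disk and run `audit()` on it; a non-empty result is a drifted or never-applied control.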

Stop postfix
