Home Explore Help
Sign In
mhutchinson
/
Ansible_repo-pub
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 33a9e86b02
Branches Tags
Ansible_repo-pu...
/
playbooks
/
usermanagement
/
add_scan_user_for_Nessus.yaml

add_scan_user_for_Nessus.yaml 2.4 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 
  1. ---
    2. 

  2. - name: Add or modify the scan user for use by the Nessus scanner (ONLY if ansible_facts.system=='Linux')
    3. 

  3.   hosts: all
    4. 

  4.   gather_facts: true
    5. 

  5.   become: True
    6. 

  6.   tasks:
    7. 

  7. 

  8.   - name: Create a group "sshprohibitpasswd"
    9. 

  9.     group:
    10. 

  10.       name: sshprohibitpasswd
    11. 

  11.       state: present
    12. 

  12. #        local: true
    13. 

  13.       system: true
    14. 

  14. #        gid: 967  <-- gid 967 is already in use by many systems
    15. 

  15.     when: ansible_facts.system == 'Linux'
    16. 

  16. 

  17.   - name: Add or modify the the scan user
    18. 

  18.     user:
    19. 

  19.       name: scan
    20. 

  20.       state: present
    21. 

  21.       system: true
    22. 

  22.       comment: "user for internal security scans"
    23. 

  23.       create_home: true
    24. 

  24. #        local: true
    25. 

  25. #        group: scan <-- "Group scan does not exist"
    26. 

  26.       groups: sshprohibitpasswd
    27. 

  27.       shell: "/bin/bash"
    28. 

  28. #        uid: 968 <-- can't predict which systems are already using this UID
    29. 

  29. #10-02-2024: New scan user passwrod created and stored by cmiloro
    30. 

  30.       password: "$6$00000000$00000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    31. 

  31.       update_password: always
    32. 

  32.       password_lock: false
    33. 

  33.       expires: -1
    34. 

  34.       password_expire_max: 99999
    35. 

  35.       password_expire_min: 0
    36. 

  36.     when: ansible_facts.system == 'Linux'
    37. 

  37. 

  38.   - name: Add the public keys for scan to the user scan
    39. 

  39.     authorized_key:
    40. 

  40.       user: scan
    41. 

  41.       manage_dir: true
    42. 

  42.       state: present
    43. 

  43.       key: '{{ item }}'
    44. 

  44.     with_file:
    45. 

  45.       - include/scan_user/id_rsa.pub
    46. 

  46.       - include/scan_user/id_ed25519.pub
    47. 

  47.     when: ansible_facts.system == 'Linux'
    48. 

  48. 

  49.   - name: Add the scan user to the sudoers file (ALL commands, password Required) and validate
    50. 

  50.     sudoers:
    51. 

  51.       host: ALL
    52. 

  52.       name: "Allow the scan user to run commands using sudo"
    53. 

  53.       user: scan
    54. 

  54.       commands: ALL
    55. 

  55.       state: present
    56. 

  56.       nopassword: false
    57. 

  57.       validation: detect
    58. 

  58.     when: ansible_facts.system == 'Linux'
    59. 

  59. 

  60.   - name: Enable public key authentication within /etc/ssh/sshd_config, backing file up if a change is made, and validate
    61. 

  61.     lineinfile:
    62. 

  62.       path: /etc/ssh/sshd_config
    63. 

  63.       regexp: '^#PubkeyAuthentication yes'
    64. 

  64.       line: PubkeyAuthentication yes
    65. 

  65.       state: present
    66. 

  66.       backup: yes
    67. 

  67.       validate: 'sshd -t -f %s'
    68. 

  68.     when: ansible_facts.system == 'Linux'
    69. 

  69. 

  70.   - name: Ensure scan account has nothing locking it
    71. 

  71.     shell:  |
    72. 

  72.       usermod -U scan
    73. 

  73.       usermod -e "" scan
    74. 

  74.       chage -E -1 scan
    75. 

  75.       chage -I -1 scan
    76. 

  76.       exit 0
    77. 

  77.     args:
    78. 

  78.       executable: /bin/bash
    79. 

  79.     when: ansible_facts.system == 'Linux'
    80.