ansible-hardening/tasks/rhel6stig/sshd.yml
Major Hayden a3e0f681d8 Remove deprecated always_run
The `always_run` argument has been deprecated[1] and replaced with
`check_mode: no`.

[1] http://docs.ansible.com/ansible/playbooks_checkmode.html

Change-Id: I534fbcdfe5212822f510de8fd06bd7d7337299fa
2016-11-09 11:42:30 -06:00

235 lines
6.7 KiB
YAML

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Adding additional sshd configuration options is usually easy, but if a
# configuration file ends with certain configurations, like a "Match" stanza,
# we need a blank line to separate those configurations from the ones that
# are added by the security role. For that reason, we check for the existence
# of a marker line here and add a marker line to the file if it doesn't exist.
- name: Check for security role marker in sshd_config
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
register: sshd_marker_check
changed_when: False
check_mode: no
failed_when: False
tags:
- ssh
# Check for "Match" stanzas in the sshd_config.
- name: Check for Match stanzas in sshd_config
command: "grep '^Match' /etc/ssh/sshd_config"
register: sshd_match_check
changed_when: False
check_mode: no
failed_when: False
tags:
- ssh
# If the marker is missing, and "Match" stanzas are present, we must carefully
# add a marker line above any "Match" stanzas in the configuration file. This
# is done by finding the first match with sed and then adding a marker
# line above it.
- name: Add security role marker with sed above Match stanza
shell: |
sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config
when:
- sshd_marker_check.rc != 0
- sshd_match_check.rc == 0
tags:
- ssh
# If the marker is missing, but there are no "Match" stanzas present, we can
# simply add the security role marker to the bottom of the sshd_config.
- name: Add security role marker to the end of the sshd_config
lineinfile:
dest: /etc/ssh/sshd_config
line: "\n# openstack-ansible-security configurations"
state: present
insertbefore: EOF
validate: '/usr/sbin/sshd -T -f %s'
when:
- sshd_marker_check.rc != 0
- sshd_match_check.rc != 0
tags:
- ssh
- name: V-38484 - User must get date/time of last successful login
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?PrintLastLog'
line: 'PrintLastLog yes'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38484
- name: V-38607 - The SSH daemon must be configured to use only the SSHv2 protocol
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?Protocol \d'
line: 'Protocol 2'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
tags:
- ssh
- cat1
- V-38607
- name: V-38614 - The SSH daemon must not allow authentication using an empty password
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitEmptyPasswords'
line: 'PermitEmptyPasswords no'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
tags:
- ssh
- cat1
- V-38614
- name: V-38612 - The SSH daemon must not allow host-based authentication
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?HostbasedAuthentication'
line: 'HostbasedAuthentication no'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38612
- name: V-38608 - Set a timeout interval for idle ssh sessions
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?ClientAliveInterval'
line: 'ClientAliveInterval {{ security_ssh_client_alive_interval }}'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38608
- name: V-38610 - Set a timeout count on idle ssh sessions
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?ClientAliveCountMax'
line: 'ClientAliveCountMax {{ security_ssh_client_alive_count_max }}'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38610
- name: V-38611 - The sshd daemon must ignore .rhosts files
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?IgnoreRhosts'
line: 'IgnoreRhosts yes'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38611
- name: V-38613 - The ssh daemon must not permit root logins
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitRootLogin'
line: 'PermitRootLogin {{ security_ssh_permit_root_login }}'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38613
- name: Copy the login banner for sshd (for V-38615)
copy:
src: login_banner.txt
dest: /etc/issue.net
tags:
- ssh
- cat2
- V-38615
- name: V-38615 - The ssh daemon must display a login banner
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?Banner'
line: 'Banner /etc/issue.net'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
tags:
- ssh
- cat2
- V-38615
- name: V-38616 - The ssh daemon must not permit user environment settings
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitUserEnvironment'
line: 'PermitUserEnvironment no'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
tags:
- ssh
- cat3
- V-38616
- name: V-38617 - The ssh daemon must be configured to use approved ciphers
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?Ciphers'
line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'
insertafter: "^# openstack-ansible-security configurations"
validate: '/usr/sbin/sshd -T -f %s'
tags:
- ssh
- cat2
- V-38617