fa11dd430b
This patch adds idempotency checking for the security role. It ensures that no changes are made when the security role runs multiple times against the same system. Change-Id: Ia5df45ddc64b1af5149df64f3483f472b06d73f7
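---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# sshd hardening tasks (STIG V-384xx / V-386xx items).
#
# Every sshd_config edit below is anchored after a marker comment so the
# role's settings land before any "Match" stanza (directives that follow a
# "Match" line apply only to that match, not globally). Each lineinfile edit
# is validated with `sshd -T -f %s` against the candidate file before it
# replaces /etc/ssh/sshd_config, so a broken edit never reaches the live
# daemon. Note that lineinfile rewrites the *last* line matching `regexp`
# in place; `insertafter` is only consulted when nothing matches.

# Adding additional sshd configuration options is usually easy, but if a
# configuration file ends with certain configurations, like a "Match" stanza,
# we need a blank line to separate those configurations from the ones that
# are added by the security role. For that reason, we check for the existence
# of a marker line here and add a marker line to the file if it doesn't exist.
- name: Check for security role marker in sshd_config
  command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
  register: sshd_marker_check
  # Read-only probe: only the return code is used by the marker tasks below,
  # so it must never report a change or fail the play (grep exits 1 on no match).
  changed_when: false
  always_run: true
  failed_when: false
  tags:
    - ssh

# Check for "Match" stanzas in the sshd_config.
- name: Check for Match stanzas in sshd_config
  command: "grep '^Match' /etc/ssh/sshd_config"
  register: sshd_match_check
  changed_when: false
  always_run: true
  failed_when: false
  tags:
    - ssh

# If the marker is missing, and "Match" stanzas are present, we must carefully
# add a marker line above any "Match" stanzas in the configuration file. This
# is done by finding the first match with sed and then adding a marker
# line above it.
#
# NOTE: the "0,/re/" address form is a GNU sed extension, and because this is
# a shell task there is no `validate:` step on this edit path (the EOF path
# below is validated). The `when` guard keeps it from running again once the
# marker exists.
- name: Add security role marker with sed above Match stanza
  shell: |
    sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config
  when:
    - sshd_marker_check.rc != 0
    - sshd_match_check.rc == 0
  tags:
    - ssh

# If the marker is missing, but there are no "Match" stanzas present, we can
# simply add the security role marker to the bottom of the sshd_config.
- name: Add security role marker to the end of the sshd_config
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Double quotes make "\n" a real newline, which keeps a blank line between
    # any existing trailing configuration and the marker.
    line: "\n# openstack-ansible-security configurations"
    state: present
    insertbefore: EOF
    validate: '/usr/sbin/sshd -T -f %s'
  when:
    - sshd_marker_check.rc != 0
    - sshd_match_check.rc != 0
  tags:
    - ssh

- name: V-38484 - User must get date/time of last successful login
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    # "(#)?" also claims the distribution's commented-out default line.
    regexp: '^(#)?PrintLastLog'
    line: 'PrintLastLog yes'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - restart ssh
  tags:
    - ssh
    - cat2
    - V-38484

- name: V-38607 - The SSH daemon must be configured to use only the SSHv2 protocol
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?Protocol \d'
    line: 'Protocol 2'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - restart ssh
  tags:
    - ssh
    - cat1
    - V-38607

- name: V-38614 - The SSH daemon must not allow authentication using an empty password
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?PermitEmptyPasswords'
    line: 'PermitEmptyPasswords no'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - restart ssh
  tags:
    - ssh
    - cat1
    - V-38614

- name: V-38612 - The SSH daemon must not allow host-based authentication
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?HostbasedAuthentication'
    line: 'HostbasedAuthentication no'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - restart ssh
  tags:
    - ssh
    - cat2
    - V-38612

- name: V-38608 - Set a timeout interval for idle ssh sessions
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?ClientAliveInterval'
    # Value comes from the role's defaults; quoting keeps the Jinja expression
    # a string for the YAML parser.
    line: 'ClientAliveInterval {{ security_ssh_client_alive_interval }}'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - restart ssh
  tags:
    - ssh
    - cat2
    - V-38608

- name: V-38610 - Set a timeout count on idle ssh sessions
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?ClientAliveCountMax'
    line: 'ClientAliveCountMax {{ security_ssh_client_alive_count_max }}'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - restart ssh
  tags:
    - ssh
    - cat2
    - V-38610

- name: V-38611 - The sshd daemon must ignore .rhosts files
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?IgnoreRhosts'
    line: 'IgnoreRhosts yes'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - restart ssh
  tags:
    - ssh
    - cat2
    - V-38611

- name: V-38613 - The ssh daemon must not permit root logins
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?PermitRootLogin'
    # Deployer-controlled so environments that still need root logins can
    # opt in explicitly instead of editing this task.
    line: 'PermitRootLogin {{ security_ssh_permit_root_login }}'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  notify:
    - restart ssh
  tags:
    - ssh
    - cat2
    - V-38613

# The banner file itself is read by sshd per connection, so this copy does not
# need a restart; the Banner directive below does.
- name: Copy the login banner for sshd (for V-38615)
  copy:
    src: login_banner.txt
    dest: /etc/issue.net
  tags:
    - ssh
    - cat2
    - V-38615

- name: V-38615 - The ssh daemon must display a login banner
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?Banner'
    line: 'Banner /etc/issue.net'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  # sshd applies a config change only after a restart/reload; notify the same
  # handler the other sshd_config tasks use so the banner goes live this run.
  notify:
    - restart ssh
  tags:
    - ssh
    - cat2
    - V-38615

- name: V-38616 - The ssh daemon must not permit user environment settings
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?PermitUserEnvironment'
    line: 'PermitUserEnvironment no'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  # Same as above: without the handler the setting is on disk but not in effect.
  notify:
    - restart ssh
  tags:
    - ssh
    - cat3
    - V-38616

- name: V-38617 - The ssh daemon must be configured to use approved ciphers
  lineinfile:
    state: present
    dest: /etc/ssh/sshd_config
    regexp: '^(#)?Ciphers'
    # NOTE(review): the CBC modes (3des-cbc especially) are weak by current
    # standards; this list mirrors the V-38617 check text, so narrowing it to
    # the CTR entries is a compliance decision rather than a plain fix.
    line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'
    insertafter: "^# openstack-ansible-security configurations"
    validate: '/usr/sbin/sshd -T -f %s'
  # The running daemon keeps its old cipher list until restarted.
  notify:
    - restart ssh
  tags:
    - ssh
    - cat2
    - V-38617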