diff --git a/defaults/main.yml b/defaults/main.yml
index f5adb49f..ea1b4830 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -522,6 +522,8 @@
 security_enable_gpgcheck_packages_local: yes # RHEL-07-020151
 security_enable_gpgcheck_repo: no # RHEL-07-020152
 ## ssh server (sshd)
+# Ensure sshd is running and enabled at boot time.
+security_enable_sshd: yes # RHEL-07-040261
 # Disallow logins from users with empty/null passwords.
 security_sshd_disallow_empty_password: yes # RHEL-07-010270 / RHEL-07-010440
 # Disallow users from overriding the ssh environment variables.
diff --git a/doc/metadata/rhel7/RHEL-07-040261.rst b/doc/metadata/rhel7/RHEL-07-040261.rst
index 3304d284..95f8320b 100644
--- a/doc/metadata/rhel7/RHEL-07-040261.rst
+++ b/doc/metadata/rhel7/RHEL-07-040261.rst
@@ -1,7 +1,23 @@
 ---
 id: RHEL-07-040261
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG has a requirement that the ``sshd`` daemon is running and enabled at
+boot time. The tasks in the security role ensure that these requirements are
+met.
+
+Some deployers may not have ``sshd`` enabled on highly specialized systems and
+those deployers should opt out of this change by setting the following Ansible
+variable:
+
+.. code-block:: yaml
+
+ security_enable_sshd: no
+
+.. note::
+
+ Setting ``security_enable_sshd`` to ``no`` causes the tasks to ignore the
+ state of the service entirely. A setting of ``no`` does not stop or alter
+ the ``sshd`` service.
diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index 6ad44d69..56f9cd0b 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -72,3 +72,15 @@
 - RHEL-07-040700
 - RHEL-07-040670
 - RHEL-07-040680
+
+- name: Ensure sshd is running and enabled
+ service:
+ name: "{{ ssh_service }}"
+ state: started
+ enabled: yes
+ when:
+ - security_enable_sshd | bool
+ tags:
+ - medium
+ - sshd
+ - RHEL-07-040261
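Review bot: The new comment above `security_enable_sshd` in defaults/main.yml says what `yes` does but not what `no` does, and the opt-out semantics (the task is skipped; the role never stops or disables sshd, per the .rst in this commit) live only in the documentation file that most deployers will not open. Extend the comment to `# Ensure sshd is running and enabled at boot time. Setting this to no skips the check; it never stops or disables sshd.` The same gap applies to the new task in tasks/rhel7stig/sshd.yml, which could carry that one-line comment above `- name: Ensure sshd is running and enabled`; `ssh_service` used there is defined outside the hunk, presumably as the platform service name. `yes`/`no` match this file's existing style, so keeping them is consistent even though Ansible's linters prefer `true`/`false`.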