diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index 1e5165da..008b04ae 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -25,6 +25,38 @@
 - V-71861
 - V-72225
 
+- name: Drop options from SSH config that we manage
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: absent
+ regexp: '^{{ item.name }}\s+(?!{{ item.value }})'
+ validate: '/usr/sbin/sshd -T -f %s'
+ with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
+ notify:
+ - restart ssh
+ tags:
+ - high
+ - sshd
+ - V-71939
+ - V-71957
+ - V-71959
+ - V-72221
+ - V-72225
+ - V-72237
+ - V-72241
+ - V-72245
+ - V-72247
+ - V-72249
+ - V-72243
+ - V-72243
+ - V-72303
+ - V-72251
+ - V-72253
+ - V-72265
+ - V-72267
+ - V-72261
+ - V-72263
+
 - name: Adjust ssh server configuration based on STIG requirements
 blockinfile:
 dest: /etc/ssh/sshd_config
@@ -32,7 +64,12 @@
 marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
 insertbefore: "BOF"
 validate: '/usr/sbin/sshd -T -f %s'
- block: "{{ lookup('template', 'sshd_config_block.j2') }}"
+ block: |-
+ {% set options = sshd_settings_rhel7 | selectattr('enabled') %}
+ {% for option in options %}
+ # {{ option['stig_id'] }}
+ {{ option['name'] ~ ' ' ~ option['value'] }}
+ {% endfor %}
 notify:
 - restart ssh
 tags:
diff --git a/templates/sshd_config_block.j2 b/templates/sshd_config_block.j2
deleted file mode 100644
index 69d6f745..00000000
--- a/templates/sshd_config_block.j2
+++ /dev/null
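Review bot: In the new "Drop options from SSH config that we manage" task, `item.value` is interpolated into `regexp` without escaping and the negative lookahead only checks a prefix, so the task removes too little and treats cipher/MAC lists as patterns rather than literals: with a managed `ClientAliveInterval 600`, a pre-existing `ClientAliveInterval 6000` line survives. Anchoring and escaping the value fixes both: `regexp: '^{{ item.name }}\s+(?!{{ item.value | regex_escape }}\s*$)'`. Because sshd honours the first occurrence of a keyword and the managed block is inserted at BOF (visible in the following hunk), a leftover line is unlikely to win, but the task's stated intent is not met. The `^` anchor also matches an option line inside a `Match` stanza, where deleting it changes that stanza's scope rather than the global setting; a comment stating that assumption on the task would help. The `tags` list carries `V-72243` twice.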
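Review bot: The inline `block` template gives no hint where its data comes from or why `selectattr('enabled')` filters it, which the per-option `{% if %}` guards of the deleted `sshd_config_block.j2` made obvious; add above `block: |-` a comment such as `# Rendered from sshd_settings_rhel7 (vars/main.yml): only entries whose enabled flag is true are written, each preceded by a '# <stig_id>' comment`. The same comment should mention that `option['value']` may itself be a Jinja block scalar (the PermitRootLogin entry in vars/main.yml) and that the single-line result depends on the newline after each `%}` being trimmed; if a rendering change ever put a bare newline into the directive, the `sshd -T` validate step would presumably be the only thing catching it.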
@@ -1,61 +0,0 @@
-{% if security_sshd_disallow_empty_password | bool %}
-# V-71939 / RHEL-07-010440
-PermitEmptyPasswords no
-{% endif %}
-{% if security_sshd_disallow_environment_override | bool %}
-# V-71957
-PermitUserEnvironment no
-{% endif %}
-{% if security_sshd_disallow_host_based_auth | bool %}
-# V-71959
-HostbasedAuthentication no
-{% endif %}
-# V-72221
-Ciphers {{ security_sshd_cipher_list }}
-# V-72237
-ClientAliveInterval {{ security_sshd_client_alive_interval }}
-# V-72241
-ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
-{% if security_sshd_print_last_log | bool %}
-# V-72245
-PrintLastLog yes
-{% endif %}
-{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
-{% if security_sshd_permit_root_login | string in ['False', 'True'] %}
-{% set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
-{% else %}
-{% set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
-{% endif %}
-# V-72247
-PermitRootLogin {{ _security_sshd_permit_root_login }}
-{% endif %}
-{% if security_sshd_disallow_known_hosts_auth | bool %}
-# V-72249 / V-72239
-IgnoreUserKnownHosts yes
-{% endif %}
-{% if security_sshd_disallow_rhosts_auth | bool %}
-# V-72243
-IgnoreRhosts yes
-{% endif %}
-{% if security_sshd_enable_x11_forwarding | bool %}
-# V-72303
-X11Forwarding yes
-{% endif %}
-# V-72251
-Protocol {{ security_sshd_protocol }}
-# V-72253
-MACs {{security_sshd_allowed_macs }}
-{% if security_sshd_enable_privilege_separation | bool %}
-# V-72265
-UsePrivilegeSeparation sandbox
-{% endif %}
-# V-72267
-Compression {{ security_sshd_compression }}
-{% if security_sshd_disable_kerberos_auth | bool %}
-# V-72261
-KerberosAuthentication no
-{% endif %}
-{% if security_sshd_enable_strict_modes| bool %}
-# V-72263
-StrictModes yes
-{% endif %}
diff --git a/vars/main.yml b/vars/main.yml
index 5d21723c..71f289df 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -352,3 +352,77 @@ sysctl_settings_rhel7:
 - name: net.ipv6.conf.all.disable_ipv6
 value: 1
 enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"
+
+sshd_settings_rhel7:
+ - name: PermitEmptyPasswords
+ value: "no"
+ enabled: "{{ security_sshd_disallow_empty_password | bool }}"
+ stig_id: V-71939 / RHEL-07-010440
+ - name: PermitUserEnvironment
+ value: "no"
+ enabled: "{{ security_sshd_disallow_environment_override | bool }}"
+ stig_id: V-71957
+ - name: HostbasedAuthentication
+ value: "no"
+ enabled: "{{ security_sshd_disallow_host_based_auth | bool }}"
+ stig_id: V-71959
+ - name: Ciphers
+ value: "{{ security_sshd_cipher_list }}"
+ enabled: True
+ stig_id: V-72221
+ - name: ClientAliveInterval
+ value: "{{ security_sshd_client_alive_interval }}"
+ enabled: True
+ stig_id: V-72237
+ - name: ClientAliveCountMax
+ value: "{{ security_sshd_client_alive_count_max }}"
+ enabled: True
+ stig_id: V-72241
+ - name: PrintLastLog
+ value: "yes"
+ enabled: "{{ security_sshd_print_last_log | bool }}"
+ stig_id: V-72245
+ # NOTE(noonedeadpunk): We leave else/endif on same string not to deal with stripping of '\n' later on
+ - name: PermitRootLogin
+ value: |-
+ {% if security_sshd_permit_root_login | string in ['False', 'True'] %}
+ {{ (security_sshd_permit_root_login | bool) | ternary('yes', 'no') }}{% else %}
+ {{ security_sshd_permit_root_login }}{% endif %}
+ enabled: True
+ stig_id: V-72247
+ - name: IgnoreUserKnownHosts
+ value: "yes"
+ enabled: "{{ security_sshd_disallow_known_hosts_auth | bool }}"
+ stig_id: V-72249 / V-72239
+ - name: IgnoreRhosts
+ value: "yes"
+ enabled: "{{ security_sshd_disallow_rhosts_auth | bool }}"
+ stig_id: V-72243
+ - name: X11Forwarding
+ value: "yes"
+ enabled: "{{ security_sshd_enable_x11_forwarding | bool }}"
+ stig_id: V-72303
+ - name: Protocol
+ value: "{{ security_sshd_protocol }}"
+ enabled: yes
+ stig_id: V-72251
+ - name: MACs
+ value: "{{security_sshd_allowed_macs }}"
+ enabled: yes
+ stig_id: V-72253
+ - name: UsePrivilegeSeparation
+ value: sandbox
+ enabled: "{{ security_sshd_enable_privilege_separation | bool }}"
+ stig_id: V-72265
+ - name: Compression
+ value: "{{ security_sshd_compression }}"
+ enabled: yes
+ stig_id: V-72267
+ - name: KerberosAuthentication
+ value: "no"
+ enabled: "{{ security_sshd_disable_kerberos_auth | bool }}"
+ stig_id: V-72261
+ - name: StrictModes
+ value: "yes"
+ enabled: "{{ security_sshd_enable_strict_modes | bool }}"
+ stig_id: V-72263
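Review bot: The new `sshd_settings_rhel7` list writes the always-on `enabled` flag three different ways — `True` (Ciphers, ClientAliveInterval, ClientAliveCountMax, PermitRootLogin) and `yes` (Protocol, MACs, Compression) beside the templated `"{{ ... | bool }}"` form; use the canonical `enabled: true` for all fixed entries so the list survives a yamllint `truthy` check and a later copy into quoted form does not silently turn into the string "yes". The PermitRootLogin entry also drops the allowed-value guard the deleted template had (it only emitted the directive for the `without-password`/`prohibit-password`/`forced-commands-only`/`no`/`yes` family): any other `security_sshd_permit_root_login` value is now written into sshd_config and rejected only by the `sshd -T` validate step, so a comment on the entry such as `# No value whitelist here: unexpected values fail the sshd -T validate step instead of being silently skipped` would spare the next reader a surprise. Minor: `value: "{{security_sshd_allowed_macs }}"` is missing the space after `{{`.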