From aa1feb45271c8fbe8eba7d555ded9d41a70eff64 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Fri, 13 May 2022 13:02:27 +0200
Subject: [PATCH] Clean out SSH options we managing

With current behaviour we duplicate SSH options and don't care if same thing is defined anywhere down the line. With that change we change how options are defined - instead of the template we use a list of mappings. With that we can select and remove options that playbook supposed to manage. With that we also keep playbook idempotency. As side effect we still can have options duplicated but only if they have exact same value.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/840353
Change-Id: I140606f7e724fbe2a4f0b03f6a0501da7bdd5964
Closes-Bug: #1958649
---
 tasks/rhel7stig/sshd.yml | 39 +++++++++++++++++-
 templates/sshd_config_block.j2 | 61 ----------------------------
 vars/main.yml | 74 ++++++++++++++++++++++++++++++++++
 3 files changed, 112 insertions(+), 62 deletions(-)
 delete mode 100644 templates/sshd_config_block.j2

diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index 1e5165da..008b04ae 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -25,6 +25,38 @@
 - V-71861
 - V-72225
+- name: Drop options from SSH config that we manage
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ state: absent
+ regexp: '^{{ item.name }}\s+(?!{{ item.value }})'
+ validate: '/usr/sbin/sshd -T -f %s'
+ with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
+ notify:
+ - restart ssh
+ tags:
+ - high
+ - sshd
+ - V-71939
+ - V-71957
+ - V-71959
+ - V-72221
+ - V-72225
+ - V-72237
+ - V-72241
+ - V-72245
+ - V-72247
+ - V-72249
+ - V-72243
+ - V-72243
+ - V-72303
+ - V-72251
+ - V-72253
+ - V-72265
+ - V-72267
+ - V-72261
+ - V-72263
+
 - name: Adjust ssh server configuration based on STIG requirements
 blockinfile:
 dest: /etc/ssh/sshd_config
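Review bot: The `regexp` of the new "Drop options from SSH config that we manage" task interpolates `item.value` into the pattern unescaped and uses it as a bare prefix lookahead, so a value carrying regex metacharacters (the operator-supplied `Ciphers`/`MACs` lists, for instance) can alter what is matched, and a managed value that is a prefix of the existing one (say `ClientAliveInterval 600` against an existing `6000`) leaves the stale line in the file. Escaping the value and anchoring the lookahead, `regexp: '^{{ item.name }}\s+(?!{{ item.value | regex_escape }}\s*$)'`, restricts the removal to lines whose value differs from the managed one, which is what the commit message describes. sshd keywords are case-insensitive while this pattern is not, so a differently cased directive survives the clean-out; a `(?i)` prefix, or a comment stating that only the canonical spelling is handled, would make the intended scope explicit. The `tags` list also repeats `V-72243` while `V-72239`, carried by the `IgnoreUserKnownHosts` stig_id, is not listed.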
@@ -32,7 +64,12 @@
 marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
 insertbefore: "BOF"
 validate: '/usr/sbin/sshd -T -f %s'
- block: "{{ lookup('template', 'sshd_config_block.j2') }}"
+ block: |-
+ {% set options = sshd_settings_rhel7 | selectattr('enabled') %}
+ {% for option in options %}
+ # {{ option['stig_id'] }}
+ {{ option['name'] ~ ' ' ~ option['value'] }}
+ {% endfor %}
 notify:
 - restart ssh
 tags:
diff --git a/templates/sshd_config_block.j2 b/templates/sshd_config_block.j2
deleted file mode 100644
index 69d6f745..00000000
--- a/templates/sshd_config_block.j2
+++ /dev/null
@@ -1,61 +0,0 @@
-{% if security_sshd_disallow_empty_password | bool %}
-# V-71939 / RHEL-07-010440
-PermitEmptyPasswords no
-{% endif %}
-{% if security_sshd_disallow_environment_override | bool %}
-# V-71957
-PermitUserEnvironment no
-{% endif %}
-{% if security_sshd_disallow_host_based_auth | bool %}
-# V-71959
-HostbasedAuthentication no
-{% endif %}
-# V-72221
-Ciphers {{ security_sshd_cipher_list }}
-# V-72237
-ClientAliveInterval {{ security_sshd_client_alive_interval }}
-# V-72241
-ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
-{% if security_sshd_print_last_log | bool %}
-# V-72245
-PrintLastLog yes
-{% endif %}
-{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
-{% if security_sshd_permit_root_login | string in ['False', 'True'] %}
-{% set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
-{% else %}
-{% set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
-{% endif %}
-# V-72247
-PermitRootLogin {{ _security_sshd_permit_root_login }}
-{% endif %}
-{% if security_sshd_disallow_known_hosts_auth | bool %}
-# V-72249 / V-72239
-IgnoreUserKnownHosts yes
-{% endif %}
-{% if security_sshd_disallow_rhosts_auth | bool %}
-# V-72243
-IgnoreRhosts yes
-{% endif %}
-{% if security_sshd_enable_x11_forwarding | bool %}
-# V-72303
-X11Forwarding yes
-{% endif %}
-# V-72251
-Protocol {{ security_sshd_protocol }}
-# V-72253
-MACs {{security_sshd_allowed_macs }}
-{% if security_sshd_enable_privilege_separation | bool %}
-# V-72265
-UsePrivilegeSeparation sandbox
-{% endif %}
-# V-72267
-Compression {{ security_sshd_compression }}
-{% if security_sshd_disable_kerberos_auth | bool %}
-# V-72261
-KerberosAuthentication no
-{% endif %}
-{% if security_sshd_enable_strict_modes| bool %}
-# V-72263
-StrictModes yes
-{% endif %}
diff --git a/vars/main.yml b/vars/main.yml
index 5d21723c..71f289df 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -352,3 +352,77 @@ sysctl_settings_rhel7:
 - name: net.ipv6.conf.all.disable_ipv6
 value: 1
 enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"
+
+sshd_settings_rhel7:
+ - name: PermitEmptyPasswords
+ value: "no"
+ enabled: "{{ security_sshd_disallow_empty_password | bool }}"
+ stig_id: V-71939 / RHEL-07-010440
+ - name: PermitUserEnvironment
+ value: "no"
+ enabled: "{{ security_sshd_disallow_environment_override | bool }}"
+ stig_id: V-71957
+ - name: HostbasedAuthentication
+ value: "no"
+ enabled: "{{ security_sshd_disallow_host_based_auth | bool }}"
+ stig_id: V-71959
+ - name: Ciphers
+ value: "{{ security_sshd_cipher_list }}"
+ enabled: True
+ stig_id: V-72221
+ - name: ClientAliveInterval
+ value: "{{ security_sshd_client_alive_interval }}"
+ enabled: True
+ stig_id: V-72237
+ - name: ClientAliveCountMax
+ value: "{{ security_sshd_client_alive_count_max }}"
+ enabled: True
+ stig_id: V-72241
+ - name: PrintLastLog
+ value: "yes"
+ enabled: "{{ security_sshd_print_last_log | bool }}"
+ stig_id: V-72245
+ # NOTE(noonedeadpunk): We leave else/endif on same string not to deal with stripping of '\n' later on
+ - name: PermitRootLogin
+ value: |-
+ {% if security_sshd_permit_root_login | string in ['False', 'True'] %}
+ {{ (security_sshd_permit_root_login | bool) | ternary('yes', 'no') }}{% else %}
+ {{ security_sshd_permit_root_login }}{% endif %}
+ enabled: True
+ stig_id: V-72247
+ - name: IgnoreUserKnownHosts
+ value: "yes"
+ enabled: "{{ security_sshd_disallow_known_hosts_auth | bool }}"
+ stig_id: V-72249 / V-72239
+ - name: IgnoreRhosts
+ value: "yes"
+ enabled: "{{ security_sshd_disallow_rhosts_auth | bool }}"
+ stig_id: V-72243
+ - name: X11Forwarding
+ value: "yes"
+ enabled: "{{ security_sshd_enable_x11_forwarding | bool }}"
+ stig_id: V-72303
+ - name: Protocol
+ value: "{{ security_sshd_protocol }}"
+ enabled: yes
+ stig_id: V-72251
+ - name: MACs
+ value: "{{security_sshd_allowed_macs }}"
+ enabled: yes
+ stig_id: V-72253
+ - name: UsePrivilegeSeparation
+ value: sandbox
+ enabled: "{{ security_sshd_enable_privilege_separation | bool }}"
+ stig_id: V-72265
+ - name: Compression
+ value: "{{ security_sshd_compression }}"
+ enabled: yes
+ stig_id: V-72267
+ - name: KerberosAuthentication
+ value: "no"
+ enabled: "{{ security_sshd_disable_kerberos_auth | bool }}"
+ stig_id: V-72261
+ - name: StrictModes
+ value: "yes"
+ enabled: "{{ security_sshd_enable_strict_modes | bool }}"
+ stig_id: V-72263
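Review bot: The old template only emitted `PermitRootLogin` when `security_sshd_permit_root_login` was one of the accepted spellings (`without-password`, `prohibit-password`, `forced-commands-only`, `no`, `yes` or a boolean); the new `PermitRootLogin` entry renders whatever the variable holds, so an unsupported value is now caught only by the `sshd -T` validation of the consuming tasks, which fails the play instead of silently omitting the directive. Restoring the check in the entry, `enabled: "{{ security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes'] }}"`, or documenting the behaviour change next to the NOTE comment, would keep that contract explicit. The constant `enabled` flags are written as both `True` and `yes`; plain `true` for all of them avoids the YAML 1.1 `yes` quirk and matches the `sysctl_settings_rhel7` list above. `value: "{{security_sshd_allowed_macs }}"` also carries over the missing space after the opening braces from the deleted template.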