Merge "Clean out SSH options we managing"

tasks/rhel7stig/sshd.yml

@@ -25,6 +25,38 @@
     - V-71861
     - V-72225
 
+- name: Drop options from SSH config that we manage
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    state: absent
+    regexp: '^{{ item.name }}\s+(?!{{ item.value }})'
+    validate: '/usr/sbin/sshd -T -f %s'
+  with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
+  notify:
+    - restart ssh
+  tags:
+    - high
+    - sshd
+    - V-71939
+    - V-71957
+    - V-71959
+    - V-72221
+    - V-72225
+    - V-72237
+    - V-72241
+    - V-72245
+    - V-72247
+    - V-72249
+    - V-72243
+    - V-72243
+    - V-72303
+    - V-72251
+    - V-72253
+    - V-72265
+    - V-72267
+    - V-72261
+    - V-72263
+
 - name: Adjust ssh server configuration based on STIG requirements
   blockinfile:
     dest: /etc/ssh/sshd_config
@@ -32,7 +64,12 @@
     marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
     insertbefore: "BOF"
     validate: '/usr/sbin/sshd -T -f %s'
-    block: "{{ lookup('template', 'sshd_config_block.j2') }}"
+    block: |-
+      {% set options = sshd_settings_rhel7 | selectattr('enabled') %}
+      {% for option in options %}
+      # {{ option['stig_id'] }}
+      {{ option['name'] ~ ' ' ~ option['value'] }}
+      {% endfor %}
   notify:
     - restart ssh
   tags:

templates/sshd_config_block.j2

@@ -1,61 +0,0 @@
-{% if security_sshd_disallow_empty_password | bool %}
-# V-71939 / RHEL-07-010440
-PermitEmptyPasswords no
-{% endif %}
-{% if security_sshd_disallow_environment_override | bool %}
-# V-71957
-PermitUserEnvironment no
-{% endif %}
-{% if security_sshd_disallow_host_based_auth | bool %}
-# V-71959
-HostbasedAuthentication no
-{% endif %}
-# V-72221
-Ciphers {{ security_sshd_cipher_list }}
-# V-72237
-ClientAliveInterval {{ security_sshd_client_alive_interval }}
-# V-72241
-ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
-{% if security_sshd_print_last_log | bool %}
-# V-72245
-PrintLastLog yes
-{% endif %}
-{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
-{%   if security_sshd_permit_root_login | string in ['False', 'True'] %}
-{%     set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
-{%   else %}
-{%     set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
-{%   endif %}
-# V-72247
-PermitRootLogin {{ _security_sshd_permit_root_login }}
-{% endif %}
-{% if security_sshd_disallow_known_hosts_auth | bool %}
-# V-72249 / V-72239
-IgnoreUserKnownHosts yes
-{% endif %}
-{% if security_sshd_disallow_rhosts_auth | bool %}
-# V-72243
-IgnoreRhosts yes
-{% endif %}
-{% if security_sshd_enable_x11_forwarding | bool %}
-# V-72303
-X11Forwarding yes
-{% endif %}
-# V-72251
-Protocol {{ security_sshd_protocol }}
-# V-72253
-MACs {{security_sshd_allowed_macs }}
-{% if security_sshd_enable_privilege_separation | bool %}
-# V-72265
-UsePrivilegeSeparation sandbox
-{% endif %}
-# V-72267
-Compression {{ security_sshd_compression }}
-{% if security_sshd_disable_kerberos_auth | bool %}
-# V-72261
-KerberosAuthentication no
-{% endif %}
-{% if security_sshd_enable_strict_modes| bool %}
-# V-72263
-StrictModes yes
-{% endif %}

vars/main.yml

@@ -352,3 +352,77 @@ sysctl_settings_rhel7:
   - name: net.ipv6.conf.all.disable_ipv6
     value: 1
     enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"
+
+sshd_settings_rhel7:
+  - name: PermitEmptyPasswords
+    value: "no"
+    enabled: "{{ security_sshd_disallow_empty_password | bool }}"
+    stig_id: V-71939 / RHEL-07-010440
+  - name: PermitUserEnvironment
+    value: "no"
+    enabled: "{{ security_sshd_disallow_environment_override | bool }}"
+    stig_id: V-71957
+  - name: HostbasedAuthentication
+    value: "no"
+    enabled: "{{ security_sshd_disallow_host_based_auth | bool }}"
+    stig_id: V-71959
+  - name: Ciphers
+    value: "{{ security_sshd_cipher_list }}"
+    enabled: True
+    stig_id: V-72221
+  - name: ClientAliveInterval
+    value: "{{ security_sshd_client_alive_interval }}"
+    enabled: True
+    stig_id: V-72237
+  - name: ClientAliveCountMax
+    value: "{{ security_sshd_client_alive_count_max }}"
+    enabled: True
+    stig_id: V-72241
+  - name: PrintLastLog
+    value: "yes"
+    enabled: "{{ security_sshd_print_last_log | bool }}"
+    stig_id: V-72245
+  # NOTE(noonedeadpunk): We leave else/endif on same string not to deal with stripping of '\n' later on
+  - name: PermitRootLogin
+    value: |-
+      {% if security_sshd_permit_root_login | string in ['False', 'True'] %}
+      {{ (security_sshd_permit_root_login | bool) | ternary('yes', 'no') }}{% else %}
+      {{ security_sshd_permit_root_login }}{% endif %}
+    enabled: True
+    stig_id: V-72247
+  - name: IgnoreUserKnownHosts
+    value: "yes"
+    enabled: "{{ security_sshd_disallow_known_hosts_auth | bool }}"
+    stig_id: V-72249 / V-72239
+  - name: IgnoreRhosts
+    value: "yes"
+    enabled: "{{ security_sshd_disallow_rhosts_auth | bool }}"
+    stig_id: V-72243
+  - name: X11Forwarding
+    value: "yes"
+    enabled: "{{ security_sshd_enable_x11_forwarding | bool }}"
+    stig_id: V-72303
+  - name: Protocol
+    value: "{{ security_sshd_protocol }}"
+    enabled: yes
+    stig_id: V-72251
+  - name: MACs
+    value: "{{security_sshd_allowed_macs }}"
+    enabled: yes
+    stig_id: V-72253
+  - name: UsePrivilegeSeparation
+    value: sandbox
+    enabled: "{{ security_sshd_enable_privilege_separation | bool }}"
+    stig_id: V-72265
+  - name: Compression
+    value: "{{ security_sshd_compression }}"
+    enabled: yes
+    stig_id: V-72267
+  - name: KerberosAuthentication
+    value: "no"
+    enabled: "{{ security_sshd_disable_kerberos_auth | bool }}"
+    stig_id: V-72261
+  - name: StrictModes
+    value: "yes"
+    enabled: "{{ security_sshd_enable_strict_modes | bool }}"
+    stig_id: V-72263