Merge "Clean out SSH options we managing"

Zuul 2022-06-06 08:18:38 +00:00 committed by Gerrit Code Review
commit 02edef4106
3 changed files with 112 additions and 62 deletions


@ -25,6 +25,38 @@
- V-71861
- V-72225
- name: Drop options from SSH config that we manage
lineinfile:
path: /etc/ssh/sshd_config
state: absent
regexp: '^{{ item.name }}\s+(?!{{ item.value }})'
validate: '/usr/sbin/sshd -T -f %s'
with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
notify:
- restart ssh
tags:
- high
- sshd
- V-71939
- V-71957
- V-71959
- V-72221
- V-72225
- V-72237
- V-72241
- V-72245
- V-72247
- V-72249
- V-72243
- V-72243
- V-72303
- V-72251
- V-72253
- V-72265
- V-72267
- V-72261
- V-72263
- name: Adjust ssh server configuration based on STIG requirements
blockinfile:
dest: /etc/ssh/sshd_config
@ -32,7 +64,12 @@
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
insertbefore: "BOF"
validate: '/usr/sbin/sshd -T -f %s'
block: "{{ lookup('template', 'sshd_config_block.j2') }}"
block: |-
{% set options = sshd_settings_rhel7 | selectattr('enabled') %}
{% for option in options %}
# {{ option['stig_id'] }}
{{ option['name'] ~ ' ' ~ option['value'] }}
{% endfor %}
notify:
- restart ssh
tags:
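Review bot: The `regexp` in the new `Drop options from SSH config that we manage` task interpolates `item.value` unescaped and only as a prefix of the negative lookahead, so it is looser than the task name implies: `^Protocol\s+(?!2)` keeps a pre-existing `Protocol 2,1` line, and a regex metacharacter in a user-supplied value such as `security_sshd_cipher_list` would change what is matched. Anchoring the lookahead and escaping the value closes both gaps: `regexp: '^{{ item.name }}\s+(?!{{ item.value | regex_escape }}\s*$)'`. Since the managed block is inserted at `BOF` and sshd uses the first value it reads for a keyword, a leftover duplicate is inert for the global scope, but sshd_config keywords are case-insensitive while this match is not, so a lower-case `permitrootlogin yes` survives — worth a comment on the task if that is accepted. `V-72243` appears twice in the tag list while `V-72239`, which the vars file attaches to `IgnoreUserKnownHosts`, is absent; presumably one of the duplicates was meant to be it. The `Adjust ssh server configuration` task's tag list continues beyond the end of this section.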


@ -1,61 +0,0 @@
{% if security_sshd_disallow_empty_password | bool %}
# V-71939 / RHEL-07-010440
PermitEmptyPasswords no
{% endif %}
{% if security_sshd_disallow_environment_override | bool %}
# V-71957
PermitUserEnvironment no
{% endif %}
{% if security_sshd_disallow_host_based_auth | bool %}
# V-71959
HostbasedAuthentication no
{% endif %}
# V-72221
Ciphers {{ security_sshd_cipher_list }}
# V-72237
ClientAliveInterval {{ security_sshd_client_alive_interval }}
# V-72241
ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
{% if security_sshd_print_last_log | bool %}
# V-72245
PrintLastLog yes
{% endif %}
{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
{% if security_sshd_permit_root_login | string in ['False', 'True'] %}
{% set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
{% else %}
{% set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
{% endif %}
# V-72247
PermitRootLogin {{ _security_sshd_permit_root_login }}
{% endif %}
{% if security_sshd_disallow_known_hosts_auth | bool %}
# V-72249 / V-72239
IgnoreUserKnownHosts yes
{% endif %}
{% if security_sshd_disallow_rhosts_auth | bool %}
# V-72243
IgnoreRhosts yes
{% endif %}
{% if security_sshd_enable_x11_forwarding | bool %}
# V-72303
X11Forwarding yes
{% endif %}
# V-72251
Protocol {{ security_sshd_protocol }}
# V-72253
MACs {{security_sshd_allowed_macs }}
{% if security_sshd_enable_privilege_separation | bool %}
# V-72265
UsePrivilegeSeparation sandbox
{% endif %}
# V-72267
Compression {{ security_sshd_compression }}
{% if security_sshd_disable_kerberos_auth | bool %}
# V-72261
KerberosAuthentication no
{% endif %}
{% if security_sshd_enable_strict_modes| bool %}
# V-72263
StrictModes yes
{% endif %}


@ -352,3 +352,77 @@ sysctl_settings_rhel7:
- name: net.ipv6.conf.all.disable_ipv6
value: 1
enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"
sshd_settings_rhel7:
- name: PermitEmptyPasswords
value: "no"
enabled: "{{ security_sshd_disallow_empty_password | bool }}"
stig_id: V-71939 / RHEL-07-010440
- name: PermitUserEnvironment
value: "no"
enabled: "{{ security_sshd_disallow_environment_override | bool }}"
stig_id: V-71957
- name: HostbasedAuthentication
value: "no"
enabled: "{{ security_sshd_disallow_host_based_auth | bool }}"
stig_id: V-71959
- name: Ciphers
value: "{{ security_sshd_cipher_list }}"
enabled: True
stig_id: V-72221
- name: ClientAliveInterval
value: "{{ security_sshd_client_alive_interval }}"
enabled: True
stig_id: V-72237
- name: ClientAliveCountMax
value: "{{ security_sshd_client_alive_count_max }}"
enabled: True
stig_id: V-72241
- name: PrintLastLog
value: "yes"
enabled: "{{ security_sshd_print_last_log | bool }}"
stig_id: V-72245
# NOTE(noonedeadpunk): We leave else/endif on same string not to deal with stripping of '\n' later on
- name: PermitRootLogin
value: |-
{% if security_sshd_permit_root_login | string in ['False', 'True'] %}
{{ (security_sshd_permit_root_login | bool) | ternary('yes', 'no') }}{% else %}
{{ security_sshd_permit_root_login }}{% endif %}
enabled: True
stig_id: V-72247
- name: IgnoreUserKnownHosts
value: "yes"
enabled: "{{ security_sshd_disallow_known_hosts_auth | bool }}"
stig_id: V-72249 / V-72239
- name: IgnoreRhosts
value: "yes"
enabled: "{{ security_sshd_disallow_rhosts_auth | bool }}"
stig_id: V-72243
- name: X11Forwarding
value: "yes"
enabled: "{{ security_sshd_enable_x11_forwarding | bool }}"
stig_id: V-72303
- name: Protocol
value: "{{ security_sshd_protocol }}"
enabled: yes
stig_id: V-72251
- name: MACs
value: "{{security_sshd_allowed_macs }}"
enabled: yes
stig_id: V-72253
- name: UsePrivilegeSeparation
value: sandbox
enabled: "{{ security_sshd_enable_privilege_separation | bool }}"
stig_id: V-72265
- name: Compression
value: "{{ security_sshd_compression }}"
enabled: yes
stig_id: V-72267
- name: KerberosAuthentication
value: "no"
enabled: "{{ security_sshd_disable_kerberos_auth | bool }}"
stig_id: V-72261
- name: StrictModes
value: "yes"
enabled: "{{ security_sshd_enable_strict_modes | bool }}"
stig_id: V-72263
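Review bot: The `enabled` flags mix `True` (`Ciphers`, `ClientAliveInterval`, `ClientAliveCountMax`, `PermitRootLogin`) and `yes` (`Protocol`, `MACs`, `Compression`); both parse as YAML 1.1 booleans, but yamllint's `truthy` rule rejects them and the inconsistency invites a quoted `"yes"` that would silently stop being a boolean, so `enabled: true` throughout is safer — the `value: "no"`/`"yes"` quoting, by contrast, is correct because those must reach sshd as strings. The deleted template only rendered `PermitRootLogin` when `security_sshd_permit_root_login` was one of a fixed list of sshd-accepted values and omitted the directive otherwise, whereas the new `value:` block passes any other string through; the task's `sshd -T` validation should then reject the rendered file, which is fail-closed but a change in behaviour that deserves a comment on the entry, e.g. `# values other than yes/no/without-password/prohibit-password/forced-commands-only are no longer skipped; sshd -T validation rejects them`. The NOTE about keeping `{% else %}`/`{% endif %}` on one line applies only to this entry, so it reads better placed inside the `PermitRootLogin` item than above it.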