openstack/ansible-hardening
Code Issues Proposed changes

rhel7stig: sshd.yml: Respect the STIG sshd configuration

Browse Source 
Appending sshd configuration options at the end of the file doesn't work
as expected. If the same keyword is set multiple times, sshd will only
respect the first occurence. As such, all the options that we add at the
EOF will do nothing if any of them is already set in the file already.
In order to make sure that all our options are respected, we need to add
all of them at the beginning of the file. This can be easily
demonstrated if we use the following keywords in an sshd config file
assuming we have /etc/motd already.

PrintMotd yes
PrintMotd no

$ ssh root@localhost

Last login: Tue Oct 31 09:28:28 2017 from ::1
Have a lot of fun...

But if we swap the options to
PrintMotd no
PrintMotd yes

Last login: Tue Oct 31 09:29:55 2017 from ::1

Closes-Bug: #1728735
Change-Id: I02f2b9bc612d67ed7b23d853012d3b6374f65c9d
This commit is contained in:
Markos Chandras 2017-10-30 22:16:27 +00:00
parent e79c6c0594
commit 2958a406a9
1 changed files with 1 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
tasks/rhel7stig/sshd.yml
View File

@ -13,21 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# Adding additional sshd configuration options is usually easy, but if a
# configuration file ends with certain configurations, like a "Match" stanza,
# we need a blank line to separate those configurations from the ones that
# are added by the security role. For that reason, we check for the existence
# of a marker line here and add a marker line to the file if it doesn't exist.
- name: Find first 'Match' line in sshd_config (if it exists)
shell: "grep '^Match' /etc/ssh/sshd_config || echo 'EOF'"
register: sshd_match_check
changed_when: False
check_mode: no
tags:
- always
- sshd
- name: Copy login warning banner
copy:
content: "{{ security_login_banner_text }}"
@ -45,7 +30,7 @@
dest: /etc/ssh/sshd_config
state: present
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
insertbefore: "{{ sshd_match_check.stdout_lines[0] }}"
insertbefore: "BOF"
validate: '/usr/sbin/sshd -T -f %s'
block: "{{ lookup('template', 'sshd_config_block.j2') }}"
notify: