Clean out SSH options we managing

With current behaviour we duplicate SSH options and don't care if same thing is defined anywhere down the line. With that change we change how options are defined - instead of the template we use a list of mappings. With that we can select and remove options that playbook supposed to manage. With that we also keep playbook idempotency. As side effect we still can have options duplicated but only if they have exact same value. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/840353 Change-Id: I140606f7e724fbe2a4f0b03f6a0501da7bdd5964 Closes-Bug: #1958649
2022-05-13 13:02:27 +02:00 · 2022-05-13 13:02:27 +02:00 · aa1feb4527
commit aa1feb4527
parent 7b7e25b0a8
3 changed files with 112 additions and 62 deletions
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@ -25,6 +25,38 @@
    - V-71861
    - V-72225

+- name: Drop options from SSH config that we manage
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    state: absent
+    regexp: '^{{ item.name }}\s+(?!{{ item.value }})'
+    validate: '/usr/sbin/sshd -T -f %s'
+  with_items: "{{ sshd_settings_rhel7 | selectattr('enabled') }}"
+  notify:
+    - restart ssh
+  tags:
+    - high
+    - sshd
+    - V-71939
+    - V-71957
+    - V-71959
+    - V-72221
+    - V-72225
+    - V-72237
+    - V-72241
+    - V-72245
+    - V-72247
+    - V-72249
+    - V-72243
+    - V-72243
+    - V-72303
+    - V-72251
+    - V-72253
+    - V-72265
+    - V-72267
+    - V-72261
+    - V-72263
+
 - name: Adjust ssh server configuration based on STIG requirements
  blockinfile:
    dest: /etc/ssh/sshd_config
@ -32,7 +64,12 @@
    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
    insertbefore: "BOF"
    validate: '/usr/sbin/sshd -T -f %s'
-    block: "{{ lookup('template', 'sshd_config_block.j2') }}"
+    block: |-
+      {% set options = sshd_settings_rhel7 | selectattr('enabled') %}
+      {% for option in options %}
+      # {{ option['stig_id'] }}
+      {{ option['name'] ~ ' ' ~ option['value'] }}
+      {% endfor %}
  notify:
    - restart ssh
  tags:
--- a/templates/sshd_config_block.j2
+++ b/templates/sshd_config_block.j2
@ -1,61 +0,0 @@
-{% if security_sshd_disallow_empty_password | bool %}
-# V-71939 / RHEL-07-010440
-PermitEmptyPasswords no
-{% endif %}
-{% if security_sshd_disallow_environment_override | bool %}
-# V-71957
-PermitUserEnvironment no
-{% endif %}
-{% if security_sshd_disallow_host_based_auth | bool %}
-# V-71959
-HostbasedAuthentication no
-{% endif %}
-# V-72221
-Ciphers {{ security_sshd_cipher_list }}
-# V-72237
-ClientAliveInterval {{ security_sshd_client_alive_interval }}
-# V-72241
-ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
-{% if security_sshd_print_last_log | bool %}
-# V-72245
-PrintLastLog yes
-{% endif %}
-{% if security_sshd_permit_root_login | string in ['False', 'True', 'without-password', 'prohibit-password', 'forced-commands-only', 'no', 'yes' ] %}
-{%   if security_sshd_permit_root_login | string in ['False', 'True'] %}
-{%     set _security_sshd_permit_root_login = ((security_sshd_permit_root_login | bool) | ternary('yes','no')) %}
-{%   else %}
-{%     set _security_sshd_permit_root_login = security_sshd_permit_root_login %}
-{%   endif %}
-# V-72247
-PermitRootLogin {{ _security_sshd_permit_root_login }}
-{% endif %}
-{% if security_sshd_disallow_known_hosts_auth | bool %}
-# V-72249 / V-72239
-IgnoreUserKnownHosts yes
-{% endif %}
-{% if security_sshd_disallow_rhosts_auth | bool %}
-# V-72243
-IgnoreRhosts yes
-{% endif %}
-{% if security_sshd_enable_x11_forwarding | bool %}
-# V-72303
-X11Forwarding yes
-{% endif %}
-# V-72251
-Protocol {{ security_sshd_protocol }}
-# V-72253
-MACs {{security_sshd_allowed_macs }}
-{% if security_sshd_enable_privilege_separation | bool %}
-# V-72265
-UsePrivilegeSeparation sandbox
-{% endif %}
-# V-72267
-Compression {{ security_sshd_compression }}
-{% if security_sshd_disable_kerberos_auth | bool %}
-# V-72261
-KerberosAuthentication no
-{% endif %}
-{% if security_sshd_enable_strict_modes| bool %}
-# V-72263
-StrictModes yes
-{% endif %}
--- a/vars/main.yml
+++ b/vars/main.yml
@ -352,3 +352,77 @@ sysctl_settings_rhel7:
  - name: net.ipv6.conf.all.disable_ipv6
    value: 1
    enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"
+
+sshd_settings_rhel7:
+  - name: PermitEmptyPasswords
+    value: "no"
+    enabled: "{{ security_sshd_disallow_empty_password | bool }}"
+    stig_id: V-71939 / RHEL-07-010440
+  - name: PermitUserEnvironment
+    value: "no"
+    enabled: "{{ security_sshd_disallow_environment_override | bool }}"
+    stig_id: V-71957
+  - name: HostbasedAuthentication
+    value: "no"
+    enabled: "{{ security_sshd_disallow_host_based_auth | bool }}"
+    stig_id: V-71959
+  - name: Ciphers
+    value: "{{ security_sshd_cipher_list }}"
+    enabled: True
+    stig_id: V-72221
+  - name: ClientAliveInterval
+    value: "{{ security_sshd_client_alive_interval }}"
+    enabled: True
+    stig_id: V-72237
+  - name: ClientAliveCountMax
+    value: "{{ security_sshd_client_alive_count_max }}"
+    enabled: True
+    stig_id: V-72241
+  - name: PrintLastLog
+    value: "yes"
+    enabled: "{{ security_sshd_print_last_log | bool }}"
+    stig_id: V-72245
+  # NOTE(noonedeadpunk): We leave else/endif on same string not to deal with stripping of '\n' later on
+  - name: PermitRootLogin
+    value: |-
+      {% if security_sshd_permit_root_login | string in ['False', 'True'] %}
+      {{ (security_sshd_permit_root_login | bool) | ternary('yes', 'no') }}{% else %}
+      {{ security_sshd_permit_root_login }}{% endif %}
+    enabled: True
+    stig_id: V-72247
+  - name: IgnoreUserKnownHosts
+    value: "yes"
+    enabled: "{{ security_sshd_disallow_known_hosts_auth | bool }}"
+    stig_id: V-72249 / V-72239
+  - name: IgnoreRhosts
+    value: "yes"
+    enabled: "{{ security_sshd_disallow_rhosts_auth | bool }}"
+    stig_id: V-72243
+  - name: X11Forwarding
+    value: "yes"
+    enabled: "{{ security_sshd_enable_x11_forwarding | bool }}"
+    stig_id: V-72303
+  - name: Protocol
+    value: "{{ security_sshd_protocol }}"
+    enabled: yes
+    stig_id: V-72251
+  - name: MACs
+    value: "{{security_sshd_allowed_macs }}"
+    enabled: yes
+    stig_id: V-72253
+  - name: UsePrivilegeSeparation
+    value: sandbox
+    enabled: "{{ security_sshd_enable_privilege_separation | bool }}"
+    stig_id: V-72265
+  - name: Compression
+    value: "{{ security_sshd_compression }}"
+    enabled: yes
+    stig_id: V-72267
+  - name: KerberosAuthentication
+    value: "no"
+    enabled: "{{ security_sshd_disable_kerberos_auth | bool }}"
+    stig_id: V-72261
+  - name: StrictModes
+    value: "yes"
+    enabled: "{{ security_sshd_enable_strict_modes | bool }}"
+    stig_id: V-72263