openstack/ansible-hardening
Code Issues Proposed changes
4488a5474a
ansible-hardening/tasks/sshd.yml
Jesse Pretorius 58ac7a8a7a Enable role testing and make structure ansible-galaxy compatible 
This patch adds the bits needed to implement automated syntax/lint
role testing. It also moves the role into the base repository so
that the role becomes fully compatible with ansible-galaxy to
improve the role's consumability.

Change-Id: Ia79cd5dedbbe50dfdf46688830a989ff0897832a
2015-10-09 11:47:23 +00:00

161 lines
3.7 KiB
YAML
Raw Blame History

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: V-38484 - User must get date/time of last successful login
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?PrintLastLog'
line: 'PrintLastLog yes'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38484
- name: V-38607 - The SSH daemon must be configured to use only the SSHv2 protocol
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?Protocol \d'
line: 'Protocol 2'
notify:
- restart ssh
tags:
- ssh
- cat1
- V-38607
- name: V-38614 - The SSH daemon must not allow authentication using an empty password
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitEmptyPasswords'
line: 'PermitEmptyPasswords no'
notify:
- restart ssh
tags:
- ssh
- cat1
- V-38614
- name: V-38612 Medium The SSH daemon must not allow host-based authentication
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?HostbasedAuthentication'
line: 'HostbasedAuthentication no'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38612
- name: V-38608 - Set a timeout interval for idle ssh sessions
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?ClientAliveInterval'
line: 'ClientAliveInterval {{ ssh_client_alive_interval }}'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38608
- name: V-38610 - Set a timeout count on idle ssh sessions
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?ClientAliveCountMax'
line: 'ClientAliveCountMax {{ ssh_client_alive_count_max }}'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38610
- name: V-38611 - The sshd daemon must ignore .rhosts files
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?IgnoreRhosts'
line: 'IgnoreRhosts yes'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38611
- name: V-38613 - The ssh daemon must not permit root logins
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitRootLogin'
line: 'PermitRootLogin {{ ssh_permit_root_login }}'
notify:
- restart ssh
tags:
- ssh
- cat2
- V-38613
- name: Copy the login banner for sshd (for V-38615)
copy:
src: login_banner.txt
dest: /etc/issue.net
tags:
- ssh
- cat2
- V-38615
- name: V-38615 - The ssh daemon must display a login banner
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?Banner'
line: 'Banner /etc/issue.net'
tags:
- ssh
- cat2
- V-38615
- name: V-38616 - The ssh daemon must not permit user environment settings
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitUserEnvironment'
line: 'PermitUserEnvironment no'
tags:
- ssh
- cat3
- V-38616
- name: V-38617 - The ssh daemon must be configured to use approved ciphers
lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?Ciphers'
line: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'
tags:
- ssh
- cat2
- V-38617
View Git Blame Copy Permalink