Big update to support RHEL9 & clones
Now crypto-policies include SSH options (not command line arguments)
parent
9751d3f8e9
commit
70ab8d6e28
@ -39,7 +39,7 @@ Example Playbook
SSH versions
------------
- 6.0: [_] Debian 7 "wheezy"
- 6.5: - (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`)
- 6.5: (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`)
- 6.6: Ubuntu 14.04 "trusty"
- 6.7: [_] Debian 8 "jessie"
- 7.0:
@ -58,9 +58,11 @@ SSH versions
- 8.5: (added `sntrup761x25519-sha512@openssh.com`)
- 8.6: Alpine 3.14, Fedora 34
- 8.7: Fedora 35
- 8.8: Alpine 3.15, Fedora 36
- 8.8: Alpine 3.15, Fedora 36, Fedora 37
- 8.9: Ubuntu 22.04 "jammy"
- 9.0: Archlinux, Voidlinux, Alpine 3.16, Ubuntu 22.10 "kinetic"
- 9.0: Alpine 3.16, Ubuntu 22.10 "kinetic"
- 9.1: Alpine 3.17
- 9.2: Archlinux, Voidlinux, (Debian 12 "bookworm")
License
-------
@ -12,5 +12,7 @@ ssh_hardening_hostkeys_all:
ssh_hardening_moduli: /etc/ssh/moduli
ssh_hardening_moduli_backup: /etc/ssh/moduli.not-hardened
ssh_hardening_service_name: sshd
ssh_hardening_sshd_config: /etc/ssh/sshd_config
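Review bot: The default `ssh_hardening_service_name: sshd`, which this hunk appears to introduce, has no comment although it now drives both the `Restart SSH` handler (the commit drops the handler's `|default('sshd')` fallback) and the crypto-policy detection tasks added elsewhere in this commit. A line such as `# service/unit name used to restart SSH and to locate its systemd unit; override on distributions whose unit is not called sshd (e.g. 'ssh' on Debian-based systems)` above it would tell users when they must override it. The README's variable list is not touched by this diff, so it probably needs the same addition.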
@ -1,7 +1,7 @@
---
- name: Restart SSH
service:
name: "{{ ssh_hardening_service_name|default('sshd') }}"
name: "{{ ssh_hardening_service_name }}"
state: restarted
@ -76,18 +76,62 @@
####################
- name: "Check for crypto-policies"
- name: "Check for SSH include directory"
stat:
path: /etc/ssh/sshd_config.d
register: ssh_hardening_sshd_include_dir
#- name: "SSH include directory exists"
# find:
# path: /etc/ssh/sshd_config.d
# pattern: "*.conf"
# register: ssh_hardening_sshd_include_files
- name: "Check for crypto-policy file"
stat:
path: /etc/crypto-policies/back-ends/opensshserver.config
register: ssh_hardening_use_policies
register: ssh_hardening_policy_file
- name: "The (RedHat) crypto policy way..."
- name: "BLOCK: what to do with crypto policy file"
when: ssh_hardening_policy_file.stat.exists
block:
- name: "Get systemd service file location"
service:
name: "{{ ssh_hardening_service_name }}"
register: ssh_hardening_systemd_file
- name: "Check for USED crypto-policies variable"
command: "awk '/CRYPTO_POLICY/{print}' {{ ssh_hardening_systemd_file.status.FragmentPath }}"
changed_when: False
register: ssh_hardening_policy_var
# stdout == "" → SSH-Cfg in CP
# stdout != "" → Variablen in CP
# Nicht bei SUSE Tumbleweed!
- name: "(policy file) Move original link"
command: mv /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
args:
creates: /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
when: ssh_hardening_policy_file.stat.islnk
- name: "The (RedHat-8) crypto policy variable way..."
include_tasks: restrictions_crypto_policy.yml
when: ssh_hardening_use_policies.stat.exists
when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length > 0
- name: "The (RedHat-X) crypto policy include way..."
include_tasks: restrictions_crypto_policy_include.yml
when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length == 0 and ssh_hardening_policy_file.stat.exists
- name: "The standard config way..."
include_tasks: restrictions_configfile.yml
when: not ssh_hardening_use_policies.stat.exists
when: not ssh_hardening_policy_file.stat.exists
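Review bot: The new task "Get systemd service file location" calls `service:` with only `name:` set and expects `status.FragmentPath` in the registered result; as far as I can tell from the module documentation, `service` (and the `systemd` module it delegates to, which is the one that returns `status`) requires at least one of `state`/`enabled`, so the task would be rejected at argument validation and the awk task that follows would fail on an undefined `status`. A side-effect-free way to obtain the same value is `command: "systemctl show -p FragmentPath --value {{ ssh_hardening_service_name | quote }}"` with `changed_when: false`, after which the awk task reads `{{ ssh_hardening_systemd_file.stdout | quote }}`. Whichever source is used, the path currently goes into the `command:` line unquoted; `command` runs without a shell, but a unit path containing whitespace would still be split into separate arguments, so the `| quote` is worth keeping. The German comments under the awk task (`Variablen in CP`, `Nicht bei SUSE Tumbleweed!`) would be clearer in English, e.g. `# empty stdout: sshd options are read from the policy file itself; non-empty: they are passed through the CRYPTO_POLICY variable`, and the commented-out "SSH include directory exists" task should either get a comment saying why it is kept or be removed. `changed_when: False` should be the lowercase `false`; the same unquoted `yes`/octal-mode style recurs in the new tasks/restrictions_crypto_policy_include.yml, and the task list may continue past the end of this hunk.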
@ -1,22 +1,12 @@
---
- name: Move original link
command: mv /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
args:
creates: /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
when: ssh_hardening_use_policies.stat.islnk
- name: Write new crypto policies
template:
src: '{{ item }}'
src: 'crypto-policies/opensshserver.config.j2'
dest: /etc/crypto-policies/back-ends/opensshserver.config
owner: root
group: root
mode: 0644
backup: yes
with_first_found:
- 'crypto-policies/opensshserver_{{ ansible_distribution|lower }}.config.j2'
- 'crypto-policies/opensshserver_{{ ansible_os_family|lower }}.config.j2'
notify: Restart SSH
12
tasks/restrictions_crypto_policy_include.yml
Normal file
@ -0,0 +1,12 @@
---
- name: Write restrictions to crypto-policy file
template:
src: 'sshd_config_hardening.j2'
dest: '/etc/crypto-policies/back-ends/opensshserver.config'
owner: root
group: root
mode: 0600
backup: yes
notify: Restart SSH
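Review bot: `mode: 0600` on this template differs from the `mode: 0644` that the variable-way template in restrictions_crypto_policy.yml sets on the very same destination, and both are unquoted octals that only read correctly because YAML 1.1 happens to treat the leading zero as octal; quote them (`mode: "0600"`) and pick one mode deliberately, with a comment noting that sshd reads the file as root so 0600 is sufficient for it. `backup: yes` should be `backup: true`. A short header comment would also help the next maintainer: it should say that on these distributions the crypto-policy back-end file is pulled into the sshd configuration by an include rather than by command-line arguments (the commit message's point), that this task therefore writes the full `sshd_config_hardening.j2` there and replaces the distribution's symlink with a regular file, and whether a later `update-crypto-policies` run overwrites or leaves such a file alone — I have not verified the latter, so it needs checking before it is written down.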
@ -1 +0,0 @@
../sshd_config_hardening.j2