From 70ab8d6e28d0af1ca76ca6e6f11a7604052a846a Mon Sep 17 00:00:00 2001 From: Sven Velt Date: Mon, 20 Mar 2023 20:32:35 +0100 Subject: [PATCH] Big update to support RHEL9 & clones Now crypto-policies include SSH options (not command line arguments) --- README.md | 8 +-- defaults/main.yml | 2 + handlers/main.yml | 2 +- tasks/main.yml | 54 +++++++++++++++++-- tasks/restrictions_crypto_policy.yml | 12 +---- tasks/restrictions_crypto_policy_include.yml | 12 +++++ ...dhat.config.j2 => opensshserver.config.j2} | 0 .../opensshserver_fedora.config.j2 | 1 - 8 files changed, 70 insertions(+), 21 deletions(-) create mode 100644 tasks/restrictions_crypto_policy_include.yml rename templates/crypto-policies/{opensshserver_redhat.config.j2 => opensshserver.config.j2} (100%) delete mode 120000 templates/crypto-policies/opensshserver_fedora.config.j2 diff --git a/README.md b/README.md index 0bfa0c8..6299121 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ Example Playbook SSH versions ------------ - 6.0: [_] Debian 7 "wheezy" -- 6.5: - (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`) +- 6.5: (support for `curve25519-sha256@libssh.org`, `ssh-ed25519`, `chacha20-poly1305@openssh.com`) - 6.6: Ubuntu 14.04 "trusty" - 6.7: [_] Debian 8 "jessie" - 7.0: @@ -58,9 +58,11 @@ SSH versions - 8.5: (added `sntrup761x25519-sha512@openssh.com`) - 8.6: Alpine 3.14, Fedora 34 - 8.7: Fedora 35 -- 8.8: Alpine 3.15, Fedora 36 +- 8.8: Alpine 3.15, Fedora 36, Fedora 37 - 8.9: Ubuntu 22.04 "jammy" -- 9.0: Archlinux, Voidlinux, Alpine 3.16, Ubuntu 22.10 "kinetic" +- 9.0: Alpine 3.16, Ubuntu 22.10 "kinetic" +- 9.1: Alpine 3.17 +- 9.2: Archlinux, Voidlinux, (Debian 12 "bookworm") License ------- diff --git a/defaults/main.yml b/defaults/main.yml index 6017ba7..844a468 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -12,5 +12,7 @@ ssh_hardening_hostkeys_all: ssh_hardening_moduli: /etc/ssh/moduli ssh_hardening_moduli_backup: /etc/ssh/moduli.not-hardened +ssh_hardening_service_name: sshd + ssh_hardening_sshd_config: /etc/ssh/sshd_config diff --git a/handlers/main.yml b/handlers/main.yml index f7f3796..00cf8cc 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: Restart SSH service: - name: "{{ ssh_hardening_service_name|default('sshd') }}" + name: "{{ ssh_hardening_service_name }}" state: restarted diff --git a/tasks/main.yml b/tasks/main.yml index 96ea536..8ac0771 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
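Review bot: `ssh_hardening_service_name: sshd` is added without a comment, and it becomes the only source of the unit name now that the handlers/main.yml hunk drops the `|default('sshd')` fallback. Debian-family hosts name the OpenSSH unit `ssh`, so a one-line comment above the key, `# systemd unit of the OpenSSH server; Debian/Ubuntu hosts need "ssh"`, would tell users which hosts must override it. The README hunk in this commit does not mention the new variable either, so the role's documented variables no longer match its defaults.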
@@ -76,18 +76,62 @@ #################### -- name: "Check for crypto-policies" +- name: "Check for SSH include directory" + stat: + path: /etc/ssh/sshd_config.d + register: ssh_hardening_sshd_include_dir + + +#- name: "SSH include directory exists" +# find: +# path: /etc/ssh/sshd_config.d +# pattern: "*.conf" +# register: ssh_hardening_sshd_include_files + + +- name: "Check for crypto-policy file" stat: path: /etc/crypto-policies/back-ends/opensshserver.config - register: ssh_hardening_use_policies + register: ssh_hardening_policy_file -- name: "The (RedHat) crypto policy way..." +- name: "BLOCK: what to do with crypto policy file" + when: ssh_hardening_policy_file.stat.exists + block: + + - name: "Get systemd service file location" + service: + name: "{{ ssh_hardening_service_name }}" + register: ssh_hardening_systemd_file + + - name: "Check for USED crypto-policies variable" + command: "awk '/CRYPTO_POLICY/{print}' {{ ssh_hardening_systemd_file.status.FragmentPath }}" + changed_when: False + register: ssh_hardening_policy_var + # stdout == "" → SSH-Cfg in CP + # stdout != "" → Variablen in CP + + + # Nicht bei SUSE Tumbleweed! + - name: "(policy file) Move original link" + command: mv /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.not-hardened + args: + creates: /etc/crypto-policies/back-ends/opensshserver.config.not-hardened + when: ssh_hardening_policy_file.stat.islnk + + +- name: "The (RedHat-8) crypto policy variable way..." include_tasks: restrictions_crypto_policy.yml - when: ssh_hardening_use_policies.stat.exists + when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length > 0 + + +- name: "The (RedHat-X) crypto policy include way..." + include_tasks: restrictions_crypto_policy_include.yml + when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length == 0 and ssh_hardening_policy_file.stat.exists - name: "The standard config way..." 
include_tasks: restrictions_configfile.yml - when: not ssh_hardening_use_policies.stat.exists + when: not ssh_hardening_policy_file.stat.exists + diff --git a/tasks/restrictions_crypto_policy.yml b/tasks/restrictions_crypto_policy.yml index dcf3415..ffeb852 100644 --- a/tasks/restrictions_crypto_policy.yml +++ b/tasks/restrictions_crypto_policy.yml @@ -1,22 +1,12 @@ --- -- name: Move original link - command: mv /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.not-hardened - args: - creates: /etc/crypto-policies/back-ends/opensshserver.config.not-hardened - when: ssh_hardening_use_policies.stat.islnk - - - name: Write new crypto policies template: - src: '{{ item }}' + src: 'crypto-policies/opensshserver.config.j2' dest: /etc/crypto-policies/back-ends/opensshserver.config owner: root group: root mode: 0644 backup: yes - with_first_found: - - 'crypto-policies/opensshserver_{{ ansible_distribution|lower }}.config.j2' - - 'crypto-policies/opensshserver_{{ ansible_os_family|lower }}.config.j2' notify: Restart SSH diff --git a/tasks/restrictions_crypto_policy_include.yml b/tasks/restrictions_crypto_policy_include.yml new file mode 100644 index 0000000..ed02bc5 --- /dev/null +++ b/tasks/restrictions_crypto_policy_include.yml @@ -0,0 +1,12 @@ +--- +- name: Write restrictions to crypto-policy file + template: + src: 'sshd_config_hardening.j2' + dest: '/etc/crypto-policies/back-ends/opensshserver.config' + owner: root + group: root + mode: 0600 + backup: yes + notify: Restart SSH + + diff --git a/templates/crypto-policies/opensshserver_redhat.config.j2 b/templates/crypto-policies/opensshserver.config.j2 similarity index 100% rename from templates/crypto-policies/opensshserver_redhat.config.j2 rename to templates/crypto-policies/opensshserver.config.j2 
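Review bot: The comment `# Nicht bei SUSE Tumbleweed!` above `"(policy file) Move original link"` records an exclusion the task does not implement — its `when: ssh_hardening_policy_file.stat.islnk` has no distribution check, so a Tumbleweed host with a symlinked policy file will still have the link renamed; either add the condition or reword the comment as an open TODO. The comments in this block should be English, e.g. `# stdout == "" → sshd options are included from the crypto-policy file` and `# stdout != "" → policy is passed through a variable in the unit file`, and `changed_when: False` should be the canonical `changed_when: false`. `ssh_hardening_systemd_file.status.FragmentPath` is read from a plain `service:` call; that attribute presumably comes only from the systemd backend, so using `ansible.builtin.systemd` would make the dependency explicit and fail clearly where it is absent. The awk scan only covers the main unit file named by FragmentPath, so a `CRYPTO_POLICY` reference introduced by a drop-in under the unit's `.d/` directory would not be detected — worth a comment if that is accepted.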
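Review bot: `mode: 0600` in the new task is an unquoted octal; YAML 1.1 parsers read it as the integer 384, which only coincidentally equals 0o600, so write it as Ansible documents, `mode: "0600"`, and for the same reason `backup: true` instead of `backup: yes`. The sibling task in restrictions_crypto_policy.yml writes the same path with 0644, so a short comment stating why this variant is tighter (the file is read by sshd as root) would help the next maintainer. The template replaces a file that the crypto-policies tooling manages on RHEL-family hosts, so a comment noting that a later policy switch may regenerate it — and that the role would need to run again — would help the operator.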
diff --git a/templates/crypto-policies/opensshserver_fedora.config.j2 b/templates/crypto-policies/opensshserver_fedora.config.j2
deleted file mode 120000
index 8963391..0000000
--- a/templates/crypto-policies/opensshserver_fedora.config.j2
+++ /dev/null
@@ -1 +0,0 @@
-../sshd_config_hardening.j2
\ No newline at end of file