Added OpenBSD support
This commit is contained in:
Sven Velt
parent
70ab8d6e28
commit
9650d4970a
|
|
@ -16,11 +16,19 @@ Defaults:
|
|||
- `ssh_hardening_hostkeys_all`: `dsa`, `ecdsa`, `rsa`, `ed25519`
|
||||
- `ssh_hardening_moduli`: `/etc/ssh/moduli`
|
||||
- `ssh_hardening_moduli_backup`: `/etc/ssh/moduli.not-hardened`
|
||||
- `ssh_hardening_root_group`: `root`
|
||||
- `ssh_hardening_service_name`: `sshd`
|
||||
- `ssh_hardening_sshd_config`: `/etc/ssh/sshd_config`
|
||||
|
||||
Included via `vars/ssh_*`:
|
||||
- `ssh_hardening_opts`: Parameter/Values to set for specific SSH version
|
||||
|
||||
Included via `vars/os_*`:
|
||||
- `ssh_hardening_moduli`
|
||||
- `ssh_hardening_moduli_backup`
|
||||
- `ssh_hardening_service_name`
|
||||
- `ssh_hardening_root_group`
|
||||
|
||||
Command line variables (undefined):
|
||||
- `ssh_hardening_force`: version/id to include, overwrites detected version!
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,8 @@ ssh_hardening_hostkeys_all:
|
|||
ssh_hardening_moduli: /etc/ssh/moduli
|
||||
ssh_hardening_moduli_backup: /etc/ssh/moduli.not-hardened
|
||||
|
||||
ssh_hardening_root_group: root
|
||||
|
||||
ssh_hardening_service_name: sshd
|
||||
|
||||
ssh_hardening_sshd_config: /etc/ssh/sshd_config
|
||||
|
|
|
|||
|
|
@ -2,11 +2,11 @@
|
|||
- name: Set some variables
|
||||
set_fact:
|
||||
ssh_hardening_backup_suffix: "42.{{ ansible_date_time.date }}@{{ ansible_date_time.time }}~"
|
||||
ssh_hardening_distri: "{{ (ansible_distribution|lower).split(' ')[0] }}-{{ ansible_distribution_major_version }}"
|
||||
ssh_hardening_distri: "{{ (ansible_distribution|lower).split(' ')[0] }}-{{ ansible_distribution_major_version|default(ansible_distribution_version) }}"
|
||||
|
||||
|
||||
- name: Get SSH version number
|
||||
shell: 'ssh -V 2>&1 | grep -o "OpenSSH_[0-9]\+\.[0-9]" | grep -o "[0-9]\+\.[0-9]"'
|
||||
shell: 'ssh -V 2>&1 | grep -Eo "OpenSSH_[0-9]+\.[0-9]+" | grep -Eo "[0-9]+\.[0-9]+"'
|
||||
changed_when: False
|
||||
register: ssh_hardening_version
|
||||
|
||||
|
|
@ -39,7 +39,7 @@
|
|||
dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
|
||||
remote_src: yes
|
||||
owner: root
|
||||
group: root
|
||||
group: "{{ ssh_hardening_root_group }}"
|
||||
mode: 0600
|
||||
|
||||
####################
|
||||
|
|
|
|||
|
|
@ -11,13 +11,13 @@
|
|||
|
||||
|
||||
- name: 'Moduli: Check for small Diffie-Hellman moduli'
|
||||
shell: "grep -c ' 1535 \\| 2047 ' /etc/ssh/moduli || true"
|
||||
shell: "grep -Ec ' 1535 | 2047 ' {{ ssh_hardening_moduli }} || true"
|
||||
changed_when: False
|
||||
register: ssh_hardening_moduli_small
|
||||
|
||||
|
||||
- name: 'Moduli: Remove small Diffie-Hellman moduli'
|
||||
shell: "TMPF=$(mktemp) && awk '$5 >= 3071' /etc/ssh/moduli >${TMPF} && mv ${TMPF} /etc/ssh/moduli"
|
||||
shell: "TMPF=$(mktemp) && awk '$5 >= 3071' {{ ssh_hardening_moduli }} >${TMPF} && mv ${TMPF} {{ ssh_hardening_moduli }}"
|
||||
when: ssh_hardening_moduli_small.stdout|int > 0
|
||||
|
||||
|
||||
|
|
|
|||
6
vars/os_openbsd.yml
Normal file
6
vars/os_openbsd.yml
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
ssh_hardening_root_group: wheel
|
||||
|
||||
ssh_hardening_moduli: /etc/moduli
|
||||
ssh_hardening_moduli_backup: /etc/moduli.not-hardened
|
||||
|
||||
Loading…
Reference in a new issue