From 9cb7172cda5ee6ab320528573238045a416e6a73 Mon Sep 17 00:00:00 2001 From: Sven Velt Date: Thu, 12 May 2022 15:39:41 +0200 Subject: [PATCH] Split server part into "server.yml" tasks --- tasks/main.yml | 58 ++---------------------------------------------- tasks/server.yml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 56 deletions(-) create mode 100644 tasks/server.yml diff --git a/tasks/main.yml b/tasks/main.yml index 96ea536..19ee77f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -32,62 +32,8 @@ - "os_{{ (ansible_os_family|lower).split(' ')[0] }}.yml" - "os_default.yml" - -- name: Backup sshd_config - copy: - src: "{{ ssh_hardening_sshd_config }}" - dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}" - remote_src: yes - owner: root - group: root - mode: 0600 - #################### -- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)" - lineinfile: - dest: "{{ ssh_hardening_sshd_config }}" - regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key' - state: absent - loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}" - notify: Restart SSH - - -- name: "Hostkeys: Enable (RSA &) ED25519" - lineinfile: - dest: "{{ ssh_hardening_sshd_config }}" - regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key' - line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key' - loop: '{{ ssh_hardening_hostkeys }}' - notify: Restart SSH - - -- name: "Renew RSA hostkeys if too short" - openssh_keypair: - path: /etc/ssh/ssh_host_rsa_key - type: rsa - size: 4096 - when: '"rsa" in ssh_hardening_hostkeys' - -#################### - -- name: "INCLUDE: Remove small Diffie-Hellman moduli" - include_tasks: moduli.yml - -#################### - -- name: "Check for crypto-policies" - stat: - path: /etc/crypto-policies/back-ends/opensshserver.config - register: ssh_hardening_use_policies - - -- name: "The (RedHat) crypto policy way..." - include_tasks: restrictions_crypto_policy.yml - when: ssh_hardening_use_policies.stat.exists - - -- name: "The standard config way..." - include_tasks: restrictions_configfile.yml - when: not ssh_hardening_use_policies.stat.exists +- name: "INCLUDE: Server hardening" + include_tasks: server.yml diff --git a/tasks/server.yml b/tasks/server.yml new file mode 100644 index 0000000..a5d93b6 --- /dev/null +++ b/tasks/server.yml 
@@ -0,0 +1,58 @@ +--- +- name: Backup sshd_config + copy: + src: "{{ ssh_hardening_sshd_config }}" + dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}" + remote_src: yes + owner: root + group: root + mode: 0600 + + +- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)" + lineinfile: + dest: "{{ ssh_hardening_sshd_config }}" + regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key' + state: absent + loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}" + notify: Restart SSH + + +- name: "Hostkeys: Enable (RSA &) ED25519" + lineinfile: + dest: "{{ ssh_hardening_sshd_config }}" + regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key' + line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key' + loop: '{{ ssh_hardening_hostkeys }}' + notify: Restart SSH + + +- name: "Renew RSA hostkeys if too short" + openssh_keypair: + path: /etc/ssh/ssh_host_rsa_key + type: rsa + size: 4096 + when: '"rsa" in ssh_hardening_hostkeys' + +#################### + +- name: "INCLUDE: Remove small Diffie-Hellman moduli" + include_tasks: moduli.yml + +#################### + +- name: "Check for crypto-policies" + stat: + path: /etc/crypto-policies/back-ends/opensshserver.config + register: ssh_hardening_use_policies + + +- name: "The (RedHat) crypto policy way..." + include_tasks: restrictions_crypto_policy.yml + when: ssh_hardening_use_policies.stat.exists + + +- name: "The standard config way..." + include_tasks: restrictions_configfile.yml + when: not ssh_hardening_use_policies.stat.exists +
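Review bot: The "Renew RSA hostkeys if too short" task in server.yml writes a new /etc/ssh/ssh_host_rsa_key but, unlike the two lineinfile tasks around it, carries no `notify: Restart SSH`, so a running sshd keeps serving the old key until something else restarts it; add `notify: Restart SSH` to that task. Regenerating a host key also changes the host's identity for every client that has pinned it, which is worth a comment above the task (e.g. `# Regenerates the RSA host key when it is below 4096 bits; clients will see a host-key change`) and a check that the installed openssh_keypair actually regenerates on size mismatch rather than only when the file is missing, which I cannot confirm from the hunk. The "Backup sshd_config" task copies with the module default `force: true`, so each run overwrites the backup with the already-hardened file; `force: false` would keep the first, pristine copy as the rollback point. Same task: `remote_src: yes` should be `remote_src: true`, and `mode: 0600` should be quoted as `mode: '0600'` so the octal is not retyped by the YAML loader (ansible-lint risky-octal).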