Split server part into "server.yml" tasks

This commit is contained in:
Sven Velt 2022-05-12 15:39:41 +02:00
parent 8c96e48deb
commit 9cb7172cda
2 changed files with 60 additions and 56 deletions


@ -32,62 +32,8 @@
- "os_{{ (ansible_os_family|lower).split(' ')[0] }}.yml" - "os_{{ (ansible_os_family|lower).split(' ')[0] }}.yml"
- "os_default.yml" - "os_default.yml"
- name: Backup sshd_config
copy:
src: "{{ ssh_hardening_sshd_config }}"
dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
remote_src: yes
owner: root
group: root
mode: 0600
#################### ####################
- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)" - name: "INCLUDE: Server hardening"
lineinfile: include_tasks: server.yml
dest: "{{ ssh_hardening_sshd_config }}"
regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
state: absent
loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"
notify: Restart SSH
- name: "Hostkeys: Enable (RSA &) ED25519"
lineinfile:
dest: "{{ ssh_hardening_sshd_config }}"
regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key'
loop: '{{ ssh_hardening_hostkeys }}'
notify: Restart SSH
- name: "Renew RSA hostkeys if too short"
openssh_keypair:
path: /etc/ssh/ssh_host_rsa_key
type: rsa
size: 4096
when: '"rsa" in ssh_hardening_hostkeys'
####################
- name: "INCLUDE: Remove small Diffie-Hellman moduli"
include_tasks: moduli.yml
####################
- name: "Check for crypto-policies"
stat:
path: /etc/crypto-policies/back-ends/opensshserver.config
register: ssh_hardening_use_policies
- name: "The (RedHat) crypto policy way..."
include_tasks: restrictions_crypto_policy.yml
when: ssh_hardening_use_policies.stat.exists
- name: "The standard config way..."
include_tasks: restrictions_configfile.yml
when: not ssh_hardening_use_policies.stat.exists

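--- /dev/null
+++ b/tasks/server.yml
@@ -0,0 +1,58 @@
+---
+- name: Backup sshd_config
+copy:
+src: "{{ ssh_hardening_sshd_config }}"
+dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
+remote_src: yes
+owner: root
+group: root
+mode: 0600
+- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)"
+lineinfile:
+dest: "{{ ssh_hardening_sshd_config }}"
+regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
+state: absent
+loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"
+notify: Restart SSH
+- name: "Hostkeys: Enable (RSA &) ED25519"
+lineinfile:
+dest: "{{ ssh_hardening_sshd_config }}"
+regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
+line: 'HostKey /etc/ssh/ssh_host_{{ item }}_key'
+loop: '{{ ssh_hardening_hostkeys }}'
+notify: Restart SSH
+- name: "Renew RSA hostkeys if too short"
+openssh_keypair:
+path: /etc/ssh/ssh_host_rsa_key
+type: rsa
+size: 4096
+when: '"rsa" in ssh_hardening_hostkeys'
+####################
+- name: "INCLUDE: Remove small Diffie-Hellman moduli"
+include_tasks: moduli.yml
+####################
+- name: "Check for crypto-policies"
+stat:
+path: /etc/crypto-policies/back-ends/opensshserver.config
+register: ssh_hardening_use_policies
+- name: "The (RedHat) crypto policy way..."
+include_tasks: restrictions_crypto_policy.yml
+when: ssh_hardening_use_policies.stat.exists
+- name: "The standard config way..."
+include_tasks: restrictions_configfile.yml
+when: not ssh_hardening_use_policies.stat.exists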
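Review bot: The `Renew RSA hostkeys if too short` task (`openssh_keypair` with `size: 4096`) carries no `notify: Restart SSH`, unlike the two `lineinfile` hostkey tasks above it, so a key the module regenerates at `/etc/ssh/ssh_host_rsa_key` is not served until sshd happens to restart for another reason; add `notify: Restart SSH` to that task. It is also worth documenting the side effect, since (if the module regenerates the key when the existing one does not match the requested type/size, as the task name implies) the host's RSA fingerprint changes and clients' known_hosts entries or published SSHFP records must be updated — a comment above the task such as `# Regenerating the RSA host key changes the host fingerprint; clients' known_hosts / SSHFP records need updating`. Minor: `mode: 0600` and `remote_src: yes` in the backup task rely on YAML 1.1 implicit typing (`0600` is parsed as the integer 384), so the ansible-lint-recommended forms are `mode: "0600"` and `remote_src: true`.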