ssh-hardening/tasks/main.yml
Sven Velt 70ab8d6e28 Big update to support RHEL9 & clones
Now crypto-policies include SSH options (not command line arguments)
2023-03-20 20:32:35 +01:00


---
- name: Set some variables
  # Derived values used by the rest of the role: a timestamped suffix for the
  # sshd_config backup, and a "<distribution>-<major version>" tag that picks
  # the distribution-specific vars file.
  set_fact:
    ssh_hardening_backup_suffix: '42.{{ ansible_date_time.date }}@{{ ansible_date_time.time }}~'
    ssh_hardening_distri: "{{ (ansible_distribution|lower).split(' ')[0] }}-{{ ansible_distribution_major_version }}"
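- name: Get SSH version number
  # Extracts "MAJOR.MINOR" from `ssh -V` (redirected with 2>&1 because the
  # version goes to stderr). The minor part is deliberately a single digit,
  # e.g. "8.7p1" -> "8.7"; the result selects the version-specific vars file.
  shell: 'ssh -V 2>&1 | grep -o "OpenSSH_[0-9]\+\.[0-9]" | grep -o "[0-9]\+\.[0-9]"'
  changed_when: false
  # Read-only probe: run it in check mode as well, otherwise
  # ssh_hardening_version.stdout_lines is undefined there and the
  # with_first_found lookup that consumes it fails.
  check_mode: false
  register: ssh_hardening_version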
- name: Read forced config file
  # Operator override: ssh_hardening_force names the vars file explicitly
  # instead of deriving it from the detected OpenSSH version.
  include_vars: 'ssh_{{ ssh_hardening_force }}.yml'
  when: ssh_hardening_force is defined
- name: Read SSH version config file
  # Version-specific option set, falling back to ssh_default.yml when no file
  # matches the detected "MAJOR.MINOR". Skipped when an explicit
  # ssh_hardening_force override is in use.
  include_vars: '{{ item }}'
  with_first_found:
    - 'ssh_{{ ssh_hardening_version.stdout_lines.0 }}.yml'
    - 'ssh_default.yml'
  when: ssh_hardening_force is not defined
- name: Read distribution specific variables
  # Most specific match wins: "<distro>-<major>", then "<distro>", then the
  # OS family, then os_default.yml.
  include_vars: '{{ item }}'
  with_first_found:
    - 'os_{{ ssh_hardening_distri }}.yml'
    - "os_{{ (ansible_distribution|lower).split(' ')[0] }}.yml"
    - "os_{{ (ansible_os_family|lower).split(' ')[0] }}.yml"
    - 'os_default.yml'
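- name: Backup sshd_config
  # Copies the live sshd_config to a timestamped sibling before anything is
  # edited. The suffix contains the run time, so every run leaves a new
  # backup behind; prune them if the role runs on a schedule.
  copy:
    src: "{{ ssh_hardening_sshd_config }}"
    dest: "{{ ssh_hardening_sshd_config }}.{{ ssh_hardening_backup_suffix }}"
    remote_src: true
    owner: root
    group: root
    # Quoted on purpose: an unquoted 0600 is an octal integer to YAML 1.1
    # parsers and decimal 600 to YAML 1.2 parsers; the string is unambiguous.
    mode: "0600"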
####################
- name: "Hostkeys: Disable (EC)DSA (and maybe RSA)"
  # Removes HostKey lines (active or commented out, hence the `#*`) for every
  # key type listed in ssh_hardening_hostkeys_all but not in
  # ssh_hardening_hostkeys.
  lineinfile:
    dest: "{{ ssh_hardening_sshd_config }}"
    regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
    state: absent
  loop: "{{ ssh_hardening_hostkeys_all|difference(ssh_hardening_hostkeys) }}"
  notify: Restart SSH
- name: "Hostkeys: Enable (RSA &) ED25519"
  # One HostKey line per wanted key type: a matching (possibly commented-out)
  # line is rewritten in place, otherwise the line is appended.
  lineinfile:
    dest: "{{ ssh_hardening_sshd_config }}"
    regexp: '(?i)\s*#*\s*hostkey.*{{ item }}_key'
    line: "HostKey /etc/ssh/ssh_host_{{ item }}_key"
  loop: "{{ ssh_hardening_hostkeys }}"
  notify: Restart SSH
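- name: "Renew RSA hostkeys if too short"
  # Only when RSA stays enabled. Regenerating replaces the host's RSA
  # identity: clients that pinned the old key in known_hosts will get a
  # host-key-changed warning, and a host certificate issued for the old key
  # no longer matches it.
  openssh_keypair:
    path: /etc/ssh/ssh_host_rsa_key
    type: rsa
    size: 4096
  when: '"rsa" in ssh_hardening_hostkeys'
  # sshd reads its host keys when it starts; a regenerated key is not served
  # until the daemon is restarted, so notify the same handler as the
  # HostKey edits above.
  notify: Restart SSH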
####################
- name: "INCLUDE: Remove small Diffie-Hellman moduli"
  # Delegated to moduli.yml (not shown here).
  include_tasks: moduli.yml
####################
- name: "Check for SSH include directory"
  # Presence of the sshd_config.d drop-in directory, recorded for later use.
  stat:
    path: /etc/ssh/sshd_config.d
  register: ssh_hardening_sshd_include_dir
#- name: "SSH include directory exists"
# find:
# path: /etc/ssh/sshd_config.d
# pattern: "*.conf"
# register: ssh_hardening_sshd_include_files
- name: "Check for crypto-policy file"
  # Whether system-wide crypto-policies provide an sshd back-end config;
  # its presence and link status drive the branches below.
  stat:
    path: /etc/crypto-policies/back-ends/opensshserver.config
  register: ssh_hardening_policy_file
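- name: "BLOCK: what to do with crypto policy file"
  # Only where crypto-policies manage sshd, i.e. the back-end file exists.
  # NOTE(review): nesting reconstructed from a flattened listing — the tasks
  # from "The (RedHat-8) ..." onward are kept outside the block because their
  # conditions re-check policy_var/policy_file themselves; confirm.
  when: ssh_hardening_policy_file.stat.exists
  block:
    - name: "Get systemd service file location"
      # Registered for status.FragmentPath, the unit file inspected next.
      # NOTE(review): the service module normally expects state or enabled;
      # confirm this name-only call returns status on the targeted version.
      service:
        name: "{{ ssh_hardening_service_name }}"
      register: ssh_hardening_systemd_file
    - name: "Check for USED crypto-policies variable"
      # stdout == "" -> the SSH options live in the crypto-policy file itself
      # stdout != "" -> the policy is passed via the CRYPTO_POLICY variable
      # Not the case on SUSE Tumbleweed!
      command: "awk '/CRYPTO_POLICY/{print}' {{ ssh_hardening_systemd_file.status.FragmentPath }}"
      changed_when: false
      # Read-only probe; running it in check mode lets the include tasks that
      # test ssh_hardening_policy_var.stdout be evaluated there as well.
      check_mode: false
      register: ssh_hardening_policy_var
    - name: "(policy file) Move original link"
      # Parks the policy-managed symlink under .not-hardened so the role can
      # put its own file in its place; `creates` makes the move idempotent.
      command: mv /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
      args:
        creates: /etc/crypto-policies/back-ends/opensshserver.config.not-hardened
      when: ssh_hardening_policy_file.stat.islnk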
- name: "The (RedHat-8) crypto policy variable way..."
  # Unit file references CRYPTO_POLICY (non-empty awk output).
  include_tasks: restrictions_crypto_policy.yml
  when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length > 0
- name: "The (RedHat-X) crypto policy include way..."
  # Policy file present but no CRYPTO_POLICY variable in the unit file
  # (empty awk output).
  include_tasks: restrictions_crypto_policy_include.yml
  when: ssh_hardening_policy_var.stdout is defined and ssh_hardening_policy_var.stdout|length == 0 and ssh_hardening_policy_file.stat.exists
- name: "The standard config way..."
  # No crypto-policy back-end file: restrictions go into sshd_config directly.
  include_tasks: restrictions_configfile.yml
  when: not ssh_hardening_policy_file.stat.exists