Code Review / ta / infra-ansible.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
Initial commit
[ta/infra-ansible.git] / roles / ssh_conf_hardening / tasks / main.yaml
1 ---
2
3 # Copyright 2019 Nokia
4
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
8 #
9 #     http://www.apache.org/licenses/LICENSE-2.0
10 #
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
16
17 - name: Ssh protocol setting
18   ssh_conf:
19     regexp: '[\s]*Protocol'
20     values: "Protocol 2\n"
21
22 - name: Disable ssh root login
23   ssh_conf:
24     regexp: '[\s]*PermitRootLogin [y|n]'
25     values: "PermitRootLogin no\n"
26
27 - name: Listening address setting
28   ssh_conf:
29     regexp: '[\s]*ListenAddress'
30     values: "ListenAddress 0.0.0.0\n"
31
32 - name: Disable the hostbasedauthentication
33   ssh_conf:
34     regexp: '[\s]*HostbasedAuthentication [y|n]'
35     values: "HostbasedAuthentication no\n"
36
37 - name: Disable the passwordauthentication
38   ssh_conf:
39     regexp: '[\s]*PasswordAuthentication [y|n]'
40     values: "PasswordAuthentication yes\n"
41
42 - name: Disable the empty password
43   ssh_conf:
44     regexp: '[\s]*PermitEmptyPasswords [y|n]'
45     values: "PermitEmptyPasswords no\n"
46
47 - name: Ciphers setting
48   ssh_conf:
49     regexp: '[\s]*Ciphers'
50     values: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\n"
51
52 - name: MACs setting
53   ssh_conf:
54     regexp: '[\s]*MACs'
55     values: "MACs hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com\n"
56
57 - name: Login Gracetime setting
58   ssh_conf:
59     regexp: '[\s]*LoginGraceTime'
60     values: "LoginGraceTime 60\n"
61
62 - name: User Alive Interval setting
63   ssh_conf:
64     regexp: '[\s]*ClientAliveInterval'
65     values: "ClientAliveInterval 900\n"
66
67 - name: Disable the X11forwarding
68   ssh_conf:
69     regexp: '[\s]*X11Forwarding [y|n]'
70     values: "X11Forwarding no\n"
71
72 - name: Disable SSH agent forwarding
73   ssh_conf:
74     regexp: '[\s]*AllowAgentForwarding [y|n]'
75     values: "AllowAgentForwarding no\n"
76
77 - name: Disable TCP forwarding
78   ssh_conf:
79     regexp: '[\s]*AllowTcpForwarding [y|n]'
80     values: "AllowTcpForwarding no\n"
81
82 - name: Activate the strict mode
83   ssh_conf:
84     regexp: '[\s]*StrictModes [y|n]'
85     values: "StrictModes yes\n"
86
87 - name: Port setting
88   ssh_conf:
89     regexp: '[\s]*Port'
90     values: "Port 22\n"
91
92 - name: HostKeyAlgorithms setting
93   ssh_conf:
94     regexp: '[\s]*HostKeyAlgorithms'
95     values: "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-ed25519\n"
96
97 - name: PubkeyAcceptedKeyTypes setting
98   ssh_conf:
99     regexp: '[\s]*PubkeyAcceptedKeyTypes'
100     values: "PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-ed25519\n"
101
102 - name: KexAlgorithms
103   ssh_conf:
104     regexp: '[\s]*KexAlgorithms'
105     values: "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256\n"
106
107 - name: MaxAuthTries setting
108   ssh_conf:
109     regexp: '[\s]*MaxAuthTries'
110     values: "MaxAuthTries 6\n"
111
112 - name: Banner creation
113   ssh_conf:
114     regexp: '[\s]*Banner'
115     values: "Banner /etc/banner\n"
116
117 - name: "Enable the Ipv6"
118   lineinfile:
119     path: /etc/ssh/sshd_config
120     insertafter: '^[\s]*ListenAddress 0.0.0.0'
121     line: 'ListenAddress ::'
122
123 - name: "Disable Kerberos Authentication"
124   ssh_conf:
125     regexp: '[\s]*KerberosAuthentication'
126     values: "KerberosAuthentication no\n"
127
128 - name: "Enable Use of Privilege Separation"
129   ssh_conf:
130     regexp: '[\s]*UsePrivilegeSeparation'
131     values: "UsePrivilegeSeparation sandbox\n"
132
133 - name: "Disable Compression"
134   ssh_conf:
135     regexp: '[\s]*Compression'
136     values: "Compression no\n"
137
138 - name: "Set SSH Client Alive Count"
139   ssh_conf:
140     regexp: '[\s]*ClientAliveCountMax'
141     values: "ClientAliveCountMax 0\n"
142
143 - name: "Disable SSH Support for User Known Hosts"
144   ssh_conf:
145     regexp: '[\s]*IgnoreUserKnownHosts'
146     values: "IgnoreUserKnownHosts yes\n"
147
148 - name: "Do Not Allow SSH Environment Options"
149   ssh_conf:
150     regexp: '[\s]*PermitUserEnvironment'
151     values: "PermitUserEnvironment no\n"
152
153 - service:
154     name: sshd
155     state: restarted
156
157 - name : create a banner file
158   lineinfile:
159     path: /etc/banner
160     create: yes
161     regexp: '^.*'
162     state: present
163     line: "This is a PRIVATE computer system. All unauthorized use or unauthorized access is prohibited according to local laws and may lead to prosecution. Your operations are logged."
164
165 - name: "Set the maximum number of days a ssh password may be used."
166   lineinfile:
167     path: /etc/login.defs
168     regexp: '^PASS_MAX_DAYS[\s]*[0-9]*$'
169     line: 'PASS_MAX_DAYS   90'
170
171 - name: "Set the number of days warning given before a password expires."
172   lineinfile:
173     path: /etc/login.defs
174     regexp: '^PASS_WARN_AGE[\s]*[0-9]*$'
175     line: 'PASS_WARN_AGE   5'
176
177 - name: "Set the unique last password count."
178   lineinfile:
179     path: /etc/pam.d/system-auth-ac
180     regexp: '^password[\s]*sufficient.*pam_unix.so(.*)$'
181     line: 'password    sufficient    pam_unix.so\1 remember=12'
182     backrefs: yes
This repository contains all the generic deployment playbooks, which configure services running directly on the host. Includes playbooks for disk partitioning, Ceph configuration, hardening, security, SSH, operating system level user management etc.