More security compliance modifications
diff --git
a/roles/ssh_conf_hardening/tasks/main.yaml
b/roles/ssh_conf_hardening/tasks/main.yaml
index
256620c
..
b9d86f5
100644
(file)
--- a/
roles/ssh_conf_hardening/tasks/main.yaml
+++ b/
roles/ssh_conf_hardening/tasks/main.yaml
@@
-111,7
+111,7
@@
- name: "Limit interactive session count to 2"
ssh_conf:
- name: "Limit interactive session count to 2"
ssh_conf:
- regexp: '[\s]*MaxSessions
"
+ regexp: '[\s]*MaxSessions
'
values: "MaxSessions 2\n"
- name: Banner creation
values: "MaxSessions 2\n"
- name: Banner creation
@@
-130,6
+130,11
@@
insertafter: '^[\s]*ListenAddress 0.0.0.0'
line: 'ListenAddress ::'
insertafter: '^[\s]*ListenAddress 0.0.0.0'
line: 'ListenAddress ::'
+- name: Enable verbose logging for SSH daemon
+ ssh_conf:
+ regexp: '[\s]*LogLevel"
+ values: "LogLevel VERBOSE"
+
- name: "Disable Kerberos Authentication"
ssh_conf:
regexp: '[\s]*KerberosAuthentication'
- name: "Disable Kerberos Authentication"
ssh_conf:
regexp: '[\s]*KerberosAuthentication'
@@
-150,10
+155,10
@@
regexp: '[\s]*ClientAliveCountMax'
values: "ClientAliveCountMax 0\n"
regexp: '[\s]*ClientAliveCountMax'
values: "ClientAliveCountMax 0\n"
-- name: "Limit logins to members of
{{ users['admin_user_name'] }} group
"
+- name: "Limit logins to members of
admin, keystone, and ironic groups
"
ssh_conf:
regexp: '[\s]*AllowGroups'
ssh_conf:
regexp: '[\s]*AllowGroups'
- values: "AllowGroups {{ users['admin_user_name'] }}\n"
+ values: "AllowGroups {{ users['admin_user_name'] }}
{{ keystone_system_group_name |default('keystone') }} {{ ironic_system_group_name | default('ironic') }}
\n"
- name: "Disable SSH Support for User Known Hosts"
ssh_conf:
- name: "Disable SSH Support for User Known Hosts"
ssh_conf:
@@
-169,7
+174,7
@@
name: sshd
state: restarted
name: sshd
state: restarted
-- name
: create a banner file
+- name: create a banner file
lineinfile:
path: /etc/banner
create: yes
lineinfile:
path: /etc/banner
create: yes
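Review bot: The new LogLevel task in the second hunk (`@@ -130,6 +130,11 @@`) has mismatched quotes on `regexp: '[\s]*LogLevel"` — the value opens with a single quote and closes with a double quote, which is exactly the defect the first hunk fixes for MaxSessions, so the single-quoted scalar has no terminator and the role will most likely fail to parse or swallow the following lines into the pattern. The line should read `regexp: '[\s]*LogLevel'`. The same task also writes `values: "LogLevel VERBOSE"` without the trailing `\n` that every other `values:` entry in this file carries (`"MaxSessions 2\n"`, `"ClientAliveCountMax 0\n"`, the new AllowGroups line); unless the custom `ssh_conf` module appends its own newline, the next directive would end up on the same line, so for consistency use `values: "LogLevel VERBOSE\n"`. In the third hunk, AllowGroups is now extended to keystone and ironic groups unconditionally; if this role is applied to hosts that do not run those services, a short comment explaining why the groups are always allowed (or a conditional on the host's role) would keep the allow-list minimal.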