FIX: typo in ssh hardening
1 ---
2
3 # Copyright 2019 Nokia
4
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
8 #
9 #     http://www.apache.org/licenses/LICENSE-2.0
10 #
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
16
# Force SSH-2. sshd builds that dropped SSH-1 (OpenSSH 7.4 and later) ignore
# this keyword; it is harmless there and still meaningful on older servers.
- name: Ssh protocol setting
  ssh_conf:
    values: |
      Protocol 2
    regexp: '[\s]*Protocol'
21
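# Match the directive by keyword only, as the other tasks in this file do.
# The original pattern '[\s]*PermitRootLogin [y|n]' ended in a character
# class ('y', '|' or 'n'), not a yes|no alternation, so a distribution
# default such as "PermitRootLogin prohibit-password" was never matched.
- name: Disable ssh root login
  ssh_conf:
    regexp: '[\s]*PermitRootLogin'
    values: "PermitRootLogin no\n"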
26
# Bind the IPv4 wildcard; the "Enable the Ipv6" task further down inserts a
# second "ListenAddress ::" line directly after this one.
- name: Listening address setting
  ssh_conf:
    values: |
      ListenAddress 0.0.0.0
    regexp: '[\s]*ListenAddress'
31
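# Keyword-only match (the original '[y|n]' suffix was a character class,
# not an alternation, and would not match every existing value).
- name: Disable the hostbasedauthentication
  ssh_conf:
    regexp: '[\s]*HostbasedAuthentication'
    values: "HostbasedAuthentication no\n"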
36
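# NOTE(review): this task was named "Disable the passwordauthentication" but
# wrote "PasswordAuthentication yes", so password logins stayed enabled.
# The effective value (yes) is kept as the default because the login.defs and
# pam tasks at the end of this role manage password aging/history, i.e.
# password logins appear to be expected. Set ssh_password_authentication: false
# once key-based access is in place; the |bool filter accepts yes/no/true/false.
# Keyword-only regexp, consistent with the other directives in this file.
- name: Password authentication setting
  ssh_conf:
    regexp: '[\s]*PasswordAuthentication'
    values: "PasswordAuthentication {{ 'yes' if (ssh_password_authentication | default(true) | bool) else 'no' }}\n"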
41
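# Keyword-only match, consistent with the other directives in this file
# (the original '[y|n]' suffix was a character class, not yes|no).
- name: Disable the empty password
  ssh_conf:
    regexp: '[\s]*PermitEmptyPasswords'
    values: "PermitEmptyPasswords no\n"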
46
# AES in CTR and GCM modes only: no CBC, 3DES or arcfour.
- name: Ciphers setting
  ssh_conf:
    values: |
      Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    regexp: '[\s]*Ciphers'
51
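# Encrypt-then-MAC variants first. Removed from the original list:
#  - hmac-ripemd160 / hmac-ripemd160@openssh.com / hmac-ripemd160-etm: dropped
#    from OpenSSH in 7.6; sshd refuses to start ("Bad SSH2 mac spec") when a
#    MAC name it does not know appears here, so the old list could lock the
#    host out after an OpenSSH upgrade.
#  - umac-64 / umac-64-etm: 64-bit authentication tag.
- name: MACs setting
  ssh_conf:
    regexp: '[\s]*MACs'
    values: "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128@openssh.com\n"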
56
# Unauthenticated connections are dropped after 60 seconds.
- name: Login Gracetime setting
  ssh_conf:
    values: |
      LoginGraceTime 60
    regexp: '[\s]*LoginGraceTime'
61
# Send a liveness probe every 300 s of inactivity. The ssh client answers these
# automatically, so this detects dead connections, not idle users; an idle
# session timeout needs a shell-level mechanism (e.g. TMOUT) in addition.
- name: User Alive Interval setting
  ssh_conf:
    values: |
      ClientAliveInterval 300
    regexp: '[\s]*ClientAliveInterval'
66
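# Keyword-only match, consistent with the other directives in this file
# (the original '[y|n]' suffix was a character class, not yes|no).
- name: Disable the X11forwarding
  ssh_conf:
    regexp: '[\s]*X11Forwarding'
    values: "X11Forwarding no\n"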
71
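# Keyword-only match, consistent with the other directives in this file
# (the original '[y|n]' suffix was a character class, not yes|no).
- name: Disable SSH agent forwarding
  ssh_conf:
    regexp: '[\s]*AllowAgentForwarding'
    values: "AllowAgentForwarding no\n"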
76
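# Keyword-only match, consistent with the other directives in this file
# (the original '[y|n]' suffix was a character class, not yes|no).
- name: Disable TCP forwarding
  ssh_conf:
    regexp: '[\s]*AllowTcpForwarding'
    values: "AllowTcpForwarding no\n"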
81
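# Keyword-only match, consistent with the other directives in this file
# (the original '[y|n]' suffix was a character class, not yes|no).
- name: Activate the strict mode
  ssh_conf:
    regexp: '[\s]*StrictModes'
    values: "StrictModes yes\n"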
86
# Pin the listening port explicitly to the default.
- name: Port setting
  ssh_conf:
    values: |
      Port 22
    regexp: '[\s]*Port'
91
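# Host key signature algorithms, strongest preference first. The original
# list offered RSA host keys only as "ssh-rsa" (SHA-1 signatures); adding
# rsa-sha2-512/rsa-sha2-256 (available since OpenSSH 7.2) lets RSA host keys be
# used with SHA-2 signatures. ssh-rsa is kept last for old clients only and
# should be dropped once none remain. The rsa-sha2 certificate variants are
# deliberately not listed: a name this sshd build does not know is fatal.
- name: HostKeyAlgorithms setting
  ssh_conf:
    regexp: '[\s]*HostKeyAlgorithms'
    values: "HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ssh-rsa\n"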
96
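# User public-key types, strongest preference first. Without rsa-sha2-512/
# rsa-sha2-256 in this list, RSA user keys could only authenticate with SHA-1
# ("ssh-rsa") signatures; ssh-rsa is kept last for legacy clients only.
# The rsa-sha2 certificate variants are deliberately not listed so the list
# stays valid on older sshd builds (an unknown name here is fatal).
- name: PubkeyAcceptedKeyTypes setting
  ssh_conf:
    regexp: '[\s]*PubkeyAcceptedKeyTypes'
    values: "PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ssh-rsa\n"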
101
# Key exchange: curve25519 preferred, then NIST ECDH and 2048+/4096+ bit DH.
# diffie-hellman-group-exchange-sha256 takes its group from /etc/ssh/moduli;
# pruning small moduli from that file is what gives this entry its strength.
- name: KexAlgorithms
  ssh_conf:
    values: |
      KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    regexp: '[\s]*KexAlgorithms'
106
# Three authentication attempts per connection before sshd disconnects.
- name: MaxAuthTries setting
  ssh_conf:
    values: |
      MaxAuthTries 3
    regexp: '[\s]*MaxAuthTries'
111
# At most two multiplexed sessions per network connection.
- name: "Limit interactive session count to 2"
  ssh_conf:
    values: |
      MaxSessions 2
    regexp: '[\s]*MaxSessions'
116
# Pre-authentication banner; /etc/banner itself is written by the
# "create a banner file" task at the end of this file.
- name: Banner creation
  ssh_conf:
    values: |
      Banner /etc/banner
    regexp: '[\s]*Banner'
121
# Spoofable TCP keepalives are off; liveness is handled by ClientAlive*.
- name: "Disable Keepalive"
  ssh_conf:
    values: |
      TCPKeepAlive no
    regexp: '[\s]*TCPKeepAlive'
126
# Add the IPv6 wildcard right after the IPv4 ListenAddress line. lineinfile
# checks for the exact line first, so repeated runs do not duplicate it.
- name: "Enable the Ipv6"
  lineinfile:
    line: 'ListenAddress ::'
    insertafter: '^[\s]*ListenAddress 0.0.0.0'
    path: /etc/ssh/sshd_config
132
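# VERBOSE logs the fingerprint of the key used for each login.
# Fix: every other ssh_conf value in this file ends with "\n"; this one did
# not, so the written directive could run into whatever line follows it.
- name: Enable verbose logging for SSH daemon
  ssh_conf:
    regexp: '[\s]*LogLevel'
    values: "LogLevel VERBOSE\n"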
137
# No Kerberos password validation; logins are key- or PAM-based only.
- name: "Disable Kerberos Authentication"
  ssh_conf:
    values: |
      KerberosAuthentication no
    regexp: '[\s]*KerberosAuthentication'
142
# Sandboxed privilege separation. OpenSSH 7.5 deprecated this keyword (the
# sandbox is always on); newer sshd builds warn and ignore it, older ones
# still honour it.
- name: "Enable Use of Privilege Separation"
  ssh_conf:
    values: |
      UsePrivilegeSeparation sandbox
    regexp: '[\s]*UsePrivilegeSeparation'
147
# No compression, so compressed-plaintext side channels are not a concern.
- name: "Disable Compression"
  ssh_conf:
    values: |
      Compression no
    regexp: '[\s]*Compression'
152
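# Fix: "ClientAliveCountMax 0" has version-dependent and never-intended
# semantics: before OpenSSH 8.2 it killed every session at the first probe
# (i.e. after ClientAliveInterval seconds, active or not), and from 8.2 on it
# disables connection termination entirely. Three unanswered probes (the
# sshd default) drops a dead connection after ~3 x ClientAliveInterval.
# The client answers probes on its own, so this is not an idle-user timeout.
- name: "Set SSH Client Alive Count"
  ssh_conf:
    regexp: '[\s]*ClientAliveCountMax'
    values: "ClientAliveCountMax 3\n"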
157
# Only members of these groups may log in. The first entry is the admin
# user's name, which assumes a user-private group of the same name; the two
# service groups fall back to their conventional names when not overridden.
# `users['admin_user_name']` has no default on purpose: an undefined
# variable fails the play rather than writing an empty AllowGroups.
- name: "Limit logins to members of admin, keystone, and ironic groups"
  ssh_conf:
    values: |
      AllowGroups {{ users['admin_user_name'] }} {{ keystone_system_group_name |default('keystone') }} {{ ironic_system_group_name | default('ironic') }}
    regexp: '[\s]*AllowGroups'
162
# Only relevant to host-based authentication (disabled above); set anyway
# so ~/.ssh/known_hosts can never vouch for a host.
- name: "Disable SSH Support for User Known Hosts"
  ssh_conf:
    values: |
      IgnoreUserKnownHosts yes
    regexp: '[\s]*IgnoreUserKnownHosts'
167
# Users cannot inject environment variables via ~/.ssh/environment or
# authorized_keys "environment=" options (e.g. LD_PRELOAD).
- name: "Do Not Allow SSH Environment Options"
  ssh_conf:
    values: |
      PermitUserEnvironment no
    regexp: '[\s]*PermitUserEnvironment'
172
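# Order matters here: the banner file must exist before sshd is restarted
# with "Banner /etc/banner" in effect, and the assembled sshd_config is
# validated with "sshd -t" before the restart so that a directive this sshd
# build rejects (e.g. an unknown MAC or key-type name) fails the play instead
# of taking ssh access away from the host.
# NOTE(review): the unconditional restart is kept from the original; a handler
# notified by the ssh_conf tasks would avoid restarting on no-op runs.
- name: Create the login banner referenced by the Banner directive
  lineinfile:
    path: /etc/banner
    create: true
    regexp: '^.*'
    state: present
    line: "This is a PRIVATE computer system. All unauthorized use or unauthorized access is prohibited according to local laws and may lead to prosecution. Your operations are logged."

- name: Validate sshd configuration before restarting
  command: /usr/sbin/sshd -t
  changed_when: false

# Service name "sshd" matches RHEL/CentOS (the pam path used further down is
# also RHEL-specific); Debian-based hosts call the unit "ssh".
- name: Restart sshd to apply the hardened configuration
  service:
    name: sshd
    state: restarted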
184
# Password aging applies to all local accounts (login.defs), not only to
# ssh logins; it takes effect for passwords set after this change.
- name: "Set the maximum number of days a ssh password may be used."
  lineinfile:
    line: 'PASS_MAX_DAYS   90'
    regexp: '^PASS_MAX_DAYS[\s]*[0-9]*$'
    path: /etc/login.defs
190
# Warn users five days before the 90-day limit above expires their password.
- name: "Set the number of days warning given before a password expires."
  lineinfile:
    line: 'PASS_WARN_AGE   5'
    regexp: '^PASS_WARN_AGE[\s]*[0-9]*$'
    path: /etc/login.defs
196
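# Remember the last 12 password hashes so they cannot be reused.
# Fix: the original regexp captured the whole argument list after pam_unix.so
# and appended " remember=12" to it, so every run grew the line by another
# "remember=12". Group 1 now stops before any existing "remember=N" (which is
# matched and dropped by the optional group 2), making the task idempotent
# and letting it replace a different remember value.
# NOTE(review): system-auth-ac is generated by authconfig on RHEL/CentOS;
# running authconfig again would overwrite this edit.
- name: "Set the unique last password count."
  lineinfile:
    path: /etc/pam.d/system-auth-ac
    regexp: '^(password\s+sufficient\s+pam_unix\.so.*?)(\s+remember=\d+)?\s*$'
    line: '\1 remember=12'
    backrefs: yes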