FIX: Syntax error in SSH hardening playbook
[ta/infra-ansible.git] / roles / ssh_conf_hardening / tasks / main.yaml
1 ---
2
3 # Copyright 2019 Nokia
4
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
8 #
9 #     http://www.apache.org/licenses/LICENSE-2.0
10 #
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
16
17 - name: Ssh protocol setting
18   ssh_conf:
19     regexp: '[\s]*Protocol'
20     values: "Protocol 2\n"
21
22 - name: Disable ssh root login
23   ssh_conf:
24     regexp: '[\s]*PermitRootLogin [y|n]'
25     values: "PermitRootLogin no\n"
26
27 - name: Listening address setting
28   ssh_conf:
29     regexp: '[\s]*ListenAddress'
30     values: "ListenAddress 0.0.0.0\n"
31
32 - name: Disable the hostbasedauthentication
33   ssh_conf:
34     regexp: '[\s]*HostbasedAuthentication [y|n]'
35     values: "HostbasedAuthentication no\n"
36
37 - name: Disable the passwordauthentication
38   ssh_conf:
39     regexp: '[\s]*PasswordAuthentication [y|n]'
40     values: "PasswordAuthentication yes\n"
41
42 - name: Disable the empty password
43   ssh_conf:
44     regexp: '[\s]*PermitEmptyPasswords [y|n]'
45     values: "PermitEmptyPasswords no\n"
46
47 - name: Ciphers setting
48   ssh_conf:
49     regexp: '[\s]*Ciphers'
50     values: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\n"
51
52 - name: MACs setting
53   ssh_conf:
54     regexp: '[\s]*MACs'
55     values: "MACs hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com\n"
56
57 - name: Login Gracetime setting
58   ssh_conf:
59     regexp: '[\s]*LoginGraceTime'
60     values: "LoginGraceTime 60\n"
61
62 - name: User Alive Interval setting
63   ssh_conf:
64     regexp: '[\s]*ClientAliveInterval'
65     values: "ClientAliveInterval 300\n"
66
67 - name: Disable the X11forwarding
68   ssh_conf:
69     regexp: '[\s]*X11Forwarding [y|n]'
70     values: "X11Forwarding no\n"
71
72 - name: Disable SSH agent forwarding
73   ssh_conf:
74     regexp: '[\s]*AllowAgentForwarding [y|n]'
75     values: "AllowAgentForwarding no\n"
76
77 - name: Disable TCP forwarding
78   ssh_conf:
79     regexp: '[\s]*AllowTcpForwarding [y|n]'
80     values: "AllowTcpForwarding no\n"
81
82 - name: Activate the strict mode
83   ssh_conf:
84     regexp: '[\s]*StrictModes [y|n]'
85     values: "StrictModes yes\n"
86
87 - name: Port setting
88   ssh_conf:
89     regexp: '[\s]*Port'
90     values: "Port 22\n"
91
92 - name: HostKeyAlgorithms setting
93   ssh_conf:
94     regexp: '[\s]*HostKeyAlgorithms'
95     values: "HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-ed25519\n"
96
97 - name: PubkeyAcceptedKeyTypes setting
98   ssh_conf:
99     regexp: '[\s]*PubkeyAcceptedKeyTypes'
100     values: "PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-ed25519\n"
101
102 - name: KexAlgorithms
103   ssh_conf:
104     regexp: '[\s]*KexAlgorithms'
105     values: "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256\n"
106
107 - name: MaxAuthTries setting
108   ssh_conf:
109     regexp: '[\s]*MaxAuthTries'
110     values: "MaxAuthTries 3\n"
111
112 - name: "Limit interactive session count to 2"
113   ssh_conf:
114     regexp: '[\s]*MaxSessions'
115     values: "MaxSessions 2\n"
116
117 - name: Banner creation
118   ssh_conf:
119     regexp: '[\s]*Banner'
120     values: "Banner /etc/banner\n"
121
122 - name: "Disable Keepalive"
123   ssh_conf:
124     regexp: '[\s]*TCPKeepAlive'
125     values: "TCPKeepAlive no\n"
126
127 - name: "Enable the Ipv6"
128   lineinfile:
129     path: /etc/ssh/sshd_config
130     insertafter: '^[\s]*ListenAddress 0.0.0.0'
131     line: 'ListenAddress ::'
132
133 - name: "Disable Kerberos Authentication"
134   ssh_conf:
135     regexp: '[\s]*KerberosAuthentication'
136     values: "KerberosAuthentication no\n"
137
138 - name: "Enable Use of Privilege Separation"
139   ssh_conf:
140     regexp: '[\s]*UsePrivilegeSeparation'
141     values: "UsePrivilegeSeparation sandbox\n"
142
143 - name: "Disable Compression"
144   ssh_conf:
145     regexp: '[\s]*Compression'
146     values: "Compression no\n"
147
148 - name: "Set SSH Client Alive Count"
149   ssh_conf:
150     regexp: '[\s]*ClientAliveCountMax'
151     values: "ClientAliveCountMax 0\n"
152
153 - name: "Limit logins to members of {{ users['admin_user_name'] }} group"
154   ssh_conf:
155     regexp: '[\s]*AllowGroups'
156     values: "AllowGroups {{ users['admin_user_name'] }}\n"
157
158 - name: "Disable SSH Support for User Known Hosts"
159   ssh_conf:
160     regexp: '[\s]*IgnoreUserKnownHosts'
161     values: "IgnoreUserKnownHosts yes\n"
162
163 - name: "Do Not Allow SSH Environment Options"
164   ssh_conf:
165     regexp: '[\s]*PermitUserEnvironment'
166     values: "PermitUserEnvironment no\n"
167
168 - service:
169     name: sshd
170     state: restarted
171
172 - name: create a banner file
173   lineinfile:
174     path: /etc/banner
175     create: yes
176     regexp: '^.*'
177     state: present
178     line: "This is a PRIVATE computer system. All unauthorized use or unauthorized access is prohibited according to local laws and may lead to prosecution. Your operations are logged."
179
180 - name: "Set the maximum number of days a ssh password may be used."
181   lineinfile:
182     path: /etc/login.defs
183     regexp: '^PASS_MAX_DAYS[\s]*[0-9]*$'
184     line: 'PASS_MAX_DAYS   90'
185
186 - name: "Set the number of days warning given before a password expires."
187   lineinfile:
188     path: /etc/login.defs
189     regexp: '^PASS_WARN_AGE[\s]*[0-9]*$'
190     line: 'PASS_WARN_AGE   5'
191
192 - name: "Set the unique last password count."
193   lineinfile:
194     path: /etc/pam.d/system-auth-ac
195     regexp: '^password[\s]*sufficient.*pam_unix.so(.*)$'
196     line: 'password    sufficient    pam_unix.so\1 remember=12'
197     backrefs: yes