FIX: Compliance with Akraino security requirements
diff --git
a/roles/ssh_conf_hardening/tasks/main.yaml
b/roles/ssh_conf_hardening/tasks/main.yaml
index
1058a52
..
256620c
100644
(file)
--- a/
roles/ssh_conf_hardening/tasks/main.yaml
+++ b/
roles/ssh_conf_hardening/tasks/main.yaml
@@
-62,7
+62,7
@@
- name: User Alive Interval setting
ssh_conf:
regexp: '[\s]*ClientAliveInterval'
- name: User Alive Interval setting
ssh_conf:
regexp: '[\s]*ClientAliveInterval'
- values: "ClientAliveInterval
9
00\n"
+ values: "ClientAliveInterval
3
00\n"
- name: Disable the X11forwarding
ssh_conf:
- name: Disable the X11forwarding
ssh_conf:
@@
-107,13
+107,23
@@
- name: MaxAuthTries setting
ssh_conf:
regexp: '[\s]*MaxAuthTries'
- name: MaxAuthTries setting
ssh_conf:
regexp: '[\s]*MaxAuthTries'
- values: "MaxAuthTries 6\n"
+ values: "MaxAuthTries 3\n"
+
+- name: "Limit interactive session count to 2"
+ ssh_conf:
+ regexp: '[\s]*MaxSessions"
+ values: "MaxSessions 2\n"
- name: Banner creation
ssh_conf:
regexp: '[\s]*Banner'
values: "Banner /etc/banner\n"
- name: Banner creation
ssh_conf:
regexp: '[\s]*Banner'
values: "Banner /etc/banner\n"
+- name: "Disable Keepalive"
+ ssh_conf:
+ regexp: '[\s]*TCPKeepAlive'
+ values: "TCPKeepAlive no\n"
+
- name: "Enable the Ipv6"
lineinfile:
path: /etc/ssh/sshd_config
- name: "Enable the Ipv6"
lineinfile:
path: /etc/ssh/sshd_config
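Review bot: The new MaxSessions task's regexp opens with a single quote and closes with a double quote, `regexp: '[\s]*MaxSessions"`, which is a YAML scan error that fails the whole tasks file rather than just this task, so none of the hardening in this role would apply; it should read `regexp: '[\s]*MaxSessions'` like the surrounding tasks. The same task is also inserted with no blank line before `Banner creation`, unlike the other additions in this hunk, which hurts readability but not parsing. In the following hunk (which runs past the end of this excerpt) the `AllowGroups {{ users['admin_user_name'] }}` task will refuse SSH logins for every account not in a group of that name, including the Ansible connection user if it differs from the admin user, so it would be worth asserting that group membership earlier in the play before the sshd config is rewritten.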
@@
-140,6
+150,11
@@
regexp: '[\s]*ClientAliveCountMax'
values: "ClientAliveCountMax 0\n"
regexp: '[\s]*ClientAliveCountMax'
values: "ClientAliveCountMax 0\n"
+- name: "Limit logins to members of {{ users['admin_user_name'] }} group"
+ ssh_conf:
+ regexp: '[\s]*AllowGroups'
+ values: "AllowGroups {{ users['admin_user_name'] }}\n"
+
- name: "Disable SSH Support for User Known Hosts"
ssh_conf:
regexp: '[\s]*IgnoreUserKnownHosts'
- name: "Disable SSH Support for User Known Hosts"
ssh_conf:
regexp: '[\s]*IgnoreUserKnownHosts'