forked from bau-sec/ansible-openvpn-hardened
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathharden_sshd.yml
64 lines (61 loc) · 3.12 KB
/
harden_sshd.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
---
- name: OpenVPN | Harden | Set allowed SSH users
set_fact:
allowed_ssh_users: "{{ sudo_username }}"
when: ssh_on_vpn_only == true
- name: OpenVPN | Harden | Set allowed SSH users for test
set_fact:
allowed_ssh_users: "{{ sudo_username }} {{ ansible_env.SUDO_USER }}"
when: ssh_on_vpn_only != true
tags:
- ci_test
- name: OpenVPN | Harden | sshd configuration
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "{{ item.reg }}"
line: "{{ item.line }}"
state: present
validate: '/usr/sbin/sshd -T -f %s'
with_items:
- { reg: '^(#)?PasswordAuthentication', line: 'PasswordAuthentication no'}
# V-38613 - The ssh daemon must not permit root logins
- { reg: '^(#)?PermitRootLogin', line: 'PermitRootLogin no'}
- { reg: '^(#)?AllowTcpForwarding', line: 'AllowTcpForwarding no'}
- { reg: '^(#)?Compression', line: 'Compression no'}
- { reg: '^(#)?LogLevel', line: 'LogLevel VERBOSE'}
- { reg: '^(#)?MaxAuthTries', line: 'MaxAuthTries 1'}
- { reg: '^(#)?MaxSessions', line: 'MaxSessions 2'}
- { reg: '^(#)?TCPKeepAlive', line: 'TCPKeepAlive no'}
- { reg: '^(#)?UsePrivilegeSeparation', line: 'UsePrivilegeSeparation SANDBOX'}
- { reg: '^(#)?X11Forwarding', line: 'X11Forwarding no'}
- { reg: '^(#)?AllowUsers', line: 'AllowUsers {{ allowed_ssh_users }}'}
# V-38607 - The SSH daemon must be configured to use only the SSHv2 protocol
- { reg: '^(#)?PrintLastLog', line: 'PrintLastLog yes'}
# V-38607 - The SSH daemon must be configured to use only the SSHv2 protocol
- { reg: '^(#)?Protocol \d', line: 'Protocol 2'}
# V-38614 - The SSH daemon must not allow authentication using an empty password
- { reg: '^(#)?PermitEmptyPasswords', line: 'PermitEmptyPasswords no'}
# V-38612 - The SSH daemon must not allow host-based authentication
- { reg: '^(#)?HostbasedAuthentication', line: 'HostbasedAuthentication no'}
# V-38608 - Set a timeout interval for idle ssh sessions
- { reg: '^(#)?ClientAliveInterval', line: 'ClientAliveInterval 300'}
# V-38610 - Set a timeout count on idle ssh sessions
# OpenSCAP report - CCP profile suggested value of 0
- { reg: '^(#)?ClientAliveCountMax', line: 'ClientAliveCountMax 0'}
# V-38611 - The sshd daemon must ignore .rhosts files
- { reg: '^(#)?IgnoreRhosts', line: 'IgnoreRhosts yes'}
# V-38616 - The ssh daemon must not permit user environment settings
- { reg: '^(#)?PermitUserEnvironment', line: 'PermitUserEnvironment no'}
# V-38617 - The ssh daemon must be configured to use approved ciphers
- { reg: '^(#)?Ciphers', line: 'Ciphers aes256-ctr,aes256-cbc'}
# OpenSCAP report - CCP profile suggested referencing warning banner
- { reg: '^(#)?Banner', line: 'Banner /etc/issue'}
# Suggested by lynis audit
- { reg: '^(#)?UseDNS', line: 'UseDNS no'}
- { reg: '^(#)?AllowAgentForwarding', line: 'AllowAgentForwarding no'}
- name: OpenVPN | Harden | Add VPN interfaces using 'ListenAddress' to /etc/ssh/sshd_config
lineinfile:
dest: /etc/ssh/sshd_config
line: 'ListenAddress {{ item.gateway }}'
with_items: "{{ openvpn_instances }}"
when: ssh_on_vpn_only == true