public-health-ch/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml

---
- name: Set OS dependent variables
  include_vars: '{{ item }}'
  with_first_found:
   - '{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml'
   - '{{ ansible_distribution }}.yml'
   - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml'
   - '{{ ansible_os_family }}.yml'

- name: get openssh-version
  shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
  args:
    executable: /bin/sh
  changed_when: false
  register: sshd_version
  check_mode: no

- name: include tasks to create crypo-vars
  include_tasks: crypto.yml

- name: create revoked_keys and set permissions to root/600
  template:
    src: 'revoked_keys.j2'
    dest: '/etc/ssh/revoked_keys'
    mode: '0600'
    owner: '{{ ssh_owner }}'
    group: '{{ ssh_group }}'
  notify: restart sshd
  when: ssh_server_hardening

- name: create sshd_config and set permissions to root/600
  template:
    src: 'opensshd.conf.j2'
    dest: '/etc/ssh/sshd_config'
    mode: '0600'
    owner: '{{ ssh_owner }}'
    group: '{{ ssh_group }}'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: restart sshd
  when: ssh_server_hardening

- name: create ssh_config and set permissions to root/644
  template:
    src: 'openssh.conf.j2'
    dest: '/etc/ssh/ssh_config'
    mode: '0644'
    owner: '{{ ssh_owner }}'
    group: '{{ ssh_group }}'
  when: ssh_client_hardening

- name: Check if {{ sshd_moduli_file }} contains weak DH parameters
  shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
  register: sshd_register_moduli
  changed_when: false
  check_mode: no

- name: remove all small primes
  shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
         [ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
  notify: restart sshd
  when: sshd_register_moduli.stdout

- name: include tasks to setup ca keys and principals
  include_tasks: ca_keys_and_principals.yml
  when: ssh_trusted_user_ca_keys_file != ''

- name: include tasks to setup 2FA
  include_tasks: 2fa.yml
  when:
    - ssh_use_pam
    - ssh_challengeresponseauthentication
    - ssh_google_auth

- name: test to see if selinux is installed and running
  command: getenforce
  register: sestatus
  failed_when: false
  changed_when: false
  check_mode: no

- name: include selinux specific tasks
  include_tasks: selinux.yml
  when: sestatus.rc == 0
Updated Ansible roles 2018-12-17 12:50:15 +00:00			`---`
			`- name: Set OS dependent variables`
			`include_vars: '{{ item }}'`
			`with_first_found:`
			`- '{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml'`
			`- '{{ ansible_distribution }}.yml'`
			`- '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml'`
			`- '{{ ansible_os_family }}.yml'`

			`- name: get openssh-version`
			`shell: ssh -V 2>&1 \| sed -r 's/._([0-9]\.[0-9]).*/\1/g'`
			`args:`
			`executable: /bin/sh`
			`changed_when: false`
			`register: sshd_version`
			`check_mode: no`

			`- name: include tasks to create crypo-vars`
			`include_tasks: crypto.yml`

			`- name: create revoked_keys and set permissions to root/600`
			`template:`
			`src: 'revoked_keys.j2'`
			`dest: '/etc/ssh/revoked_keys'`
			`mode: '0600'`
			`owner: '{{ ssh_owner }}'`
			`group: '{{ ssh_group }}'`
			`notify: restart sshd`
			`when: ssh_server_hardening`

			`- name: create sshd_config and set permissions to root/600`
			`template:`
			`src: 'opensshd.conf.j2'`
			`dest: '/etc/ssh/sshd_config'`
			`mode: '0600'`
			`owner: '{{ ssh_owner }}'`
			`group: '{{ ssh_group }}'`
			`validate: '/usr/sbin/sshd -T -f %s'`
			`notify: restart sshd`
			`when: ssh_server_hardening`

			`- name: create ssh_config and set permissions to root/644`
			`template:`
			`src: 'openssh.conf.j2'`
			`dest: '/etc/ssh/ssh_config'`
			`mode: '0644'`
			`owner: '{{ ssh_owner }}'`
			`group: '{{ ssh_group }}'`
			`when: ssh_client_hardening`

			`- name: Check if {{ sshd_moduli_file }} contains weak DH parameters`
			`shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}`
			`register: sshd_register_moduli`
			`changed_when: false`
			`check_mode: no`

			`- name: remove all small primes`
			`shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;`
			`[ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} \|\| true`
			`notify: restart sshd`
			`when: sshd_register_moduli.stdout`

			`- name: include tasks to setup ca keys and principals`
			`include_tasks: ca_keys_and_principals.yml`
			`when: ssh_trusted_user_ca_keys_file != ''`

			`- name: include tasks to setup 2FA`
			`include_tasks: 2fa.yml`
			`when:`
			`- ssh_use_pam`
			`- ssh_challengeresponseauthentication`
			`- ssh_google_auth`

			`- name: test to see if selinux is installed and running`
			`command: getenforce`
			`register: sestatus`
			`failed_when: false`
			`changed_when: false`
			`check_mode: no`

			`- name: include selinux specific tasks`
			`include_tasks: selinux.yml`
			`when: sestatus.rc == 0`