106 lines
4.3 KiB
YAML
106 lines
4.3 KiB
YAML
---
|
|
- name: Set OS dependent variables
|
|
include_vars: "{{ item }}"
|
|
with_first_found:
|
|
- "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
|
|
- "{{ ansible_distribution }}.yml"
|
|
- "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
|
|
- "{{ ansible_os_family }}.yml"
|
|
|
|
- name: get openssh-version
|
|
shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
|
|
changed_when: false
|
|
register: sshd_version
|
|
|
|
- name: set hostkeys according to openssh-version
|
|
set_fact:
|
|
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
|
|
when: sshd_version.stdout >= '5.3'
|
|
|
|
- name: set hostkeys according to openssh-version
|
|
set_fact:
|
|
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
|
|
when: sshd_version.stdout >= '6.0'
|
|
|
|
- name: set hostkeys according to openssh-version
|
|
set_fact:
|
|
ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
|
|
when: sshd_version.stdout >= '6.3'
|
|
|
|
- name: create sshd_config and set permissions to root/600
|
|
template: src='opensshd.conf.j2' dest='/etc/ssh/sshd_config' mode=0600 owner="{{ ssh_owner }}" group="{{ ssh_group }}" validate="/usr/sbin/sshd -T -f %s"
|
|
notify: restart sshd
|
|
when: ssh_server_hardening
|
|
|
|
- name: create ssh_config and set permissions to root/644
|
|
template: src='openssh.conf.j2' dest='/etc/ssh/ssh_config' mode=0644 owner="{{ ssh_owner }}" group="{{ ssh_group }}"
|
|
when: ssh_client_hardening
|
|
|
|
- name: Check if /etc/ssh/moduli contains weak DH parameters
|
|
shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
|
|
register: sshd_register_moduli
|
|
changed_when: false
|
|
check_mode: no
|
|
|
|
- name: remove all small primes
|
|
shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
|
|
[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
|
|
notify: restart sshd
|
|
when: sshd_register_moduli.stdout
|
|
|
|
- name: test to see if selinux is running
|
|
command: getenforce
|
|
register: sestatus
|
|
failed_when: false
|
|
changed_when: false
|
|
check_mode: no
|
|
|
|
- block: # only runs when selinux is running
|
|
- name: install selinux dependencies when selinux is installed on RHEL or Oracle Linux
|
|
yum: name="{{item}}" state=installed
|
|
with_items:
|
|
- policycoreutils-python
|
|
- checkpolicy
|
|
when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
|
|
|
|
- name: install selinux dependencies when selinux is installed on Debian or Ubuntu
|
|
apt: name="{{item}}" state=installed
|
|
with_items:
|
|
- policycoreutils
|
|
- checkpolicy
|
|
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
|
|
|
- name: check if ssh_password module is already installed
|
|
shell: "semodule -l| grep ssh_password"
|
|
register: ssh_password_module
|
|
failed_when: false
|
|
changed_when: false
|
|
check_mode: no
|
|
|
|
# The following tasks only get executed when selinux is in state enforcing, UsePam is "no" and the ssh_password module is installed.
|
|
# See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
|
|
- block:
|
|
- name: Create selinux custom policy drop folder
|
|
file: path='{{ ssh_custom_selinux_dir }}' state=directory owner=root group=root mode=0750
|
|
|
|
- name: Distributing custom selinux policies
|
|
copy: src='ssh_password' dest='{{ ssh_custom_selinux_dir }}'
|
|
|
|
- name: check and compile policy
|
|
shell: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
|
|
|
|
- name: create selinux policy module package
|
|
shell: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
|
|
|
|
- name: install selinux policy
|
|
shell: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
|
|
|
|
when: not ssh_use_pam and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
|
|
|
|
# The following tasks only get executed when selinux is in state enforcing, UsePam is "yes" and the ssh_password module is installed.
|
|
- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
|
|
shell: semodule -r ssh_password
|
|
when: ssh_use_pam and ssh_password_module.stdout.find('ssh_password') == 0
|
|
|
|
when: sestatus.rc == 0
|