2022-01-07 09:06:18 +00:00
|
|
|
---
|
|
|
|
|
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_1
|
2022-01-07 09:06:18 +00:00
|
|
|
tags:
|
2024-07-24 14:00:45 +01:00
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- permissions
|
|
|
|
|
- rule_5.1.1
|
|
|
|
|
- NIST800-53R5_AC-3
|
|
|
|
|
- NIST800-53R5_MP-2
|
2023-01-12 15:01:17 +00:00
|
|
|
ansible.builtin.file:
|
2024-07-24 14:00:45 +01:00
|
|
|
path: "/etc/ssh/sshd_config"
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
2024-12-04 11:45:13 +00:00
|
|
|
mode: 'go-rwx'
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_2
|
2022-01-07 09:06:18 +00:00
|
|
|
tags:
|
2024-07-24 14:00:45 +01:00
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- permissions
|
|
|
|
|
- rule_5.1.2
|
|
|
|
|
- NIST800-53R5_AC-3
|
|
|
|
|
- NIST800-53R5_MP-2
|
|
|
|
|
block:
|
|
|
|
|
- name: "5.1.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys"
|
|
|
|
|
ansible.builtin.find:
|
|
|
|
|
paths: /etc/ssh
|
|
|
|
|
patterns: 'ssh_host_*_key'
|
|
|
|
|
recurse: true
|
|
|
|
|
file_type: any
|
2024-09-05 17:36:07 +01:00
|
|
|
register: discovered_ssh_private_host_key
|
2022-01-07 09:06:18 +00:00
|
|
|
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
|
|
|
|
|
ansible.builtin.file:
|
|
|
|
|
path: "{{ item.path }}"
|
|
|
|
|
owner: root
|
2025-10-03 08:19:07 +01:00
|
|
|
group: "{{ 'ssh_keys' if (item.gr_name == 'ssh_keys') else 'root' }}"
|
|
|
|
|
mode: "{{ 'u-x,g-wx,o-rwx' if (item.gr_name == 'ssh_keys') else 'u-x,go-rwx' }}"
|
2024-09-05 17:36:07 +01:00
|
|
|
loop: "{{ discovered_ssh_private_host_key.files }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
loop_control:
|
|
|
|
|
label: "{{ item.path }}"
|
|
|
|
|
|
|
|
|
|
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_3
|
2022-01-07 09:06:18 +00:00
|
|
|
tags:
|
2024-07-24 14:00:45 +01:00
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.3
|
|
|
|
|
- NIST800-53R5_AC-3
|
|
|
|
|
- NIST800-53R5_MP-2
|
|
|
|
|
block:
|
|
|
|
|
- name: "5.1.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys"
|
|
|
|
|
ansible.builtin.find:
|
|
|
|
|
paths: /etc/ssh
|
|
|
|
|
patterns: 'ssh_host_*_key.pub'
|
|
|
|
|
recurse: true
|
|
|
|
|
file_type: any
|
2024-09-05 17:36:07 +01:00
|
|
|
register: discovered_ssh_public_host_key
|
2022-01-07 09:06:18 +00:00
|
|
|
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
|
|
|
|
|
ansible.builtin.file:
|
|
|
|
|
path: "{{ item.path }}"
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
|
|
|
|
mode: 'u-x,go-wx'
|
2024-09-05 17:36:07 +01:00
|
|
|
loop: "{{ discovered_ssh_public_host_key.files }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
loop_control:
|
|
|
|
|
label: "{{ item.path }}"
|
|
|
|
|
|
|
|
|
|
- name: "5.1.4 | PATCH | Ensure sshd Ciphers are configured"
|
2022-01-07 09:06:18 +00:00
|
|
|
when:
|
2024-07-24 14:00:45 +01:00
|
|
|
- rhel9cis_rule_5_1_4
|
|
|
|
|
- "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
|
2025-09-08 11:54:57 -04:00
|
|
|
- rhel9cis_crypto_policy_ansiblemanaged
|
2022-01-07 09:06:18 +00:00
|
|
|
tags:
|
2024-07-24 14:00:45 +01:00
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- automated
|
|
|
|
|
- patch
|
|
|
|
|
- crypto
|
|
|
|
|
- rule_5.1.4
|
|
|
|
|
- NIST800-53R5_SC-8
|
|
|
|
|
block:
|
|
|
|
|
- name: "5.1.4 | PATCH | Ensure sshd Ciphers are configured | Add submodule exclusion"
|
|
|
|
|
ansible.builtin.template:
|
|
|
|
|
src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
|
|
|
|
|
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
2024-12-04 11:45:13 +00:00
|
|
|
mode: 'g-wx,o-rwx'
|
2024-07-24 14:00:45 +01:00
|
|
|
notify:
|
|
|
|
|
- Update Crypto Policy
|
|
|
|
|
- Set Crypto Policy
|
2022-01-07 09:06:18 +00:00
|
|
|
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.1.4 | PATCH | Ensure sshd Ciphers are configured | submodule to crypto policy modules"
|
|
|
|
|
ansible.builtin.set_fact:
|
|
|
|
|
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHWEAKCIPHERS' }}"
|
|
|
|
|
|
|
|
|
|
- name: "5.1.5 | PATCH | Ensure sshd KexAlgorithms is configured"
|
2022-01-07 09:06:18 +00:00
|
|
|
when:
|
2024-07-24 14:00:45 +01:00
|
|
|
- rhel9cis_rule_5_1_5
|
|
|
|
|
- "'NO-SHA1' not in rhel9cis_crypto_policy_module"
|
2025-09-08 11:54:57 -04:00
|
|
|
- rhel9cis_crypto_policy_ansiblemanaged
|
2022-01-07 09:06:18 +00:00
|
|
|
tags:
|
2024-07-24 14:00:45 +01:00
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- automated
|
|
|
|
|
- patch
|
|
|
|
|
- crypto
|
|
|
|
|
- rule_5.1.5
|
|
|
|
|
- NIST800-53R5_SC-6
|
|
|
|
|
block:
|
|
|
|
|
- name: "5.1.5 | PATCH | Ensure sshd KexAlgorithms is configured | Add submodule exclusion"
|
|
|
|
|
ansible.builtin.template:
|
|
|
|
|
src: etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
|
|
|
|
|
dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
2024-12-04 11:45:13 +00:00
|
|
|
mode: 'g-wx,o-rwx'
|
2024-07-24 14:00:45 +01:00
|
|
|
notify:
|
|
|
|
|
- Update Crypto Policy
|
|
|
|
|
- Set Crypto Policy
|
2022-01-07 09:06:18 +00:00
|
|
|
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.1.5 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules"
|
|
|
|
|
ansible.builtin.set_fact:
|
|
|
|
|
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SHA1' }}"
|
|
|
|
|
|
|
|
|
|
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured"
|
2022-01-07 09:06:18 +00:00
|
|
|
when:
|
2024-07-24 14:00:45 +01:00
|
|
|
- rhel9cis_rule_5_1_6
|
|
|
|
|
- "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
|
2025-09-08 11:54:57 -04:00
|
|
|
- rhel9cis_crypto_policy_ansiblemanaged
|
2022-01-07 09:06:18 +00:00
|
|
|
tags:
|
2024-07-24 14:00:45 +01:00
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- automated
|
|
|
|
|
- patch
|
|
|
|
|
- crypto
|
|
|
|
|
- rule_5.1.6
|
|
|
|
|
- NIST800-53R5_SC-6
|
|
|
|
|
block:
|
|
|
|
|
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | Add submodule exclusion"
|
|
|
|
|
ansible.builtin.template:
|
|
|
|
|
src: etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
|
|
|
|
|
dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
|
|
|
|
|
owner: root
|
|
|
|
|
group: root
|
2024-12-04 11:45:13 +00:00
|
|
|
mode: 'g-wx,o-rwx'
|
2024-07-24 14:00:45 +01:00
|
|
|
notify:
|
|
|
|
|
- Update Crypto Policy
|
|
|
|
|
- Set Crypto Policy
|
2022-01-07 09:06:18 +00:00
|
|
|
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.1.6 | PATCH | Ensure sshd KexAlgorithms is configured | submodule to crypto policy modules"
|
|
|
|
|
ansible.builtin.set_fact:
|
2024-08-07 14:05:59 +01:00
|
|
|
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.7 | PATCH | Ensure sshd access is configured"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_7
|
2022-01-07 09:06:18 +00:00
|
|
|
tags:
|
2024-07-24 14:00:45 +01:00
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.7
|
|
|
|
|
- NIST800-53R5_AC-3
|
|
|
|
|
- NIST800-53R5_MP-2
|
|
|
|
|
block:
|
|
|
|
|
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowusers"
|
|
|
|
|
when: "rhel9cis_sshd_allowusers | length > 0"
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
regexp: "^AllowUsers"
|
|
|
|
|
line: "AllowUsers {{ rhel9cis_sshd_allowusers }}"
|
|
|
|
|
validate: sshd -t -f %s
|
|
|
|
|
notify: Restart sshd
|
2022-01-07 09:06:18 +00:00
|
|
|
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowgroups"
|
|
|
|
|
when: "rhel9cis_sshd_allowgroups | length > 0"
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
regexp: "^AllowGroups"
|
|
|
|
|
line: "AllowGroups {{ rhel9cis_sshd_allowgroups }}"
|
|
|
|
|
validate: sshd -t -f %s
|
|
|
|
|
notify: Restart sshd
|
|
|
|
|
|
|
|
|
|
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denyusers"
|
2024-08-07 10:29:03 +01:00
|
|
|
when: "rhel9cis_sshd_denyusers | length > 0"
|
2024-07-24 14:00:45 +01:00
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
regexp: "^DenyUsers"
|
|
|
|
|
line: "DenyUsers {{ rhel9cis_sshd_denyusers }}"
|
2025-04-15 12:51:42 +01:00
|
|
|
insertbefore: "^Match"
|
|
|
|
|
firstmatch: true
|
2024-07-24 14:00:45 +01:00
|
|
|
validate: sshd -t -f %s
|
|
|
|
|
notify: Restart sshd
|
|
|
|
|
|
|
|
|
|
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denygroups"
|
2024-08-07 10:29:03 +01:00
|
|
|
when: "rhel9cis_sshd_denygroups | length > 0"
|
2024-07-24 14:00:45 +01:00
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
regexp: "^DenyGroups"
|
|
|
|
|
line: "DenyGroups {{ rhel9cis_sshd_denygroups }}"
|
|
|
|
|
validate: sshd -t -f %s
|
|
|
|
|
notify: Restart sshd
|
|
|
|
|
|
|
|
|
|
- name: "5.1.8 | PATCH | Ensure sshd Banner is configured"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_8
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.8
|
|
|
|
|
- NIST800-53R5_CM-1
|
|
|
|
|
- NIST800-53R5_CM-2
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
- NIST800-53R5_CM-7
|
|
|
|
|
- NIST800-53R5_IA-5
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
regexp: '^Banner'
|
|
|
|
|
line: 'Banner /etc/issue.net'
|
|
|
|
|
|
|
|
|
|
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_9
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.9
|
|
|
|
|
- NIST800-53R5_CM-1
|
|
|
|
|
- NIST800-53R5_CM-2
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
- NIST800-53R5_CM-7
|
|
|
|
|
- NIST800-53R5_IA-5
|
2022-01-07 09:06:18 +00:00
|
|
|
block:
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Add line in sshd_config for ClientAliveInterval"
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
regexp: '^ClientAliveInterval'
|
|
|
|
|
line: "ClientAliveInterval {{ rhel9cis_sshd_clientaliveinterval }}"
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Ensure SSH ClientAliveCountMax set to <= 3"
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
regexp: '^ClientAliveCountMax'
|
|
|
|
|
line: "ClientAliveCountMax {{ rhel9cis_sshd_clientalivecountmax }}"
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_10
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level2-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.10
|
|
|
|
|
- NIST800-53R5_CM-7
|
2022-03-30 16:18:11 +01:00
|
|
|
block:
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | config file"
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
regexp: ^(#|)\s*DisableForwarding
|
|
|
|
|
line: 'DisableForwarding yes'
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override"
|
2025-06-16 10:08:56 +01:00
|
|
|
when: prelim_sshd_50_redhat_file.stat.exists
|
2024-07-24 14:00:45 +01:00
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
|
path: /etc/ssh/sshd_config.d/50-redhat.conf
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*X11Forwarding
|
2024-07-24 14:00:45 +01:00
|
|
|
line: 'X11Forwarding {{ rhel9cis_sshd_x11forwarding }}'
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_11
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.11
|
|
|
|
|
- NIST800-53R5_CM-1
|
|
|
|
|
- NIST800-53R5_CM-2
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
- NIST800-53R5_CM-7
|
|
|
|
|
- NIST800-53R5_IA-5
|
2024-08-08 11:07:16 +01:00
|
|
|
block:
|
|
|
|
|
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file"
|
2025-06-16 10:08:56 +01:00
|
|
|
when: prelim_sshd_50_redhat_file.stat.exists
|
2024-08-08 11:07:16 +01:00
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
|
path: /etc/ssh/sshd_config.d/50-redhat.conf
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*GSSAPIAuthentication
|
2024-08-08 11:07:16 +01:00
|
|
|
line: GSSAPIAuthentication no
|
|
|
|
|
validate: sshd -t -f %s
|
|
|
|
|
notify: Restart sshd
|
|
|
|
|
|
|
|
|
|
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | ssh config"
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*GSSAPIAuthentication
|
2024-08-08 11:07:16 +01:00
|
|
|
line: GSSAPIAuthentication no
|
|
|
|
|
validate: sshd -t -f %s
|
|
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_12
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.12
|
|
|
|
|
- NIST800-53R5_CM-1
|
|
|
|
|
- NIST800-53R5_CM-2
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
- NIST800-53R5_CM-7
|
|
|
|
|
- NIST800-53R5_IA-5
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*HostbasedAuthentication
|
2024-07-24 14:00:45 +01:00
|
|
|
line: 'HostbasedAuthentication no'
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_13
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.13
|
|
|
|
|
- NIST800-53R5_CM-1
|
|
|
|
|
- NIST800-53R5_CM-2
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
- NIST800-53R5_CM-7
|
|
|
|
|
- NIST800-53R5_IA-5
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*IgnoreRhosts
|
2024-07-24 14:00:45 +01:00
|
|
|
line: 'IgnoreRhosts yes'
|
2025-04-15 12:51:42 +01:00
|
|
|
insertbefore: "^Match"
|
|
|
|
|
firstmatch: true
|
2024-07-24 14:00:45 +01:00
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_14
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.14
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*LoginGraceTime
|
2024-07-24 14:00:45 +01:00
|
|
|
line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}"
|
2025-04-15 12:51:42 +01:00
|
|
|
insertbefore: "^Match"
|
|
|
|
|
firstmatch: true
|
2024-07-24 14:00:45 +01:00
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_15
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.15
|
|
|
|
|
- NIST800-53R5_AU-3
|
|
|
|
|
- NIST800-53R5_AU-12
|
|
|
|
|
- NIST800-53R5_SI-5
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*LogLevel
|
2024-07-24 14:00:45 +01:00
|
|
|
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
|
2025-04-15 12:51:42 +01:00
|
|
|
insertbefore: "^Match"
|
|
|
|
|
firstmatch: true
|
2024-07-24 14:00:45 +01:00
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_16
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.16
|
|
|
|
|
- NIST800-53R5_AU-3
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
regexp: '^(#)?MaxAuthTries \d'
|
|
|
|
|
line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_17
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.17
|
|
|
|
|
- NIST800-53R5_CM-1
|
|
|
|
|
- NIST800-53R5_CM-2
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
- NIST800-53R5_CM-7
|
|
|
|
|
- NIST800-53R5_IA-5
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*MaxStartups
|
2024-07-24 14:00:45 +01:00
|
|
|
line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_18
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.18
|
|
|
|
|
- NIST800-53R5_CM-1
|
|
|
|
|
- NIST800-53R5_CM-2
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
- NIST800-53R5_CM-7
|
|
|
|
|
- NIST800-53R5_IA-5
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*MaxSessions
|
2024-07-24 14:00:45 +01:00
|
|
|
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_19
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.19
|
|
|
|
|
- NIST800-53R5_CM-1
|
|
|
|
|
- NIST800-53R5_CM-2
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
- NIST800-53R5_CM-7
|
|
|
|
|
- NIST800-53R5_IA-5
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*PermitEmptyPasswords
|
2024-07-24 14:00:45 +01:00
|
|
|
line: 'PermitEmptyPasswords no'
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_20
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.20
|
|
|
|
|
- NIST800-53R5_AC-6
|
|
|
|
|
block:
|
|
|
|
|
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | config file"
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*PermitRootLogin
|
2024-07-24 14:00:45 +01:00
|
|
|
line: 'PermitRootLogin no'
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | override file"
|
|
|
|
|
ansible.builtin.file:
|
|
|
|
|
path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf
|
|
|
|
|
state: absent
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_21
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.21
|
|
|
|
|
- NIST800-53R5_CM-1
|
|
|
|
|
- NIST800-53R5_CM-2
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
- NIST800-53R5_CM-7
|
|
|
|
|
- NIST800-53R5_IA-5
|
|
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*PermitUserEnvironment
|
2024-07-24 14:00:45 +01:00
|
|
|
line: 'PermitUserEnvironment no'
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_1_22
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
2025-04-15 12:51:42 +01:00
|
|
|
- sshd
|
2024-07-24 14:00:45 +01:00
|
|
|
- rule_5.1.22
|
2024-08-07 10:29:03 +01:00
|
|
|
- NIST800-53R5_CM-1
|
|
|
|
|
- NIST800-53R5_CM-2
|
|
|
|
|
- NIST800-53R5_CM-6
|
|
|
|
|
- NIST800-53R5_CM-7
|
|
|
|
|
- NIST800-53R5_IA-5
|
2024-07-24 14:00:45 +01:00
|
|
|
ansible.builtin.lineinfile:
|
2024-09-06 14:49:41 +01:00
|
|
|
path: "{{ rhel9cis_sshd_config_file }}"
|
2025-06-16 10:08:56 +01:00
|
|
|
regexp: (?i)^(#|)\s*UsePAM
|
2024-07-24 14:00:45 +01:00
|
|
|
line: 'UsePAM yes'
|
|
|
|
|
validate: sshd -t -f %s
|
2024-08-08 11:07:16 +01:00
|
|
|
notify: Restart sshd
|
