mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-25 14:43:06 +00:00
Add handler
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
d5b688caac
commit
9598139f4c
1 changed files with 34 additions and 7 deletions
|
|
@ -251,6 +251,7 @@
|
||||||
regexp: '^ClientAliveInterval'
|
regexp: '^ClientAliveInterval'
|
||||||
line: "ClientAliveInterval {{ rhel9cis_sshd_clientaliveinterval }}"
|
line: "ClientAliveInterval {{ rhel9cis_sshd_clientaliveinterval }}"
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Ensure SSH ClientAliveCountMax set to <= 3"
|
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Ensure SSH ClientAliveCountMax set to <= 3"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
|
|
@ -258,6 +259,7 @@
|
||||||
regexp: '^ClientAliveCountMax'
|
regexp: '^ClientAliveCountMax'
|
||||||
line: "ClientAliveCountMax {{ rhel9cis_sshd_clientalivecountmax }}"
|
line: "ClientAliveCountMax {{ rhel9cis_sshd_clientalivecountmax }}"
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled"
|
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled"
|
||||||
when:
|
when:
|
||||||
|
|
@ -276,6 +278,7 @@
|
||||||
regexp: ^(#|)\s*DisableForwarding
|
regexp: ^(#|)\s*DisableForwarding
|
||||||
line: 'DisableForwarding yes'
|
line: 'DisableForwarding yes'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override"
|
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
|
|
@ -283,6 +286,7 @@
|
||||||
regexp: ^(?i)(#|)\s*X11Forwarding
|
regexp: ^(?i)(#|)\s*X11Forwarding
|
||||||
line: 'X11Forwarding {{ rhel9cis_sshd_x11forwarding }}'
|
line: 'X11Forwarding {{ rhel9cis_sshd_x11forwarding }}'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
|
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
|
||||||
when:
|
when:
|
||||||
|
|
@ -298,11 +302,22 @@
|
||||||
- NIST800-53R5_CM-6
|
- NIST800-53R5_CM-6
|
||||||
- NIST800-53R5_CM-7
|
- NIST800-53R5_CM-7
|
||||||
- NIST800-53R5_IA-5
|
- NIST800-53R5_IA-5
|
||||||
ansible.builtin.lineinfile:
|
block:
|
||||||
path: "{{ rhel9_cis_sshd_config_file }}"
|
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file"
|
||||||
regexp: ^(?i)(#|)\s*GSSAPIAuthentication
|
ansible.builtin.lineinfile:
|
||||||
line: 'GSSAPIAuthentication no'
|
path: /etc/ssh/sshd_config.d/50-redhat.conf
|
||||||
validate: sshd -t -f %s
|
regexp: ^(?i)(#|)\s*GSSAPIAuthentication
|
||||||
|
line: GSSAPIAuthentication no
|
||||||
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
|
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | ssh config"
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
|
regexp: ^(?i)(#|)\s*GSSAPIAuthentication
|
||||||
|
line: GSSAPIAuthentication no
|
||||||
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
|
- name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
|
||||||
when:
|
when:
|
||||||
|
|
@ -323,6 +338,7 @@
|
||||||
regexp: ^(?i)(#|)\s*HostbasedAuthentication
|
regexp: ^(?i)(#|)\s*HostbasedAuthentication
|
||||||
line: 'HostbasedAuthentication no'
|
line: 'HostbasedAuthentication no'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled"
|
- name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled"
|
||||||
when:
|
when:
|
||||||
|
|
@ -343,6 +359,7 @@
|
||||||
regexp: ^(?i)(#|)\s*IgnoreRhosts
|
regexp: ^(?i)(#|)\s*IgnoreRhosts
|
||||||
line: 'IgnoreRhosts yes'
|
line: 'IgnoreRhosts yes'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
|
- name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
|
||||||
when:
|
when:
|
||||||
|
|
@ -359,6 +376,7 @@
|
||||||
regexp: ^(?i)(#|)\s*LoginGraceTime
|
regexp: ^(?i)(#|)\s*LoginGraceTime
|
||||||
line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}"
|
line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}"
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
|
- name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
|
||||||
when:
|
when:
|
||||||
|
|
@ -377,6 +395,7 @@
|
||||||
regexp: ^(?i)(#|)\s*LogLevel
|
regexp: ^(?i)(#|)\s*LogLevel
|
||||||
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
|
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
|
- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
|
||||||
when:
|
when:
|
||||||
|
|
@ -393,6 +412,7 @@
|
||||||
regexp: '^(#)?MaxAuthTries \d'
|
regexp: '^(#)?MaxAuthTries \d'
|
||||||
line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
|
line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured"
|
- name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured"
|
||||||
when:
|
when:
|
||||||
|
|
@ -413,6 +433,7 @@
|
||||||
regexp: ^(?i)(#|)\s*MaxStartups
|
regexp: ^(?i)(#|)\s*MaxStartups
|
||||||
line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
|
line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
|
- name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
|
||||||
when:
|
when:
|
||||||
|
|
@ -433,6 +454,7 @@
|
||||||
regexp: ^(?i)(#|)\s*MaxSessions
|
regexp: ^(?i)(#|)\s*MaxSessions
|
||||||
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
|
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
|
- name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
|
||||||
when:
|
when:
|
||||||
|
|
@ -453,6 +475,7 @@
|
||||||
regexp: ^(?i)(#|)\s*PermitEmptyPasswords
|
regexp: ^(?i)(#|)\s*PermitEmptyPasswords
|
||||||
line: 'PermitEmptyPasswords no'
|
line: 'PermitEmptyPasswords no'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
|
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
|
||||||
when:
|
when:
|
||||||
|
|
@ -471,11 +494,13 @@
|
||||||
regexp: ^(?i)(#|)\s*PermitRootLogin
|
regexp: ^(?i)(#|)\s*PermitRootLogin
|
||||||
line: 'PermitRootLogin no'
|
line: 'PermitRootLogin no'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | override file"
|
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | override file"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf
|
path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf
|
||||||
state: absent
|
state: absent
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
|
- name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
|
||||||
when:
|
when:
|
||||||
|
|
@ -493,9 +518,10 @@
|
||||||
- NIST800-53R5_IA-5
|
- NIST800-53R5_IA-5
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: "{{ rhel9_cis_sshd_config_file }}"
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
|
regexp: ^(?i)(#|)\s*PermitUserEnvironment
|
||||||
line: 'PermitUserEnvironment no'
|
line: 'PermitUserEnvironment no'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
||||||
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
|
- name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
|
||||||
when:
|
when:
|
||||||
|
|
@ -513,6 +539,7 @@
|
||||||
- NIST800-53R5_IA-5
|
- NIST800-53R5_IA-5
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: "{{ rhel9_cis_sshd_config_file }}"
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: ^(?i)(#|)\s*MaxStartupsUsePAM
|
regexp: ^(?i)(#|)\s*UsePAM
|
||||||
line: 'UsePAM yes'
|
line: 'UsePAM yes'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
notify: Restart sshd
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue