Initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 22:23:06 +00:00 · 2022-01-07 09:06:18 +00:00 · 2022-01-07 09:06:18 +00:00 · a54b5216eb
commit a54b5216eb
87 changed files with 7693 additions and 0 deletions
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@ -0,0 +1,345 @@
+---
+
+- name: "5.2.1 | L1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
+  file:
+      dest: /etc/ssh/sshd_config
+      state: file
+      owner: root
+      group: root
+      mode: 0600
+  when:
+      - rhel9cis_rule_5_2_1
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.1
+
+- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited"
+  block:
+      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
+        lineinfile:
+            state: present
+            dest: /etc/ssh/sshd_config
+            regexp: "^AllowUsers"
+            line: AllowUsers {{ rhel9cis_sshd['allowusers'] }}
+        notify: restart sshd
+        when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
+
+      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
+        lineinfile:
+            state: present
+            dest: /etc/ssh/sshd_config
+            regexp: "^AllowGroups"
+            line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }}
+        notify: restart sshd
+        when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
+
+      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
+        lineinfile:
+            state: present
+            dest: /etc/ssh/sshd_config
+            regexp: "^DenyUsers"
+            line: DenyUsers {{ rhel9cis_sshd['denyusers'] }}
+        notify: restart sshd
+        when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
+
+      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
+        lineinfile:
+            state: present
+            dest: /etc/ssh/sshd_config
+            regexp: "^DenyGroups"
+            line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
+        notify: restart sshd
+        when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
+  when:
+      - rhel9cis_rule_5_2_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.2
+
+- name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured"
+  block:
+      - name: "5.2.3 | L1 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys"
+        find:
+            paths: /etc/ssh
+            patterns: 'ssh_host_*_key'
+            recurse: true
+            file_type: any
+        register: rhel9cis_5_2_3_ssh_private_host_key
+
+      - name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
+        file:
+            path: "{{ item.path }}"
+            owner: root
+            group: root
+            mode: 0600
+        with_items:
+            - "{{ rhel9cis_5_2_3_ssh_private_host_key.files }}"
+  when:
+      - rhel9cis_rule_5_2_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.3
+
+- name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured"
+  block:
+      - name: "5.2.4 | L1 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys"
+        find:
+            paths: /etc/ssh
+            patterns: 'ssh_host_*_key.pub'
+            recurse: true
+            file_type: any
+        register: rhel9cis_5_2_4_ssh_public_host_key
+
+      - name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
+        file:
+            path: "{{ item.path }}"
+            owner: root
+            group: root
+            mode: 0644
+        with_items:
+            - "{{ rhel9cis_5_2_4_ssh_public_host_key.files }}"
+  when:
+      - rhel9cis_rule_5_2_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.4
+
+- name: "5.2.5 | L1 | PATCH | Ensure SSH LogLevel is appropriate"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#LogLevel|^LogLevel"
+      line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
+  when:
+      - rhel9cis_rule_5_2_5
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.5
+
+- name: "5.2.6 | L2 | PATCH | Ensure SSH X11 forwarding is disabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#X11Forwarding|^X11Forwarding"
+      line: 'X11Forwarding no'
+  when:
+      - rhel9cis_rule_5_2_6
+  tags:
+      - level2-server
+      - level1-workstation
+      - patch
+      - rule_5.2.6
+
+- name: "5.2.7 | L1 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: '^(#)?MaxAuthTries \d'
+      line: 'MaxAuthTries 4'
+  when:
+      - rhel9cis_rule_5_2_7
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.7
+
+- name: "5.2.8 | L1 | PATCH | Ensure SSH IgnoreRhosts is enabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#IgnoreRhosts|^IgnoreRhosts"
+      line: 'IgnoreRhosts yes'
+  when:
+      - rhel9cis_rule_5_2_8
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.8
+
+- name: "5.2.9 | L1 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: ^#HostbasedAuthentication|^HostbasedAuthentication"
+      line: 'HostbasedAuthentication no'
+  when:
+      - rhel9cis_rule_5_2_9
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.9
+
+- name: "5.2.10 | L1 | PATCH | Ensure SSH root login is disabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#PermitRootLogin|^PermitRootLogin"
+      line: 'PermitRootLogin no'
+  when:
+      - rhel9cis_rule_5_2_10
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.10
+
+- name: "5.2.11 | L1 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
+      line: 'PermitEmptyPasswords no'
+  when:
+      - rhel9cis_rule_5_2_11
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.11
+
+- name: "5.2.12 | L1 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
+      line: 'PermitUserEnvironment no'
+  when:
+      - rhel9cis_rule_5_2_12
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.12
+
+- name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured"
+  block:
+      - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
+        lineinfile:
+            state: present
+            dest: /etc/ssh/sshd_config
+            regexp: '^ClientAliveInterval'
+            line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
+
+      - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
+        lineinfile:
+            state: present
+            dest: /etc/ssh/sshd_config
+            regexp: '^ClientAliveCountMax'
+            line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
+  when:
+      - rhel9cis_rule_5_2_13
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.13
+
+- name: "5.2.14 | L1 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#LoginGraceTime|^LoginGraceTime"
+      line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
+  when:
+      - rhel9cis_rule_5_2_14
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.14
+
+- name: "5.2.15 | L1 | PATCH | Ensure SSH warning banner is configured"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: '^Banner'
+      line: 'Banner /etc/issue.net'
+  when:
+      - rhel9cis_rule_5_2_15
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.15
+
+- name: "5.2.16 | L1 | PATCH | Ensure SSH PAM is enabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#UsePAM|^UsePAM"
+      line: 'UsePAM yes'
+  when:
+      - rhel9cis_rule_5_2_16
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.16
+
+- name: "5.2.17 | L2 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
+      line: 'AllowTcpForwarding no'
+  when:
+      - rhel9cis_rule_5_2_17
+  tags:
+      - level2-server
+      - level2-workstation
+      - patch
+      - rule_5.2.17
+
+- name: "5.2.18 | L1 | PATCH | Ensure SSH MaxStartups is configured"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#MaxStartups|^MaxStartups"
+      line: 'MaxStartups 10:30:60'
+  when:
+      - rhel9cis_rule_5_2_18
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.18
+
+- name: "5.2.19 | L1 | PATCH | Ensure SSH MaxSessions is set to 4 or less"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: "^#MaxSessions|^MaxSessions"
+      line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
+  when:
+      - rhel9cis_rule_5_2_19
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.19
+
+- name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden"
+  shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
+  args:
+      warn: no
+  notify: restart sshd
+  when:
+      - rhel9cis_rule_5_2_20
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.2.20