mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 22:23:06 +00:00
7d7b6132f4
* Issue #170, PR #181 thanks to @ipruteanu-sie * issue #182, PR #183 thansk to @ipruteanu-sie * PR #180 thanks to @ipruteanu-sie and @raabf * Addressed PR #165 thanks to @ipruteanu-sie * PT #184 addressed thansk to @ipruteanu-sie * updated credits * typo and ssh allow_deny comments * enable OS check --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
391 lines
12 KiB
YAML
391 lines
12 KiB
YAML
---
|
|
|
|
- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
|
|
ansible.builtin.file:
|
|
path: "/etc/ssh/sshd_config"
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
when:
|
|
- rhel9cis_rule_5_2_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- permissions
|
|
- rule_5.2.1
|
|
|
|
- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured"
|
|
block:
|
|
- name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys"
|
|
ansible.builtin.find:
|
|
paths: /etc/ssh
|
|
patterns: 'ssh_host_*_key'
|
|
recurse: true
|
|
file_type: any
|
|
register: rhel9cis_5_2_2_ssh_private_host_key
|
|
|
|
- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
|
|
ansible.builtin.file:
|
|
path: "{{ item.path }}"
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
loop: "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}"
|
|
loop_control:
|
|
label: "{{ item.path }}"
|
|
when:
|
|
- rhel9cis_rule_5_2_2
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- permissions
|
|
- rule_5.2.2
|
|
|
|
- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured"
|
|
block:
|
|
- name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys"
|
|
ansible.builtin.find:
|
|
paths: /etc/ssh
|
|
patterns: 'ssh_host_*_key.pub'
|
|
recurse: true
|
|
file_type: any
|
|
register: rhel9cis_5_2_3_ssh_public_host_key
|
|
|
|
- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
|
|
ansible.builtin.file:
|
|
path: "{{ item.path }}"
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
loop: "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}"
|
|
loop_control:
|
|
label: "{{ item.path }}"
|
|
when:
|
|
- rhel9cis_rule_5_2_3
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.3
|
|
|
|
- name: "5.2.4 | PATCH | Ensure SSH access is limited"
|
|
block:
|
|
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^AllowUsers"
|
|
line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}"
|
|
validate: sshd -t -f %s
|
|
notify: Restart sshd
|
|
when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
|
|
|
|
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^AllowGroups"
|
|
line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}"
|
|
validate: sshd -t -f %s
|
|
notify: Restart sshd
|
|
when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
|
|
|
|
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^DenyUsers"
|
|
line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}"
|
|
validate: sshd -t -f %s
|
|
notify: Restart sshd
|
|
when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
|
|
|
|
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^DenyGroups"
|
|
line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}"
|
|
validate: sshd -t -f %s
|
|
notify: Restart sshd
|
|
when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
|
|
when:
|
|
- rhel9cis_rule_5_2_4
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.4
|
|
|
|
- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#LogLevel|^LogLevel"
|
|
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_5
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- sshs
|
|
- rule_5.2.5
|
|
|
|
- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#UsePAM|^UsePAM"
|
|
line: 'UsePAM yes'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_6
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.6
|
|
|
|
- name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
|
|
block:
|
|
- name: "5.2.7 | PATCH | Ensure SSH root login is disabled | config file"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#PermitRootLogin|^PermitRootLogin"
|
|
line: 'PermitRootLogin no'
|
|
validate: sshd -t -f %s
|
|
|
|
- name: "5.2.7 | PATCH | Ensure SSH root login is disabled | override file"
|
|
ansible.builtin.file:
|
|
path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf
|
|
state: absent
|
|
when:
|
|
- rhel9cis_rule_5_2_7
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.7
|
|
|
|
- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
|
|
line: 'HostbasedAuthentication no'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_8
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.8
|
|
|
|
- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
|
|
line: 'PermitEmptyPasswords no'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_9
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.9
|
|
|
|
- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
|
|
line: 'PermitUserEnvironment no'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_10
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.10
|
|
|
|
- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#IgnoreRhosts|^IgnoreRhosts"
|
|
line: 'IgnoreRhosts yes'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_11
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.11
|
|
|
|
- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
|
|
block:
|
|
|
|
- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled | config file"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#X11Forwarding|^X11Forwarding"
|
|
line: 'X11Forwarding no'
|
|
validate: sshd -t -f %s
|
|
|
|
- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled | override"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config.d/50-redhat.conf
|
|
regexp: "^#X11Forwarding|^X11Forwarding"
|
|
line: 'X11Forwarding no'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_12
|
|
tags:
|
|
- level2-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.12
|
|
|
|
- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
|
|
line: 'AllowTcpForwarding no'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_13
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.13
|
|
|
|
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
|
|
block:
|
|
- name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden"
|
|
ansible.builtin.shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd
|
|
changed_when: false
|
|
failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] )
|
|
register: ssh_crypto_discovery
|
|
|
|
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
|
|
ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
|
|
notify: Restart sshd
|
|
when: ssh_crypto_discovery.stdout | length > 0
|
|
when:
|
|
- rhel9cis_rule_5_2_14
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.14
|
|
|
|
- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: '^Banner'
|
|
line: 'Banner /etc/issue.net'
|
|
when:
|
|
- rhel9cis_rule_5_2_15
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.15
|
|
|
|
- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: '^(#)?MaxAuthTries \d'
|
|
line: 'MaxAuthTries 4'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_16
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.16
|
|
|
|
- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#MaxStartups|^MaxStartups"
|
|
line: 'MaxStartups 10:30:60'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_17
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.17
|
|
|
|
- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#MaxSessions|^MaxSessions"
|
|
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_18
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.18
|
|
|
|
- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: "^#LoginGraceTime|^LoginGraceTime"
|
|
line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_19
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.19
|
|
|
|
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured"
|
|
block:
|
|
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: '^ClientAliveInterval'
|
|
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
|
|
validate: sshd -t -f %s
|
|
|
|
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
|
|
ansible.builtin.lineinfile:
|
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
|
regexp: '^ClientAliveCountMax'
|
|
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
|
|
validate: sshd -t -f %s
|
|
when:
|
|
- rhel9cis_rule_5_2_20
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- ssh
|
|
- rule_5.2.20
|