RHEL9-CIS/tasks/section_5/cis_5.2.x.yml

---

- name: "5.2.1 | L1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
  file:
      dest: /etc/ssh/sshd_config
      state: file
      owner: root
      group: root
      mode: 0600
  when:
      - rhel9cis_rule_5_2_1
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.1

- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited"
  block:
      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: "^AllowUsers"
            line: AllowUsers {{ rhel9cis_sshd['allowusers'] }}
        notify: restart sshd
        when: "rhel9cis_sshd['allowusers']|default('') | length > 0"

      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: "^AllowGroups"
            line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }}
        notify: restart sshd
        when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"

      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: "^DenyUsers"
            line: DenyUsers {{ rhel9cis_sshd['denyusers'] }}
        notify: restart sshd
        when: "rhel9cis_sshd['denyusers']|default('') | length > 0"

      - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: "^DenyGroups"
            line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
        notify: restart sshd
        when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
  when:
      - rhel9cis_rule_5_2_2
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.2

- name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured"
  block:
      - name: "5.2.3 | L1 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys"
        find:
            paths: /etc/ssh
            patterns: 'ssh_host_*_key'
            recurse: true
            file_type: any
        register: rhel9cis_5_2_3_ssh_private_host_key

      - name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
        file:
            path: "{{ item.path }}"
            owner: root
            group: root
            mode: 0600
        with_items:
            - "{{ rhel9cis_5_2_3_ssh_private_host_key.files }}"
  when:
      - rhel9cis_rule_5_2_3
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.3

- name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured"
  block:
      - name: "5.2.4 | L1 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys"
        find:
            paths: /etc/ssh
            patterns: 'ssh_host_*_key.pub'
            recurse: true
            file_type: any
        register: rhel9cis_5_2_4_ssh_public_host_key

      - name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
        file:
            path: "{{ item.path }}"
            owner: root
            group: root
            mode: 0644
        with_items:
            - "{{ rhel9cis_5_2_4_ssh_public_host_key.files }}"
  when:
      - rhel9cis_rule_5_2_4
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.4

- name: "5.2.5 | L1 | PATCH | Ensure SSH LogLevel is appropriate"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#LogLevel|^LogLevel"
      line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
  when:
      - rhel9cis_rule_5_2_5
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.5

- name: "5.2.6 | L2 | PATCH | Ensure SSH X11 forwarding is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#X11Forwarding|^X11Forwarding"
      line: 'X11Forwarding no'
  when:
      - rhel9cis_rule_5_2_6
  tags:
      - level2-server
      - level1-workstation
      - patch
      - rule_5.2.6

- name: "5.2.7 | L1 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^(#)?MaxAuthTries \d'
      line: 'MaxAuthTries 4'
  when:
      - rhel9cis_rule_5_2_7
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.7

- name: "5.2.8 | L1 | PATCH | Ensure SSH IgnoreRhosts is enabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#IgnoreRhosts|^IgnoreRhosts"
      line: 'IgnoreRhosts yes'
  when:
      - rhel9cis_rule_5_2_8
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.8

- name: "5.2.9 | L1 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: ^#HostbasedAuthentication|^HostbasedAuthentication"
      line: 'HostbasedAuthentication no'
  when:
      - rhel9cis_rule_5_2_9
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.9

- name: "5.2.10 | L1 | PATCH | Ensure SSH root login is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#PermitRootLogin|^PermitRootLogin"
      line: 'PermitRootLogin no'
  when:
      - rhel9cis_rule_5_2_10
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.10

- name: "5.2.11 | L1 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
      line: 'PermitEmptyPasswords no'
  when:
      - rhel9cis_rule_5_2_11
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.11

- name: "5.2.12 | L1 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
      line: 'PermitUserEnvironment no'
  when:
      - rhel9cis_rule_5_2_12
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.12

- name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured"
  block:
      - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: '^ClientAliveInterval'
            line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"

      - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
        lineinfile:
            state: present
            dest: /etc/ssh/sshd_config
            regexp: '^ClientAliveCountMax'
            line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
  when:
      - rhel9cis_rule_5_2_13
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.13

- name: "5.2.14 | L1 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#LoginGraceTime|^LoginGraceTime"
      line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
  when:
      - rhel9cis_rule_5_2_14
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.14

- name: "5.2.15 | L1 | PATCH | Ensure SSH warning banner is configured"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: '^Banner'
      line: 'Banner /etc/issue.net'
  when:
      - rhel9cis_rule_5_2_15
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.15

- name: "5.2.16 | L1 | PATCH | Ensure SSH PAM is enabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#UsePAM|^UsePAM"
      line: 'UsePAM yes'
  when:
      - rhel9cis_rule_5_2_16
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.16

- name: "5.2.17 | L2 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
      line: 'AllowTcpForwarding no'
  when:
      - rhel9cis_rule_5_2_17
  tags:
      - level2-server
      - level2-workstation
      - patch
      - rule_5.2.17

- name: "5.2.18 | L1 | PATCH | Ensure SSH MaxStartups is configured"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#MaxStartups|^MaxStartups"
      line: 'MaxStartups 10:30:60'
  when:
      - rhel9cis_rule_5_2_18
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.18

- name: "5.2.19 | L1 | PATCH | Ensure SSH MaxSessions is set to 4 or less"
  lineinfile:
      state: present
      dest: /etc/ssh/sshd_config
      regexp: "^#MaxSessions|^MaxSessions"
      line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
  when:
      - rhel9cis_rule_5_2_19
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.19

- name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden"
  shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
  args:
      warn: false
  notify: restart sshd
  when:
      - rhel9cis_rule_5_2_20
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_5.2.20