sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

linting fqcn

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-12 15:01:17 +00:00
parent 60d01a6582
commit c18151e158
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
7 changed files with 88 additions and 89 deletions
Download patch file Download diff file Expand all files Collapse all files

54
tasks/section_5/cis_5.2.x.yml
View file

@ -1,7 +1,7 @@
---
- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
file:
ansible.builtin.file:
dest: /etc/ssh/sshd_config
state: file
owner: root
@ -21,7 +21,7 @@
- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured"
block:
- name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys"
find:
ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*_key'
recurse: true
@ -29,7 +29,7 @@
register: rhel9cis_5_2_2_ssh_private_host_key
- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
file:
ansible.builtin.file:
path: "{{ item.path }}"
owner: root
group: root
@ -52,7 +52,7 @@
- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured"
block:
- name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys"
find:
ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*_key.pub'
recurse: true
@ -60,7 +60,7 @@
register: rhel9cis_5_2_3_ssh_public_host_key
- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
file:
ansible.builtin.file:
path: "{{ item.path }}"
owner: root
group: root
@ -82,7 +82,7 @@
- name: "5.2.4 | PATCH | Ensure SSH access is limited"
block:
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^AllowUsers"
line: AllowUsers {{ rhel9cis_sshd['allowusers'] }}
@ -91,7 +91,7 @@
when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^AllowGroups"
line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }}
@ -100,7 +100,7 @@
when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^DenyUsers"
line: DenyUsers {{ rhel9cis_sshd['denyusers'] }}
@ -109,7 +109,7 @@
when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^DenyGroups"
line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
@ -127,7 +127,7 @@
- rule_5.2.4
- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#LogLevel|^LogLevel"
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
@ -143,7 +143,7 @@
- rule_5.2.5
- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#UsePAM|^UsePAM"
line: 'UsePAM yes'
@ -159,7 +159,7 @@
- rule_5.2.6
- name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#PermitRootLogin|^PermitRootLogin"
line: 'PermitRootLogin no'
@ -175,7 +175,7 @@
- rule_5.2.7
- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
line: 'HostbasedAuthentication no'
@ -191,7 +191,7 @@
- rule_5.2.8
- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
line: 'PermitEmptyPasswords no'
@ -207,7 +207,7 @@
- rule_5.2.9
- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
line: 'PermitUserEnvironment no'
@ -223,7 +223,7 @@
- rule_5.2.10
- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#IgnoreRhosts|^IgnoreRhosts"
line: 'IgnoreRhosts yes'
@ -239,7 +239,7 @@
- rule_5.2.11
- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#X11Forwarding|^X11Forwarding"
line: 'X11Forwarding no'
@ -255,7 +255,7 @@
- rule_5.2.12
- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
line: 'AllowTcpForwarding no'
@ -273,13 +273,13 @@
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
block:
- name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden"
shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd
ansible.builtin.shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd
changed_when: false
failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] )
register: ssh_crypto_discovery
- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
notify: restart sshd
when: ssh_crypto_discovery.stdout | length > 0
when:
@ -293,7 +293,7 @@
- rule_5.2.14
- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: '^Banner'
line: 'Banner /etc/issue.net'
@ -308,7 +308,7 @@
- rule_5.2.15
- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries 4'
@ -324,7 +324,7 @@
- rule_5.2.16
- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#MaxStartups|^MaxStartups"
line: 'MaxStartups 10:30:60'
@ -340,7 +340,7 @@
- rule_5.2.17
- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#MaxSessions|^MaxSessions"
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
@ -356,7 +356,7 @@
- rule_5.2.18
- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: "^#LoginGraceTime|^LoginGraceTime"
line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
@ -374,14 +374,14 @@
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured"
block:
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveInterval'
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
validate: sshd -t -f %s
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
lineinfile:
ansible.builtin.linefile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"