-
Notifications
You must be signed in to change notification settings - Fork 44
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
3980f5f
commit f1f0855
Showing
1 changed file
with
12 additions
and
34 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -76,12 +76,16 @@ | |
| # | ||
| # Restrict cron permissions. All jobs are owned by root so there's no | ||
| # reason to allow others any level of access. This is also necessary to | ||
| # satisfy external auditing of CIS security benchmarks. | ||
| # satisfy external auditing of CIS security benchmarks. Also ensuring | ||
| # the permissions on /etc/ssh/sshd_config are configured. | ||
| # | ||
| - file: | ||
| path: /etc/crontab | ||
| path: "{{ item }}" | ||
| state: file | ||
| mode: 0600 | ||
| with_items: | ||
| - /etc/crontab | ||
| - /etc/ssh/sshd_config | ||
|
|
||
| - file: | ||
| path: "{{ item }}" | ||
|
|
@@ -247,6 +251,12 @@ | |
| - { key: "AllowTcpForwarding", value: "no" } | ||
| - { key: "X11Forwarding", value: "no" } | ||
| - { key: "HostKeyAlgorithms", value: "-ssh-rsa*" } | ||
| - { key: "MaxAuthTries", value: "6" } | ||
| - { key: "Ciphers", value: "[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]"} | ||
| - { key: "KexAlgorithms", value: "curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"} | ||
| - { key: "LoginGraceTime", value: "120"} | ||
| - { key: "MaxStartups", value: "10:30:60"} | ||
| - { key: "MACs", value: "[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512"} | ||
| notify: "sshd config changed" | ||
|
|
||
| # | ||
|
|
@@ -338,38 +348,6 @@ | |
| regexp: '^#?[\s]*(auth[\s]+required[\s]+pam_wheel\.so.*)$' | ||
| replace: '\1' | ||
|
|
||
| # | ||
| # Prevent sshd from offering weak message authentication codes to clients. | ||
| # | ||
| # The "MACs" configuration parameter in sshd_config takes a list of algorithms | ||
| # as its parameter. This list may be prefixed by a '+' or '-' operator | ||
| # (indicating that the given list should be appended to or removed from the | ||
| # existing MAC set, respectively), or neither operator (indicating that the | ||
| # given list should replace the existing MAC set). If there already exists a | ||
| # "MACs -..." line, we can append to this list. If otherwise, we need to add | ||
| # this as a separate line in the configuration. | ||
| # | ||
| - shell: grep -c -E "^MACs(\s+)-" /etc/ssh/sshd_config || true | ||
| register: grep_sshd_config_macs_to_remove | ||
|
|
||
| - shell: grep -c -E "^MACs(\s+)-(.*)hmac-sha1\*,umac-64\*" /etc/ssh/sshd_config || true | ||
| register: grep_sshd_config_macs_already_removed | ||
|
|
||
| - lineinfile: | ||
| path: /etc/ssh/sshd_config | ||
| backrefs: yes | ||
| regexp: '^MACs[\s]+-(.*)$' | ||
| line: 'MACs -\1,hmac-sha1*,umac-64*' | ||
| notify: "sshd config changed" | ||
| when: grep_sshd_config_macs_to_remove.stdout != "0" and grep_sshd_config_macs_already_removed == "0" | ||
|
|
||
| - lineinfile: | ||
| path: /etc/ssh/sshd_config | ||
| insertafter: EOF | ||
| line: "MACs -hmac-sha1*,umac-64*" | ||
| notify: "sshd config changed" | ||
| when: grep_sshd_config_macs_to_remove.stdout == "0" | ||
|
|
||
| # | ||
| # Enable SNMP client tools to load MIBs by default. | ||
| # | ||
|
|
||