Prettified Code!

2024-11-10 01:04:13 +00:00 · 2020-11-08 10:20:25 +00:00 · 2020-11-08 10:20:25 +00:00 · c94d973527
commit c94d973527
parent c8ada5c13c
12 changed files with 572 additions and 577 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -1,7 +1,6 @@
 ---
 name: Bug report
 about: Create a report to help us improve
-
 ---

 **Describe the bug**
@ -11,27 +10,37 @@ A clear and concise description of what the bug is.
 A clear and concise description of what you expected to happen.

 **Actual behavior**
+
 <!--- Paste verbatim command output between quotes -->
+
 ```paste below

 ```
+
 **Example Playbook**
+
 <!--- Paste an example playbook that can be used to reproduce the problem between quotes -->
+
 ```paste below

 ```

 **OS / Environment**
+
 <!--- Provide all relevant information below, e.g. target OS versions, network device firmware, etc. -->

 **Ansible Version**
+
 <!--- Paste verbatim output from "ansible --version" between quotes -->
+
 ```paste below

 ```

 **Role Version**
+
 <!--- Paste version of the role between quotes -->
+
 ```paste below

 ```
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -1,7 +1,6 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
-
 ---

 **Is your feature request related to a problem? Please describe.**
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -26,28 +26,25 @@ Please follow common commit best-practices. Be explicit, have a short summary, a

 Some great guidelines can be found [here](https://wiki.openstack.org/wiki/GitCommitMessages) and [here](http://robots.thoughtbot.com/5-useful-tips-for-a-better-commit-message).

-
 ## Expectations

 ### Don't reinvent the wheel

 This hardening project doesn't intend to reinvent the configuration stack for services. Aim to use official configuration projects first and provide hardening as a layer on top. The goal is remove the need for a user to configure all aspects of services and maintain security configuration. This way, the user can still configure a service using the interface provided by the official project.

-* For Chef refer to the official [opscode community cookbooks](http://community.opscode.com/cookbooks).
-* For Puppet head to the [Puppet Forge](https://forge.puppetlabs.com/) and take a node of the Puppet supported modules.
-* For Ansible check the [Ansible Module Index](http://docs.ansible.com/list_of_all_modules.html)
+- For Chef refer to the official [opscode community cookbooks](http://community.opscode.com/cookbooks).
+- For Puppet head to the [Puppet Forge](https://forge.puppetlabs.com/) and take a node of the Puppet supported modules.
+- For Ansible check the [Ansible Module Index](http://docs.ansible.com/list_of_all_modules.html)

 These projects are generally hosted on GitHub as well.

 In some cases, we in fact create the full rollout stack, but this is generally the exception ([os-hardening](https://github.com/TelekomLabs/chef-os-hardening), [nginx-hardening](https://github.com/TelekomLabs/chef-nginx-hardening)).

-
 ### Be explicit

-* Please avoid using nonsensical property and variable names.
-* Use self-describing attribute names for user configuration.
-* In case of failures, communicate what happened and why a failure occurs to the user. Make it easy to track the code or action that produced the error. Try to catch and handle errors if possible to provide improved failure messages.
-
+- Please avoid using nonsensical property and variable names.
+- Use self-describing attribute names for user configuration.
+- In case of failures, communicate what happened and why a failure occurs to the user. Make it easy to track the code or action that produced the error. Try to catch and handle errors if possible to provide improved failure messages.

 ### Add tests

@ -59,24 +56,22 @@ You may add a new feature request by creating a test for whatever value you need

 All tests will be reviewed internally for their validity and overall project direction.

-
 ### Document your code

-As code is more often read than written, please provide documentation in all projects. 
+As code is more often read than written, please provide documentation in all projects.

 Adhere to the respective guidelines for documentation:

-* Chef generally documents code based explicit readme files. For code documentation please use [yard-chef](https://github.com/rightscale/yard-chef)
-* [Puppet module documentation](http://docs.puppetlabs.com/puppet/latest/reference/modules_documentation.html)
-
+- Chef generally documents code based explicit readme files. For code documentation please use [yard-chef](https://github.com/rightscale/yard-chef)
+- [Puppet module documentation](http://docs.puppetlabs.com/puppet/latest/reference/modules_documentation.html)

 ### Follow coding styles

 We generally include test for coding guidelines:

-* Chef follows [Foodcritic](http://acrmp.github.io/foodcritic/)
-* Puppet is checked with [puppet-lint](http://puppet-lint.com/checks/)
-* Ansible is checked by running the playbook with the syntax-check option, e.g. `ansible-playbook foo.yml --syntax-check`
+- Chef follows [Foodcritic](http://acrmp.github.io/foodcritic/)
+- Puppet is checked with [puppet-lint](http://puppet-lint.com/checks/)
+- Ansible is checked by running the playbook with the syntax-check option, e.g. `ansible-playbook foo.yml --syntax-check`

 Remember: Code is generally read much more often than written.

--- a/README.md
+++ b/README.md
@ -9,26 +9,26 @@

 This collections provides battle tested hardening for:

-* Linux operating systems:
-  * CentOS 7/8
-  * Ubuntu 16.04/18.04/20.04
-  * Debian 9/10
-  * Arch Linux (some roles supported)
-  * Suse Tumbleweed (some roles supported)
-  * Fedora (some roles supported)
-  * Amazon Linux (some roles supported)
-* OpenSSH 5.3 and later
-* Nginx 1.0.16 or later
-* MySQL
-  * MySQL >= 5.7.31, >= 8.0.3
-  * MariaDB >= 5.5.65, >= 10.1.45, >= 10.3.17
+- Linux operating systems:
+  - CentOS 7/8
+  - Ubuntu 16.04/18.04/20.04
+  - Debian 9/10
+  - Arch Linux (some roles supported)
+  - Suse Tumbleweed (some roles supported)
+  - Fedora (some roles supported)
+  - Amazon Linux (some roles supported)
+- OpenSSH 5.3 and later
+- Nginx 1.0.16 or later
+- MySQL
+  - MySQL >= 5.7.31, >= 8.0.3
+  - MariaDB >= 5.5.65, >= 10.1.45, >= 10.3.17

 The hardening is intended to be compliant with the Inspec DevSec Baselines:

-* https://github.com/dev-sec/linux-baseline
-* https://github.com/dev-sec/ssh-baseline
-* https://github.com/dev-sec/nginx-baseline
-* https://github.com/dev-sec/mysql-baseline
+- https://github.com/dev-sec/linux-baseline
+- https://github.com/dev-sec/ssh-baseline
+- https://github.com/dev-sec/nginx-baseline
+- https://github.com/dev-sec/mysql-baseline

 ## Tested with Ansible

@ -36,15 +36,15 @@ The hardening is intended to be compliant with the Inspec DevSec Baselines:

 ## Included content

-* [os_hardening](roles/os_hardening/)
-* [ssh_hardening](roles/ssh_hardening/)
-* [mysql_hardening](roles/mysql_hardening/)
-* [nginx_hardening](roles/nginx_hardening/)
+- [os_hardening](roles/os_hardening/)
+- [ssh_hardening](roles/ssh_hardening/)
+- [mysql_hardening](roles/mysql_hardening/)
+- [nginx_hardening](roles/nginx_hardening/)

 In progress, not working:
-* [apache_hardening](roles/apache_hardening/)
-* [windows_hardening](roles/windows_hardening/)

+- [apache_hardening](roles/apache_hardening/)
+- [windows_hardening](roles/windows_hardening/)

 ## Using this collection

@ -63,8 +63,9 @@ See the [changelog](https://github.com/dev-sec/ansible-os-hardening/tree/master/
 ## Roadmap

 Todos:
-* Work on [apache_hardening](roles/apache_hardening/) and [windows_hardening](roles/windows_hardening/).
-* Add support for more operating systems,
+
+- Work on [apache_hardening](roles/apache_hardening/) and [windows_hardening](roles/windows_hardening/).
+- Add support for more operating systems,

 ## More information

--- a/roles/mysql_hardening/CHANGELOG.md
+++ b/roles/mysql_hardening/CHANGELOG.md
@ -6,7 +6,7 @@

 **Implemented enhancements:**

- Use mysql\_query module instead of temporary files [\#56](https://github.com/dev-sec/ansible-mysql-hardening/pull/56) ([szEvEz](https://github.com/szEvEz))
+- Use mysql_query module instead of temporary files [\#56](https://github.com/dev-sec/ansible-mysql-hardening/pull/56) ([szEvEz](https://github.com/szEvEz))
 - update readme to new layout for vars [\#53](https://github.com/dev-sec/ansible-mysql-hardening/pull/53) ([rndmh3ro](https://github.com/rndmh3ro))
 - add mode to copy task [\#51](https://github.com/dev-sec/ansible-mysql-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro))
 - Fix linting errors and simplivy vars-handling [\#49](https://github.com/dev-sec/ansible-mysql-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro))
@ -19,7 +19,7 @@

 **Closed issues:**

- Use mysql\_query module instead of temporary files [\#52](https://github.com/dev-sec/ansible-mysql-hardening/issues/52)
+- Use mysql_query module instead of temporary files [\#52](https://github.com/dev-sec/ansible-mysql-hardening/issues/52)
 - Add Centos 8 support for ansible-mysql-hardening [\#36](https://github.com/dev-sec/ansible-mysql-hardening/issues/36)

 **Merged pull requests:**
@ -75,7 +75,7 @@
 - Add CentOS7 with MariaDB support [\#23](https://github.com/dev-sec/ansible-mysql-hardening/issues/23)
 - Fix ansible.cfg settings [\#29](https://github.com/dev-sec/ansible-mysql-hardening/pull/29) ([fazlearefin](https://github.com/fazlearefin))
 - Add CentOS7 with MariaDB support [\#27](https://github.com/dev-sec/ansible-mysql-hardening/pull/27) ([chrispoupart](https://github.com/chrispoupart))
- - renamed 'mysql\_hardening\_mysql\_conf' var to 'mysql\_hardening\_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01))
+- - renamed 'mysql_hardening_mysql_conf' var to 'mysql_hardening_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01))

 **Fixed bugs:**

@ -111,10 +111,8 @@
 - New role layout [\#8](https://github.com/dev-sec/ansible-mysql-hardening/pull/8) ([rndmh3ro](https://github.com/rndmh3ro))
 - fix mysql restart not happening because of missing os specific variable [\#5](https://github.com/dev-sec/ansible-mysql-hardening/pull/5) ([fheinle](https://github.com/fheinle))
 - Update kitchen-ansible, remove separate debian install [\#4](https://github.com/dev-sec/ansible-mysql-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
- update common kitchen.yml platforms \(ansible\), kitchen\_debian.yml platforms \(ansible\) [\#3](https://github.com/dev-sec/ansible-mysql-hardening/pull/3) ([chris-rock](https://github.com/chris-rock))
+- update common kitchen.yml platforms \(ansible\), kitchen_debian.yml platforms \(ansible\) [\#3](https://github.com/dev-sec/ansible-mysql-hardening/pull/3) ([chris-rock](https://github.com/chris-rock))
 - Separate system-vars from editable vars. [\#2](https://github.com/dev-sec/ansible-mysql-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add documentation for testing, change value in vars [\#1](https://github.com/dev-sec/ansible-mysql-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro))

-
-
-\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
+\* _This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)_
--- a/roles/mysql_hardening/README.md
+++ b/roles/mysql_hardening/README.md
@ -8,14 +8,14 @@ This role provides security configurations for MySQL and its derivates. It is in

 It configures:

-* Permissions for the various configuration files and folders
-* Removes anonymous users, root-users without a password and test databases
-* various hardening options inside MySQL
+- Permissions for the various configuration files and folders
+- Removes anonymous users, root-users without a password and test databases
+- various hardening options inside MySQL

 ## Requirements

-* Ansible 2.9.0
-* An existing MySQL installation
+- Ansible 2.9.0
+- An existing MySQL installation

 ### Example playbook

@ -29,51 +29,51 @@ It configures:

 This role expects an existing installation of MySQL or MariaDB. Please ensure that the following variables are set accordingly:

-* `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"`
-* `mysql_hardening_user: 'mysql'` The user that mysql runs as.
-* `mysql_datadir: '/var/lib/mysql'` The MySQL data directory
-* `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed
+- `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"`
+- `mysql_hardening_user: 'mysql'` The user that mysql runs as.
+- `mysql_datadir: '/var/lib/mysql'` The MySQL data directory
+- `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed

 ## Role Variables

-* `mysql_hardening_chroot`
-  * Default: ""
-  * Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
-* `mysql_hardening_options.safe-user-create`
-  * Default: 1
-  * Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)
-* `mysql_hardening_options.secure-auth`
-  * Default: 1
-  * Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)
-* `mysql_hardening_options.skip-symbolic-links`
-  * Default: 1
-  * Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)
-* `mysql_hardening_skip_grant_tables:`
-  * Default: false
-  * Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)
-* `mysql_hardening_skip_show_database`
-  * Default: 1
-  * Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)
-* `mysql_hardening_options.local-infile`
-  * Default: 0
-  * Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
-* `mysql_hardening_options.allow-suspicious-udfs`
-  * Default: 0
-  * Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
-* `mysql_hardening_chroot.automatic-sp-privileges`
-  * Default: 0
-  * Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
-* `mysql_hardening_options.secure-file-priv`
-  * Default: /tmp
-  * Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
-* `mysql_allow_remote_root`
-  * Default: false
-  * Description: delete remote root users
-* `mysql_remove_anonymous_users`
-  * Default: true
-  * Description: remove users without authentication
-* `mysql_remove_test_database`
-  * Default: true
-  * Description: remove test database
+- `mysql_hardening_chroot`
+  - Default: ""
+  - Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
+- `mysql_hardening_options.safe-user-create`
+  - Default: 1
+  - Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)
+- `mysql_hardening_options.secure-auth`
+  - Default: 1
+  - Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)
+- `mysql_hardening_options.skip-symbolic-links`
+  - Default: 1
+  - Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)
+- `mysql_hardening_skip_grant_tables:`
+  - Default: false
+  - Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)
+- `mysql_hardening_skip_show_database`
+  - Default: 1
+  - Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)
+- `mysql_hardening_options.local-infile`
+  - Default: 0
+  - Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
+- `mysql_hardening_options.allow-suspicious-udfs`
+  - Default: 0
+  - Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
+- `mysql_hardening_chroot.automatic-sp-privileges`
+  - Default: 0
+  - Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
+- `mysql_hardening_options.secure-file-priv`
+  - Default: /tmp
+  - Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
+- `mysql_allow_remote_root`
+  - Default: false
+  - Description: delete remote root users
+- `mysql_remove_anonymous_users`
+  - Default: true
+  - Description: remove users without authentication
+- `mysql_remove_test_database`
+  - Default: true
+  - Description: remove test database

 Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)
--- a/roles/nginx_hardening/CHANGELOG.md
+++ b/roles/nginx_hardening/CHANGELOG.md
@ -24,7 +24,7 @@
 **Fixed bugs:**

 - Running kitchen verify asks for 'roots' password [\#11](https://github.com/dev-sec/ansible-nginx-hardening/issues/11)
- Fix duplicate ssl\_prefer\_server\_ciphers error [\#16](https://github.com/dev-sec/ansible-nginx-hardening/pull/16) ([oakey-b1](https://github.com/oakey-b1))
+- Fix duplicate ssl_prefer_server_ciphers error [\#16](https://github.com/dev-sec/ansible-nginx-hardening/pull/16) ([oakey-b1](https://github.com/oakey-b1))

 ## [1.0.2](https://github.com/dev-sec/ansible-nginx-hardening/tree/1.0.2) (2016-10-24)

@ -44,7 +44,7 @@

 **Fixed bugs:**

- ssl\_dhparam [\#4](https://github.com/dev-sec/ansible-nginx-hardening/issues/4)
+- ssl_dhparam [\#4](https://github.com/dev-sec/ansible-nginx-hardening/issues/4)

 **Closed issues:**

@ -60,6 +60,4 @@

 [Full Changelog](https://github.com/dev-sec/ansible-nginx-hardening/compare/1b9dcf16cfbf45ff5f50cd83509245d1527f9fd0...1.0.0)

-
-
-\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
+\* _This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)_
--- a/roles/nginx_hardening/README.md
+++ b/roles/nginx_hardening/README.md
@ -7,73 +7,74 @@
 This role provides secure nginx configuration. It is intended to be compliant with the [DevSec Nginx Baseline](https://github.com/dev-sec/nginx-baseline).

 It works with the following nginx-roles, including, but not limited to:
-* [geerlingguy.nginx](https://galaxy.ansible.com/geerlingguy/nginx/)
-* [nginxinc.nginx](https://galaxy.ansible.com/nginxinc/nginx)
-* [jdauphant.nginx](https://galaxy.ansible.com/jdauphant/nginx/)
-* [franklinkim.nginx](https://galaxy.ansible.com/franklinkim/nginx/)
+
+- [geerlingguy.nginx](https://galaxy.ansible.com/geerlingguy/nginx/)
+- [nginxinc.nginx](https://galaxy.ansible.com/nginxinc/nginx)
+- [jdauphant.nginx](https://galaxy.ansible.com/jdauphant/nginx/)
+- [franklinkim.nginx](https://galaxy.ansible.com/franklinkim/nginx/)

 **NOTE: This role does not work with nginx 1.0.15 or older! Please use the latest version from the official nginx repositories!**

 ## Requirements

-* Ansible >= 2.9
+- Ansible >= 2.9

 ## Role Variables

-* [nginx_client_body_buffer_size][]
-  * Default: `1k`
-  * Description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file.
-* nginx_remove_default_site
-  * Default: `true`
-  * Description: Disables the default site. Set to false to enable the default site in nginx.
-* [nginx_client_max_body_size][]
-  * Default: `1k`
-  * Description: Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field. If the size in a request exceeds the configured value, the 41
-3 (Request Entity Too Large) error is returned to the client.
-* [nginx_keepalive_timeout][]
-  * Default: `5 5`
-  * Description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The op
-tional second parameter sets a value in the “Keep-Alive: timeout=time” response header field.
-* [nginx_server_tokens][]
-  * Default: `off`
-  * Description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response head
-er.
-* [nginx_client_header_buffer_size][]
-  * Default: `1k`
-  * Description:  Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough.
-* [nginx_large_client_header_buffers][]
-  * Default: `2 1k`
-  * Description: Sets the maximum number and size of buffers used for reading large client request header.
-* [nginx_client_body_timeout][]
-  * Default: `10`
-  * Description: Defines a timeout for reading client request body.
-* [nginx_client_header_timeout][]
-  * Default: `10`
-  * Description: Defines a timeout for reading client request header.
-* [nginx_send_timeout][]
-  * Default: `10`
-  * Description: Sets a timeout for transmitting a response to the client.
-* [nginx_limit_conn_zone][]
-  * Default: `$binary_remote_addr zone=default:10m`
-  * Description: Sets parameters for a shared memory zone that will keep states for various keys.
-* [nginx_limit_conn][]
-  * Default: `default 5`
-  * Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value.
-* [nginx_add_header][]
-  * Default: `[ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"" ]`
-  * Description:Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
-* [nginx_ssl_protocols][]
-  * Default: `TLSv1.2`
-  * Description: Specifies the SSL protocol which should be used.
-* [nginx_ssl_ciphers][]
-  * Default: *see defaults.yml*
-  * Description: Specifies the TLS ciphers which should be used.
-* [nginx_ssl_prefer_server_ciphers][]
-  * Default: `on`
-  * Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it.
-* [nginx_dh_size][]
-  * Default: `2048`
-  * Description: Specifies the length of DH parameters for EDH ciphers.
+- [nginx_client_body_buffer_size][]
+  - Default: `1k`
+  - Description: Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file.
+- nginx_remove_default_site
+  - Default: `true`
+  - Description: Disables the default site. Set to false to enable the default site in nginx.
+- [nginx_client_max_body_size][]
+  - Default: `1k`
+  - Description: Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field. If the size in a request exceeds the configured value, the 41
+    3 (Request Entity Too Large) error is returned to the client.
+- [nginx_keepalive_timeout][]
+  - Default: `5 5`
+  - Description: The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The op
+    tional second parameter sets a value in the “Keep-Alive: timeout=time” response header field.
+- [nginx_server_tokens][]
+  - Default: `off`
+  - Description: Disables emitting nginx version in error messages and in the "Server" response header field. Set to on to enable the nginx version in error messages and "Server" response head
+    er.
+- [nginx_client_header_buffer_size][]
+  - Default: `1k`
+  - Description: Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough.
+- [nginx_large_client_header_buffers][]
+  - Default: `2 1k`
+  - Description: Sets the maximum number and size of buffers used for reading large client request header.
+- [nginx_client_body_timeout][]
+  - Default: `10`
+  - Description: Defines a timeout for reading client request body.
+- [nginx_client_header_timeout][]
+  - Default: `10`
+  - Description: Defines a timeout for reading client request header.
+- [nginx_send_timeout][]
+  - Default: `10`
+  - Description: Sets a timeout for transmitting a response to the client.
+- [nginx_limit_conn_zone][]
+  - Default: `$binary_remote_addr zone=default:10m`
+  - Description: Sets parameters for a shared memory zone that will keep states for various keys.
+- [nginx_limit_conn][]
+  - Default: `default 5`
+  - Description: Sets the shared memory zone and the maximum allowed number of connections for a given key value.
+- [nginx_add_header][]
+  - Default: `[ "X-Frame-Options SAMEORIGIN", "X-Content-Type-Options nosniff", "X-XSS-Protection \"1; mode=block\"" ]`
+  - Description:Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
+- [nginx_ssl_protocols][]
+  - Default: `TLSv1.2`
+  - Description: Specifies the SSL protocol which should be used.
+- [nginx_ssl_ciphers][]
+  - Default: _see defaults.yml_
+  - Description: Specifies the TLS ciphers which should be used.
+- [nginx_ssl_prefer_server_ciphers][]
+  - Default: `on`
+  - Description: Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to false to disable it.
+- [nginx_dh_size][]
+  - Default: `2048`
+  - Description: Specifies the length of DH parameters for EDH ciphers.

 ## Example Playbook

--- a/roles/os_hardening/CHANGELOG.md
+++ b/roles/os_hardening/CHANGELOG.md
@ -118,9 +118,9 @@
 - Remove trailing whitespaces \(ansible-lint 201\) [\#254](https://github.com/dev-sec/ansible-os-hardening/pull/254) ([kravietz](https://github.com/kravietz))
 - Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337))
 - Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337))
- Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
+- Make max_log_file_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd))
 - Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([ghost](https://github.com/ghost))
- Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
+- Fedora - Use new auto ansible_python_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina))
 - add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove))
 - Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina))
 - Add test support for debian buster [\#234](https://github.com/dev-sec/ansible-os-hardening/pull/234) ([123Haynes](https://github.com/123Haynes))
@ -130,10 +130,10 @@
 **Fixed bugs:**

 - /etc/login.defs alters centos 7/8 default values [\#265](https://github.com/dev-sec/ansible-os-hardening/issues/265)
- Invalid Conditionals in user\_accounts.yml [\#255](https://github.com/dev-sec/ansible-os-hardening/issues/255)
+- Invalid Conditionals in user_accounts.yml [\#255](https://github.com/dev-sec/ansible-os-hardening/issues/255)
 - `auth-system` related files are created for non-RHEL systems \(e.g. Debian\) [\#247](https://github.com/dev-sec/ansible-os-hardening/issues/247)
 - NSA website links are stale [\#227](https://github.com/dev-sec/ansible-os-hardening/issues/227)
- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'"  [\#223](https://github.com/dev-sec/ansible-os-hardening/issues/223)
+- Running ansible on python3 throughs "TypeError: '\<=' not supported between instances of 'str' and 'int'" [\#223](https://github.com/dev-sec/ansible-os-hardening/issues/223)
 - \[lots of\] deprecation warnings in Ansible 2.8 [\#221](https://github.com/dev-sec/ansible-os-hardening/issues/221)
 - Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148)
 - Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel))
@ -166,12 +166,12 @@
 - Add note about docker under warning [\#214](https://github.com/dev-sec/ansible-os-hardening/pull/214) ([ChrisMcKee](https://github.com/ChrisMcKee))
 - change minimize access tasks to speed them up [\#209](https://github.com/dev-sec/ansible-os-hardening/pull/209) ([rndmh3ro](https://github.com/rndmh3ro))
 - Added fedora support [\#206](https://github.com/dev-sec/ansible-os-hardening/pull/206) ([jonaswre](https://github.com/jonaswre))
- Pass package list directly to apt and yum modules without using with\_items loop [\#200](https://github.com/dev-sec/ansible-os-hardening/pull/200) ([Normo](https://github.com/Normo))
+- Pass package list directly to apt and yum modules without using with_items loop [\#200](https://github.com/dev-sec/ansible-os-hardening/pull/200) ([Normo](https://github.com/Normo))

 **Fixed bugs:**

- login.defs.j2 template: ENV\_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-os-hardening/issues/202)
- 'sysctl\_rhel\_config' is undefined [\#167](https://github.com/dev-sec/ansible-os-hardening/issues/167)
+- login.defs.j2 template: ENV_PATH is missing ':' before variable substitution [\#202](https://github.com/dev-sec/ansible-os-hardening/issues/202)
+- 'sysctl_rhel_config' is undefined [\#167](https://github.com/dev-sec/ansible-os-hardening/issues/167)
 - RHEL 7.4: Too many setuid bits removed [\#140](https://github.com/dev-sec/ansible-os-hardening/issues/140)
 - Fix typo [\#212](https://github.com/dev-sec/ansible-os-hardening/pull/212) ([ruslo](https://github.com/ruslo))
 - Update modprobe to 0644 [\#211](https://github.com/dev-sec/ansible-os-hardening/pull/211) ([joshuatalb](https://github.com/joshuatalb))
@ -193,9 +193,9 @@
 **Fixed bugs:**

 - auditd causing v5.0 to fail on unpriviledged LXC's [\#191](https://github.com/dev-sec/ansible-os-hardening/issues/191)
- Setting os\_security\_users\_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175)
- add /usr/bin/su to suid\_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic))
- ensure that permissions to su-binary are not restricted to root user and group only, if os\_security\_users\_allow contains the value change\_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz))
+- Setting os_security_users_allow has no effect [\#175](https://github.com/dev-sec/ansible-os-hardening/issues/175)
+- add /usr/bin/su to suid_guid whitelist [\#199](https://github.com/dev-sec/ansible-os-hardening/pull/199) ([ccolic](https://github.com/ccolic))
+- ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user [\#197](https://github.com/dev-sec/ansible-os-hardening/pull/197) ([szEvEz](https://github.com/szEvEz))

 ## [5.0.0](https://github.com/dev-sec/ansible-os-hardening/tree/5.0.0) (2018-09-02)

@ -205,23 +205,23 @@

 - Warning about "include" for tasks for ansible-playbook 2.4.0 \(devel f0a5854e39\) [\#131](https://github.com/dev-sec/ansible-os-hardening/issues/131)
 - fix problems with efi and vfat [\#190](https://github.com/dev-sec/ansible-os-hardening/pull/190) ([rndmh3ro](https://github.com/rndmh3ro))
- added os\_hardening\_enabled flag [\#186](https://github.com/dev-sec/ansible-os-hardening/pull/186) ([jcheroske](https://github.com/jcheroske))
+- added os_hardening_enabled flag [\#186](https://github.com/dev-sec/ansible-os-hardening/pull/186) ([jcheroske](https://github.com/jcheroske))
 - add amazon run opts to travis [\#183](https://github.com/dev-sec/ansible-os-hardening/pull/183) ([rndmh3ro](https://github.com/rndmh3ro))
 - use package instead of yum and apt [\#180](https://github.com/dev-sec/ansible-os-hardening/pull/180) ([rndmh3ro](https://github.com/rndmh3ro))
 - add oracle7 to travis [\#178](https://github.com/dev-sec/ansible-os-hardening/pull/178) ([rndmh3ro](https://github.com/rndmh3ro))
 - fix wrong permissions passwdqc \#170 [\#176](https://github.com/dev-sec/ansible-os-hardening/pull/176) ([rndmh3ro](https://github.com/rndmh3ro))
 - ipv4 forwarding comment is inconsistent with example [\#174](https://github.com/dev-sec/ansible-os-hardening/pull/174) ([carchrae](https://github.com/carchrae))
- Rename pam\_passwdqd.j2 to pam\_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-os-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault))
+- Rename pam_passwdqd.j2 to pam_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-os-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault))
 - Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-os-hardening/pull/168) ([Normo](https://github.com/Normo))
 - Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-os-hardening/pull/161) ([thomasjpfan](https://github.com/thomasjpfan))
 - add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-os-hardening/pull/158) ([woneill](https://github.com/woneill))
 - install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro))
- Remove deprecated include for static tasks and use instead import\_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-os-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos))
+- Remove deprecated include for static tasks and use instead import_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-os-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos))

 **Fixed bugs:**

- minimize\_access: maximum recursion depth exceeded on Ansible 2.5 [\#171](https://github.com/dev-sec/ansible-os-hardening/issues/171)
+- minimize_access: maximum recursion depth exceeded on Ansible 2.5 [\#171](https://github.com/dev-sec/ansible-os-hardening/issues/171)
 - wrong permissions passwdqc [\#170](https://github.com/dev-sec/ansible-os-hardening/issues/170)
 - Update deprecated `include` statements [\#166](https://github.com/dev-sec/ansible-os-hardening/issues/166)
 - Strongly recommend against disabling vfat by default [\#162](https://github.com/dev-sec/ansible-os-hardening/issues/162)
@ -254,7 +254,7 @@

 **Closed issues:**

- ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl\_rhel\_config' is undefined [\#147](https://github.com/dev-sec/ansible-os-hardening/issues/147)
+- ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined [\#147](https://github.com/dev-sec/ansible-os-hardening/issues/147)
 - Enhancement: Test with TestInfra and Molecule [\#128](https://github.com/dev-sec/ansible-os-hardening/issues/128)

 **Merged pull requests:**
@ -267,7 +267,7 @@

 **Fixed bugs:**

- os\_security\_kernel\_enable\_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-os-hardening/issues/115)
+- os_security_kernel_enable_sysrq is not implemented [\#115](https://github.com/dev-sec/ansible-os-hardening/issues/115)

 ## [4.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/4.2.0) (2017-08-08)

@ -302,7 +302,7 @@
 - Change system accounts not on the user provided ignore-list items are not JSON serializable [\#125](https://github.com/dev-sec/ansible-os-hardening/issues/125)
 - Could not find gem 'ruby \(\>= 2.1.0\)' [\#116](https://github.com/dev-sec/ansible-os-hardening/issues/116)
 - The task sysctl fails when /etc/initramfs-tools is not present [\#111](https://github.com/dev-sec/ansible-os-hardening/issues/111)
- Deprecation warning always\_run [\#103](https://github.com/dev-sec/ansible-os-hardening/issues/103)
+- Deprecation warning always_run [\#103](https://github.com/dev-sec/ansible-os-hardening/issues/103)

 **Closed issues:**

@ -348,15 +348,15 @@

 - CentOS 7 selinux dependencies [\#102](https://github.com/dev-sec/ansible-os-hardening/issues/102)
 - ubuntu xenial warning during activate gpg-check for yum-repos [\#99](https://github.com/dev-sec/ansible-os-hardening/issues/99)
- rhel\_system\_auth.j2 is still using pam\_passwdqc.so for CentOS 7 [\#98](https://github.com/dev-sec/ansible-os-hardening/issues/98)
- Enable pam\_pwquality in rhel-family \> 7 [\#73](https://github.com/dev-sec/ansible-os-hardening/issues/73)
+- rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 [\#98](https://github.com/dev-sec/ansible-os-hardening/issues/98)
+- Enable pam_pwquality in rhel-family \> 7 [\#73](https://github.com/dev-sec/ansible-os-hardening/issues/73)
 - "irc" user always changed after reboot [\#53](https://github.com/dev-sec/ansible-os-hardening/issues/53)

 **Merged pull requests:**

 - update template [\#101](https://github.com/dev-sec/ansible-os-hardening/pull/101) ([rndmh3ro](https://github.com/rndmh3ro))
 - fix deprecation warning for undefined error. \#99 [\#100](https://github.com/dev-sec/ansible-os-hardening/pull/100) ([rndmh3ro](https://github.com/rndmh3ro))
- add rhel7 pam\_pwquality. fix \#73 [\#94](https://github.com/dev-sec/ansible-os-hardening/pull/94) ([rndmh3ro](https://github.com/rndmh3ro))
+- add rhel7 pam_pwquality. fix \#73 [\#94](https://github.com/dev-sec/ansible-os-hardening/pull/94) ([rndmh3ro](https://github.com/rndmh3ro))

 ## [3.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/3.1.0) (2016-08-03)

@ -373,18 +373,18 @@
 - Docker [\#90](https://github.com/dev-sec/ansible-os-hardening/pull/90) ([rndmh3ro](https://github.com/rndmh3ro))
 - debian 8 support [\#88](https://github.com/dev-sec/ansible-os-hardening/pull/88) ([rndmh3ro](https://github.com/rndmh3ro))
 - Ufw manage defaults [\#85](https://github.com/dev-sec/ansible-os-hardening/pull/85) ([fitz123](https://github.com/fitz123))
- replace ignore\_errors to failed\_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) ([fitz123](https://github.com/fitz123))
+- replace ignore_errors to failed_when to supress ugly error warnings [\#81](https://github.com/dev-sec/ansible-os-hardening/pull/81) ([fitz123](https://github.com/fitz123))
 - fix bare variables usage for loops [\#79](https://github.com/dev-sec/ansible-os-hardening/pull/79) ([fitz123](https://github.com/fitz123))

 **Fixed bugs:**

- Centos 7.1 fails at  \[Change various sysctl-settings on rhel-hosts...\] [\#74](https://github.com/dev-sec/ansible-os-hardening/issues/74)
+- Centos 7.1 fails at \[Change various sysctl-settings on rhel-hosts...\] [\#74](https://github.com/dev-sec/ansible-os-hardening/issues/74)
 - Hardening fails on Centos 7.1 at task 'minimize access' [\#71](https://github.com/dev-sec/ansible-os-hardening/issues/71)

 **Closed issues:**

 - Permissions on /etc/shadow can lock out GUI users [\#86](https://github.com/dev-sec/ansible-os-hardening/issues/86)
- network related sysctl rewritten by ufw in ubuntu  [\#82](https://github.com/dev-sec/ansible-os-hardening/issues/82)
+- network related sysctl rewritten by ufw in ubuntu [\#82](https://github.com/dev-sec/ansible-os-hardening/issues/82)
 - ansible \>= 2.0 complains: Using bare variables is deprecated [\#78](https://github.com/dev-sec/ansible-os-hardening/issues/78)

 **Merged pull requests:**
@ -401,7 +401,7 @@
 - update platforms in meta-file [\#69](https://github.com/dev-sec/ansible-os-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro))
 - add webhook for ansible galaxy [\#68](https://github.com/dev-sec/ansible-os-hardening/pull/68) ([rndmh3ro](https://github.com/rndmh3ro))
 - Move sysctl vars to defaults [\#67](https://github.com/dev-sec/ansible-os-hardening/pull/67) ([rndmh3ro](https://github.com/rndmh3ro))
- make sys\_uid and sys\_gid configurable [\#62](https://github.com/dev-sec/ansible-os-hardening/pull/62) ([rndmh3ro](https://github.com/rndmh3ro))
+- make sys_uid and sys_gid configurable [\#62](https://github.com/dev-sec/ansible-os-hardening/pull/62) ([rndmh3ro](https://github.com/rndmh3ro))
 - Ansible 2.0 support [\#59](https://github.com/dev-sec/ansible-os-hardening/pull/59) ([rndmh3ro](https://github.com/rndmh3ro))
 - use inspec as test framework [\#58](https://github.com/dev-sec/ansible-os-hardening/pull/58) ([chris-rock](https://github.com/chris-rock))
 - Packages as attributes [\#57](https://github.com/dev-sec/ansible-os-hardening/pull/57) ([rndmh3ro](https://github.com/rndmh3ro))
@ -449,7 +449,7 @@

 **Closed issues:**

- ansible-os-hardening/tasks/minimize\_access.yml [\#38](https://github.com/dev-sec/ansible-os-hardening/issues/38)
+- ansible-os-hardening/tasks/minimize_access.yml [\#38](https://github.com/dev-sec/ansible-os-hardening/issues/38)
 - Role configuration. vars/main.yml? [\#34](https://github.com/dev-sec/ansible-os-hardening/issues/34)
 - Sysctl reloading [\#18](https://github.com/dev-sec/ansible-os-hardening/issues/18)
 - Add conditions for disabling of ip forwarding [\#15](https://github.com/dev-sec/ansible-os-hardening/issues/15)
@ -459,19 +459,19 @@

 - Update kitchen-ansible, remove separate debian install [\#40](https://github.com/dev-sec/ansible-os-hardening/pull/40) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add mode to su-binary task. Fix \#38 [\#39](https://github.com/dev-sec/ansible-os-hardening/pull/39) ([rndmh3ro](https://github.com/rndmh3ro))
- update common kitchen.yml platforms \(ansible\), kitchen\_debian.yml platforms \(ansible\) [\#37](https://github.com/dev-sec/ansible-os-hardening/pull/37) ([chris-rock](https://github.com/chris-rock))
+- update common kitchen.yml platforms \(ansible\), kitchen_debian.yml platforms \(ansible\) [\#37](https://github.com/dev-sec/ansible-os-hardening/pull/37) ([chris-rock](https://github.com/chris-rock))
 - Change oneliner if-statements to be more readable [\#36](https://github.com/dev-sec/ansible-os-hardening/pull/36) ([rndmh3ro](https://github.com/rndmh3ro))
 - Separate system-vars from editable vars. Fix \#34 [\#35](https://github.com/dev-sec/ansible-os-hardening/pull/35) ([rndmh3ro](https://github.com/rndmh3ro))
 - Create limits.d-directory if it does not exist. [\#33](https://github.com/dev-sec/ansible-os-hardening/pull/33) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add correct CONTRIB-file [\#32](https://github.com/dev-sec/ansible-os-hardening/pull/32) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add Ansible Galaxy badge [\#31](https://github.com/dev-sec/ansible-os-hardening/pull/31) ([rndmh3ro](https://github.com/rndmh3ro))
-  Update readme, todo, changelog, vars [\#30](https://github.com/dev-sec/ansible-os-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro))
+- Update readme, todo, changelog, vars [\#30](https://github.com/dev-sec/ansible-os-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro))
 - List-cleanup and follow symlinks added [\#29](https://github.com/dev-sec/ansible-os-hardening/pull/29) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add module configuration [\#28](https://github.com/dev-sec/ansible-os-hardening/pull/28) ([rndmh3ro](https://github.com/rndmh3ro))
 - Fix two sysctl-settings [\#27](https://github.com/dev-sec/ansible-os-hardening/pull/27) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add meta-files for Ansible Galaxy [\#26](https://github.com/dev-sec/ansible-os-hardening/pull/26) ([rndmh3ro](https://github.com/rndmh3ro))
 - Disable System Accounts. Fix \#6 [\#25](https://github.com/dev-sec/ansible-os-hardening/pull/25) ([rndmh3ro](https://github.com/rndmh3ro))
- Use changed\_when to avoid changed tasks [\#24](https://github.com/dev-sec/ansible-os-hardening/pull/24) ([rndmh3ro](https://github.com/rndmh3ro))
+- Use changed_when to avoid changed tasks [\#24](https://github.com/dev-sec/ansible-os-hardening/pull/24) ([rndmh3ro](https://github.com/rndmh3ro))
 - Delete authconfig-task on rhel-systems [\#23](https://github.com/dev-sec/ansible-os-hardening/pull/23) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add missing rhosts-include task [\#21](https://github.com/dev-sec/ansible-os-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro))
 - Change sysctl-task. Fix \#18 [\#20](https://github.com/dev-sec/ansible-os-hardening/pull/20) ([rndmh3ro](https://github.com/rndmh3ro))
@ -491,6 +491,4 @@
 - Add Securetty-support [\#2](https://github.com/dev-sec/ansible-os-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add profile.conf configuration [\#1](https://github.com/dev-sec/ansible-os-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro))

-
-
-\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
+\* _This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)_
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@ -2,7 +2,6 @@

 ![devsec.os_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening/badge.svg)

-
 ## Looking for the old ansible-os-hardening role?

 This role is now part of the hardening-collection. You can find the old role in the branch `legacy`.
@ -13,30 +12,30 @@ This role provides numerous security-related configurations, providing all-round

 It configures:

-* Remove unused yum repositories and enable GPG key-checking
-* Remove packages with known issues
-* Configures pam for strong password checks
-* Installs and configures auditd
-* Disable core dumps via soft limits
-* sets a restrictive umask
-* Configures execute permissions of files in system paths
-* Hardens access to shadow and passwd files
-* Disables unused filesystems
-* Disables rhosts
-* Configures secure ttys
-* Configures kernel parameters via sysctl
-* Enables selinux on EL-based systems
-* Remove SUIDs and GUIDs
-* Configures login and passwords of system accounts
+- Remove unused yum repositories and enable GPG key-checking
+- Remove packages with known issues
+- Configures pam for strong password checks
+- Installs and configures auditd
+- Disable core dumps via soft limits
+- sets a restrictive umask
+- Configures execute permissions of files in system paths
+- Hardens access to shadow and passwd files
+- Disables unused filesystems
+- Disables rhosts
+- Configures secure ttys
+- Configures kernel parameters via sysctl
+- Enables selinux on EL-based systems
+- Remove SUIDs and GUIDs
+- Configures login and passwords of system accounts

 It will not:

-* Update system packages
-* Install security patches
+- Update system packages
+- Install security patches

 ## Requirements

-* Ansible 2.9.0
+- Ansible 2.9.0

 ## Known Limitations

@ -76,126 +75,125 @@ We are setting this sysctl to a default of `32`, some systems only support small
 If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable.
 Otherwise inspec will fail. For more information, see [issue #124](https://github.com/dev-sec/ansible-os-hardening/issues/124).

-
 We know that this is the case on Raspberry Pi.

 ## Variables

-* `os_desktop_enable`
-  * Default: `false`
-  * Description:  true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc
-* `os_env_extra_user_paths`
-  * Default: `[]`
-  * Description: add additional paths to the user's `PATH` variable (default is empty).
-* `os_env_umask`
-  * Default: `027`
-  * Description: set default permissions for new files to `750`
-* `os_auth_pw_max_age`
-  * Default: `60`
-  * Description: maximum password age (set to `99999` to effectively disable it)
-* `os_auth_pw_min_age`
-  * Default: `7`
-  * Description: minimum password age (before allowing any other password change)
-* `os_auth_retries`
-  * Default: `5`
-  * Description: the maximum number of authentication attempts, before the account is locked for some time
-* `os_auth_lockout_time`
-  * Default: `600`
-  * Description: time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts
-* `os_auth_timeout`
-  * Default: `60`
-  * Description: authentication timeout in seconds, so login will exit if this time passes
-* `os_auth_allow_homeless`
-  * Default: `false`
-  * Description: true if to allow users without home to login
-* `os_auth_pam_passwdqc_enable`
-  * Default: `true`
-  * Description: true if you want to use strong password checking in PAM using passwdqc
-* `os_auth_pam_passwdqc_options`
-  * Default: `min=disabled,disabled,16,12,8`
-  * Description: set to any option line (as a string) that you want to pass to passwdqc
-* `os_security_users_allow`
-  * Default: `[]`
-  * Description: list of things, that a user is allowed to do. May contain `change_user`.
-* `os_security_kernel_enable_module_loading`
-  * Default: `true`
-  * Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)
-* `os_security_kernel_enable_core_dump`
-  * Default: `false`
-  * Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created
-* `os_security_suid_sgid_enforce`
-  * Default: `true`
-  * Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own
-* `os_security_suid_sgid_blacklist`
-  * Default: `[]`
-  * Description: a list of paths which should have their SUID/SGID bits removed
-* `os_security_suid_sgid_whitelist`
-  * Default: `[]`
-  * Description: a list of paths which should not have their SUID/SGID bits altered
-* `os_security_suid_sgid_remove_from_unknown`
-  * Default: `false`
-  * Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
-* `os_security_packages_clean`
-  * Default: `true`
-  * Description: removes packages with known issues. See section packages.
-* `os_selinux_state`
-  * Default: `enforcing`
-  * Description: Set the SELinux state, can be either disabled, permissive, or enforcing.
-* `os_selinux_policy`
-  * Default: `targeted`
-  * Description: Set the SELinux polixy.
-* `ufw_manage_defaults`
-  * Default: `true`
-  * Description: true means apply all settings with `ufw_` prefix
-* `ufw_ipt_sysctl`
-  * Default: `''`
-  * Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
-* `ufw_default_input_policy`
-  * Default: `DROP`
-  * Description: set default input policy of ufw to `DROP`
-* `ufw_default_output_policy`
-  * Default: `ACCEPT`
-  * Description: set default output policy of ufw to `ACCEPT`
-* `ufw_default_forward_policy`
-  * Default: `DROP`
-  * Description: set default forward policy of ufw to `DROP`
-* `os_auditd_enabled`
-  * Default: `true`
-  * Description: Set to false to disable installing and configuring auditd.
-* `os_auditd_max_log_file_action`
-  * Default: `keep_logs`
-  * Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
-* `hidepid_option`
-  * Default: `2`
-  * Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.
-* `proc_mnt_options`
-  * Default: `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}`
-  * Description: Mount proc with hardenized options, including `hidepid` with variable value.
+- `os_desktop_enable`
+  - Default: `false`
+  - Description: true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc
+- `os_env_extra_user_paths`
+  - Default: `[]`
+  - Description: add additional paths to the user's `PATH` variable (default is empty).
+- `os_env_umask`
+  - Default: `027`
+  - Description: set default permissions for new files to `750`
+- `os_auth_pw_max_age`
+  - Default: `60`
+  - Description: maximum password age (set to `99999` to effectively disable it)
+- `os_auth_pw_min_age`
+  - Default: `7`
+  - Description: minimum password age (before allowing any other password change)
+- `os_auth_retries`
+  - Default: `5`
+  - Description: the maximum number of authentication attempts, before the account is locked for some time
+- `os_auth_lockout_time`
+  - Default: `600`
+  - Description: time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts
+- `os_auth_timeout`
+  - Default: `60`
+  - Description: authentication timeout in seconds, so login will exit if this time passes
+- `os_auth_allow_homeless`
+  - Default: `false`
+  - Description: true if to allow users without home to login
+- `os_auth_pam_passwdqc_enable`
+  - Default: `true`
+  - Description: true if you want to use strong password checking in PAM using passwdqc
+- `os_auth_pam_passwdqc_options`
+  - Default: `min=disabled,disabled,16,12,8`
+  - Description: set to any option line (as a string) that you want to pass to passwdqc
+- `os_security_users_allow`
+  - Default: `[]`
+  - Description: list of things, that a user is allowed to do. May contain `change_user`.
+- `os_security_kernel_enable_module_loading`
+  - Default: `true`
+  - Description: true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)
+- `os_security_kernel_enable_core_dump`
+  - Default: `false`
+  - Description: kernel is crashing or otherwise misbehaving and a kernel core dump is created
+- `os_security_suid_sgid_enforce`
+  - Default: `true`
+  - Description: true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own
+- `os_security_suid_sgid_blacklist`
+  - Default: `[]`
+  - Description: a list of paths which should have their SUID/SGID bits removed
+- `os_security_suid_sgid_whitelist`
+  - Default: `[]`
+  - Description: a list of paths which should not have their SUID/SGID bits altered
+- `os_security_suid_sgid_remove_from_unknown`
+  - Default: `false`
+  - Description: true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
+- `os_security_packages_clean`
+  - Default: `true`
+  - Description: removes packages with known issues. See section packages.
+- `os_selinux_state`
+  - Default: `enforcing`
+  - Description: Set the SELinux state, can be either disabled, permissive, or enforcing.
+- `os_selinux_policy`
+  - Default: `targeted`
+  - Description: Set the SELinux polixy.
+- `ufw_manage_defaults`
+  - Default: `true`
+  - Description: true means apply all settings with `ufw_` prefix
+- `ufw_ipt_sysctl`
+  - Default: `''`
+  - Description: by default it disables IPT_SYSCTL in /etc/default/ufw. If you want to overwrite /etc/sysctl.conf values using ufw - set it to your sysctl dictionary, for example `/etc/ufw/sysctl.conf`
+- `ufw_default_input_policy`
+  - Default: `DROP`
+  - Description: set default input policy of ufw to `DROP`
+- `ufw_default_output_policy`
+  - Default: `ACCEPT`
+  - Description: set default output policy of ufw to `ACCEPT`
+- `ufw_default_forward_policy`
+  - Default: `DROP`
+  - Description: set default forward policy of ufw to `DROP`
+- `os_auditd_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring auditd.
+- `os_auditd_max_log_file_action`
+  - Default: `keep_logs`
+  - Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
+- `hidepid_option`
+  - Default: `2`
+  - Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.
+- `proc_mnt_options`
+  - Default: `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}`
+  - Description: Mount proc with hardenized options, including `hidepid` with variable value.

 ## Packages

 We remove the following packages:

- * xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
- * inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
- * tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5)
- * ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4)
- * telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2)
- * rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3)
- * prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))
+- xinetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
+- inetd ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.1)
+- tftp-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.5)
+- ypserv ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.4)
+- telnet-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.2)
+- rsh-server ([NSA](https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/operating-systems/guide-to-the-secure-configuration-of-red-hat-enterprise.cfm), Chapter 3.2.3)
+- prelink ([open-scap](https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_rule_disable_prelink))

 ## Disabled filesystems

 We disable the following filesystems, because they're most likely not used:

- * "cramfs"
- * "freevxfs"
- * "jffs2"
- * "hfs"
- * "hfsplus"
- * "squashfs"
- * "udf"
- * "vfat" # only if uefi is not in use
+- "cramfs"
+- "freevxfs"
+- "jffs2"
+- "hfs"
+- "hfsplus"
+- "squashfs"
+- "udf"
+- "vfat" # only if uefi is not in use

 To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.

@ -238,7 +236,7 @@ For more information, please see this [upstream documentation](https://www.kerne

 This role is mostly based on guides by:

-* [Arch Linux wiki, Sysctl hardening](https://wiki.archlinux.org/index.php/Sysctl)
-* [NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf)
-* [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
-* [Deutsche Telekom, Group IT Security, Security Requirements (German)](https://www.telekom.com/psa)
+- [Arch Linux wiki, Sysctl hardening](https://wiki.archlinux.org/index.php/Sysctl)
+- [NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf)
+- [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
+- [Deutsche Telekom, Group IT Security, Security Requirements (German)](https://www.telekom.com/psa)
--- a/roles/ssh_hardening/CHANGELOG.md
+++ b/roles/ssh_hardening/CHANGELOG.md
@ -41,7 +41,7 @@
 **Fixed bugs:**

 - fix local kitchen tests [\#318](https://github.com/dev-sec/ansible-ssh-hardening/pull/318) ([schurzi](https://github.com/schurzi))
- fix sftp\_umask; store as literal not octal [\#317](https://github.com/dev-sec/ansible-ssh-hardening/pull/317) ([aqw](https://github.com/aqw))
+- fix sftp_umask; store as literal not octal [\#317](https://github.com/dev-sec/ansible-ssh-hardening/pull/317) ([aqw](https://github.com/aqw))

 **Closed issues:**

@ -53,12 +53,12 @@

 **Implemented enhancements:**

- add ssh\_banner\_path variable [\#316](https://github.com/dev-sec/ansible-ssh-hardening/pull/316) ([liteua](https://github.com/liteua))
- rework CRYPTO\_POLICY handling for fedora [\#314](https://github.com/dev-sec/ansible-ssh-hardening/pull/314) ([schurzi](https://github.com/schurzi))
+- add ssh_banner_path variable [\#316](https://github.com/dev-sec/ansible-ssh-hardening/pull/316) ([liteua](https://github.com/liteua))
+- rework CRYPTO_POLICY handling for fedora [\#314](https://github.com/dev-sec/ansible-ssh-hardening/pull/314) ([schurzi](https://github.com/schurzi))

 **Fixed bugs:**

- network\_ipv6\_enable: true not working [\#311](https://github.com/dev-sec/ansible-ssh-hardening/issues/311)
+- network_ipv6_enable: true not working [\#311](https://github.com/dev-sec/ansible-ssh-hardening/issues/311)

 **Closed issues:**

@ -107,7 +107,7 @@
 **Closed issues:**

 - Typo in hardening.yml [\#303](https://github.com/dev-sec/ansible-ssh-hardening/issues/303)
- Task create sshd\_config and set permissions fails [\#302](https://github.com/dev-sec/ansible-ssh-hardening/issues/302)
+- Task create sshd_config and set permissions fails [\#302](https://github.com/dev-sec/ansible-ssh-hardening/issues/302)

 ## [9.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.2.0) (2020-06-25)

@ -115,7 +115,7 @@

 **Implemented enhancements:**

- Add RHEL 8 Support  [\#261](https://github.com/dev-sec/ansible-ssh-hardening/issues/261)
+- Add RHEL 8 Support [\#261](https://github.com/dev-sec/ansible-ssh-hardening/issues/261)
 - Add option to create 'LocalPort' match blocks [\#295](https://github.com/dev-sec/ansible-ssh-hardening/pull/295) ([aisbergg](https://github.com/aisbergg))
 - Add archlinux support [\#291](https://github.com/dev-sec/ansible-ssh-hardening/pull/291) ([djesionek](https://github.com/djesionek))
 - Harmonize style [\#290](https://github.com/dev-sec/ansible-ssh-hardening/pull/290) ([aisbergg](https://github.com/aisbergg))
@ -172,7 +172,7 @@
 - Add changelog action [\#280](https://github.com/dev-sec/ansible-ssh-hardening/pull/280) ([rndmh3ro](https://github.com/rndmh3ro))
 - fix: Amazon linux build [\#279](https://github.com/dev-sec/ansible-ssh-hardening/pull/279) ([kostasns](https://github.com/kostasns))
 - feat: Allow to set custom list of HostKeyAlgorithms [\#278](https://github.com/dev-sec/ansible-ssh-hardening/pull/278) ([kostasns](https://github.com/kostasns))
- fix\(ansible\_facts\): replace few remaining facts from 'ansible\_' to using 'ansible\_facts' dictionary [\#277](https://github.com/dev-sec/ansible-ssh-hardening/pull/277) ([kostasns](https://github.com/kostasns))
+- fix\(ansible_facts\): replace few remaining facts from 'ansible\_' to using 'ansible_facts' dictionary [\#277](https://github.com/dev-sec/ansible-ssh-hardening/pull/277) ([kostasns](https://github.com/kostasns))

 ## [8.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/8.0.0) (2020-04-21)

@ -198,7 +198,7 @@
 - fix broken packages, extend README with furhter development instructions [\#246](https://github.com/dev-sec/ansible-ssh-hardening/pull/246) ([szEvEz](https://github.com/szEvEz))
 - refactor authenticationmethod settings, allow user to set authenticat… [\#245](https://github.com/dev-sec/ansible-ssh-hardening/pull/245) ([szEvEz](https://github.com/szEvEz))
 - RHEL/OL/CentOS 8 support [\#242](https://github.com/dev-sec/ansible-ssh-hardening/pull/242) ([Furragen](https://github.com/Furragen))
- Added ssh\_syslog\_facility, ssh\_log\_level and ssh\_strict\_modes parameters [\#240](https://github.com/dev-sec/ansible-ssh-hardening/pull/240) ([bschonec](https://github.com/bschonec))
+- Added ssh_syslog_facility, ssh_log_level and ssh_strict_modes parameters [\#240](https://github.com/dev-sec/ansible-ssh-hardening/pull/240) ([bschonec](https://github.com/bschonec))

 **Fixed bugs:**

@ -215,7 +215,7 @@

 **Implemented enhancements:**

- Add new option ssh\_server\_match\_address [\#230](https://github.com/dev-sec/ansible-ssh-hardening/issues/230)
+- Add new option ssh_server_match_address [\#230](https://github.com/dev-sec/ansible-ssh-hardening/issues/230)
 - set UsePAM to yes by default [\#233](https://github.com/dev-sec/ansible-ssh-hardening/pull/233) ([rndmh3ro](https://github.com/rndmh3ro))

 **Fixed bugs:**
@ -244,7 +244,7 @@

 **Implemented enhancements:**

- Fix squash\_actions deprecation in test playbooks [\#228](https://github.com/dev-sec/ansible-ssh-hardening/pull/228) ([Normo](https://github.com/Normo))
+- Fix squash_actions deprecation in test playbooks [\#228](https://github.com/dev-sec/ansible-ssh-hardening/pull/228) ([Normo](https://github.com/Normo))
 - Fix deprecation warnings in Ansible 2.8 [\#227](https://github.com/dev-sec/ansible-ssh-hardening/pull/227) ([Normo](https://github.com/Normo))
 - Make ansible-lint happy [\#204](https://github.com/dev-sec/ansible-ssh-hardening/pull/204) ([alexclear](https://github.com/alexclear))

@ -258,11 +258,11 @@

 **Fixed bugs:**

- sshd\_custom\_options used in ssh\_config generation [\#224](https://github.com/dev-sec/ansible-ssh-hardening/issues/224)
+- sshd_custom_options used in ssh_config generation [\#224](https://github.com/dev-sec/ansible-ssh-hardening/issues/224)

 **Merged pull requests:**

- use correct variable ssh\_custom\_options in ssh\_config template [\#225](https://github.com/dev-sec/ansible-ssh-hardening/pull/225) ([rndmh3ro](https://github.com/rndmh3ro))
+- use correct variable ssh_custom_options in ssh_config template [\#225](https://github.com/dev-sec/ansible-ssh-hardening/pull/225) ([rndmh3ro](https://github.com/rndmh3ro))

 ## [6.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/6.1.1) (2019-05-07)

@ -304,7 +304,7 @@
 **Implemented enhancements:**

 - Ubuntu 18.04 support [\#182](https://github.com/dev-sec/ansible-ssh-hardening/issues/182)
- Removed DEPRECATION WARNING for apt, using list instead of with\_items [\#201](https://github.com/dev-sec/ansible-ssh-hardening/pull/201) ([jonaswre](https://github.com/jonaswre))
+- Removed DEPRECATION WARNING for apt, using list instead of with_items [\#201](https://github.com/dev-sec/ansible-ssh-hardening/pull/201) ([jonaswre](https://github.com/jonaswre))
 - Update opensshd.conf.js [\#196](https://github.com/dev-sec/ansible-ssh-hardening/pull/196) ([ikr0m](https://github.com/ikr0m))

 **Fixed bugs:**
@ -323,7 +323,7 @@

 - Support for custom configuration [\#199](https://github.com/dev-sec/ansible-ssh-hardening/pull/199) ([MatthiasLohr](https://github.com/MatthiasLohr))
 - parameterize PermitRootLogin [\#195](https://github.com/dev-sec/ansible-ssh-hardening/pull/195) ([rndmh3ro](https://github.com/rndmh3ro))
- set 'GSSAPIAuthentication yes' if variable 'ssh\_gssapi\_support' is set to 'true' [\#194](https://github.com/dev-sec/ansible-ssh-hardening/pull/194) ([szEvEz](https://github.com/szEvEz))
+- set 'GSSAPIAuthentication yes' if variable 'ssh_gssapi_support' is set to 'true' [\#194](https://github.com/dev-sec/ansible-ssh-hardening/pull/194) ([szEvEz](https://github.com/szEvEz))
 - Use ansible version compare module [\#187](https://github.com/dev-sec/ansible-ssh-hardening/pull/187) ([BentoumiTech](https://github.com/BentoumiTech))
 - add ubuntu 18.04 support [\#186](https://github.com/dev-sec/ansible-ssh-hardening/pull/186) ([rndmh3ro](https://github.com/rndmh3ro))

@ -335,7 +335,7 @@

 - Fixing the broken Ansible dependency mechanism [\#176](https://github.com/dev-sec/ansible-ssh-hardening/issues/176)
 - Include new baseline-tests [\#161](https://github.com/dev-sec/ansible-ssh-hardening/issues/161)
- GlobalKnownHostsFile missing from ssh\_config [\#155](https://github.com/dev-sec/ansible-ssh-hardening/issues/155)
+- GlobalKnownHostsFile missing from ssh_config [\#155](https://github.com/dev-sec/ansible-ssh-hardening/issues/155)
 - Options not compatible with OpenSSH server 7.6 [\#151](https://github.com/dev-sec/ansible-ssh-hardening/issues/151)
 - Kitchen travis [\#180](https://github.com/dev-sec/ansible-ssh-hardening/pull/180) ([rndmh3ro](https://github.com/rndmh3ro))
 - update config of kex, macs, ciphers [\#179](https://github.com/dev-sec/ansible-ssh-hardening/pull/179) ([rndmh3ro](https://github.com/rndmh3ro))
@ -351,7 +351,7 @@
 - Adds sshd config for keyboard-interactive pam device [\#156](https://github.com/dev-sec/ansible-ssh-hardening/pull/156) ([rcII](https://github.com/rcII))
 - Use package state 'present' since 'installed' is deprecated [\#154](https://github.com/dev-sec/ansible-ssh-hardening/pull/154) ([Normo](https://github.com/Normo))
 - conform to current dev-sec/ssh-baseline [\#150](https://github.com/dev-sec/ansible-ssh-hardening/pull/150) ([alval5280](https://github.com/alval5280))
- new parameter: ssh\_max\_startups [\#149](https://github.com/dev-sec/ansible-ssh-hardening/pull/149) ([aeschbacher](https://github.com/aeschbacher))
+- new parameter: ssh_max_startups [\#149](https://github.com/dev-sec/ansible-ssh-hardening/pull/149) ([aeschbacher](https://github.com/aeschbacher))
 - Update syntax to 2.4 [\#148](https://github.com/dev-sec/ansible-ssh-hardening/pull/148) ([thomasjpfan](https://github.com/thomasjpfan))
 - Amazonlinux-Testing [\#147](https://github.com/dev-sec/ansible-ssh-hardening/pull/147) ([rndmh3ro](https://github.com/rndmh3ro))
 - Fixed trailing whitespace [\#146](https://github.com/dev-sec/ansible-ssh-hardening/pull/146) ([zbrojny120](https://github.com/zbrojny120))
@ -359,9 +359,9 @@

 **Fixed bugs:**

- ssh\_server\_weak\_kex variable is not used any where  [\#167](https://github.com/dev-sec/ansible-ssh-hardening/issues/167)
+- ssh_server_weak_kex variable is not used any where [\#167](https://github.com/dev-sec/ansible-ssh-hardening/issues/167)
 - opensshd.conf.j2 template type error [\#159](https://github.com/dev-sec/ansible-ssh-hardening/issues/159)
-  line 56: Bad SSH2 mac spec [\#135](https://github.com/dev-sec/ansible-ssh-hardening/issues/135)
+- line 56: Bad SSH2 mac spec [\#135](https://github.com/dev-sec/ansible-ssh-hardening/issues/135)

 **Closed issues:**

@ -378,7 +378,7 @@
 **Implemented enhancements:**

 - Changes in selinux section to avoid confusion and some inconsistencies [\#127](https://github.com/dev-sec/ansible-ssh-hardening/issues/127)
- Issue \#137: Fix sshd\_config's "Match Group sftponly" [\#138](https://github.com/dev-sec/ansible-ssh-hardening/pull/138) ([kekumu](https://github.com/kekumu))
+- Issue \#137: Fix sshd_config's "Match Group sftponly" [\#138](https://github.com/dev-sec/ansible-ssh-hardening/pull/138) ([kekumu](https://github.com/kekumu))
 - allow configuration of GatewayPorts [\#136](https://github.com/dev-sec/ansible-ssh-hardening/pull/136) ([pwyliu](https://github.com/pwyliu))
 - Added support for AuthorizedKeysFile config setting [\#132](https://github.com/dev-sec/ansible-ssh-hardening/pull/132) ([hyrsky](https://github.com/hyrsky))
 - corrected comments explaining the task's behaviour [\#131](https://github.com/dev-sec/ansible-ssh-hardening/pull/131) ([martinbydefault](https://github.com/martinbydefault))
@ -386,13 +386,13 @@

 **Fixed bugs:**

- ssh\_use\_dns used twice in defaults/main.yml [\#129](https://github.com/dev-sec/ansible-ssh-hardening/issues/129)
+- ssh_use_dns used twice in defaults/main.yml [\#129](https://github.com/dev-sec/ansible-ssh-hardening/issues/129)

 **Closed issues:**

 - coreos support? [\#142](https://github.com/dev-sec/ansible-ssh-hardening/issues/142)
 - UseLogin is deprecated on CentOS 7 [\#140](https://github.com/dev-sec/ansible-ssh-hardening/issues/140)
- sftp Match Group settings overriding global sshd\_config settings [\#137](https://github.com/dev-sec/ansible-ssh-hardening/issues/137)
+- sftp Match Group settings overriding global sshd_config settings [\#137](https://github.com/dev-sec/ansible-ssh-hardening/issues/137)
 - get openssh-version fails on FreeBSD \(with ansible 2.4.0.0\) [\#133](https://github.com/dev-sec/ansible-ssh-hardening/issues/133)

 **Merged pull requests:**
@ -407,7 +407,7 @@

 **Implemented enhancements:**

- Remove duplicate ssh\_use\_dns [\#130](https://github.com/dev-sec/ansible-ssh-hardening/pull/130) ([MagnusEnger](https://github.com/MagnusEnger))
+- Remove duplicate ssh_use_dns [\#130](https://github.com/dev-sec/ansible-ssh-hardening/pull/130) ([MagnusEnger](https://github.com/MagnusEnger))

 **Fixed bugs:**

@ -428,7 +428,7 @@

 **Merged pull requests:**

- Don't overwrite ssh\_host\_key\_files if set manually [\#125](https://github.com/dev-sec/ansible-ssh-hardening/pull/125) ([oakey-b1](https://github.com/oakey-b1))
+- Don't overwrite ssh_host_key_files if set manually [\#125](https://github.com/dev-sec/ansible-ssh-hardening/pull/125) ([oakey-b1](https://github.com/oakey-b1))
 - Add comment filter to {{ansible\_managed}} string [\#121](https://github.com/dev-sec/ansible-ssh-hardening/pull/121) ([fazlearefin](https://github.com/fazlearefin))

 ## [4.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/4.2.0) (2017-06-30)
@ -458,7 +458,7 @@

 **Implemented enhancements:**

- added check\_mode: no to "get openssh-version" task, so it won't fail … [\#117](https://github.com/dev-sec/ansible-ssh-hardening/pull/117) ([wschaft](https://github.com/wschaft))
+- added check_mode: no to "get openssh-version" task, so it won't fail … [\#117](https://github.com/dev-sec/ansible-ssh-hardening/pull/117) ([wschaft](https://github.com/wschaft))

 **Fixed bugs:**

@ -483,7 +483,7 @@
 **Implemented enhancements:**

 - Provide option to allow password server login [\#106](https://github.com/dev-sec/ansible-ssh-hardening/issues/106)
- Deprecation warning always\_run [\#82](https://github.com/dev-sec/ansible-ssh-hardening/issues/82)
+- Deprecation warning always_run [\#82](https://github.com/dev-sec/ansible-ssh-hardening/issues/82)
 - Added support for UseDNS config switch [\#109](https://github.com/dev-sec/ansible-ssh-hardening/pull/109) ([ftaeger](https://github.com/ftaeger))
 - Added support for UseDNS config switch [\#108](https://github.com/dev-sec/ansible-ssh-hardening/pull/108) ([ftaeger](https://github.com/ftaeger))

@ -503,12 +503,12 @@
 **Implemented enhancements:**

 - Avoid small primes for DH and allow rebuild of DH primes [\#89](https://github.com/dev-sec/ansible-ssh-hardening/issues/89)
- Accommodate missing plugins in kitchen\_vagrant\_block.rb [\#100](https://github.com/dev-sec/ansible-ssh-hardening/pull/100) ([fullyint](https://github.com/fullyint))
+- Accommodate missing plugins in kitchen_vagrant_block.rb [\#100](https://github.com/dev-sec/ansible-ssh-hardening/pull/100) ([fullyint](https://github.com/fullyint))
 - Use different Hostkeys according to installed ssh version [\#99](https://github.com/dev-sec/ansible-ssh-hardening/pull/99) ([rndmh3ro](https://github.com/rndmh3ro))
 - Remove small dh primes [\#97](https://github.com/dev-sec/ansible-ssh-hardening/pull/97) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add Ed25519 SSH host key to match commit 28b4df3 in ssh-baseline [\#96](https://github.com/dev-sec/ansible-ssh-hardening/pull/96) ([techraf](https://github.com/techraf))
 - Add support for FreeBSD OpenSSH server and client [\#95](https://github.com/dev-sec/ansible-ssh-hardening/pull/95) ([jbenden](https://github.com/jbenden))
- Replace deprecated always\_run with check\_mode [\#93](https://github.com/dev-sec/ansible-ssh-hardening/pull/93) ([jbenden](https://github.com/jbenden))
+- Replace deprecated always_run with check_mode [\#93](https://github.com/dev-sec/ansible-ssh-hardening/pull/93) ([jbenden](https://github.com/jbenden))
 - Defaults: Remove DSA from SSH host keys to match ssh-baseline profile [\#92](https://github.com/dev-sec/ansible-ssh-hardening/pull/92) ([techraf](https://github.com/techraf))
 - use new docker images [\#91](https://github.com/dev-sec/ansible-ssh-hardening/pull/91) ([rndmh3ro](https://github.com/rndmh3ro))
 - use centos 7 in vagrant, limit ssh conns [\#88](https://github.com/dev-sec/ansible-ssh-hardening/pull/88) ([rndmh3ro](https://github.com/rndmh3ro))
@ -529,7 +529,7 @@
 **Merged pull requests:**

 - remove duplicate section [\#105](https://github.com/dev-sec/ansible-ssh-hardening/pull/105) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix ssh\_server\_ports and ssh\_client\_ports documentation bug [\#80](https://github.com/dev-sec/ansible-ssh-hardening/pull/80) ([kivilahtio](https://github.com/kivilahtio))
+- Fix ssh_server_ports and ssh_client_ports documentation bug [\#80](https://github.com/dev-sec/ansible-ssh-hardening/pull/80) ([kivilahtio](https://github.com/kivilahtio))

 ## [3.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.2.0) (2016-10-24)

@ -568,19 +568,19 @@
 - Add Xenial / Ubuntu 16.04 LTS to meta/main.yml [\#63](https://github.com/dev-sec/ansible-ssh-hardening/issues/63)
 - Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 [\#73](https://github.com/dev-sec/ansible-ssh-hardening/pull/73) ([atomic111](https://github.com/atomic111))
 - add docker support [\#71](https://github.com/dev-sec/ansible-ssh-hardening/pull/71) ([rndmh3ro](https://github.com/rndmh3ro))
- add always\_run: true to task. fix \#64 [\#69](https://github.com/dev-sec/ansible-ssh-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro))
+- add always_run: true to task. fix \#64 [\#69](https://github.com/dev-sec/ansible-ssh-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro))
 - Debian8 [\#68](https://github.com/dev-sec/ansible-ssh-hardening/pull/68) ([rndmh3ro](https://github.com/rndmh3ro))
 - Fixed KexAlgorithms Conditional Statement [\#66](https://github.com/dev-sec/ansible-ssh-hardening/pull/66) ([cjsheets](https://github.com/cjsheets))
 - Moves vars to defaults [\#60](https://github.com/dev-sec/ansible-ssh-hardening/pull/60) ([conorsch](https://github.com/conorsch))

 **Fixed bugs:**

- semodule ssh\_password error on AWS Centos 7 [\#64](https://github.com/dev-sec/ansible-ssh-hardening/issues/64)
+- semodule ssh_password error on AWS Centos 7 [\#64](https://github.com/dev-sec/ansible-ssh-hardening/issues/64)

 **Closed issues:**

 - `ssh\_server\_ports` a bit misleading in the vars section? [\#62](https://github.com/dev-sec/ansible-ssh-hardening/issues/62)
- sftp\_enabled: false will break Ansible's template module [\#55](https://github.com/dev-sec/ansible-ssh-hardening/issues/55)
+- sftp_enabled: false will break Ansible's template module [\#55](https://github.com/dev-sec/ansible-ssh-hardening/issues/55)
 - Move cipher/kex/mac vars to defaults [\#53](https://github.com/dev-sec/ansible-ssh-hardening/issues/53)

 **Merged pull requests:**
@ -593,7 +593,7 @@

 **Implemented enhancements:**

- Added sftp\_enabled, sftp\_chroot\_dir, and ssh\_client\_roaming from the … [\#57](https://github.com/dev-sec/ansible-ssh-hardening/pull/57) ([ghost](https://github.com/ghost))
+- Added sftp_enabled, sftp_chroot_dir, and ssh_client_roaming from the … [\#57](https://github.com/dev-sec/ansible-ssh-hardening/pull/57) ([ghost](https://github.com/ghost))
 - add test support for ansible 1.9 and 2.0 [\#56](https://github.com/dev-sec/ansible-ssh-hardening/pull/56) ([rndmh3ro](https://github.com/rndmh3ro))
 - update platforms in meta-file [\#52](https://github.com/dev-sec/ansible-ssh-hardening/pull/52) ([rndmh3ro](https://github.com/rndmh3ro))
 - add webhook for ansible galaxy [\#51](https://github.com/dev-sec/ansible-ssh-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro))
@ -623,7 +623,7 @@

 - New dir layout. Fix \#43 [\#44](https://github.com/dev-sec/ansible-ssh-hardening/pull/44) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add var to travis job [\#42](https://github.com/dev-sec/ansible-ssh-hardening/pull/42) ([rndmh3ro](https://github.com/rndmh3ro))
- sftp\_enable option [\#41](https://github.com/dev-sec/ansible-ssh-hardening/pull/41) ([fitz123](https://github.com/fitz123))
+- sftp_enable option [\#41](https://github.com/dev-sec/ansible-ssh-hardening/pull/41) ([fitz123](https://github.com/fitz123))

 ## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16)

@ -657,7 +657,7 @@

 **Closed issues:**

- ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33)
+- ssh_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33)
 - UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23)

 **Merged pull requests:**
@ -665,12 +665,12 @@
 - Change variable for hmac from server to client [\#37](https://github.com/dev-sec/ansible-ssh-hardening/pull/37) ([rndmh3ro](https://github.com/rndmh3ro))
 - Update kitchen-ansible, remove separate debian install [\#36](https://github.com/dev-sec/ansible-ssh-hardening/pull/36) ([rndmh3ro](https://github.com/rndmh3ro))
 - Separate ssh client and server ports. Fix \#33 [\#34](https://github.com/dev-sec/ansible-ssh-hardening/pull/34) ([rndmh3ro](https://github.com/rndmh3ro))
- update common kitchen.yml platforms \(ansible\), kitchen\_debian.yml platforms \(ansible\) [\#32](https://github.com/dev-sec/ansible-ssh-hardening/pull/32) ([chris-rock](https://github.com/chris-rock))
+- update common kitchen.yml platforms \(ansible\), kitchen_debian.yml platforms \(ansible\) [\#32](https://github.com/dev-sec/ansible-ssh-hardening/pull/32) ([chris-rock](https://github.com/chris-rock))
 - Make MaxAuthTries configurable [\#31](https://github.com/dev-sec/ansible-ssh-hardening/pull/31) ([rndmh3ro](https://github.com/rndmh3ro))
 - Change oneliner if-statements to be more readable [\#30](https://github.com/dev-sec/ansible-ssh-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro))
 - Make ssh client password login configurable. [\#29](https://github.com/dev-sec/ansible-ssh-hardening/pull/29) ([ypid](https://github.com/ypid))
 - Fix join-filter, jinja-cases, intendation [\#27](https://github.com/dev-sec/ansible-ssh-hardening/pull/27) ([rndmh3ro](https://github.com/rndmh3ro))
- Short role review. Fixed role when ssh\_client\_weak\_kex == true. [\#26](https://github.com/dev-sec/ansible-ssh-hardening/pull/26) ([ypid](https://github.com/ypid))
+- Short role review. Fixed role when ssh_client_weak_kex == true. [\#26](https://github.com/dev-sec/ansible-ssh-hardening/pull/26) ([ypid](https://github.com/ypid))
 - Make it configurable to only harden ssh client/server or both \(default\). [\#25](https://github.com/dev-sec/ansible-ssh-hardening/pull/25) ([ypid](https://github.com/ypid))
 - Separate system-vars from editable vars [\#24](https://github.com/dev-sec/ansible-ssh-hardening/pull/24) ([rndmh3ro](https://github.com/rndmh3ro))
 - Add correct CONTRIB-file [\#22](https://github.com/dev-sec/ansible-ssh-hardening/pull/22) ([rndmh3ro](https://github.com/rndmh3ro))
@ -705,10 +705,8 @@
 - add travis config for ansible [\#9](https://github.com/dev-sec/ansible-ssh-hardening/pull/9) ([chris-rock](https://github.com/chris-rock))
 - update .kitchen.yml to find playbook role in tests [\#8](https://github.com/dev-sec/ansible-ssh-hardening/pull/8) ([chris-rock](https://github.com/chris-rock))
 - Oracle support [\#5](https://github.com/dev-sec/ansible-ssh-hardening/pull/5) ([rndmh3ro](https://github.com/rndmh3ro))
-  Remove custom Vagrantfile-reference. Fix \#2 [\#4](https://github.com/dev-sec/ansible-ssh-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
+- Remove custom Vagrantfile-reference. Fix \#2 [\#4](https://github.com/dev-sec/ansible-ssh-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
 - Remove custom Vagrantfile-reference. Fix \#2 [\#3](https://github.com/dev-sec/ansible-ssh-hardening/pull/3) ([rndmh3ro](https://github.com/rndmh3ro))
 - Fix missing gem [\#1](https://github.com/dev-sec/ansible-ssh-hardening/pull/1) ([chris-rock](https://github.com/chris-rock))

-
-
-\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
+\* _This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)_
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@ -10,223 +10,223 @@ Warning: This role disables root-login on the target server! Please make sure yo

 ## Requirements

-* Ansible >= 2.9
+- Ansible >= 2.9

 ## Role Variables

-* `network_ipv6_enable`
-  * Default: false
-  * Description: true if IPv6 is needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`).
-* `ssh_server_ports`
-  * Default: ['22']
-  * Description: ports on which ssh-server should listen
-* `ssh_client_port`
-  * Default: '22'
-  * Description: port to which ssh-client should connect
-* `ssh_listen_to`
-  * Default: ['0.0.0.0']
-  * Description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 adresses, but should be configured to specific addresses for security reasons!
-* `ssh_host_key_files`
-  * Default: []
-  * Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version
-* `ssh_host_key_algorithms`
-  * Default: []
-  * Description: Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms
-* `ssh_client_alive_interval`
-  * Default: 600
-  * Description: specifies an interval for sending keepalive messages
-* `ssh_client_alive_count`
-  * Default: 3
-  * Description: defines how often keep-alive messages are sent
-* `ssh_permit_tunnel`
-  * Default: false
-  * Description: true if SSH Port Tunneling is required
-* `ssh_remote_hosts`
-  * Default: []
-  * Description: one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.
-* `ssh_permit_root_login`
-  * Default: no
-  * Description: Disable root-login. Set to `without-password` or `yes` to enable root-login
-* `ssh_allow_tcp_forwarding`
-  * Default: no
-  * Description: `'no'` to disable TCP Forwarding. Set to `'yes'` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'` or `'local'`. <br> *Note*: values passed to this variable must be strings, thus values `'yes'` and `'no'` should be passed with quotes.
-* `ssh_gateway_ports`
-  * Default: `false`
-  * Description: `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.
-* `ssh_allow_agent_forwarding`
-  * Default: false
-  * Description: false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
-* `ssh_x11_forwarding`
-  * Default: false
-  * Description: false to disable X11 Forwarding. Set to true to allow X11 Forwarding.
-* `ssh_pam_support`
-  * Default: true
-  * Description: true if SSH has PAM support.
-* `ssh_use_pam`
-  * Default: true
-  * Description: false to disable pam authentication.
-* `ssh_gssapi_support`
-  * Default: false
-  * Description: true if SSH has GSSAPI support.
-* `ssh_kerberos_support`
-  * Default: true
-  * Description: true if SSH has Kerberos support.
-* `ssh_deny_users`
-  * Default: ''
-  * Description: if specified, login is disallowed for user names that match one of the patterns.
-* `ssh_allow_users`
-  * Default: ''
-  * Description: if specified, login is allowed only for user names that match one of the patterns.
-* `ssh_deny_groups`
-  * Default: ''
-  * Description: if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
-* `ssh_allow_groups`
-  * Default: ''
-  * Description: if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
-* `ssh_authorized_keys_file`
-  * Default: ''
-  * Description: change default file that contains the public keys that can be used for user authentication.
-* `ssh_trusted_user_ca_keys_file`
-  * Default: ''
-  * Description: specifies the file containing trusted certificate authorities public keys used to sign user certificates.
-* `ssh_trusted_user_ca_keys`
-  * Default: []
-  * Description: set the trusted certificate authorities public keys used to sign user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set.
-* `ssh_authorized_principals_file`
-  * Default: ''
-  * Description: specifies the file containing principals that are allowed. Only used if `ssh_trusted_user_ca_keys_file` is set.
-* `ssh_authorized_principals`
-  * Default: []
-  * Description: list of hashes containing file paths and authorized principals, see `default_custom.yml` for all options. Only used if `ssh_authorized_principals_file` is set.
-* `ssh_print_motd`
-  * Default: false
-  * Description: false to disable printing of the MOTD
-* `ssh_print_pam_motd`
-  * Default: false
-  * Description: false to disable printing of the MOTD via pam (Debian and Ubuntu)
-* `ssh_print_last_log`
-  * Default: false
-  * Description: false to disable display of last login information
-* `sftp_enabled`
-  * Default: false
-  * Description: true to enable sftp configuration
-* `sftp_umask`
-  * Default: '0027'
-  * Description: Specifies the umask for sftp
-* `sftp_chroot`
-  * Default: true
-  * Description: false to disable chroot for sftp
-* `sftp_chroot_dir`
-  * Default: /home/%u
-  * Description: change default sftp chroot location
-* `ssh_client_roaming`
-  * Default: false
-  * Description: enable experimental client roaming
-* `sshd_moduli_file`
-  * Default: '/etc/ssh/moduli'
-  * Description: path to the SSH moduli file
-* `sshd_moduli_minimum`
-  * Default: 2048
-  * Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam
-* `ssh_challengeresponseauthentication`
-  * Default: false
-  * Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM)
-* `ssh_client_password_login`
-  * Default: false
-  * Description: `true` to allow password-based authentication with the ssh client
-* `ssh_server_password_login`
-  * Default: false
-  * Description: `true` to allow password-based authentication with the ssh server
-* `ssh_banner`
-  * Default: `false`
-  * Description: `true` to print a banner on login
-* `ssh_banner_path`
-  * Default: '/etc/sshd/banner.txt'
-  * Description: path to the SSH banner file
-* `ssh_client_hardening`
-  * Default: `true`
-  * Description: `false` to stop harden the client
-* `ssh_client_port`
-  * Default: `'22'`
-  * Description: Specifies the port number to connect on the remote host.
-* `ssh_client_compression`
-  * Default: `false`
-  * Description: Specifies whether the client requests compression.
-* `ssh_compression`
-  * Default: `false`
-  * Description: Specifies whether server-side compression is enabled after the user has authenticated successfully.
-* `ssh_login_grace_time`
-  * Default: `30s`
-  * Description: specifies the time allowed for successful authentication to the SSH server
-* `ssh_max_auth_retries`
-  * Default: `2`
-  * Description: Specifies the maximum number of authentication attempts permitted per connection.
-* `ssh_max_sessions`
-  * Default: `10`
-  * Description: Specifies the maximum number of open sessions permitted from a given connection.
-* `ssh_print_debian_banner`
-  * Default: `false`
-  * Description: `true` to print debian specific banner
-* `ssh_server_enabled`
-  * Default: `true`
-  * Description: `false` to disable the opensshd server
-* `ssh_server_hardening`
-  * Default: `true`
-  * Description: `false` to stop harden the server
-* `ssh_server_match_address`
-  * Default: ''
-  * Description: Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
-* `ssh_server_match_group`
-  * Default: ''
-  * Description: Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
-* `ssh_server_match_user`
-  * Default: ''
-  * Description: Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
-* `ssh_server_match_local_port`
-  * Default: ''
-  * Description: Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
-* `ssh_server_permit_environment_vars`
-  * Default: `no`
-  * Description: `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings
-* `ssh_server_accept_env_vars`
-  * Default: ''
-  * Description: Specifies what environment variables sent by the client will be copied into the session's environment, multiple environment variables may be separated by whitespace
-* `ssh_use_dns`
-  * Default: `false`
-  * Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address.
-* `ssh_server_revoked_keys`
-  * Default: []
-  * Description: a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.
-* `ssh_max_startups`
-  * Default: '10:30:100'
-  * Description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
-* `ssh_macs`
-  * Default: []
-  * Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
-* `ssh_kex`
-  * Default: []
-  * Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
-* `ssh_ciphers`
-  * Default: []
-  * Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
-* `ssh_custom_options`
-  * Default: []
-  * Description: Custom lines for SSH client configuration
-* `sshd_custom_options`
-  * Default: []
-  * Description: Custom lines for SSH daemon configuration
-* `sshd_syslog_facility`
-  * Default: 'AUTH'
-  * Description: The facility code that is used when logging messages from sshd
-* `sshd_log_level`
-  * Default: 'VERBOSE'
-  * Description: the verbosity level that is used when logging messages from sshd
-* `sshd_strict_modes`
-  * Default: true
-  * Description: Check file modes and ownership of the user's files and home directory before accepting login
-* `sshd_authenticationmethods`
-  * Default: `publickey`
-  * Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`
+- `network_ipv6_enable`
+  - Default: false
+  - Description: true if IPv6 is needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`).
+- `ssh_server_ports`
+  - Default: ['22']
+  - Description: ports on which ssh-server should listen
+- `ssh_client_port`
+  - Default: '22'
+  - Description: port to which ssh-client should connect
+- `ssh_listen_to`
+  - Default: ['0.0.0.0']
+  - Description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 adresses, but should be configured to specific addresses for security reasons!
+- `ssh_host_key_files`
+  - Default: []
+  - Description: Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version
+- `ssh_host_key_algorithms`
+  - Default: []
+  - Description: Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms
+- `ssh_client_alive_interval`
+  - Default: 600
+  - Description: specifies an interval for sending keepalive messages
+- `ssh_client_alive_count`
+  - Default: 3
+  - Description: defines how often keep-alive messages are sent
+- `ssh_permit_tunnel`
+  - Default: false
+  - Description: true if SSH Port Tunneling is required
+- `ssh_remote_hosts`
+  - Default: []
+  - Description: one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.
+- `ssh_permit_root_login`
+  - Default: no
+  - Description: Disable root-login. Set to `without-password` or `yes` to enable root-login
+- `ssh_allow_tcp_forwarding`
+  - Default: no
+  - Description: `'no'` to disable TCP Forwarding. Set to `'yes'` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'` or `'local'`. <br> _Note_: values passed to this variable must be strings, thus values `'yes'` and `'no'` should be passed with quotes.
+- `ssh_gateway_ports`
+  - Default: `false`
+  - Description: `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.
+- `ssh_allow_agent_forwarding`
+  - Default: false
+  - Description: false to disable Agent Forwarding. Set to true to allow Agent Forwarding.
+- `ssh_x11_forwarding`
+  - Default: false
+  - Description: false to disable X11 Forwarding. Set to true to allow X11 Forwarding.
+- `ssh_pam_support`
+  - Default: true
+  - Description: true if SSH has PAM support.
+- `ssh_use_pam`
+  - Default: true
+  - Description: false to disable pam authentication.
+- `ssh_gssapi_support`
+  - Default: false
+  - Description: true if SSH has GSSAPI support.
+- `ssh_kerberos_support`
+  - Default: true
+  - Description: true if SSH has Kerberos support.
+- `ssh_deny_users`
+  - Default: ''
+  - Description: if specified, login is disallowed for user names that match one of the patterns.
+- `ssh_allow_users`
+  - Default: ''
+  - Description: if specified, login is allowed only for user names that match one of the patterns.
+- `ssh_deny_groups`
+  - Default: ''
+  - Description: if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
+- `ssh_allow_groups`
+  - Default: ''
+  - Description: if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.
+- `ssh_authorized_keys_file`
+  - Default: ''
+  - Description: change default file that contains the public keys that can be used for user authentication.
+- `ssh_trusted_user_ca_keys_file`
+  - Default: ''
+  - Description: specifies the file containing trusted certificate authorities public keys used to sign user certificates.
+- `ssh_trusted_user_ca_keys`
+  - Default: []
+  - Description: set the trusted certificate authorities public keys used to sign user certificates. Only used if `ssh_trusted_user_ca_keys_file` is set.
+- `ssh_authorized_principals_file`
+  - Default: ''
+  - Description: specifies the file containing principals that are allowed. Only used if `ssh_trusted_user_ca_keys_file` is set.
+- `ssh_authorized_principals`
+  - Default: []
+  - Description: list of hashes containing file paths and authorized principals, see `default_custom.yml` for all options. Only used if `ssh_authorized_principals_file` is set.
+- `ssh_print_motd`
+  - Default: false
+  - Description: false to disable printing of the MOTD
+- `ssh_print_pam_motd`
+  - Default: false
+  - Description: false to disable printing of the MOTD via pam (Debian and Ubuntu)
+- `ssh_print_last_log`
+  - Default: false
+  - Description: false to disable display of last login information
+- `sftp_enabled`
+  - Default: false
+  - Description: true to enable sftp configuration
+- `sftp_umask`
+  - Default: '0027'
+  - Description: Specifies the umask for sftp
+- `sftp_chroot`
+  - Default: true
+  - Description: false to disable chroot for sftp
+- `sftp_chroot_dir`
+  - Default: /home/%u
+  - Description: change default sftp chroot location
+- `ssh_client_roaming`
+  - Default: false
+  - Description: enable experimental client roaming
+- `sshd_moduli_file`
+  - Default: '/etc/ssh/moduli'
+  - Description: path to the SSH moduli file
+- `sshd_moduli_minimum`
+  - Default: 2048
+  - Description: remove Diffie-Hellman parameters smaller than the defined size to mitigate logjam
+- `ssh_challengeresponseauthentication`
+  - Default: false
+  - Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM)
+- `ssh_client_password_login`
+  - Default: false
+  - Description: `true` to allow password-based authentication with the ssh client
+- `ssh_server_password_login`
+  - Default: false
+  - Description: `true` to allow password-based authentication with the ssh server
+- `ssh_banner`
+  - Default: `false`
+  - Description: `true` to print a banner on login
+- `ssh_banner_path`
+  - Default: '/etc/sshd/banner.txt'
+  - Description: path to the SSH banner file
+- `ssh_client_hardening`
+  - Default: `true`
+  - Description: `false` to stop harden the client
+- `ssh_client_port`
+  - Default: `'22'`
+  - Description: Specifies the port number to connect on the remote host.
+- `ssh_client_compression`
+  - Default: `false`
+  - Description: Specifies whether the client requests compression.
+- `ssh_compression`
+  - Default: `false`
+  - Description: Specifies whether server-side compression is enabled after the user has authenticated successfully.
+- `ssh_login_grace_time`
+  - Default: `30s`
+  - Description: specifies the time allowed for successful authentication to the SSH server
+- `ssh_max_auth_retries`
+  - Default: `2`
+  - Description: Specifies the maximum number of authentication attempts permitted per connection.
+- `ssh_max_sessions`
+  - Default: `10`
+  - Description: Specifies the maximum number of open sessions permitted from a given connection.
+- `ssh_print_debian_banner`
+  - Default: `false`
+  - Description: `true` to print debian specific banner
+- `ssh_server_enabled`
+  - Default: `true`
+  - Description: `false` to disable the opensshd server
+- `ssh_server_hardening`
+  - Default: `true`
+  - Description: `false` to stop harden the server
+- `ssh_server_match_address`
+  - Default: ''
+  - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
+- `ssh_server_match_group`
+  - Default: ''
+  - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
+- `ssh_server_match_user`
+  - Default: ''
+  - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
+- `ssh_server_match_local_port`
+  - Default: ''
+  - Description: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
+- `ssh_server_permit_environment_vars`
+  - Default: `no`
+  - Description: `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings
+- `ssh_server_accept_env_vars`
+  - Default: ''
+  - Description: Specifies what environment variables sent by the client will be copied into the session's environment, multiple environment variables may be separated by whitespace
+- `ssh_use_dns`
+  - Default: `false`
+  - Description: Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address.
+- `ssh_server_revoked_keys`
+  - Default: []
+  - Description: a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.
+- `ssh_max_startups`
+  - Default: '10:30:100'
+  - Description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.
+- `ssh_macs`
+  - Default: []
+  - Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml`
+- `ssh_kex`
+  - Default: []
+  - Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml`
+- `ssh_ciphers`
+  - Default: []
+  - Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml`
+- `ssh_custom_options`
+  - Default: []
+  - Description: Custom lines for SSH client configuration
+- `sshd_custom_options`
+  - Default: []
+  - Description: Custom lines for SSH daemon configuration
+- `sshd_syslog_facility`
+  - Default: 'AUTH'
+  - Description: The facility code that is used when logging messages from sshd
+- `sshd_log_level`
+  - Default: 'VERBOSE'
+  - Description: the verbosity level that is used when logging messages from sshd
+- `sshd_strict_modes`
+  - Default: true
+  - Description: Check file modes and ownership of the user's files and home directory before accepting login
+- `sshd_authenticationmethods`
+  - Default: `publickey`
+  - Description: Specifies the authentication methods that must be successfully completed for a user to be granted access. Make sure to set all required variables for your selected authentication method. Defaults found in `defaults/main.yml`

 ## Example Playbook