diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml index 45ce63fc..7c301702 100644 --- a/.config/ansible-lint.yml +++ b/.config/ansible-lint.yml @@ -12,3 +12,6 @@ exclude_paths: mock_roles: - geerlingguy.git - nginxinc.nginx + +skip_list: + - var-naming[no-role-prefix] diff --git a/roles/ssh_hardening/tasks/crypto_hostkeys.yml b/roles/ssh_hardening/tasks/crypto_hostkeys.yml index 8b242782..cd318134 100644 --- a/roles/ssh_hardening/tasks/crypto_hostkeys.yml +++ b/roles/ssh_hardening/tasks/crypto_hostkeys.yml @@ -8,16 +8,6 @@ force: false regenerate: partial_idempotence -# In RHEL and Fedora, the 'ssh_keys' group is the group owner of the host private SSH keys. -# Since the openssh_keypair module needs to read the key to provide idempotency, we need to set ownership and group based on specific OS vars. -- name: Change host private key ownership, group and permissions - ansible.builtin.file: - path: "{{ ssh_host_keys_dir }}/ssh_host_rsa_key" - owner: "{{ ssh_host_keys_owner }}" - group: "{{ ssh_host_keys_group }}" - mode: "0640" - when: ansible_facts.os_family == 'RedHat' - - name: Set hostkeys according to openssh-version if openssh >= 5.3 ansible.builtin.set_fact: ssh_host_key_files: @@ -38,3 +28,11 @@ - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key" - "{{ ssh_host_keys_dir }}/ssh_host_ed25519_key" when: sshd_version is version('6.3', '>=') + +- name: Change host private key ownership, group and permissions + ansible.builtin.file: + path: "{{ item }}" + owner: "{{ ssh_host_keys_owner }}" + group: "{{ ssh_host_keys_group }}" + mode: "{{ ssh_host_keys_mode }}" + loop: "{{ ssh_host_key_files }}" diff --git a/roles/ssh_hardening/vars/Amazon_2.yml b/roles/ssh_hardening/vars/Amazon_2.yml index 4c97cd6a..7a345fb8 100644 --- a/roles/ssh_hardening/vars/Amazon_2.yml +++ b/roles/ssh_hardening/vars/Amazon_2.yml 
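Review bot: The new `skip_list` entry silences var-naming[no-role-prefix] for the whole repository with no comment saying why, so a later maintainer cannot tell whether the unprefixed `ssh_*`/`sshd_*` variables are a deliberate public interface or accepted lint debt. A one-line comment above `skip_list`, e.g. `# var-naming[no-role-prefix]: ssh_*/sshd_* are the role's established variable names (adjust to the real rationale)`, would record the decision. If only a handful of variables trigger the rule, a per-line `# noqa: var-naming[no-role-prefix]` would keep the check active for newly added variables.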
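Review bot: The relocated file task now applies `ssh_host_keys_mode` on every platform, and each vars hunk in this diff sets it to "0600", including RedHat.yml and RedHat_7.yml, which still set `ssh_host_keys_group: ssh_keys`; with 0600 the group membership is moot, and as far as I know the RHEL 7/8 `ssh-keysign` helper depends on ssh_keys-readable host keys, so hosts using HostbasedAuthentication would lose it where the deleted task previously kept 0640. If that tightening is intended it is worth stating in the role docs; otherwise keep "0640" in the vars files whose group is ssh_keys. Separately, `ansible.builtin.file` defaults to `state: file`, which fails when a listed path is absent, and `ssh_host_key_files` is only populated by the version-conditional set_fact tasks above, so a guard such as `when: ssh_host_key_files is defined` (or a default in defaults/main.yml, which is outside this diff) would avoid an undefined-variable failure on sshd versions that match neither branch.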
@@ -1,11 +1,12 @@ --- sshd_path: /usr/sbin/sshd -ssh_host_keys_dir: '/etc/ssh' +ssh_host_keys_dir: /etc/ssh sshd_service_name: sshd ssh_owner: root ssh_group: root -ssh_host_keys_owner: 'root' -ssh_host_keys_group: 'ssh_keys' +ssh_host_keys_owner: root +ssh_host_keys_group: ssh_keys +ssh_host_keys_mode: "0600" ssh_selinux_packages: - policycoreutils-python - checkpolicy @@ -16,7 +17,7 @@ ssh_kerberos_support: true # true if SSH has PAM support ssh_pam_support: true -sshd_moduli_file: '/etc/ssh/moduli' +sshd_moduli_file: /etc/ssh/moduli # disable CRYPTO_POLICY to take settings from sshd configuration # see: https://access.redhat.com/solutions/4410591 diff --git a/roles/ssh_hardening/vars/Archlinux.yml b/roles/ssh_hardening/vars/Archlinux.yml index 9ccbe38f..7648010f 100644 --- a/roles/ssh_hardening/vars/Archlinux.yml +++ b/roles/ssh_hardening/vars/Archlinux.yml @@ -6,6 +6,7 @@ ssh_owner: root ssh_group: root ssh_host_keys_owner: root ssh_host_keys_group: root +ssh_host_keys_mode: "0600" # true if SSH support Kerberos ssh_kerberos_support: true diff --git a/roles/ssh_hardening/vars/Debian.yml b/roles/ssh_hardening/vars/Debian.yml index 9cbc1d97..d062326e 100644 --- a/roles/ssh_hardening/vars/Debian.yml +++ b/roles/ssh_hardening/vars/Debian.yml @@ -6,6 +6,7 @@ ssh_owner: root ssh_group: root ssh_host_keys_owner: root ssh_host_keys_group: root +ssh_host_keys_mode: "0600" ssh_selinux_packages: - policycoreutils-python - checkpolicy diff --git a/roles/ssh_hardening/vars/Fedora.yml b/roles/ssh_hardening/vars/Fedora.yml index 2b157dbe..702989a7 100644 --- a/roles/ssh_hardening/vars/Fedora.yml +++ b/roles/ssh_hardening/vars/Fedora.yml @@ -5,7 +5,8 @@ sshd_service_name: sshd ssh_owner: root ssh_group: root ssh_host_keys_owner: root -ssh_host_keys_group: ssh_keys +ssh_host_keys_group: root +ssh_host_keys_mode: "0600" ssh_selinux_packages: - python3-policycoreutils - checkpolicy 
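Review bot: `ssh_host_keys_mode` is introduced in `vars/` here and in the Archlinux, Debian, Fedora, FreeBSD, OpenBSD, RedHat, RedHat_7, RedHat_9, SmartOS and Suse files rather than in `defaults/`, so role-vars precedence means a consumer cannot override this hardening knob from inventory or group_vars, only with `-e`. That placement matches the existing `ssh_host_keys_owner`/`ssh_host_keys_group`, so it is consistent, but a comment above the key such as `# permission bits applied to each private host key in ssh_host_key_files` would document what it governs. The quoting of "0600" is correct and should stay so the octal value is never coerced to an integer.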
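Review bot: The Fedora hunk flips `ssh_host_keys_group` from ssh_keys to root, and the new RedHat_9.yml on the next line also uses root while RedHat.yml keeps ssh_keys, but none of the three files explains the divergence, so it reads like a copy error rather than a platform decision. A comment above the group key in both files, e.g. `# this release no longer ships the ssh_keys group; host keys are owned root:root` (confirm against the oldest supported release), would make the intent explicit. If an older supported Fedora still creates ssh_keys, the comment should also say which releases the root setting has been verified on.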
diff --git a/roles/ssh_hardening/vars/FreeBSD.yml b/roles/ssh_hardening/vars/FreeBSD.yml index 036d3f35..2967494d 100644 --- a/roles/ssh_hardening/vars/FreeBSD.yml +++ b/roles/ssh_hardening/vars/FreeBSD.yml @@ -5,7 +5,8 @@ sshd_service_name: sshd ssh_owner: root ssh_group: wheel ssh_host_keys_owner: root -ssh_host_keys_group: root +ssh_host_keys_group: wheel +ssh_host_keys_mode: "0600" # true if SSH support Kerberos ssh_kerberos_support: true diff --git a/roles/ssh_hardening/vars/OpenBSD.yml b/roles/ssh_hardening/vars/OpenBSD.yml index 24174711..d6ef2a10 100644 --- a/roles/ssh_hardening/vars/OpenBSD.yml +++ b/roles/ssh_hardening/vars/OpenBSD.yml @@ -5,7 +5,8 @@ sshd_service_name: sshd ssh_owner: root ssh_group: wheel ssh_host_keys_owner: root -ssh_host_keys_group: root +ssh_host_keys_group: wheel +ssh_host_keys_mode: "0600" # true if SSH support Kerberos ssh_kerberos_support: false diff --git a/roles/ssh_hardening/vars/RedHat.yml b/roles/ssh_hardening/vars/RedHat.yml index dcb8e63d..f859c8fe 100644 --- a/roles/ssh_hardening/vars/RedHat.yml +++ b/roles/ssh_hardening/vars/RedHat.yml @@ -6,6 +6,7 @@ ssh_owner: root ssh_group: root ssh_host_keys_owner: root ssh_host_keys_group: ssh_keys +ssh_host_keys_mode: "0600" ssh_selinux_packages: - policycoreutils-python-utils - checkpolicy diff --git a/roles/ssh_hardening/vars/RedHat_7.yml b/roles/ssh_hardening/vars/RedHat_7.yml index d871dd52..7a345fb8 100644 --- a/roles/ssh_hardening/vars/RedHat_7.yml +++ b/roles/ssh_hardening/vars/RedHat_7.yml @@ -6,6 +6,7 @@ ssh_owner: root ssh_group: root ssh_host_keys_owner: root ssh_host_keys_group: ssh_keys +ssh_host_keys_mode: "0600" ssh_selinux_packages: - policycoreutils-python - checkpolicy diff --git a/roles/ssh_hardening/vars/RedHat_9.yml b/roles/ssh_hardening/vars/RedHat_9.yml new file mode 100644 index 00000000..2d956140 --- /dev/null +++ b/roles/ssh_hardening/vars/RedHat_9.yml 
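Review bot: After this change Amazon_2.yml and RedHat_7.yml resolve to the same blob (both `index` lines end in 7a345fb8), so the two files are byte-identical, and duplicated security settings tend to drift when the next mode or group change lands in only one of them. Consider making one file a symlink to the other, or keeping the shared RHEL 7 derivative settings in a single vars file that both platforms load, so the host key ownership and mode are maintained in one place.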
@@ -0,0 +1,24 @@ +--- +sshd_path: /usr/sbin/sshd +ssh_host_keys_dir: /etc/ssh +sshd_service_name: sshd +ssh_owner: root +ssh_group: root +ssh_host_keys_owner: root +ssh_host_keys_group: root +ssh_host_keys_mode: "0600" +ssh_selinux_packages: + - policycoreutils-python-utils + - checkpolicy + +# true if SSH support Kerberos +ssh_kerberos_support: true + +# true if SSH has PAM support +ssh_pam_support: true + +sshd_moduli_file: /etc/ssh/moduli + +# disable CRYPTO_POLICY to take settings from sshd configuration +# see: https://access.redhat.com/solutions/4410591 +sshd_disable_crypto_policy: true diff --git a/roles/ssh_hardening/vars/SmartOS.yml b/roles/ssh_hardening/vars/SmartOS.yml index 9a6e7a15..94849b68 100644 --- a/roles/ssh_hardening/vars/SmartOS.yml +++ b/roles/ssh_hardening/vars/SmartOS.yml @@ -6,6 +6,7 @@ ssh_owner: root ssh_group: root ssh_host_keys_owner: root ssh_host_keys_group: root +ssh_host_keys_mode: "0600" # true if SSH support Kerberos ssh_kerberos_support: true diff --git a/roles/ssh_hardening/vars/Suse.yml b/roles/ssh_hardening/vars/Suse.yml index 833e7484..8a797610 100644 --- a/roles/ssh_hardening/vars/Suse.yml +++ b/roles/ssh_hardening/vars/Suse.yml @@ -6,6 +6,7 @@ ssh_owner: root ssh_group: root ssh_host_keys_owner: root ssh_host_keys_group: root +ssh_host_keys_mode: "0600" # true if SSH support Kerberos ssh_kerberos_support: true