mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
f295397611
* add role argument spec for os, ssh, mysql Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add role argument spec for os, ssh, mysql Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove variable in variable as it cannot be used in argument spec Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * fix wrong syntax * fix spelling errors Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * cannot use vars before arg-spec validation Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * yamllint the arg-spec Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * add back variable Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove redundant setting in tests * fix descriptions in mysql hardening to betterreflect what they do Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove duplicate empty line Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * set correct defaults on to ssl options Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove left-over hidepid argument spec Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * remove license and author infos, this lives in the collection readme Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * fix styling Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * update some descriptions and sort them in the readme Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> * some more linting Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> --------- Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
98 lines
2.9 KiB
YAML
98 lines
2.9 KiB
YAML
---
|
|
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with custom settings
|
|
hosts: all
|
|
become: true
|
|
environment:
|
|
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
|
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
|
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
|
collections:
|
|
- devsec.hardening
|
|
tasks:
|
|
- include_role:
|
|
name: ssh_hardening
|
|
vars:
|
|
ssh_trusted_user_ca_keys_file: '/etc/ssh/ca.pub'
|
|
ssh_trusted_user_ca_keys:
|
|
- '# ssh-rsa ...'
|
|
ssh_authorized_principals_file: '/etc/ssh/auth_principals/%u'
|
|
ssh_authorized_principals:
|
|
- path: "/etc/ssh/auth_principals/root"
|
|
principals:
|
|
- "root"
|
|
network_ipv6_enable: true
|
|
ssh_allow_tcp_forwarding: 'yes'
|
|
ssh_gateway_ports: true
|
|
ssh_allow_agent_forwarding: true
|
|
ssh_server_permit_environment_vars: 'yes'
|
|
ssh_server_accept_env_vars: 'PWD HTTP_PROXY'
|
|
ssh_client_alive_interval: 100
|
|
ssh_client_alive_count: 10
|
|
ssh_client_password_login: true
|
|
ssh_challengeresponseauthentication: true
|
|
ssh_compression: true
|
|
ssh_allow_users: 'root kitchen vagrant'
|
|
ssh_allow_groups: 'root kitchen vagrant'
|
|
ssh_deny_users: 'foo bar'
|
|
ssh_deny_groups: 'foo bar'
|
|
ssh_authorized_keys_file: '/etc/ssh/authorized_keys/%u'
|
|
ssh_max_auth_retries: 10
|
|
ssh_permit_root_login: "without-password"
|
|
ssh_permit_tunnel: true
|
|
ssh_print_motd: true
|
|
ssh_print_last_log: true
|
|
ssh_banner: true
|
|
ssh_server_password_login: true
|
|
sftp_chroot: true
|
|
# ssh_server_enabled: false
|
|
ssh_server_ports:
|
|
- 22
|
|
- 222
|
|
ssh_server_match_address:
|
|
- address: '192.168.1.0/24'
|
|
rules:
|
|
- 'AllowTcpForwarding yes'
|
|
- 'AllowAgentForwarding no'
|
|
ssh_server_match_group:
|
|
- group: 'root'
|
|
rules:
|
|
- 'AllowTcpForwarding yes'
|
|
- 'AllowAgentForwarding no'
|
|
ssh_server_match_user:
|
|
- user: 'root'
|
|
rules:
|
|
- 'AllowTcpForwarding yes'
|
|
- 'AllowAgentForwarding no'
|
|
ssh_server_match_local_port:
|
|
- port: 222
|
|
rules:
|
|
- 'AllowTcpForwarding yes'
|
|
- 'AllowAgentForwarding no'
|
|
ssh_remote_hosts:
|
|
- names: ['example.com', 'example2.com']
|
|
options: ['Port 2222', 'ForwardAgent yes']
|
|
- names: ['example3.com']
|
|
options: ['StrictHostKeyChecking no']
|
|
ssh_use_dns: true
|
|
ssh_use_pam: true
|
|
ssh_max_startups: '10:30:60'
|
|
ssh_host_key_algorithms:
|
|
- ssh-ed25519
|
|
- rsa-sha2-512
|
|
- rsa-sha2-256
|
|
- ssh-rsa
|
|
ssh_macs:
|
|
- hmac-sha2-512
|
|
- hmac-sha2-256
|
|
ssh_ciphers:
|
|
- aes256-ctr
|
|
- aes192-ctr
|
|
- aes128-ctr
|
|
- aes256-cbc
|
|
ssh_kex:
|
|
- diffie-hellman-group-exchange-sha256
|
|
- diffie-hellman-group-exchange-sha1
|
|
ssh_custom_options:
|
|
- "Include /etc/ssh/ssh_config.d/*"
|
|
sshd_custom_options:
|
|
- "AcceptEnv LANG"
|