--- - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" when: ubtu24cis_rule_5_1_1 tags: - level1-server - level1-workstation - patch - rule_5.1.1 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - sshd block: - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: path: /etc/ssh/sshd_config owner: root group: root mode: 'u-x,go-rwx' - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured | find conf files" ansible.builtin.find: paths: /etc/ssh/sshd_config.d file_type: file patterns: '*.conf' register: discovered_sshd_confs - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: path: "{{ item.path }}" recurse: false owner: root group: root mode: 'u-x,go-rwx' loop: "{{ discovered_sshd_confs.files }}" - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured" when: ubtu24cis_rule_5_1_2 tags: - level1-server - level1-workstation - patch - rule_5.1.2 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - sshd block: - name: "5.1.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key' register: discovered_ssh_host_priv_keys - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" ansible.builtin.file: path: "{{ item.path }}" owner: root group: root mode: 'o-x,go-rwx' with_items: - "{{ discovered_ssh_host_priv_keys.files }}" loop_control: label: "{{ item.path }}" - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured" when: ubtu24cis_rule_5_1_3 tags: - level1-server - level1-workstation - patch - rule_5.1.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - sshd block: - name: "5.1.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' register: discovered_ssh_host_pub_keys - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" ansible.builtin.file: path: "{{ item.path }}" owner: root group: root mode: 'go-wx' with_items: - "{{ discovered_ssh_host_pub_keys.files }}" loop_control: label: "{{ item.path }}" - name: "5.1.4 | PATCH | Ensure sshd access is configured" when: ubtu24cis_rule_5_1_4 tags: - level1-server - level1-workstation - patch - rule_5.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - sshd block: - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed users" when: "ubtu24cis_sshd_allow_users| default('') | length > 0 " ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^(#|)\s*AllowUsers' line: 'AllowUsers {{ ubtu24cis_sshd_allow_users }}' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed groups" when: "ubtu24cis_sshd_allow_groups| default('') | length > 0" ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^(#|)\s*AllowGroups' line: 'AllowGroups {{ ubtu24cis_sshd_allow_groups }}' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny users" when: "ubtu24cis_sshd_deny_users| default('') | length > 0" ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^(#|)\s*DenyUsers' line: 'DenyUsers {{ ubtu24cis_sshd_deny_users }}' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny groups" when: "ubtu24cis_sshd_deny_groups| default('') | length > 0" ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^DenyGroups|^#DenyGroups' line: 'DenyGroups {{ ubtu24cis_sshd_deny_groups }}' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.5| PATCH | Ensure sshd Banner is configured" when: ubtu24cis_rule_5_1_5 tags: - level1-server - level1-workstation - patch - rule_5.1.5 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: ^Banner line: Banner /etc/issue.net insertafter: '^# no default banner path' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.6 | PATCH | Ensure sshd Ciphers are configured" when: ubtu24cis_rule_5_1_6 tags: - level1-server - level1-workstation - patch - rule_5.1.6 - NIST800-53R5_SC-8 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: ^Ciphers line: "Ciphers {{ ubtu24cis_sshd_ciphers | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" when: ubtu24cis_rule_5_1_7 tags: - level1-server - level1-workstation - patch - rule_5.1.7 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" line: "{{ item.line }}" validate: 'sshd -t -f %s' with_items: - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu24cis_sshd_client_alive_interval | default(ubtu24cis_sshd_default_client_alive_interval) }}' } - { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu24cis_sshd_client_alive_count_max | default(ubtu24cis_sshd_default_client_alive_count_max) }}' } notify: Restart sshd - name: "5.1.8 | PATCH | Ensure sshd DisableForwarding is enabled" when: ubtu24cis_rule_5_1_8 tags: - level2-server - level1-workstation - patch - rule_5.1.8 - NIST800-53R5_CM-7 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*DisableForwarding line: 'DisableForwarding yes' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled" when: ubtu24cis_rule_5_1_9 tags: - level2-server - level1-workstation - patch - rule_5.1.9 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*GSSAPIAuthentication line: 'GSSAPIAuthentication no' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled" when: ubtu24cis_rule_5_1_10 tags: - level1-server - level1-workstation - patch - rule_5.1.10 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*HostbasedAuthentication line: 'HostbasedAuthentication no' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" when: ubtu24cis_rule_5_1_11 tags: - level1-server - level1-workstation - patch - rule_5.1.11 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*IgnoreRhosts line: 'IgnoreRhosts yes' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used" when: ubtu24cis_rule_5_1_12 tags: - level1-server - level1-workstation - patch - rule_5.1.12 - NIST800-53R5_SC-8 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*KexAlgorithms line: "KexAlgorithms {{ ubtu24cis_sshd_kex_algorithms | default(ubtu24cis_sshd_default_kex_algorithms) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured" when: ubtu24cis_rule_5_1_13 tags: - level1-server - level1-workstation - patch - rule_5.1.13 - NIST800-53R5_CM-6 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*LoginGraceTime line: 'LoginGraceTime {{ ubtu24cis_sshd_login_grace_time | default(ubtu24cis_sshd_default_login_grace_time) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured" when: ubtu24cis_rule_5_1_14 tags: - level1-server - level1-workstation - patch - rule_5.1.14 - NIST800-53R5_AU-2 - NIST800-53R5_AU-12 - NIST800-53R5_SI-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*LogLevel line: 'LogLevel {{ ubtu24cis_sshd_log_level | default(ubtu24cis_sshd_default_log_level) }}' insertafter: '^# Logging' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used" when: ubtu24cis_rule_5_1_15 tags: - level1-server - level1-workstation - patch - rule_5.1.15 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*MACs line: "MACs {{ ubtu24cis_sshd_macs | default(ubtu24cis_sshd_default_macs) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" when: ubtu24cis_rule_5_1_16 tags: - level1-server - level1-workstation - patch - rule_5.1.16 - NIST800-53R5_AU-3 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*MaxAuthTries line: 'MaxAuthTries {{ ubtu24cis_sshd_max_auth_tries | default(ubtu24cis_sshd_default_max_auth_tries) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.17 | PATCH | Ensure sshd MaxSessions is configured" when: ubtu24cis_rule_5_1_17 tags: - level1-server - level1-workstation - patch - rule_5.1.17 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*MaxSessions line: 'MaxSessions {{ ubtu24cis_sshd_max_sessions | default(ubtu24cis_sshd_default_max_sessions) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured" when: ubtu24cis_rule_5_1_18 tags: - level1-server - level1-workstation - patch - rule_5.1.18 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*MaxStartups line: 'MaxStartups 10:30:60' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" when: ubtu24cis_rule_5_1_19 tags: - level1-server - level1-workstation - patch - rule_5.1.19 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*PermitEmptyPasswords line: 'PermitEmptyPasswords no' insertafter: '# To disable tunneled clear text passwords' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled" when: ubtu24cis_rule_5_1_20 tags: - level1-server - level1-workstation - patch - rule_5.1.20 - NIST800-53R5_AC-6 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*PermitRootLogin line: 'PermitRootLogin no' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled" when: ubtu24cis_rule_5_1_21 tags: - level1-server - level1-workstation - patch - rule_5.1.21 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*PermitUserEnvironment line: 'PermitUserEnvironment no' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled" when: ubtu24cis_rule_5_1_22 tags: - level1-server - level1-workstation - patch - rule_5.1.22 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - sshd - pam ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*UsePAM line: 'UsePAM yes' insertafter: '^# and ChallengeResponseAuthentication' validate: 'sshd -t -f %s' notify: Restart sshd