487 lines
14 KiB
YAML
487 lines
14 KiB
YAML
---
|
|
|
|
- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
|
|
when: ubtu24cis_rule_5_1_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.1
|
|
- NIST800-53R5_AC-3
|
|
- NIST800-53R5_MP-2
|
|
- sshd
|
|
block:
|
|
- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
|
|
ansible.builtin.file:
|
|
path: /etc/ssh/sshd_config
|
|
owner: root
|
|
group: root
|
|
mode: 'u-x,go-rwx'
|
|
|
|
- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured | find conf files"
|
|
ansible.builtin.find:
|
|
paths: /etc/ssh/sshd_config.d
|
|
file_type: file
|
|
patterns: '*.conf'
|
|
register: discovered_sshd_confs
|
|
|
|
- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
|
|
ansible.builtin.file:
|
|
path: "{{ item.path }}"
|
|
recurse: false
|
|
owner: root
|
|
group: root
|
|
mode: 'u-x,go-rwx'
|
|
loop: "{{ discovered_sshd_confs.files }}"
|
|
|
|
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured"
|
|
when: ubtu24cis_rule_5_1_2
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.2
|
|
- NIST800-53R5_AC-3
|
|
- NIST800-53R5_MP-2
|
|
- sshd
|
|
block:
|
|
- name: "5.1.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys"
|
|
ansible.builtin.find:
|
|
paths: /etc/ssh
|
|
patterns: 'ssh_host_*_key'
|
|
register: discovered_ssh_host_priv_keys
|
|
|
|
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions"
|
|
ansible.builtin.file:
|
|
path: "{{ item.path }}"
|
|
owner: root
|
|
group: root
|
|
mode: 'o-x,go-rwx'
|
|
with_items:
|
|
- "{{ discovered_ssh_host_priv_keys.files }}"
|
|
loop_control:
|
|
label: "{{ item.path }}"
|
|
|
|
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured"
|
|
when: ubtu24cis_rule_5_1_3
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.3
|
|
- NIST800-53R5_AC-3
|
|
- NIST800-53R5_MP-2
|
|
- sshd
|
|
block:
|
|
- name: "5.1.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys"
|
|
ansible.builtin.find:
|
|
paths: /etc/ssh
|
|
patterns: 'ssh_host_*_key.pub'
|
|
register: discovered_ssh_host_pub_keys
|
|
|
|
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions"
|
|
ansible.builtin.file:
|
|
path: "{{ item.path }}"
|
|
owner: root
|
|
group: root
|
|
mode: 'go-wx'
|
|
with_items:
|
|
- "{{ discovered_ssh_host_pub_keys.files }}"
|
|
loop_control:
|
|
label: "{{ item.path }}"
|
|
|
|
- name: "5.1.4 | PATCH | Ensure sshd access is configured"
|
|
when: ubtu24cis_rule_5_1_4
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.4
|
|
- NIST800-53R5_AC-3
|
|
- NIST800-53R5_MP-2
|
|
- sshd
|
|
block:
|
|
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed users"
|
|
when: "ubtu24cis_sshd_allow_users| default('') | length > 0 "
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '(?i)^(#|)\s*AllowUsers'
|
|
line: 'AllowUsers {{ ubtu24cis_sshd_allow_users }}'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed groups"
|
|
when: "ubtu24cis_sshd_allow_groups| default('') | length > 0"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '(?i)^(#|)\s*AllowGroups'
|
|
line: 'AllowGroups {{ ubtu24cis_sshd_allow_groups }}'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny users"
|
|
when: "ubtu24cis_sshd_deny_users| default('') | length > 0"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '(?i)^(#|)\s*DenyUsers'
|
|
line: 'DenyUsers {{ ubtu24cis_sshd_deny_users }}'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny groups"
|
|
when: "ubtu24cis_sshd_deny_groups| default('') | length > 0"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: '^DenyGroups|^#DenyGroups'
|
|
line: 'DenyGroups {{ ubtu24cis_sshd_deny_groups }}'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.5| PATCH | Ensure sshd Banner is configured"
|
|
when: ubtu24cis_rule_5_1_5
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.5
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: ^Banner
|
|
line: Banner /etc/issue.net
|
|
insertafter: '^# no default banner path'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.6 | PATCH | Ensure sshd Ciphers are configured"
|
|
when: ubtu24cis_rule_5_1_6
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.6
|
|
- NIST800-53R5_SC-8
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: ^Ciphers
|
|
line: "Ciphers {{ ubtu24cis_sshd_ciphers | join(',') }}"
|
|
insertafter: '^# Ciphers and keying'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured"
|
|
when: ubtu24cis_rule_5_1_7
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.7
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: "{{ item.regexp }}"
|
|
line: "{{ item.line }}"
|
|
validate: 'sshd -t -f %s'
|
|
with_items:
|
|
- { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu24cis_sshd_client_alive_interval | default(ubtu24cis_sshd_default_client_alive_interval) }}' }
|
|
- { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu24cis_sshd_client_alive_count_max | default(ubtu24cis_sshd_default_client_alive_count_max) }}' }
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.8 | PATCH | Ensure sshd DisableForwarding is enabled"
|
|
when: ubtu24cis_rule_5_1_8
|
|
tags:
|
|
- level2-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.8
|
|
- NIST800-53R5_CM-7
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*DisableForwarding
|
|
line: 'DisableForwarding yes'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled"
|
|
when: ubtu24cis_rule_5_1_9
|
|
tags:
|
|
- level2-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.9
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*GSSAPIAuthentication
|
|
line: 'GSSAPIAuthentication no'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
|
|
when: ubtu24cis_rule_5_1_10
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.10
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*HostbasedAuthentication
|
|
line: 'HostbasedAuthentication no'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
|
|
when: ubtu24cis_rule_5_1_11
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.11
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*IgnoreRhosts
|
|
line: 'IgnoreRhosts yes'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used"
|
|
when: ubtu24cis_rule_5_1_12
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.12
|
|
- NIST800-53R5_SC-8
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*KexAlgorithms
|
|
line: "KexAlgorithms {{ ubtu24cis_sshd_kex_algorithms | default(ubtu24cis_sshd_default_kex_algorithms) | join(',') }}"
|
|
insertafter: '^# Ciphers and keying'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured"
|
|
when: ubtu24cis_rule_5_1_13
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.13
|
|
- NIST800-53R5_CM-6
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*LoginGraceTime
|
|
line: 'LoginGraceTime {{ ubtu24cis_sshd_login_grace_time | default(ubtu24cis_sshd_default_login_grace_time) }}'
|
|
insertafter: '^# Authentication'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured"
|
|
when: ubtu24cis_rule_5_1_14
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.14
|
|
- NIST800-53R5_AU-2
|
|
- NIST800-53R5_AU-12
|
|
- NIST800-53R5_SI-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*LogLevel
|
|
line: 'LogLevel {{ ubtu24cis_sshd_log_level | default(ubtu24cis_sshd_default_log_level) }}'
|
|
insertafter: '^# Logging'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used"
|
|
when: ubtu24cis_rule_5_1_15
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.15
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*MACs
|
|
line: "MACs {{ ubtu24cis_sshd_macs | default(ubtu24cis_sshd_default_macs) | join(',') }}"
|
|
insertafter: '^# Ciphers and keying'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
|
|
when: ubtu24cis_rule_5_1_16
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.16
|
|
- NIST800-53R5_AU-3
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*MaxAuthTries
|
|
line: 'MaxAuthTries {{ ubtu24cis_sshd_max_auth_tries | default(ubtu24cis_sshd_default_max_auth_tries) }}'
|
|
insertafter: '^# Authentication'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.17 | PATCH | Ensure sshd MaxSessions is configured"
|
|
when: ubtu24cis_rule_5_1_17
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.17
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*MaxSessions
|
|
line: 'MaxSessions {{ ubtu24cis_sshd_max_sessions | default(ubtu24cis_sshd_default_max_sessions) }}'
|
|
insertafter: '^# Authentication'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured"
|
|
when: ubtu24cis_rule_5_1_18
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.18
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*MaxStartups
|
|
line: 'MaxStartups 10:30:60'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
|
|
when: ubtu24cis_rule_5_1_19
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.19
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*PermitEmptyPasswords
|
|
line: 'PermitEmptyPasswords no'
|
|
insertafter: '# To disable tunneled clear text passwords'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
|
|
when: ubtu24cis_rule_5_1_20
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.20
|
|
- NIST800-53R5_AC-6
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*PermitRootLogin
|
|
line: 'PermitRootLogin no'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
|
|
when: ubtu24cis_rule_5_1_21
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.21
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*PermitUserEnvironment
|
|
line: 'PermitUserEnvironment no'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|
|
|
|
- name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled"
|
|
when: ubtu24cis_rule_5_1_22
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.1.22
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
- sshd
|
|
- pam
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
regexp: (?i)^(#|)\s*UsePAM
|
|
line: 'UsePAM yes'
|
|
insertafter: '^# and ChallengeResponseAuthentication'
|
|
validate: 'sshd -t -f %s'
|
|
notify: Restart sshd
|