|
76 | 76 | # |
77 | 77 | # Restrict cron permissions. All jobs are owned by root so there's no |
78 | 78 | # reason to allow others any level of access. This is also necessary to |
79 | | -# satisfy external auditing of CIS security benchmarks. |
| 79 | +# satisfy external auditing of CIS security benchmarks. Also ensuring |
| 80 | +# the permissions on /etc/ssh/sshd_config are configured. |
80 | 81 | # |
81 | 82 | - file: |
82 | | - path: /etc/crontab |
| 83 | + path: "{{ item }}" |
83 | 84 | state: file |
84 | 85 | mode: 0600 |
| 86 | + with_items: |
| 87 | + - /etc/crontab |
| 88 | + - /etc/ssh/sshd_config |
85 | 89 |
|
86 | 90 | - file: |
87 | 91 | path: "{{ item }}" |
|
228 | 232 | - 'delphix' |
229 | 233 | - 'root' |
230 | 234 |
|
231 | | -- lineinfile: |
232 | | - path: /etc/ssh/sshd_config |
233 | | - regexp: "^#?{{ item.key }} " |
234 | | - line: "{{ item.key }} {{ item.value }}" |
235 | | - with_items: |
236 | | - # |
237 | | - # Configure SSH to allow PAM "conversations" (interactions with the user). |
238 | | - # |
239 | | - - { key: "ChallengeResponseAuthentication", value: "yes" } |
240 | | - # |
241 | | - # Harden the appliance by disabling ssh-agent(1), tcp, UNIX domain, and |
242 | | - # X11 forwarding. Note that this doesn't improve security unless users are |
243 | | - # also denied shell access. |
244 | | - # |
245 | | - - { key: "AllowAgentForwarding", value: "no" } |
246 | | - - { key: "AllowStreamLocalForwarding", value: "no" } |
247 | | - - { key: "AllowTcpForwarding", value: "no" } |
248 | | - - { key: "X11Forwarding", value: "no" } |
249 | | - - { key: "HostKeyAlgorithms", value: "-ssh-rsa*" } |
250 | | - notify: "sshd config changed" |
251 | | - |
252 | 235 | # |
253 | | -# The CRA project mandated a 30 minute timeout for any idle connections. |
254 | | -# By enabling an inactivity timeout we ensure that idle connections are |
255 | | -# closed. Thus any sessions that are accidentally left opened at a |
256 | | -# customer site will timeout preventing customers from gaining access to |
257 | | -# our engine. |
| 236 | +# The 'ClientAliveInterval' setting determines the amount of time |
| 237 | +# (in seconds) the sshd server will wait to receive data from the |
| 238 | +# client before sending a request for response. |
258 | 239 | # |
259 | 240 | - set_fact: |
260 | | - ssh_client_alive_interval: "1800" |
| 241 | + ssh_client_alive_interval: "300" |
| 242 | + ssh_client_alive_count_max: "3" |
261 | 243 |
|
262 | 244 | # |
263 | 245 | # With that said (see comment above), the Azure marketplace does not |
|
266 | 248 | # |
267 | 249 | - set_fact: |
268 | 250 | ssh_client_alive_interval: "180" |
269 | | - when: platform == "azure" |
| 251 | + ssh_client_alive_count_max: "0" |
| 252 | + when: |
| 253 | + - platform == "azure" |
270 | 254 |
|
271 | 255 | - lineinfile: |
272 | 256 | path: /etc/ssh/sshd_config |
273 | 257 | regexp: "^#?{{ item.key }} " |
274 | 258 | line: "{{ item.key }} {{ item.value }}" |
275 | 259 | with_items: |
276 | | - - { key: "ClientAliveInterval", value: "{{ ssh_client_alive_interval }}" } |
277 | | - - { key: "ClientAliveCountMax", value: "0" } |
278 | | - when: |
279 | 260 | # |
280 | | - # For developer convenience, we only enable the CRA mandated timeout |
281 | | - # for external variants. The idle timeout can be a burden when we |
282 | | - # need to run long running processes over SSH on our internal |
283 | | - # systems (e.g. for development, testing, etc). |
| 261 | + # Configure SSH to allow PAM "conversations" (interactions with the user). |
284 | 262 | # |
285 | | - - variant is regex("external-.*") |
| 263 | + - { key: "ChallengeResponseAuthentication", value: "yes" } |
| 264 | + # |
| 265 | + # Harden the appliance by disabling ssh-agent(1), tcp, UNIX domain, and |
| 266 | + # X11 forwarding. Note that this doesn't improve security unless users are |
| 267 | + # also denied shell access. |
| 268 | + # |
| 269 | + - { key: "AllowAgentForwarding", value: "no" } |
| 270 | + - { key: "AllowStreamLocalForwarding", value: "no" } |
| 271 | + - { key: "AllowTcpForwarding", value: "no" } |
| 272 | + - { key: "Ciphers", value: "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com" } |
| 273 | + - { key: "ClientAliveCountMax", value: "{{ ssh_client_alive_count_max }}" } |
| 274 | + - { key: "ClientAliveInterval", value: "{{ ssh_client_alive_interval }}" } |
| 275 | + - { key: "HostKeyAlgorithms", value: "-ssh-rsa*" } |
| 276 | + - { key: "KexAlgorithms", value: "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"} |
| 277 | + - { key: "LoginGraceTime", value: "60"} |
| 278 | + - { key: "MACs", value: "umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512"} |
| 279 | + - { key: "MaxAuthTries", value: "4" } |
| 280 | + - { key: "MaxStartups", value: "10:30:60"} |
| 281 | + - { key: "PermitRootLogin", value: "no" } |
| 282 | + - { key: "X11Forwarding", value: "no" } |
| 283 | + notify: "sshd config changed" |
286 | 284 |
|
287 | 285 | - blockinfile: |
288 | 286 | path: /etc/profile |
|
338 | 336 | regexp: '^#?[\s]*(auth[\s]+required[\s]+pam_wheel\.so.*)$' |
339 | 337 | replace: '\1' |
340 | 338 |
|
341 | | -# |
342 | | -# Prevent sshd from offering weak message authentication codes to clients. |
343 | | -# |
344 | | -# The "MACs" configuration parameter in sshd_config takes a list of algorithms |
345 | | -# as its parameter. This list may be prefixed by a '+' or '-' operator |
346 | | -# (indicating that the given list should be appended to or removed from the |
347 | | -# existing MAC set, respectively), or neither operator (indicating that the |
348 | | -# given list should replace the existing MAC set). If there already exists a |
349 | | -# "MACs -..." line, we can append to this list. If otherwise, we need to add |
350 | | -# this as a separate line in the configuration. |
351 | | -# |
352 | | -- shell: grep -c -E "^MACs(\s+)-" /etc/ssh/sshd_config || true |
353 | | - register: grep_sshd_config_macs_to_remove |
354 | | - |
355 | | -- shell: grep -c -E "^MACs(\s+)-(.*)hmac-sha1\*,umac-64\*" /etc/ssh/sshd_config || true |
356 | | - register: grep_sshd_config_macs_already_removed |
357 | | - |
358 | | -- lineinfile: |
359 | | - path: /etc/ssh/sshd_config |
360 | | - backrefs: yes |
361 | | - regexp: '^MACs[\s]+-(.*)$' |
362 | | - line: 'MACs -\1,hmac-sha1*,umac-64*' |
363 | | - notify: "sshd config changed" |
364 | | - when: grep_sshd_config_macs_to_remove.stdout != "0" and grep_sshd_config_macs_already_removed == "0" |
365 | | - |
366 | | -- lineinfile: |
367 | | - path: /etc/ssh/sshd_config |
368 | | - insertafter: EOF |
369 | | - line: "MACs -hmac-sha1*,umac-64*" |
370 | | - notify: "sshd config changed" |
371 | | - when: grep_sshd_config_macs_to_remove.stdout == "0" |
372 | | - |
373 | 339 | # |
374 | 340 | # Enable SNMP client tools to load MIBs by default. |
375 | 341 | # |
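Review bot: The azure override sets `ssh_client_alive_count_max: "0"`, but on OpenSSH 8.2 and later `ClientAliveCountMax 0` disables connection termination entirely rather than dropping the session after the first unanswered probe, so whether that branch enforces any timeout at all depends on the sshd version on the target; if the intent is a cutoff one `ClientAliveInterval` after the client stops answering, `ssh_client_alive_count_max: "1"` expresses that consistently across versions. The new comment above the first `set_fact` describes only `ClientAliveInterval`; it should also state that sshd drops the session only after `ClientAliveCountMax` consecutive unanswered probes, which a connected ssh client answers regardless of user activity, so `300`/`3` detects a dead peer but does not close an idle interactive session the way the removed 30-minute comment said the old setting was meant to. If that idle-timeout requirement still applies, the values need revisiting or the comment should say why it no longer does. On the azure task I would add `# ClientAliveCountMax 0 disables termination on OpenSSH >= 8.2 — confirm the target's sshd version` so the next reader does not assume it means "disconnect immediately".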
|