Robert Kaussow
fec8f170ec
All checks were successful
continuous-integration/drone/push Build is passing
48 lines
1.3 KiB
YAML
48 lines
1.3 KiB
YAML
---
|
|
- name: Gather package facts
|
|
package_facts:
|
|
check_mode: False
|
|
when: sshd_disable_crypto_policy | bool
|
|
|
|
- block:
|
|
- name: Hardening sshd config
|
|
template:
|
|
src: etc/ssh/sshd_config.j2
|
|
dest: /etc/ssh/sshd_config
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
notify: __sshd_restart
|
|
|
|
- name: Check if /etc/ssh/moduli contains weak DH parameters
|
|
shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
|
|
register: __sshd_register_moduli
|
|
changed_when: False
|
|
check_mode: no
|
|
|
|
- name: Remove all small primes
|
|
shell:
|
|
awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
|
|
[ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
|
|
notify: __sshd_restart
|
|
when: __sshd_register_moduli.stdout
|
|
|
|
- name: Create SSH Usergroup
|
|
group:
|
|
name: "{{ item }}"
|
|
state: present
|
|
loop: "{{ sshd_allow_groups }}"
|
|
|
|
- name: Disable SSH server CRYPTO_POLICY
|
|
template:
|
|
src: etc/sysconfig/sshd.j2
|
|
dest: /etc/sysconfig/sshd
|
|
owner: root
|
|
group: root
|
|
mode: 0640
|
|
when:
|
|
- sshd_disable_crypto_policy | bool
|
|
- ('crypto-policies' in ansible_facts.packages)
|
|
become: True
|
|
become_user: root
|