Replace ssh_keys group with root, where applicable and use less permissive file mode #677

Merged
merged 6 commits into from
Jun 10, 2023
3 changes: 3 additions & 0 deletions .config/ansible-lint.yml
Expand Up @@ -12,3 +12,6 @@ exclude_paths:
mock_roles:
- geerlingguy.git
- nginxinc.nginx

skip_list:
- var-naming[no-role-prefix]
18 changes: 8 additions & 10 deletions roles/ssh_hardening/tasks/crypto_hostkeys.yml
Expand Up @@ -8,16 +8,6 @@
force: false
regenerate: partial_idempotence

# In RHEL and Fedora, the 'ssh_keys' group is the group owner of the host private SSH keys.
# Since the openssh_keypair module needs to read the key to provide idempotency, we need to set ownership and group based on specific OS vars.
- name: Change host private key ownership, group and permissions
ansible.builtin.file:
path: "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
owner: "{{ ssh_host_keys_owner }}"
group: "{{ ssh_host_keys_group }}"
mode: "0640"
when: ansible_facts.os_family == 'RedHat'

- name: Set hostkeys according to openssh-version if openssh >= 5.3
ansible.builtin.set_fact:
ssh_host_key_files:
Expand All @@ -38,3 +28,11 @@
- "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
- "{{ ssh_host_keys_dir }}/ssh_host_ed25519_key"
when: sshd_version is version('6.3', '>=')

- name: Change host private key ownership, group and permissions
ansible.builtin.file:
path: "{{ item }}"
owner: "{{ ssh_host_keys_owner }}"
group: "{{ ssh_host_keys_group }}"
mode: "{{ ssh_host_keys_mode }}"
loop: "{{ ssh_host_key_files }}"
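Review bot: The comment that explained the removed RedHat-only task (why `ssh_keys` owns the host keys there and why ownership has to be set explicitly) is dropped rather than moved, so the new loop task at the end of the file gives no rationale for the per-OS `ssh_host_keys_owner`/`ssh_host_keys_group`/`ssh_host_keys_mode` values. I'd restore it above the new task, e.g. `# Owner, group and mode come from vars/<OS>.yml: the RedHat, RedHat_7 and Amazon_2 vars keep the packaging-default 'ssh_keys' group, all other platforms use root's primary group.` The loop also assumes `ssh_host_key_files` is defined and that every listed key exists on disk: `ansible.builtin.file` with its default state fails on a missing path, so if one of the `set_fact` branches (only the `>= 6.3` one is visible in the hunk) does not apply, or a key type was never generated, the play aborts. A `when: ssh_host_key_files is defined` guard, or filtering the list through a `stat` result, would make the task tolerant; the tasks that build the list start outside this hunk.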
9 changes: 5 additions & 4 deletions roles/ssh_hardening/vars/Amazon_2.yml
@@ -1,11 +1,12 @@
---
sshd_path: /usr/sbin/sshd
ssh_host_keys_dir: '/etc/ssh'
ssh_host_keys_dir: /etc/ssh
sshd_service_name: sshd
ssh_owner: root
ssh_group: root
ssh_host_keys_owner: 'root'
ssh_host_keys_group: 'ssh_keys'
ssh_host_keys_owner: root
ssh_host_keys_group: ssh_keys
ssh_host_keys_mode: "0600"
ssh_selinux_packages:
- policycoreutils-python
- checkpolicy
Expand All @@ -16,7 +17,7 @@ ssh_kerberos_support: true
# true if SSH has PAM support
ssh_pam_support: true

sshd_moduli_file: '/etc/ssh/moduli'
sshd_moduli_file: /etc/ssh/moduli

# disable CRYPTO_POLICY to take settings from sshd configuration
# see: https://access.redhat.com/solutions/4410591
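Review bot: `ssh_host_keys_mode: "0600"` combined with `ssh_host_keys_group: ssh_keys` leaves the group ownership without any effect, since no group permission bits remain; the same combination is kept in RedHat.yml and RedHat_7.yml. As far as I know the `ssh_keys` group exists on those platforms because the distribution's ssh-keysign helper is setgid to it so it can read the host private keys for host-based authentication; with 0600 that helper loses read access, so hosts relying on HostbasedAuthentication would presumably stop working after this role runs. Either keep `"0640"` (the mode the removed task used) where the group is `ssh_keys`, or record the trade-off next to the variable, e.g. `# 0600 deliberately removes group read; ssh-keysign (setgid ssh_keys) can no longer read the host keys.`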
1 change: 1 addition & 0 deletions roles/ssh_hardening/vars/Archlinux.yml
Expand Up @@ -6,6 +6,7 @@ ssh_owner: root
ssh_group: root
ssh_host_keys_owner: root
ssh_host_keys_group: root
ssh_host_keys_mode: "0600"

# true if SSH support Kerberos
ssh_kerberos_support: true
1 change: 1 addition & 0 deletions roles/ssh_hardening/vars/Debian.yml
Expand Up @@ -6,6 +6,7 @@ ssh_owner: root
ssh_group: root
ssh_host_keys_owner: root
ssh_host_keys_group: root
ssh_host_keys_mode: "0600"
ssh_selinux_packages:
- policycoreutils-python
- checkpolicy
3 changes: 2 additions & 1 deletion roles/ssh_hardening/vars/Fedora.yml
Expand Up @@ -5,7 +5,8 @@ sshd_service_name: sshd
ssh_owner: root
ssh_group: root
ssh_host_keys_owner: root
ssh_host_keys_group: ssh_keys
ssh_host_keys_group: root
ssh_host_keys_mode: "0600"
ssh_selinux_packages:
- python3-policycoreutils
- checkpolicy
3 changes: 2 additions & 1 deletion roles/ssh_hardening/vars/FreeBSD.yml
Expand Up @@ -5,7 +5,8 @@ sshd_service_name: sshd
ssh_owner: root
ssh_group: wheel
ssh_host_keys_owner: root
ssh_host_keys_group: root
ssh_host_keys_group: wheel
ssh_host_keys_mode: "0600"

# true if SSH support Kerberos
ssh_kerberos_support: true
3 changes: 2 additions & 1 deletion roles/ssh_hardening/vars/OpenBSD.yml
Expand Up @@ -5,7 +5,8 @@ sshd_service_name: sshd
ssh_owner: root
ssh_group: wheel
ssh_host_keys_owner: root
ssh_host_keys_group: root
ssh_host_keys_group: wheel
ssh_host_keys_mode: "0600"

# true if SSH support Kerberos
ssh_kerberos_support: false
1 change: 1 addition & 0 deletions roles/ssh_hardening/vars/RedHat.yml
Expand Up @@ -6,6 +6,7 @@ ssh_owner: root
ssh_group: root
ssh_host_keys_owner: root
ssh_host_keys_group: ssh_keys
ssh_host_keys_mode: "0600"
ssh_selinux_packages:
- policycoreutils-python-utils
- checkpolicy
1 change: 1 addition & 0 deletions roles/ssh_hardening/vars/RedHat_7.yml
Expand Up @@ -6,6 +6,7 @@ ssh_owner: root
ssh_group: root
ssh_host_keys_owner: root
ssh_host_keys_group: ssh_keys
ssh_host_keys_mode: "0600"
ssh_selinux_packages:
- policycoreutils-python
- checkpolicy
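--- a/roles/ssh_hardening/vars/RedHat_9.yml
+++ b/roles/ssh_hardening/vars/RedHat_9.yml
@@ -0,0 +1,24 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: /etc/ssh
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+ssh_host_keys_owner: root
+ssh_host_keys_group: root
+ssh_host_keys_mode: "0600"
+ssh_selinux_packages:
+  - policycoreutils-python-utils
+  - checkpolicy
+
+# true if SSH support Kerberos
+ssh_kerberos_support: true
+
+# true if SSH has PAM support
+ssh_pam_support: true
+
+sshd_moduli_file: /etc/ssh/moduli
+
+# disable CRYPTO_POLICY to take settings from sshd configuration
+# see: https://access.redhat.com/solutions/4410591
+sshd_disable_crypto_policy: true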
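Review bot: The new file differs from RedHat.yml only in `ssh_host_keys_group: root`, yet nothing in it records why RHEL 9 is the exception, so the next person editing RedHat.yml cannot tell which of the two files carries the deliberate choice. I'd add a comment above that key, e.g. `# RHEL 9 no longer ships the ssh_keys group (presumably dropped with its OpenSSH packaging); host keys are root:root as on other platforms.` Whether this file is actually selected ahead of RedHat.yml depends on the vars-loading task, which is outside this diff, so it is worth confirming that the version-specific lookup picks it up.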
1 change: 1 addition & 0 deletions roles/ssh_hardening/vars/SmartOS.yml
Expand Up @@ -6,6 +6,7 @@ ssh_owner: root
ssh_group: root
ssh_host_keys_owner: root
ssh_host_keys_group: root
ssh_host_keys_mode: "0600"

# true if SSH support Kerberos
ssh_kerberos_support: true
1 change: 1 addition & 0 deletions roles/ssh_hardening/vars/Suse.yml
Expand Up @@ -6,6 +6,7 @@ ssh_owner: root
ssh_group: root
ssh_host_keys_owner: root
ssh_host_keys_group: root
ssh_host_keys_mode: "0600"

# true if SSH support Kerberos
ssh_kerberos_support: true