https://ansible.readthedocs.io/projects/lint/rules/yaml/
bbaassssiiee committed Jul 12, 2024
1 parent b7521ef commit 9aef4b6
Showing 7 changed files with 33 additions and 34 deletions.
6 changes: 6 additions & 0 deletions .yamllint
@@ -9,6 +9,9 @@ rules:
brackets:
max-spaces-inside: 1
level: error
comments:
min-spaces-from-content: 1
comments-indentation: false
indentation:
indent-sequences: consistent
spaces: 2
@@ -20,6 +23,9 @@ rules:
new-line-at-end-of-file: enable
new-lines:
type: unix
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
12 changes: 5 additions & 7 deletions tasks/Debian11.yml
@@ -7,17 +7,15 @@
line: "{{ item.line }}"
state: present
create: true
mode: 0640
mode: '0640'
loop:
- regexp: '^(#)?Ciphers'
line: "Ciphers {{ Ciphers }}"
line: "Ciphers {{ ciphers }}"
- regexp: '^(#)?HostKeyAlgorithms'
line: "HostKeyAlgorithms {{ HostKeyAlgorithms }}"
line: "HostKeyAlgorithms {{ host_key_algorithms }}"
- regexp: '^(#)?KexAlgorithms'
line: "KexAlgorithms {{ KexAlgorithms }}"
line: "KexAlgorithms {{ kex_algorithms }}"
- regexp: '^(#)?MACs'
line: "MACs {{ MACs }}"
# - regexp: '^(#)?PubkeyAcceptedKeyTypes'
# line: "PubkeyAcceptedKeyTypes {{ PubkeyAcceptedKeyTypes }}"
line: "MACs {{ macs }}"
notify: Restart sshd
...
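Review bot: A typo in any of the looped cipher/KEX/MAC values reaches a live sshd through `notify: Restart sshd` with nothing checking the file first, and an unparseable `Ciphers` or `KexAlgorithms` list means sshd refuses to start and the host is locked out; add `validate: '/usr/sbin/sshd -t -f %s'` to the lineinfile args next to `create: true` so a rejected file never reaches the handler. The module name and `path:` for this task start before the hunk, so I am assuming the target is sshd_config or a drop-in it includes. Note also that the parallel task in tasks/sshd_crypto.yml writes the same four keywords with `mode: '0600'` and bare `^Ciphers` regexps while this one uses `'0640'` and `^(#)?Ciphers`; if the difference is not deliberate, pick one so both distributions get the same permissions and handle commented-out defaults the same way.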
8 changes: 4 additions & 4 deletions tasks/crypto_policy.yml
@@ -19,7 +19,7 @@
dest: /usr/share/crypto-policies/policies/
owner: root
group: root
mode: 0644
mode: '0644'

- name: "Ensure crypto-policy {{ crypto_policy }}"
when: current_policy.stdout != crypto_policy
@@ -36,13 +36,13 @@
ansible.builtin.copy:
dest: /etc/profile.d/cc-ssh-strong-rng.sh
content: "export SSH_USE_STRONG_RNG=32\n"
mode: 0644
mode: '0644'

- name: SSH client uses strong entropy to seed (for CSH like shells)
ansible.builtin.copy:
dest: /etc/profile.d/cc-ssh-strong-rng.csh
content: "setenv SSH_USE_STRONG_RNG 32\n"
mode: 0644
mode: '0644'

- name: Remove RekeyLimit from ssh_config
ansible.builtin.lineinfile:
@@ -57,6 +57,6 @@
regexp: '^(#)?RekeyLimit'
line: 'RekeyLimit 1G 1h'
state: present
mode: 0644
mode: '0644'

...
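Review bot: The copy at the top of the section writes into `/usr/share/crypto-policies/policies/`, a directory owned by the crypto-policies package, so a package update can overwrite or remove the file and silently drop the policy the role then selects with update-crypto-policies; update-crypto-policies(8) also searches `/etc/crypto-policies/policies/` for custom policies and that is the documented place for local additions, so I would change it to `dest: /etc/crypto-policies/policies/`. The module and `src:` for that task begin before the hunk, so this assumes it installs a custom `.pol` file rather than patching a stock one. Separately, `SSH_USE_STRONG_RNG` is, as far as I know, a Red Hat-specific OpenSSH patch rather than an upstream option, so the two profile.d tasks deserve a comment such as `# SSH_USE_STRONG_RNG is honored only by RHEL/Fedora OpenSSH builds; ignored elsewhere` stating which release it was verified against.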
12 changes: 6 additions & 6 deletions tasks/main.yml
@@ -26,7 +26,7 @@
ansible.builtin.file:
path: /run/sshd
state: directory
mode: 0750
mode: '0750'

- name: "Fedora crypto-policy {{ crypto_policy }}"
when: ansible_distribution == 'Fedora'
@@ -94,13 +94,13 @@
ansible.builtin.copy:
src: issue
dest: /etc/issue
mode: 0644
mode: '0644'

- name: Create login banner
ansible.builtin.copy:
src: issue
dest: /etc/issue.net
mode: 0644
mode: '0644'

- name: Manage ed25519 host key
when: crypto_policy == 'STRICT'
@@ -123,14 +123,14 @@
- name: Set host key permissions
ansible.builtin.file:
path: /etc/ssh/ssh_host_ed25519_key
mode: 0600
mode: '0600'

- name: Configure ed25519 host key
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^HostKey /etc/ssh/ssh_host_ed25519_key'
line: 'HostKey /etc/ssh/ssh_host_ed25519_key'
mode: 0600
mode: '0600'
state: present
notify: Restart sshd

@@ -146,7 +146,7 @@
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^HostKey /etc/ssh/ssh_host_ed25519_key'
mode: 0600
mode: '0600'
state: absent
notify: Restart sshd
when: crypto_policy in ['FIPS', 'FIPS:OSPP']

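Review bot: The `Configure ed25519 host key` lineinfile appends its `HostKey` line at end of file when no match exists, and on an sshd_config that ends with a `Match` block (Debian's stock file ends with a commented example and hardening overlays commonly add real ones) the directive lands inside the Match scope, where HostKey is not permitted, so the `Restart sshd` handler fails and the box is locked out. Add `insertbefore: '^Match'` with `firstmatch: true` so the line is placed ahead of the first Match block (lineinfile still appends at EOF when no Match line exists), and put `validate: '/usr/sbin/sshd -t -f %s'` on both this task and the `state: absent` one at the bottom of the section, whose name starts before its hunk. The `mode: '0600'` on those two lineinfile tasks also tightens sshd_config from its usual 0644 as a side effect; if that is intended, a one-line comment saying so would stop the next reader from "fixing" it back.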
12 changes: 5 additions & 7 deletions tasks/sshd_crypto.yml
@@ -7,17 +7,15 @@
line: "{{ item.line }}"
state: present
create: true
mode: 0600
mode: '0600'
loop:
- regexp: '^Ciphers'
line: "Ciphers {{ Ciphers }}"
line: "Ciphers {{ ciphers }}"
- regexp: '^HostKeyAlgorithms'
line: "HostKeyAlgorithms {{ HostKeyAlgorithms }}"
line: "HostKeyAlgorithms {{ host_key_algorithms }}"
- regexp: '^KexAlgorithms'
line: "KexAlgorithms {{ KexAlgorithms }}"
line: "KexAlgorithms {{ kex_algorithms }}"
- regexp: '^MACs'
line: "MACs {{ MACs }}"
# - regexp: '^(#)?PubkeyAcceptedKeyTypes'
# line: "PubkeyAcceptedKeyTypes {{ PubkeyAcceptedKeyTypes }}"
line: "MACs {{ macs }}"
notify: Restart sshd
...
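Review bot: sshd keeps the first value it obtains for each keyword, so if the `path:` set before this hunk is `/etc/ssh/sshd_config` on a release whose stock file starts with `Include /etc/ssh/sshd_config.d/*.conf` (RHEL 9 / Fedora ship a `50-redhat.conf` drop-in there that includes the crypto-policy back-end, which already sets Ciphers, MACs and KexAlgorithms), a line this task appends further down is silently ignored and the system policy, not these lists, is what is enforced. Either write the four lines to a drop-in that sorts first, e.g. `/etc/ssh/sshd_config.d/00-crypto.conf`, or if the main file is intended add a check task that registers `ansible.builtin.command: sshd -T` and asserts `ciphers {{ ciphers }}` appears in its output, so the role fails loudly instead of reporting a hardened host that is not. The bare `^Ciphers` regexps here also differ from the `^(#)?Ciphers` form used for the same keywords in tasks/Debian11.yml, so a commented `#Ciphers` default line is left in place on this path; harmless, but worth aligning.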
6 changes: 3 additions & 3 deletions tasks/strict_config.yml
@@ -7,10 +7,10 @@
ansible.builtin.lineinfile:
path: /etc/sysconfig/sshd
regex: '^CRYPTO_POLICY'
line: "CRYPTO_POLICY='-oCiphers={{ Ciphers }} -oMACs={{ MACs }} -oKexAlgorithms={{ KexAlgorithms }} -oHostKeyAlgorithms={{ HostKeyAlgorithms }}'"
line: "CRYPTO_POLICY='-oCiphers={{ ciphers }} -oMACs={{ macs }} -oKexAlgorithms={{ kex_algorithms }} -oHostKeyAlgorithms={{ host_key_algorithms }}'"
state: present
create: true
mode: 0640
mode: '0640'
notify: Restart sshd

- name: Install rgn-tools for entropy, if available
@@ -27,7 +27,7 @@
regexp: '^SSH_USE_STRONG_RNG'
line: 'SSH_USE_STRONG_RNG=32'
state: present
mode: 0640
mode: '0640'
when: entropy.changed | bool # noqa no-handler
notify: Start RNG Entropy Gatherer
...
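Review bot: The `when: entropy.changed | bool` on the `SSH_USE_STRONG_RNG` task makes the line a first-run-only side effect: it is written only on the run in which the package task reports a change, so on hosts where the package was already installed, or on any later run after the line has been edited away, the setting is never enforced, and the `# noqa no-handler` only silences the lint rule that was pointing at exactly this. Condition on the package being present instead, e.g. gather `ansible.builtin.package_facts` and use `when: "'rng-tools' in ansible_facts.packages"`, and let the handler notification follow this task's own changed state. The task's name and `path:` begin before the hunk, so the package name is inferred from the `Install rgn-tools for entropy` task above it, whose name looks like a typo for `rng-tools` and is worth fixing while here.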
11 changes: 4 additions & 7 deletions vars/main.yml
@@ -14,14 +14,11 @@ weak_host_keys:

# https://www.ssh-audit.com/hardening_guides.html

Ciphers: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
ciphers: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

HostKeyAlgorithms: [email protected],ssh-ed25519,rsa-sha2-256,rsa-sha2-512
host_key_algorithms: [email protected],ssh-ed25519,rsa-sha2-256,rsa-sha2-512
# This is a compatible subset
KexAlgorithms: curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
kex_algorithms: curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256

MACs: [email protected],[email protected],[email protected]

# Not enforced!
PubkeyAcceptedKeyTypes: ssh-ed25519,[email protected],rsa-sha2-256,rsa-sha2-512
macs: [email protected],[email protected],[email protected]
...
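Review bot: `kex_algorithms` keeps `diffie-hellman-group-exchange-sha256`, which lets the client choose any group from `/etc/ssh/moduli`; unless the role prunes that file elsewhere (not visible here), stock moduli files still contain 2048-bit groups, which ssh-audit, the guide cited above these lists, flags as too small and is why its guide pairs this method with `awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe && mv /etc/ssh/moduli.safe /etc/ssh/moduli`. Either add that pruning task or drop `diffie-hellman-group-exchange-sha256` (and `diffie-hellman-group14-sha256`, likewise 2048-bit) from the list, and expand `# This is a compatible subset` to say which clients the group14/gex entries are kept for, so the next person does not tighten it blindly. Since these live in `vars/` they carry role-vars precedence, so the rename only affects callers overriding with `-e Ciphers=...`; a line in the README noting the new names would avoid such overrides silently no longer applying.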
