fix(cis): remove deprecated sshd options and update hardening values

2026-02-20 20:17:52 +01:00
parent a2993212ca
commit 524356cf8d
6 changed files with 9 additions and 4 deletions


@@ -5,6 +5,7 @@
regexp: "^(\\s*)umask\\s+\\d+"
line: "umask 027"
# Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
- name: Prevent Login to Accounts With Empty Password
ansible.builtin.replace:
dest: "{{ item }}"


@@ -9,4 +9,4 @@
ansible.builtin.command: >
{{ chroot_command }} systemctl mask {{ 'nftables' if system_cfg.features.firewall.toolkit == 'iptables' else 'iptables' }} bluetooth rpcbind
register: cis_mask_services_result
changed_when: cis_mask_services_result.rc == 0
changed_when: "'Created symlink' in cis_mask_services_result.stderr"
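Review bot: The `systemctl mask` line masks `rpcbind` but not `rpcbind.socket`; where rpcbind is socket-activated (the usual systemd packaging) the socket unit stays enabled and listening even though the service unit is masked, and the CIS remediation for this item masks both, so I would change the unit list to `... bluetooth rpcbind.service rpcbind.socket`. The new `changed_when` keyed on `'Created symlink'` in stderr is a sound idempotency signal, since systemctl emits that message to stderr only when it actually creates a mask link, so a rerun against already-masked units will correctly report ok instead of changed. The task's `name` and header are above the hunk.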


@@ -10,6 +10,7 @@
install hfs /bin/false
install hfsplus /bin/false
install cramfs /bin/false
# Note: disabling squashfs breaks snap (Ubuntu). Remove for snap-dependent hosts.
install squashfs /bin/false
install udf /bin/false
install usb-storage /bin/false
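Review bot: Each `install <module> /bin/false` line stops modprobe from loading the module on request, but the CIS remediation for these items pairs it with a `blacklist <module>` line so the module is also not pulled in through an alias, and neither directive unloads a module that is already resident — a host where e.g. `usb-storage` or `squashfs` is currently loaded stays that way until `modprobe -r` or a reboot. I would add a `blacklist` line for each of the seven modules and have the play unload (or at least report) any of them that is loaded at run time. The new squashfs comment is useful; the same kind of operational caveat applies to `usb-storage` on hosts that legitimately use removable media, so a matching comment there would keep the file consistent. The start of this config block is above the hunk.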


@@ -11,7 +11,7 @@
- { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
- { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
- { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077 }
- { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=3000 }
- { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=900 }
- { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
- { path: /mnt/etc/sudoers, content: Defaults logfile="/var/log/sudo.log" }
- { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
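Review bot: The new `export TMOUT=900` meets the CIS 900-second ceiling, but because the variable is not made read-only a user can run `unset TMOUT` or `TMOUT=0` in their shell and defeat the timeout; the CIS remediation writes it as `readonly TMOUT=900 ; export TMOUT`. Placing it in `bashrc`/`bash.bashrc` also only reaches interactive bash sessions — users with another login shell get no timeout — so a `/etc/profile.d/tmout.sh` drop-in, sourced by sh-compatible login shells, would be the more complete location. Separately, the `umask 077` on the line above is stricter than the `umask 027` set in another file of this change; both satisfy CIS, but the two values should probably be made deliberately consistent or the difference commented. The task that consumes this list begins above the hunk.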


@@ -21,7 +21,7 @@
- { option: GSSAPIAuthentication, value: "no" }
- { option: AllowAgentForwarding, value: "no" }
- { option: AllowTcpForwarding, value: "no" }
- { option: ChallengeResponseAuthentication, value: "no" }
- { option: KbdInteractiveAuthentication, value: "no" }
- { option: GatewayPorts, value: "no" }
- { option: X11Forwarding, value: "no" }
- { option: PermitUserEnvironment, value: "no" }
@@ -36,7 +36,6 @@
marker: "# {mark} CIS SSH HARDENING"
block: |-
## CIS Specific
Protocol 2
### Ciphers and keying ###
RekeyLimit 512M 6h
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
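Review bot: `mlkem768x25519-sha256` in the `KexAlgorithms` line is only recognised by OpenSSH 9.9 and later; on an older target sshd (the RHEL/Debian releases this role appears to target ship 8.x/9.x, if I read the `is_rhel`/`fedora` switches correctly) an unknown algorithm name invalidates the whole directive, `sshd -t` fails and the daemon does not start — which, since this writes under `/mnt` via `chroot_command`, presumably means a built image that cannot be reached over SSH. I would gate that entry on the target's OpenSSH version (template it behind a fact), fall back to `sntrup761x25519-sha512@openssh.com` (sshd >= 8.5) where ML-KEM is unavailable, and in any case add a `{{ chroot_command }} sshd -t` check after the block is written so a bad config fails the build rather than the first boot. The blockinfile task this block belongs to starts above the hunk.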


@@ -5,9 +5,12 @@
mode: "0644"
content: |
## CIS Sysctl configurations
fs.suid_dumpable=0
kernel.dmesg_restrict=1
kernel.yama.ptrace_scope=1
kernel.randomize_va_space=2
# Network
# Disable forwarding; override in inventory for routers/containers
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -24,6 +27,7 @@
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
# Disable IPv6; override in inventory if IPv6 is needed
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.disable_ipv6=1
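Review bot: The two new comments say the values can be overridden from inventory, but the keys below them are literals inside `content: |`, so nothing in this task consults inventory — an operator following the comment will find no variable to set. If override is the intent, template them: `net.ipv4.ip_forward={{ cis_sysctl_ip_forward | default(0) }}` and `net.ipv6.conf.all.disable_ipv6={{ cis_sysctl_disable_ipv6 | default(1) }}` (likewise for `net.ipv6.conf.default.disable_ipv6`); otherwise reword the comments to say the override has to come from a later-sorting sysctl.d file. Note also that `disable_ipv6=1` applied at boot breaks daemons configured to bind `::` (e.g. sshd `ListenAddress ::`, postfix `inet_protocols = all`), so the default is worth calling out in the role documentation rather than only in the file. The task this `content:` belongs to starts above the hunk.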