CIS role split and permission safety

2025-12-27 22:27:26 +01:00
parent f62dba3ed6
commit dda1287f23
9 changed files with 261 additions and 249 deletions
--- a/roles/cis/tasks/sshd.yml
+++ b/roles/cis/tasks/sshd.yml
@@ -0,0 +1,51 @@
+---
+- name: Adjust SSHD config
+  ansible.builtin.lineinfile:
+    path: /mnt/etc/ssh/sshd_config
+    regexp: ^\s*#?{{ item.option }}\s+.*$
+    line: "{{ item.option }} {{ item.value }}"
+  loop:
+    - {option: LogLevel, value: VERBOSE}
+    - {option: LoginGraceTime, value: "60"}
+    - {option: PermitRootLogin, value: "no"}
+    - {option: StrictModes, value: "yes"}
+    - {option: MaxAuthTries, value: "4"}
+    - {option: MaxSessions, value: "10"}
+    - {option: MaxStartups, value: "10:30:60"}
+    - {option: PubkeyAuthentication, value: "yes"}
+    - {option: HostbasedAuthentication, value: "no"}
+    - {option: IgnoreRhosts, value: "yes"}
+    - {option: PasswordAuthentication, value: "no"}
+    - {option: PermitEmptyPasswords, value: "no"}
+    - {option: KerberosAuthentication, value: "no"}
+    - {option: GSSAPIAuthentication, value: "no"}
+    - {option: AllowAgentForwarding, value: "no"}
+    - {option: AllowTcpForwarding, value: "no"}
+    - {option: ChallengeResponseAuthentication, value: "no"}
+    - {option: GatewayPorts, value: "no"}
+    - {option: X11Forwarding, value: "no"}
+    - {option: PermitUserEnvironment, value: "no"}
+    - {option: ClientAliveInterval, value: "300"}
+    - {option: ClientAliveCountMax, value: "1"}
+    - {option: PermitTunnel, value: "no"}
+    - {option: Banner, value: /etc/issue.net}
+
+- name: Append CIS specific configurations to sshd_config
+  ansible.builtin.blockinfile:
+    path: /mnt/etc/ssh/sshd_config
+    marker: "# {mark} CIS SSH HARDENING"
+    block: |-
+      ## CIS Specific
+      Protocol 2
+      ### Ciphers and keying ###
+      RekeyLimit 512M 6h
+      KexAlgorithms  mlkem768x25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
+      Ciphers        aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+      MACs           hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+      ###########################
+      AllowStreamLocalForwarding no
+      PermitUserRC no
+      AllowUsers *
+      AllowGroups *
+      DenyUsers nobody
+      DenyGroups nobody