added validate to sshd tasks
Signed-off-by: Mark Bolwell <[email protected]>
uk-bolly committed Nov 20, 2023
1 parent 4399b7d commit f5a7ff0
Showing 1 changed file with 22 additions and 0 deletions.
22 changes: 22 additions & 0 deletions tasks/section_5/cis_5.2.x.yml
Expand Up @@ -79,6 +79,7 @@
path: /etc/ssh/sshd_config
regexp: '^AllowUsers|^#AllowUsers'
line: 'AllowUsers {{ ubtu22cis_sshd.allow_users }}'
validate: 'sshd -t -f %s'
notify: restart sshd
when: "ubtu22cis_sshd['allow_users']| default('') | length > 0 "

Expand All @@ -87,6 +88,7 @@
path: /etc/ssh/sshd_config
regexp: '^AllowGroups|^#AllowGroups'
line: 'AllowGroups {{ ubtu22cis_sshd.allow_groups }}'
validate: 'sshd -t -f %s'
notify: restart sshd
when: "ubtu22cis_sshd['allow_groups']| default('') | length > 0"

Expand All @@ -95,6 +97,7 @@
path: /etc/ssh/sshd_config
regexp: '^DenyUsers|^#DenyUsers'
line: 'DenyUsers {{ ubtu22cis_sshd.deny_users }} '
validate: 'sshd -t -f %s'
notify: restart sshd
when: "ubtu22cis_sshd['deny_users']| default('') | length > 0"

Expand All @@ -103,6 +106,7 @@
path: /etc/ssh/sshd_config
regexp: '^DenyGroups|^#DenyGroups'
line: 'DenyGroups {{ ubtu22cis_sshd.deny_groups }}'
validate: 'sshd -t -f %s'
notify: restart sshd
when: "ubtu22cis_sshd['deny_groups']| default('') | length > 0"
when:
Expand All @@ -121,6 +125,7 @@
regexp: '^LogLevel|^#LogLevel'
line: 'LogLevel {{ ubtu22cis_sshd.log_level }}'
insertafter: '^# Logging'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_5
Expand All @@ -138,6 +143,7 @@
regexp: '^UsePAM|^#UsePAM'
line: 'UsePAM yes'
insertafter: '^# and ChallengeResponseAuthentication'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_6
Expand All @@ -155,6 +161,7 @@
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin|^#PermitRootLogin'
line: 'PermitRootLogin no'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_7
Expand All @@ -171,6 +178,7 @@
path: /etc/ssh/sshd_config
regexp: '^HostbasedAuthentication|^#HostbasedAuthentication'
line: 'HostbasedAuthentication no'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_8
Expand All @@ -188,6 +196,7 @@
regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords'
line: 'PermitEmptyPasswords no'
insertafter: '# To disable tunneled clear text passwords'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_9
Expand All @@ -204,6 +213,7 @@
path: /etc/ssh/sshd_config
regexp: '^PermitUserEnvironment|^#PermitUserEnvironment'
line: 'PermitUserEnvironment no'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_10
Expand All @@ -220,6 +230,7 @@
path: /etc/ssh/sshd_config
regexp: '^IgnoreRhosts|^#IgnoreRhosts'
line: 'IgnoreRhosts yes'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_11
Expand All @@ -236,6 +247,7 @@
path: /etc/ssh/sshd_config
regexp: '^X11Forwarding|^#X11Forwarding'
line: 'X11Forwarding no'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_12
Expand All @@ -253,6 +265,7 @@
regexp: '^Ciphers|^#Ciphers'
line: "Ciphers {{ ubtu22cis_sshd.ciphers | join(',') }}"
insertafter: '^# Ciphers and keying'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_13
Expand All @@ -270,6 +283,7 @@
regexp: '^MACs|^#MACs'
line: "MACs {{ ubtu22cis_sshd.macs | join(',') }}"
insertafter: '^# Ciphers and keying'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_14
Expand All @@ -287,6 +301,7 @@
regexp: '^KexAlgorithms|^#KexAlgorithms'
line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | join(',') }}"
insertafter: '^# Ciphers and keying'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_15
Expand All @@ -303,6 +318,7 @@
path: /etc/ssh/sshd_config
regexp: '^AllowTcpForwarding|^#AllowTcpForwarding'
line: 'AllowTcpForwarding no'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_16
Expand All @@ -320,6 +336,7 @@
regexp: '^Banner|^#Banner'
line: Banner /etc/issue.net
insertafter: '^# no default banner path'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_17
Expand All @@ -337,6 +354,7 @@
regexp: '^MaxAuthTries|^#MaxAuthTries'
line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries }}'
insertafter: '^# Authentication'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_18
Expand All @@ -353,6 +371,7 @@
path: /etc/ssh/sshd_config
regexp: '^MaxStartups|^#MaxStartups'
line: 'MaxStartups 10:30:60'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_19
Expand All @@ -370,6 +389,7 @@
regexp: '^MaxSessions|^#MaxSessions'
line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions }}'
insertafter: '^# Authentication'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_20
Expand All @@ -387,6 +407,7 @@
regexp: '^LoginGraceTime|^#LoginGraceTime'
line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time }}'
insertafter: '^# Authentication'
validate: 'sshd -t -f %s'
notify: restart sshd
when:
- ubtu22cis_rule_5_2_21
Expand All @@ -403,6 +424,7 @@
path: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
validate: 'sshd -t -f %s'
with_items:
- { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval }}' }
- { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max }}' }
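Review bot: The new `validate: 'sshd -t -f %s'` lines only prove that the temporary copy parses; they do not prove the directive takes effect, so a value that is syntactically fine but shadowed elsewhere still passes every one of these tasks. Ubuntu 22.04's stock sshd_config opens with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads for most keywords, so if that Include is still present above these lines (it is not visible in these hunks) a drop-in such as cloud-init's `PasswordAuthentication` file overrides what `lineinfile` writes here and `sshd -t` will not complain. A follow-up task that asserts the effective value, e.g. `sshd -T | grep '^permitrootlogin no'` after the `PermitRootLogin` task, would catch that for the rules where it matters (root login, ciphers/MACs/KEX). Separately, the validate command is executed by the module without a login shell, so on hosts where `/usr/sbin` is not on the task's PATH the check fails outright rather than validating; `validate: '/usr/sbin/sshd -t -f %s'` removes that dependency and should also be applied to the `with_items` task at the end. Each task's header, `become` and `tags` context starts before its hunk, so whether these already run as root is not visible here.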
