Merge branch 'master' into docker

Author: rndmh3ro

.kitchen.vagrant.yml

@@ -23,6 +23,10 @@ provisioner:
 transport:
   max_ssh_sessions: 5
 
+transport:
+  max_ssh_sessions: 5
+
+
 platforms:
 - name: ubuntu-12.04
   driver_config:
@@ -37,9 +41,10 @@ platforms:
     box: opscode-ubuntu-16.04
     box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box
 - name: centos-6.4
+- name: centos-7.2
   driver_config:
-    box: opscode-centos-6.4
-    box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box
+    box: opscode-centos-7.2
+    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.2_chef-provisionerless.box
 - name: centos-6.5
   driver_config:
     box: opscode-centos-6.5

.kitchen.yml

@@ -9,6 +9,10 @@ driver:
 transport:
   max_ssh_sessions: 5
 
+transport:
+  max_ssh_sessions: 5
+
+
 provisioner:
   name: ansible_playbook
   hosts: all
@@ -74,4 +78,4 @@ verifier:
     - https://github.com/dev-sec/ssh-baseline
 
 suites:
-- name: ssh
+- name: ssh

.travis.yml

@@ -46,6 +46,7 @@ env:
     init: /lib/systemd/systemd
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
+
 before_install:
   # Pull container
   - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'

README.md

@@ -8,9 +8,11 @@
 
 This role provides secure ssh-client and ssh-server configurations.
 
+Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server.
+
 ## Requirements
 
-* Ansible
+* Ansible > 2.2.1
 
 ## Role Variables
 | Name           | Default Value | Description                        |

defaults/main.yml

@@ -30,7 +30,7 @@ ssh_client_ports: ['22']      # ssh
 ssh_listen_to: ['0.0.0.0']    # sshd
 
 # Host keys to look for when starting sshd.
-ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_dsa_key', '/etc/ssh/ssh_host_ecdsa_key']        # sshd
+ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']  # sshd
 
 # Specifies  the  maximum  number  of authentication attempts permitted per connection.  Once the number of failures reaches half this value, additional failures are logged.
 ssh_max_auth_retries: 2

meta/main.yml

@@ -4,7 +4,7 @@ galaxy_info:
   description: 'This Ansible role provides numerous security-related ssh configurations, providing all-round base protection.'
   company: Hardening Framework Team
   license: Apache License 2.0
-  min_ansible_version: '1.9'
+  min_ansible_version: '2.2.1'
   platforms:
     - name: EL
       versions:

tasks/main.yml

@@ -2,34 +2,6 @@
 - name: add the OS specific variables
   include_vars: "{{ ansible_os_family }}.yml"
 
-- name: test to see if selinux is running
-  command: getenforce
-  register: sestatus
-  failed_when: false
-  changed_when: false
-  always_run: true
-
-- name: install selinux dependencies when selinux is installed on RHEL or Oracle Linux
-  yum: name="{{item}}" state=installed
-  with_items:
-    - policycoreutils-python
-    - checkpolicy
-  when: sestatus.rc == 0 and (ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux')
-
-- name: install selinux dependencies when selinux is installed on Debian or Ubuntu
-  apt: name="{{item}}" state=installed
-  with_items:
-    - policycoreutils
-    - checkpolicy
-  when: sestatus.rc == 0 and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
-
-- name: check the ssh_password policy state
-  shell: semodule -l | grep "ssh_password" | awk '{print $3}'
-  register: selinux_policy_state
-  when: sestatus.rc == 0 and sestatus.stdout != 'Disabled'
-  failed_when: false
-  changed_when: false
-
 - name: create sshd_config and set permissions to root/600
   template: src='opensshd.conf.j2' dest='/etc/ssh/sshd_config' mode=0600 owner=root group=root validate="/usr/sbin/sshd -T -f %s"
   notify: restart sshd
@@ -39,37 +11,62 @@
   template: src='openssh.conf.j2' dest='/etc/ssh/ssh_config' mode=0644 owner=root group=root
   when: ssh_client_hardening
 
-- name: check if ssh_password module is already installed
-  shell: "semodule -l| grep ssh_password"
-  register: ssh_password_module
+- name: create ssh_config and set permissions to root/644
+  template: src='openssh.conf.j2' dest='/etc/ssh/ssh_config' mode=0644 owner=root group=root
+  when: ssh_client_hardening
+
+- name: test to see if selinux is running
+  command: getenforce
+  register: sestatus
   failed_when: false
   changed_when: false
-  always_run: true
+  check_mode: no
+
+- block: # only runs when selinux is running
+  - name: install selinux dependencies when selinux is installed on RHEL or Oracle Linux
+    yum: name="{{item}}" state=installed
+    with_items:
+      - policycoreutils-python
+      - checkpolicy
+    when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+
+  - name: install selinux dependencies when selinux is installed on Debian or Ubuntu
+    apt: name="{{item}}" state=installed
+    with_items:
+      - policycoreutils
+      - checkpolicy
+    when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+  - name: check if ssh_password module is already installed
+    shell: "semodule -l| grep ssh_password"
+    register: ssh_password_module
+    failed_when: false
+    changed_when: false
+    check_mode: no
+
+  # The following tasks only get executed when selinux is in state enforcing, UsePam is "no" and the ssh_password module is installed.
+  # See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
+  - block:
+    - name: Create selinux custom policy drop folder
+      file: path='{{ ssh_custom_selinux_dir }}' state=directory owner=root group=root mode=0750
 
-# The following tasks only get executed when selinux is in state enforcing, UsePam is "no" and the ssh_password module is installed.
-# See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23
+    - name: Distributing custom selinux policies
+      copy: src='ssh_password' dest='{{ ssh_custom_selinux_dir }}'
 
-- name: Create selinux custom policy drop folder
-  file: path={{ ssh_custom_selinux_dir }} state=directory owner=root group=root mode=0750
-  when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
+    - name: check and compile policy
+      shell: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
 
-- name: Distributing custom selinux policies
-  copy: src='ssh_password' dest='{{ ssh_custom_selinux_dir }}'
-  when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
+    - name: create selinux policy module package
+      shell: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp  -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
 
-- name: check and compile policy
-  shell: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password
-  when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
+    - name: install selinux policy
+      shell: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
 
-- name: create selinux policy module package
-  shell: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp  -m {{ ssh_custom_selinux_dir }}/ssh_password.mod
-  when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
+    when: not ssh_use_pam and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
 
-- name: install selinux policy
-  shell: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp
-  when: not ssh_use_pam and sestatus.rc == 0 and sestatus.stdout != 'Disabled' and ssh_password_module.stdout.find('ssh_password') != 0
+  # The following tasks only get executed when selinux is in state enforcing, UsePam is "yes" and the ssh_password module is installed.
+  - name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
+    shell: semodule -r ssh_password
+    when: ssh_use_pam and ssh_password_module.stdout.find('ssh_password') == 0
 
-# The following tasks only get executed when selinux is in state enforcing, UsePam is "yes" and the ssh_password module is installed.
-- name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk (http://danwalsh.livejournal.com/12333.html)
-  shell: semodule -r ssh_password
-  when: sestatus.rc == 0 and ssh_use_pam and ssh_password_module.stdout.find('ssh_password') == 0
+  when: sestatus.rc == 0