First commit by Bas Meijer

.ansible-lint

@@ -0,0 +1,4 @@
+---
+skip_list:
+  - experimental  # all rules tagged as experimental
+...

.later.yml

@@ -0,0 +1,18 @@
+---
+ansible:
+  # Add the name of used custom Ansible modules. Otherwise ansible-later
+  # can't detect unknown modules and will through an error.
+  # Modules which are bundled with the role and placed in a './library'
+  # directory will be auto-detected and don't need to be added to this list.
+  custom_modules: []
+
+  # List of yamllint compatible literal bools (ANSIBLE0014)
+  literal-bools:
+    - "true"
+    - "false"
+rules:
+  exclude_filter:
+    - ANSIBLE0015
+  exclude_files:
+    - requirements.txt
+...

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 ansiblebook
+Copyright (c) 2022 Bas Meijer
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,2 +1,48 @@
 # ansible_role_ssh
 Improve the security of the SSH server.
+
+## What does this role change?
+
+This role is based on audit findings using ssh-audit. This role will improve the crypto of your ssh server to more secure and faster settings.
+
+When crypto policies are available the configured policy is set and activated, although a reboot is recommended.
+
+The  Diffie Hellmann moduli size for sshd is adjusted to modern standards.
+
+Host keys are re-configured from RSA to ED25519, this is faster and more secure. An RSA host key is now considered weak [source](https://eprint.iacr.org/2020/014.pdf).
+
+RSA and ECDSA host keys are disabled in sshd.
+
+
+## Crypto Policies
+
+Crypto policies were introduced in Fedora 21 and are also used in RHEL8, Centos Stream, Ubuntu 20. The STRICT policy template defines modern crypto for SSH and TLS that is stronger than FIPS:OSPP. The configured crypto policy will be system-wide for all applications. You can configure the policies present on your system too, but this role installs the STRICT crypto policy by default.
+
+## Possible values
+
+`crypto_policy: 'STRICT'` Recommended for high-security systems.
+
+`crypto_policy: FUTURE'` Recommended for modern systems.
+
+`crypto_policy: FIPS'` Required for US Government systems.
+
+`crypto_policy: DEFAULT'` What you get without this role.
+
+`crypto_policy: LEGACY'` Weak, for compatibility with older systems.
+
+## Algorithm recommendations
+
+The recommended crypto is configured in `vars/main.yml`.
+
+- `Ciphers`
+- `HostKeyAlgorithms`
+- `KexAlgorithms`
+- `MACs`
+
+## Default Variables
+
+The recommended default is configured in `defaults/main.yml`.
+`min_dh_size: '3072'` Minimal Diffie Hellmann moduli size.
+
+
+Copyright 2022 Bas Meijer @bbaassssiie

defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# DEFAULT LEGACY FIPS FUTURE
+crypto_policy: 'STRICT'
+# Diffie Hellmann moduli size
+min_dh_size: '3072'
+...

handlers/main.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Restart sshd
+  debug:
+    msg: "checking /etc/ssh/sshd_config first"
+  changed_when: true
+  notify:
+    - Check sshd configuration
+    - Restart sshd - after config check
+
+- name: Check sshd configuration
+  become: true
+  command: '/usr/sbin/sshd -t'
+  register: sshd_config
+  changed_when: "sshd_config.rc != 0"
+
+- name: Restart sshd - after config check
+  become: true
+  service:
+    name: sshd
+    state: restarted
+...

meta/main.yml

@@ -0,0 +1,32 @@
+---
+# Standards: 0.2
+galaxy_info:
+  role_name: ansible_role_ssh
+  namespace: ansiblebook
+  author: Bas Meijer
+  description: Hardened SSH server
+  company: "O'Reilly"
+
+  license: MIT
+
+  min_ansible_version: 2.11.0
+
+  platforms:
+    - name: EL
+      versions:
+        - 7
+        - 8
+    - name: Fedora
+      versions:
+        - ALL
+    - name: Ubuntu
+      versions:
+        - 20
+        - 18
+  galaxy_tags:
+    - system
+    - security
+    - hardening
+
+dependencies: []
+...

molecule/default/converge.yml

@@ -0,0 +1,9 @@
+---
+# Standards: 0.2
+- name: Converge
+  hosts: all
+  tasks:
+    - name: "Run ansible_role_ssh"
+      include_role:
+        name: "ansible_role_ssh"
+...

molecule/default/molecule.yml

@@ -0,0 +1,63 @@
+---
+# Standards: 0.2
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+  ansible-later
+platforms:
+  - name: ssh-centos7
+    image: quay.io/centos/centos:7
+    command: /sbin/init
+    capabilities:
+      - CAP_NET_BIND_SERVICE
+    tmpfs:
+      - /run
+      - /tmp
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+  - name: ssh-centos8
+    image: quay.io/centos/centos:stream8
+    command: /sbin/init
+    capabilities:
+      - CAP_NET_BIND_SERVICE
+    tmpfs:
+      - /run
+      - /tmp
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+  - name: ssh-ubuntu
+    image: dokken/ubuntu-20.04
+    command: /lib/systemd/systemd
+    capabilities:
+      - CAP_NET_BIND_SERVICE
+    tmpfs:
+      - /run
+      - /tmp
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+  - name: ssh-buster
+    image: dokken/debian-10
+    command: /sbin/init
+    capabilities:
+      - CAP_NET_BIND_SERVICE
+    tmpfs:
+      - /run
+      - /tmp
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      stdout_callback: yaml
+      executable: /bin/bash
+verifier:
+  name: testinfra
+...

molecule/default/tests/conftest.py

@@ -0,0 +1,22 @@
+"""PyTest Fixtures."""
+from __future__ import absolute_import
+
+import os
+
+import pytest
+
+
+def pytest_runtest_setup(item):
+    """Run tests only when under molecule with testinfra installed."""
+    try:
+        import testinfra
+    except ImportError:
+        pytest.skip("Test requires testinfra", allow_module_level=True)
+    if "MOLECULE_INVENTORY_FILE" in os.environ:
+        pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+            os.environ["MOLECULE_INVENTORY_FILE"]
+        ).get_hosts("all")
+    else:
+        pytest.skip(
+            "Test should run only from inside molecule.", allow_module_level=True
+        )

molecule/default/tests/test_default.py

@@ -0,0 +1,33 @@
+"""Role testing files using testinfra."""
+
+
+import os
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ["MOLECULE_INVENTORY_FILE"]
+).get_hosts("all")
+
+
+def test_sshd_is_installed(host):
+    sshd = host.package("openssh-server")
+    assert sshd.is_installed
+
+
+def test_sshd_running_and_enabled(host):
+    sshd = host.service("sshd")
+    assert sshd.is_running
+    assert sshd.is_enabled
+
+
+def test_sshd_config_file(host):
+    sshd_config = host.file("/etc/ssh/ssh_host_ed25519_key.pub")
+    assert sshd_config.contains("ssh-ed25519 ")
+    assert sshd_config.user == "root"
+    assert sshd_config.group == "root"
+    assert sshd_config.mode == 0o644
+
+
+def test_ssh_user(host):
+    assert host.user("sshd").exists
+

tasks/CentOS8.yml

@@ -0,0 +1,15 @@
+---
+# yamllint disable rule:line-length
+# STRICT sshd crypto
+# update-crypto-policies on RHEL 8.5 leaves weak algorithms due
+# to the implementation in the python script.
+- name: Override CRYPTO_POLICY for sshd
+  lineinfile:
+    path: /etc/sysconfig/sshd
+    regex: '^CRYPTO_POLICY'
+    line: "CRYPTO_POLICY='-oCiphers={{ Ciphers }} -oMACs={{ MACs }} -oKexAlgorithms={{ KexAlgorithms }} -oHostKeyAlgorithms={{ HostKeyAlgorithms }}'"
+    state: present
+    create: true
+    mode: 0640
+  notify: Restart sshd
+...

tasks/Debian11.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Harden SSH configuration
+  lineinfile:
+    dest: /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+    create: true
+    mode: 0640
+  loop:
+    - regexp: '^(#)?Ciphers'
+      line: "Ciphers {{ Ciphers }}"
+    - regexp: '^(#)?HostKeyAlgorithms'
+      line: "HostKeyAlgorithms {{ HostKeyAlgorithms }}"
+    - regexp: '^(#)?KexAlgorithms'
+      line: "KexAlgorithms {{ KexAlgorithms }}"
+    - regexp: '^(#)?MACs'
+      line: "MACs {{ MACs }}"
+      # - regexp: '^(#)?PubkeyAcceptedKeyTypes'
+      #  line: "PubkeyAcceptedKeyTypes {{ PubkeyAcceptedKeyTypes }}"
+  notify: Restart sshd
+...

tasks/crypto_policy.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Install crypto-policies
+  package:
+    name: crypto-policies
+    state: present
+
+- name: Inquire which crypto policy is configured
+  command: "update-crypto-policies --show"
+  changed_when: false
+  register: current_policy
+
+- name: Install STRICT policy
+  when: crypto_policy == 'STRICT'
+  template:
+    src: STRICT.pol
+    dest: /usr/share/crypto-policies/policies/
+    owner: root
+    group: root
+    mode: 0644
+
+- name: "Ensure {{ crypto_policy }} policy is configured"
+  when: current_policy.stdout != crypto_policy
+  command: "update-crypto-policies --set {{ crypto_policy }}"
+  changed_when: true
+  notify: Restart sshd
+
+- name: Apply crypto policy (reboot recommended)
+  when: current_policy.stdout != crypto_policy
+  command: /bin/sh /usr/share/crypto-policies/reload-cmds.sh
+  changed_when: false
+
+...