dev-sec · rndmh3ro · Jun 29, 2018 · Apr 20, 2018 · Apr 20, 2018
diff --git a/.kitchen.aws.yml b/.kitchen.aws.yml
@@ -0,0 +1,37 @@
+---
+driver:
+  name: ec2
+  vpc_id: "vpc-4ef2ce26"
+  subnet_id: "subnet-b477b7df"
+  region: eu-central-1
+
+transport:
+  max_ssh_sessions: 5
+
+provisioner:
+  name: ansible_playbook
+  hosts: all
+  require_ansible_repo: false
+  require_chef_for_busser: false
+  require_ruby_for_busser: false
+  require_ansible_omnibus: true
+  ansible_verbose: true
+  ansible_diff: true
+  hosts: all
+  roles_path: ../ansible-ssh-hardening/
+  http_proxy: <%= ENV['http_proxy'] || nil %>
+  https_proxy: <%= ENV['https_proxy'] || nil %>
+  playbook: default.yml
+
+platforms:
+- name: centos-7
+- name: ubuntu-16.04
+
+verifier:
+  name: inspec
+  sudo: true
+  inspec_tests:
+    - https://github.com/dev-sec/tests-ssh-hardening
+
+suites:
+- name: os
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -21,7 +21,7 @@ provisioner:
   roles_path: ../ansible-ssh-hardening/
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
-  playbook: default.yml
+  playbook: tests/default.yml
   ansible_diff: true
   ansible_extra_flags:
     - "--skip-tags=sysctl"

diff --git a/.travis.yml b/.travis.yml
@@ -57,12 +57,14 @@ script:
   - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
   # Test role.
-  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/default_custom.yml'
-  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/default.yml'
+  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml'
+  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml'
 
   # Verify role
   # remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141
-  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40'
+  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48'
+  # remove UseRoaming and RhostsRSAAuthentication because these options are deprecated
+  - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20'
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/tasks/2fa.yml b/tasks/2fa.yml
@@ -0,0 +1,36 @@
+---
+# Install the 2FA packages and setup the config in PAM and SSH
+- name: Install google authenticator PAM module
+  apt:
+    name: 'libpam-google-authenticator'
+    state: present
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+- name: Install google authenticator PAM module
+  yum:
+    name: 'google-authenticator'
+    state: present
+  when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+
+- name: Add google auth module to PAM
+  pamd:
+    name: 'sshd'
+    type: 'auth'
+    control: 'required'
+    module_path: 'pam_google_authenticator.so'
+
+- name: Remove password auth from PAM
+  pamd:
+    name: 'sshd'
+    type: 'auth'
+    control: 'substack'
+    module_path: 'password-auth'
+    state: absent
+  when: ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux' or ansible_distribution == 'Amazon'
+
+- name: Remove password auth from PAM
+  replace:
+    dest: '/etc/pam.d/sshd'
+    regexp: '^@include common-auth'
+    replace: '#@include common-auth'
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
diff --git a/tasks/ca_keys_and_principals.yml b/tasks/ca_keys_and_principals.yml
@@ -1,12 +1,27 @@
 ---
 - name: Set ssh CA pub keys
-  template: src='trusted_user_ca_keys.j2' dest="{{ ssh_trusted_user_ca_keys_file }}" mode=0644 owner="{{ ssh_owner }}" group="{{ ssh_group }}"
+  template:
+    src: 'trusted_user_ca_keys.j2'
+    dest: '{{ ssh_trusted_user_ca_keys_file }}'
+    mode: '0644'
+    owner: '{{ ssh_owner }}'
+    group: '{{ ssh_group }}'
   notify: restart sshd
 
 - name: Create ssh authorized principals directories
-  file: path="{{ item.path | dirname }}" mode="{{ item.directorymode | default(0700) }}" owner="{{ item.directoryowner | default(ssh_owner) }}" group="{{ item.directorygroup | default(ssh_group) }}" state=directory
-  with_items: "{{ ssh_authorized_principals }}"
+  file:
+    path: '{{ item.path | dirname }}'
+    mode: '{{ item.directorymode | default(0700) }}'
+    owner: '{{ item.directoryowner | default(ssh_owner) }}'
+    group: '{{ item.directorygroup | default(ssh_group) }}'
+    state: directory
+  with_items: '{{ ssh_authorized_principals }}'
 
 - name: Set ssh authorized principals
-  template: src='authorized_principals.j2' dest="{{ item.path }}" mode="{{ item.filemode | default(0600) }}" owner="{{ item.owner| default(ssh_owner) }}" group="{{ item.group | default(ssh_group) }}"
-  with_items: "{{ ssh_authorized_principals }}"
+  template:
+    src: 'authorized_principals.j2'
+    dest: '{{ item.path }}'
+    mode: '{{ item.filemode | default(0600) }}'
+    owner: '{{ item.owner| default(ssh_owner) }}'
+    group: '{{ item.group | default(ssh_group) }}'
+  with_items: '{{ ssh_authorized_principals }}'
diff --git a/tasks/crypto.yml b/tasks/crypto.yml
@@ -19,80 +19,80 @@
 
 - name: set weak macs according to openssh-version if openssh >= 7.6
   set_fact:
-    ssh_macs: "{{ssh_macs_76_default}}"
+    ssh_macs: '{{ ssh_macs_76_default }}'
   when: sshd_version.stdout >= '7.6' and not ssh_macs
 
 - name: set weak macs according to openssh-version if openssh >= 6.6
   set_fact:
-    ssh_macs: "{{ssh_macs_66_weak}}"
+    ssh_macs: '{{ ssh_macs_66_weak }}'
   when: sshd_version.stdout >= '6.6' and ssh_server_weak_hmac and not ssh_macs
 
 - name: set macs according to openssh-version if openssh >= 6.6
   set_fact:
-    ssh_macs: "{{ssh_macs_66_default}}"
+    ssh_macs: '{{ ssh_macs_66_default }}'
   when: sshd_version.stdout >= '6.6' and not ssh_macs
 
 - name: set weak macs according to openssh-version
   set_fact:
-    ssh_macs: "{{ssh_macs_59_weak}}"
+    ssh_macs: '{{ ssh_macs_59_weak }}'
   when: sshd_version.stdout >= '5.9' and ssh_server_weak_hmac and not ssh_macs
 
 - name: set macs according to openssh-version
   set_fact:
-    ssh_macs: "{{ssh_macs_59_default}}"
+    ssh_macs: '{{ ssh_macs_59_default }}'
   when: sshd_version.stdout >= '5.9' and not ssh_macs
 
 - name: set macs according to openssh-version
   set_fact:
-    ssh_macs: "{{ssh_macs_53_default}}"
+    ssh_macs: '{{ ssh_macs_53_default }}'
   when: sshd_version.stdout >= '5.3' and not ssh_macs
 
 - name: set macs according to openssh-version
   set_fact:
-    ssh_macs: "{{ssh_macs_53_default}}"
+    ssh_macs: '{{ ssh_macs_53_default }}'
   when: sshd_version.stdout >= '5.3' and not ssh_macs
 
 ###
 
 - name: set weak ciphers according to openssh-version if openssh >= 6.6
   set_fact:
-    ssh_ciphers: "{{ssh_ciphers_66_weak}}"
+    ssh_ciphers: '{{ ssh_ciphers_66_weak }}'
   when: sshd_version.stdout >= '6.6' and ssh_server_cbc_required and not ssh_ciphers
 
 - name: set ciphers according to openssh-version if openssh >= 6.6
   set_fact:
-    ssh_ciphers: "{{ssh_ciphers_66_default}}"
+    ssh_ciphers: '{{ ssh_ciphers_66_default }}'
   when: sshd_version.stdout >= '6.6' and not ssh_ciphers
 
 - name: set weak ciphers according to openssh-version
   set_fact:
-    ssh_ciphers: "{{ssh_ciphers_53_weak}}"
+    ssh_ciphers: '{{ ssh_ciphers_53_weak }}'
   when: sshd_version.stdout >= '5.3' and ssh_server_cbc_required and not ssh_ciphers
 
 - name: set ciphers according to openssh-version
   set_fact:
-    ssh_ciphers: "{{ssh_ciphers_53_default}}"
+    ssh_ciphers: '{{ ssh_ciphers_53_default }}'
   when: sshd_version.stdout >= '5.3' and not ssh_ciphers
 
 ###
 
 - name: set weak kex according to openssh-version if openssh >= 6.6
   set_fact:
-    ssh_kex: "{{ssh_kex_66_weak}}"
+    ssh_kex: '{{ ssh_kex_66_weak }}'
   when: sshd_version.stdout >= '6.6' and ssh_server_weak_hmac and not ssh_kex
 
 - name: set kex according to openssh-version if openssh >= 6.6
   set_fact:
-    ssh_kex: "{{ssh_kex_66_default}}"
+    ssh_kex: '{{ ssh_kex_66_default }}'
   when: sshd_version.stdout >= '6.6' and not ssh_kex
 
 - name: set weak kex according to openssh-version
   set_fact:
-    ssh_kex: "{{ssh_kex_59_weak}}"
+    ssh_kex: '{{ ssh_kex_59_weak }}'
   when: sshd_version.stdout >= '5.9' and ssh_server_weak_hmac and not ssh_kex
 
 - name: set kex according to openssh-version
   set_fact:
-    ssh_kex: "{{ssh_kex_59_default}}"
+    ssh_kex: '{{ ssh_kex_59_default }}'
   when: sshd_version.stdout >= '5.9' and not ssh_kex