Merge pull request #177 from BedrockSolutions/master

Dependency flag

Author: rndmh3ro

defaults/main.yml

@@ -241,3 +241,7 @@ ssh_challengeresponseauthentication: false
 
 # a list of public keys that are never accepted by the ssh server
 ssh_server_revoked_keys: []
+
+# Set to false to turn the role into a no-op. Useful when using
+# the Ansible role dependency mechanism.
+ssh_hardening_enabled: true

handlers/main.yml

@@ -1,3 +1,4 @@
 - name: restart sshd
   service: name={{ sshd_service_name }} state=restarted
   when: "(ssh_server_enabled|bool)"
+  become: yes

tasks/hardening.yml

@@ -0,0 +1,83 @@
+---
+- name: Set OS dependent variables
+  include_vars: '{{ item }}'
+  with_first_found:
+   - '{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml'
+   - '{{ ansible_distribution }}.yml'
+   - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml'
+   - '{{ ansible_os_family }}.yml'
+
+- name: get openssh-version
+  shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
+  args:
+    executable: /bin/sh
+  changed_when: false
+  register: sshd_version
+  check_mode: no
+
+- name: include tasks to create crypo-vars
+  include_tasks: crypto.yml
+
+- name: create revoked_keys and set permissions to root/600
+  template:
+    src: 'revoked_keys.j2'
+    dest: '/etc/ssh/revoked_keys'
+    mode: '0600'
+    owner: '{{ ssh_owner }}'
+    group: '{{ ssh_group }}'
+  notify: restart sshd
+  when: ssh_server_hardening
+
+- name: create sshd_config and set permissions to root/600
+  template:
+    src: 'opensshd.conf.j2'
+    dest: '/etc/ssh/sshd_config'
+    mode: '0600'
+    owner: '{{ ssh_owner }}'
+    group: '{{ ssh_group }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: restart sshd
+  when: ssh_server_hardening
+
+- name: create ssh_config and set permissions to root/644
+  template:
+    src: 'openssh.conf.j2'
+    dest: '/etc/ssh/ssh_config'
+    mode: '0644'
+    owner: '{{ ssh_owner }}'
+    group: '{{ ssh_group }}'
+  when: ssh_client_hardening
+
+- name: Check if {{ sshd_moduli_file }} contains weak DH parameters
+  shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
+  register: sshd_register_moduli
+  changed_when: false
+  check_mode: no
+
+- name: remove all small primes
+  shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
+         [ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
+  notify: restart sshd
+  when: sshd_register_moduli.stdout
+
+- name: include tasks to setup ca keys and principals
+  include_tasks: ca_keys_and_principals.yml
+  when: ssh_trusted_user_ca_keys_file != ''
+
+- name: include tasks to setup 2FA
+  include_tasks: 2fa.yml
+  when:
+    - ssh_use_pam
+    - ssh_challengeresponseauthentication
+    - ssh_google_auth
+
+- name: test to see if selinux is installed and running
+  command: getenforce
+  register: sestatus
+  failed_when: false
+  changed_when: false
+  check_mode: no
+
+- name: include selinux specific tasks
+  include_tasks: selinux.yml
+  when: sestatus.rc == 0

tasks/main.yml

@@ -1,83 +1,4 @@
 ---
-- name: Set OS dependent variables
-  include_vars: '{{ item }}'
-  with_first_found:
-   - '{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml'
-   - '{{ ansible_distribution }}.yml'
-   - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml'
-   - '{{ ansible_os_family }}.yml'
 
-- name: get openssh-version
-  shell: ssh -V 2>&1 | sed -r 's/.*_([0-9]*\.[0-9]).*/\1/g'
-  args:
-    executable: /bin/sh
-  changed_when: false
-  register: sshd_version
-  check_mode: no
-
-- name: include tasks to create crypo-vars
-  include_tasks: crypto.yml
-
-- name: create revoked_keys and set permissions to root/600
-  template:
-    src: 'revoked_keys.j2'
-    dest: '/etc/ssh/revoked_keys'
-    mode: '0600'
-    owner: '{{ ssh_owner }}'
-    group: '{{ ssh_group }}'
-  notify: restart sshd
-  when: ssh_server_hardening
-
-- name: create sshd_config and set permissions to root/600
-  template:
-    src: 'opensshd.conf.j2'
-    dest: '/etc/ssh/sshd_config'
-    mode: '0600'
-    owner: '{{ ssh_owner }}'
-    group: '{{ ssh_group }}'
-    validate: '/usr/sbin/sshd -T -f %s'
-  notify: restart sshd
-  when: ssh_server_hardening
-
-- name: create ssh_config and set permissions to root/644
-  template:
-    src: 'openssh.conf.j2'
-    dest: '/etc/ssh/ssh_config'
-    mode: '0644'
-    owner: '{{ ssh_owner }}'
-    group: '{{ ssh_group }}'
-  when: ssh_client_hardening
-
-- name: Check if {{ sshd_moduli_file }} contains weak DH parameters
-  shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
-  register: sshd_register_moduli
-  changed_when: false
-  check_mode: no
-
-- name: remove all small primes
-  shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ;
-         [ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
-  notify: restart sshd
-  when: sshd_register_moduli.stdout
-
-- name: include tasks to setup ca keys and principals
-  include_tasks: ca_keys_and_principals.yml
-  when: ssh_trusted_user_ca_keys_file != ''
-
-- name: include tasks to setup 2FA
-  include_tasks: 2fa.yml
-  when:
-    - ssh_use_pam
-    - ssh_challengeresponseauthentication
-    - ssh_google_auth
-
-- name: test to see if selinux is installed and running
-  command: getenforce
-  register: sestatus
-  failed_when: false
-  changed_when: false
-  check_mode: no
-
-- name: include selinux specific tasks
-  include_tasks: selinux.yml
-  when: sestatus.rc == 0
+- include_tasks: hardening.yml
+  when: ssh_hardening_enabled