---
# Locate the sshd configuration before anything is modified; the stat result
# drives the existence check in the following task.
- name: Ensure sshd configuration exists
  ansible.builtin.stat:
    path: "{{ cis_ssh_config_path }}"
  register: cis_aix_sshd_config

# Fail closed: this role hardens an existing sshd_config and never creates
# one from scratch, so a missing file aborts the play here.
- name: Fail when sshd configuration is missing
  ansible.builtin.assert:
    that:
      - cis_aix_sshd_config.stat.exists
    fail_msg: "CRITICAL: {{ cis_ssh_config_path }} was not found; refusing to manage SSH hardening."
    success_msg: "OK: {{ cis_ssh_config_path }} exists."

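# Build the syntax-check command from the sshd binary detected earlier.
# The guard leaves cis_sshd_test_command untouched when no binary was found.
- name: Set sshd validation command from detected binary
  ansible.builtin.set_fact:
    cis_sshd_test_command: "{{ cis_aix_sshd_path }} -t"
  when: cis_aix_sshd_path is defined and cis_aix_sshd_path | length > 0

# Stop with a readable message rather than letting the blockinfile task below
# abort on an undefined variable inside its validate template. That failure
# is fail-closed but opaque; this one names the missing prerequisite.
- name: Fail when no sshd validation command is available
  ansible.builtin.assert:
    that:
      - cis_sshd_test_command is defined
      - cis_sshd_test_command | length > 0
    fail_msg: "CRITICAL: no sshd binary detected (cis_aix_sshd_path); refusing to edit {{ cis_ssh_config_path }} without a validate command."
    success_msg: "OK: sshd configuration will be validated with '{{ cis_sshd_test_command }}'."
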
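# Write the hardening directives as one managed block. sshd uses the first
# value it reads for each keyword, so on first run the block is inserted at
# the top of the file (insertbefore: BOF); appended at EOF (the blockinfile
# default) it could be shadowed by an earlier directive or end up inside a
# trailing Match section and silently not apply. Where the markers already
# exist, blockinfile replaces the block in place. Conflicting directives
# elsewhere in the file are not removed by this task.
# validate runs the syntax check against the temporary copy before the real
# file is replaced; backup keeps the previous config for rollback.
- name: Apply managed AIX sshd hardening block
  ansible.builtin.blockinfile:
    path: "{{ cis_ssh_config_path }}"
    marker: "# {mark} ANSIBLE MANAGED BLOCK cis-aix7-hardening"
    insertbefore: BOF
    owner: root
    group: system
    mode: "0600"
    backup: true
    validate: "{{ cis_sshd_test_command }} -f %s"
    block: |
      PermitRootLogin {{ 'no' if cis_disable_root_login | bool else 'prohibit-password' }}
      PermitEmptyPasswords no
      PasswordAuthentication {{ 'no' if cis_disable_password_auth | bool else 'yes' }}
      MaxAuthTries {{ cis_ssh_max_auth_tries }}
      LoginGraceTime {{ cis_ssh_login_grace_time }}
      ClientAliveInterval {{ cis_ssh_client_alive_interval }}
      ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}
  notify:
    - validate sshd
    - restart sshd
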
- name: Validate effective sshd configuration
ansible.builtin.command: "{{ cis_sshd_test_command }}"
changed_when: false