Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook

2026-05-06 08:56:45 +00:00
parent 75a11f7650
commit 2fd9c0b5ef
15 changed files with 778 additions and 0 deletions
@@ -0,0 +1,99 @@
+---
+- name: Ensure sshd drop-in directory exists
+  ansible.builtin.file:
+    path: "{{ cis_ssh_dropin_path | dirname }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: Ensure sshd hardening drop-in exists
+  ansible.builtin.file:
+    path: "{{ cis_ssh_dropin_path }}"
+    state: touch
+    owner: root
+    group: root
+    mode: "0644"
+    modification_time: preserve
+    access_time: preserve
+
+- name: Ensure sshd drop-in directory is included
+  ansible.builtin.lineinfile:
+    path: "{{ cis_ssh_main_config_path }}"
+    regexp: '^Include\s+/etc/ssh/sshd_config\.d/\*\.conf'
+    line: "Include /etc/ssh/sshd_config.d/*.conf"
+    insertbefore: BOF
+    validate: sshd -t -f %s
+  notify:
+    - validate ssh
+    - restart ssh
+
+- name: Configure SSH root login
+  ansible.builtin.lineinfile:
+    path: "{{ cis_ssh_dropin_path }}"
+    regexp: '^PermitRootLogin\s+'
+    line: "PermitRootLogin {{ 'no' if cis_disable_root_login | bool else 'prohibit-password' }}"
+    validate: sshd -t -f %s
+  notify:
+    - validate ssh
+    - restart ssh
+
+- name: Configure SSH empty password restriction
+  ansible.builtin.lineinfile:
+    path: "{{ cis_ssh_dropin_path }}"
+    regexp: '^PermitEmptyPasswords\s+'
+    line: "PermitEmptyPasswords no"
+    validate: sshd -t -f %s
+  notify:
+    - validate ssh
+    - restart ssh
+
+- name: Configure SSH password authentication
+  ansible.builtin.lineinfile:
+    path: "{{ cis_ssh_dropin_path }}"
+    regexp: '^PasswordAuthentication\s+'
+    line: "PasswordAuthentication {{ 'no' if cis_disable_password_auth | bool else 'yes' }}"
+    validate: sshd -t -f %s
+  notify:
+    - validate ssh
+    - restart ssh
+
+- name: Configure SSH MaxAuthTries
+  ansible.builtin.lineinfile:
+    path: "{{ cis_ssh_dropin_path }}"
+    regexp: '^MaxAuthTries\s+'
+    line: "MaxAuthTries {{ cis_ssh_max_auth_tries }}"
+    validate: sshd -t -f %s
+  notify:
+    - validate ssh
+    - restart ssh
+
+- name: Configure SSH LoginGraceTime
+  ansible.builtin.lineinfile:
+    path: "{{ cis_ssh_dropin_path }}"
+    regexp: '^LoginGraceTime\s+'
+    line: "LoginGraceTime {{ cis_ssh_login_grace_time }}"
+    validate: sshd -t -f %s
+  notify:
+    - validate ssh
+    - restart ssh
+
+- name: Configure SSH ClientAliveInterval
+  ansible.builtin.lineinfile:
+    path: "{{ cis_ssh_dropin_path }}"
+    regexp: '^ClientAliveInterval\s+'
+    line: "ClientAliveInterval {{ cis_ssh_client_alive_interval }}"
+    validate: sshd -t -f %s
+  notify:
+    - validate ssh
+    - restart ssh
+
+- name: Configure SSH ClientAliveCountMax
+  ansible.builtin.lineinfile:
+    path: "{{ cis_ssh_dropin_path }}"
+    regexp: '^ClientAliveCountMax\s+'
+    line: "ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}"
+    validate: sshd -t -f %s
+  notify:
+    - validate ssh
+    - restart ssh