restructure

ansible/README.md

@@ -4,8 +4,37 @@ Ansible playbooks, roles, modules, etc will come here. Documentation to come soo
 
 Each playbook should have comments or a name descripter that explains what the playbook does or how it is used. If not available, README-... files can be used in place.
 
+## Management Node Structure
+
+Loosely copied from the CentOS ansible infrastructure. This structure is represented in this repository.
+
+```
+.
+├── ansible.cfg
+├── files -> playbooks/files
+├── handlers -> playbooks/handlers
+├── inventory
+├── pkistore
+├── playbooks
+│   ├── files
+│   ├── group_vars
+│   ├── host_vars
+│   ├── handlers
+│   ├── tasks
+│   ├── templates
+│   ├── vars
+│   └── requirements.yml
+├── roles
+│   ├── <role-name>
+├── tasks -> playbooks/tasks
+├── templates -> playbooks/templates
+└── vars -> playbooks/vars
+```
+
 ## Structure
 
+What each folder represents
+
 ```
 files      -> As the name implies, non-templated files go here
 group_vars -> Group Variables go here if they are not fulfilled in an inventory
@@ -15,7 +44,6 @@ roles      -> Custom roles can go here
 tasks      -> Common tasks come here
 templates  -> Templates go here
 vars       -> Global variables that are called with vars_files go here. This
-              is mainly for init and encpass.yml
 ```
 
 ## Current Playbook Naming

ansible/ansible.cfg

@@ -0,0 +1 @@
+# Empty

ansible/files

@@ -0,0 +1 @@
+playbooks/files

ansible/handlers

@@ -0,0 +1 @@
+playbooks/handlers

ansible/playbooks/handlers/handlers

@@ -0,0 +1 @@
+playbooks/handlers

ansible/playbooks/init-rocky-system-config.yml

@@ -0,0 +1,28 @@
+---
+# Basic system configuration. All hardening should also be imported here.
+- name: Configure system
+  hosts: all
+  become: true
+
+  pre_tasks:
+    - name: Check if ansible cannot be run here
+      stat:
+        path: /etc/no-ansible
+      register: no_ansible
+
+    - name: Verify if we can run ansible
+      assert:
+        that:
+          - "not no_ansible.stat.exists"
+        msg: "/etc/no-ansible exists - skipping run on this node"
+
+  tasks:
+    - name: Configure SSH
+      include: tasks/ssh-config.yml
+
+  post_tasks:
+    - name: Touching run file that ansible has ran here
+      file:
+        path: /var/log/ansible.run
+        state: touch
+

ansible/playbooks/role-rocky-ipa-replica.yml

@@ -36,7 +36,7 @@
 
     - name: Ensure resolv.conf is pointing to main master
       template:
-        src: templates/resolv.conf.j2
+        src: etc/resolv.conf.j2
         dest: /etc/resolv.conf
         owner: root
         group: root

ansible/playbooks/tasks/ssh-config.yml

@@ -0,0 +1,34 @@
+---
+- name: Ensure SSH is installed - it should be
+  package:
+    name: openssh-server
+    state: present
+
+- name: ssh configuration - global
+  block:
+  - name: ssh configuration - base
+    template:
+      src: "etc/ssh/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-sshd_config.j2"
+      dest: /etc/ssh/sshd_config
+      owner: root
+      group: root
+      mode: '0600'
+      validate: /usr/sbin/sshd -t -f %s
+      backup: yes
+    notify: restart_ssh
+
+  - name: ssh banner
+    copy:
+      src: "etc/banner"
+      dest: "{{ ssh_banner }}"
+      owner: root
+      group: root
+    notify: restart_ssh
+
+  - name: Remove dsa keys
+    file:
+      path: "{{ item }}"
+      state: absent
+    with_items:
+      - /etc/ssh/ssh_host_dsa_key.pub
+      - /etc/ssh/ssh_host_dsa_key

ansible/playbooks/templates/etc/rockybanner

@@ -0,0 +1,11 @@
+ *******                    **             
+/**////**                  /**      **   **
+/**   /**   ******   ***** /**  ** //** ** 
+/*******   **////** **///**/** **   //***  
+/**///**  /**   /**/**  // /****     /**   
+/**  //** /**   /**/**   **/**/**    **    
+/**   //**//****** //***** /**//**  **     
+//     //  //////   /////  //  //  //      
+
+All access is logged and monitors. Unauthorized access is prohibited.
+

ansible/playbooks/templates/etc/ssh/CentOS-7-sshd_config.j2

@@ -0,0 +1 @@
+RedHat-7-sshd_config.j2

ansible/playbooks/templates/etc/ssh/CentOS-8-sshd_config.j2

@@ -0,0 +1 @@
+RedHat-8-sshd_config.j2

ansible/playbooks/templates/etc/ssh/RedHat-7-sshd_config.j2

@@ -0,0 +1,156 @@
+#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication yes
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+#ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+################################################################################
+# Below managed by {{ ansible_managed }}
+#
+Banner /etc/rockybanner
+PermitRootLogin no
+X11Forwarding no
+LoginGraceTime 1m
+
+# FIPS Compliant (old)
+MACs hmac-sha2-512,hmac-sha2-256
+Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+
+# IPA
+AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+AuthorizedKeysCommandUser nobody
+ChallengeResponseAuthentication yes

ansible/playbooks/templates/etc/ssh/RedHat-8-sshd_config.j2

@@ -0,0 +1,168 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# System-wide Crypto policy:
+# This system is following system-wide crypto policy. The changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
+# effect here. They will be overridden by command-line options passed on
+# the server start up.
+# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
+# variable in  /etc/sysconfig/sshd  to overwrite the policy.
+# For more information, see manual page for update-crypto-policies(8).
+
+# Logging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication yes
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+#ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
+# as it is more configurable and versatile than the built-in version.
+PrintMotd no
+
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+################################################################################
+# Below managed by {{ ansible_managed }}
+#
+Banner /etc/rockybanner
+PermitRootLogin no
+X11Forwarding no
+LoginGraceTime 1m
+
+# FIPS Compliant
+# This has no effect in RHEL 8 or Fedora. However, in the case of compliance
+# higher than that of PCI, it may be a good idea to override it.
+MACs hmac-sha2-512,hmac-sha2-256
+Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+
+# IPA
+AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+AuthorizedKeysCommandUser nobody
+ChallengeResponseAuthentication yes

ansible/tasks

@@ -0,0 +1 @@
+playbooks/tasks

ansible/templates

@@ -0,0 +1 @@
+playbooks/templates

ansible/vars

@@ -0,0 +1 @@
+playbooks/vars