Produced by Araxis Merge on 5/14/2018 1:18:38 PM Eastern Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.
| # | Location | File | Last Modified |
|---|---|---|---|
| 1 | MCCF_EDI_TAS_Infrastructure.zip\MCCF_EDI_TAS_Infrastructure\mag_sys_build\playbooks | open_sshd.yml | Tue Mar 27 23:51:10 2018 UTC |
| 2 | MCCF_EDI_TAS_Infrastructure.zip\MCCF_EDI_TAS_Infrastructure\mag_sys_build\playbooks | open_sshd.yml | Tue May 8 03:19:01 2018 UTC |
| Description | Between Files 1 and 2 |
|
|---|---|---|
| Text Blocks | Lines | |
| Unchanged | 2 | 584 |
| Changed | 1 | 2 |
| Inserted | 0 | 0 |
| Removed | 0 | 0 |
| Whitespace | |
|---|---|
| Character case | Differences in character case are significant |
| Line endings | Differences in line endings (CR and LF characters) are ignored |
| CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
| 1 | # Ansible Playbook | |
| 2 | # Erik van Oudheusde n PII - 28 Sep 2 017 | |
| 3 | # | |
| 4 | # Configur e OpenSSH Server if Necessary | |
| 5 | # | |
| 6 | # 2 Octobe r 2017 - C ommented o ut below f or Centrif y testing | |
| 7 | ||
| 8 | --- | |
| 9 | - name: Co nfigure Op enSSH Serv er if Nece ssary | |
| 10 | hosts: r hel7 | |
| 11 | become: yes | |
| 12 | vars: | |
| 13 | sshdCo nfigFiles: | |
| 14 | - /e tc/ssh/ssh d_config | |
| 15 | # - / etc/centri fydc/ssh/s shd_config | |
| 16 | tasks: | |
| 17 | - name: latest ssh d version installed | |
| 18 | yum: | |
| 19 | name : openssh- server | |
| 20 | stat e: latest | |
| 21 | - name: Delete exi sting issu e banner | |
| 22 | file: path=/etc/ issue | |
| 23 | stat e=absent | |
| 24 | - name: Delete exi sting issu e.net bann er | |
| 25 | file: path=/etc/ issue.net | |
| 26 | stat e=absent | |
| 27 | - name: edit issue banner | |
| 28 | blocki nfile: | |
| 29 | path : /etc/iss ue.net | |
| 30 | crea te: yes | |
| 31 | back up: yes | |
| 32 | mark er: "Secur ity Warnin g!" | |
| 33 | owne r: root | |
| 34 | grou p: root | |
| 35 | mode : 0644 | |
| 36 | cont ent: | | |
| 37 | Se curity War ning! | |
| 38 | ||
| 39 | Th is U.S. go vernment s ystem is i ntended to be used b y authoriz ed VA netw ork | |
| 40 | us ers for vi ewing and retrieving informati on only ex cept as ot herwise ex plicitly | |
| 41 | au thorized. VA informa tion resid es on and transmits through co mputer sys tems and | |
| 42 | ne tworks fun ded by the VA. All u se is cons idered to be with an understan ding and | |
| 43 | ac ceptance t hat there is no reas onable exp ectation o f privacy for any da ta or | |
| 44 | tr ansmission s on Gover nment Intr anet or Ex tranet (no n-public) networks o r systems. | |
| 45 | ||
| 46 | Al l transact ions that occur on t his system and all d ata transm itted thro ugh this | |
| 47 | sy stem are s ubject to review and action in cluding (b ut not lim ited to) | |
| 48 | mo nitoring- recording- retrievin g- coping- auditing- inspectin g- investi gating- | |
| 49 | re stricting access- bl ocking- tr acking- di sclosing t o authoriz ed personn el or any | |
| 50 | ot her author ized actio ns by all authorized VA and la w enforcem ent person nel. | |
| 51 | ||
| 52 | Al l use of t his system constitut es underst anding and unconditi onal accep tance | |
| 53 | of these ter ms., Unaut horized at tempts or acts to ei ther | |
| 54 | (1 ) access- upload- ch ange- or d elete info rmation on this syst em | |
| 55 | (2 ) modify t his system | |
| 56 | (3 ) deny acc ess to thi s system o r | |
| 57 | (4 ) accrue r esources f or unautho rized use on this sy stem are s trictly pr ohibited. | |
| 58 | Su ch attempt s or acts are subjec t to actio n that may result in criminal civil | |
| 59 | or administr ative pena lties. | |
| 60 | ||
| 61 | - name: create sym link to i ssue banne r | |
| 62 | file: | |
| 63 | src: /etc/issu e.net | |
| 64 | dest : /etc/iss ue | |
| 65 | owne r: root | |
| 66 | grou p: root | |
| 67 | stat e: link | |
| 68 | - name: Set ssh pr otocol to 2 | |
| 69 | linein file: | |
| 70 | back up: yes | |
| 71 | inse rtafter: " #?ListenAd dress [^0- 2]{1,3}" | |
| 72 | line : 'Protoco l 2' | |
| 73 | path : "{{ item }}" | |
| 74 | with_i tems: "{{ sshdConfig Files }}" | |
| 75 | #- name: Disable S SH Support for Rhost s RSA Auth entication | |
| 76 | # linei nfile: | |
| 77 | # pat h: "{{ ite m }}" | |
| 78 | # ins ertafter: "Protocol 2" | |
| 79 | # lin e: 'Rhosts RSAAuthent ication no ' | |
| 80 | # with_ items: "{{ sshdConfi gFiles }}" | |
| 81 | - name: Disable ro ot logon | |
| 82 | linein file: | |
| 83 | back refs: yes | |
| 84 | rege xp: '^#?Pe rmitRootLo gin yes' | |
| 85 | line : 'PermitR ootLogin n o' | |
| 86 | path : "{{ item }}" | |
| 87 | with_i tems: "{{ sshdConfig Files }}" | |
| 88 | - name: Set logon banner | |
| 89 | linein file: | |
| 90 | back refs: yes | |
| 91 | rege xp: '^#?Ba nner none' | |
| 92 | line : 'Banner /etc/issue ' | |
| 93 | path : "{{ item }}" | |
| 94 | with_i tems: "{{ sshdConfig Files }}" | |
| 95 | - name: Print last logon | |
| 96 | linein file: | |
| 97 | back refs: yes | |
| 98 | rege xp: '^#Pri ntLastLog yes' | |
| 99 | line : 'PrintLa stLog yes' | |
| 100 | path : "{{ item }}" | |
| 101 | with_i tems: "{{ sshdConfig Files }}" | |
| 102 | - name: Permit Use r Environm ent | |
| 103 | linein file: | |
| 104 | back refs: yes | |
| 105 | rege xp: '^#Per mitUserEnv ironment n o' | |
| 106 | line : 'PermitU serEnviron ment no' | |
| 107 | path : "{{ item }}" | |
| 108 | with_i tems: "{{ sshdConfig Files }}" | |
| 109 | - name: Enable GSS API Authen tication | |
| 110 | linein file: | |
| 111 | back refs: yes | |
| 112 | rege xp: '^GSSA PIAuthenti cation yes ' | |
| 113 | line : 'GSSAPIA uthenticat ion yes' | |
| 114 | path : "{{ item }}" | |
| 115 | with_i tems: "{{ sshdConfig Files }}" | |
| 116 | - name: Enable Use PAM | |
| 117 | linein file: | |
| 118 | back refs: yes | |
| 119 | rege xp: '^#Use PAM .*' | |
| 120 | line : 'UsePAM yes' | |
| 121 | path : "{{ item }}" | |
| 122 | with_i tems: "{{ sshdConfig Files }}" | |
| 123 | - name: Enable Pub lic Key Au thenticati on | |
| 124 | linein file: | |
| 125 | back refs: yes | |
| 126 | rege xp: '^#Pub keyAuthent ication .* ' | |
| 127 | line : 'PubkeyA uthenticat ion yes' | |
| 128 | path : "{{ item }}" | |
| 129 | with_i tems: "{{ sshdConfig Files }}" | |
| 130 | - name: Permit Ker beros Auth entication | |
| 131 | linein file: | |
| 132 | back refs: yes | |
| 133 | rege xp: '^#?Ke rberosAuth entication no' | |
| 134 | line : 'Kerbero sAuthentic ation yes' | |
| 135 | path : "{{ item }}" | |
| 136 | with_i tems: "{{ sshdConfig Files }}" | |
| 137 | - name: Enable Cha llengeResp onseAuthen tication # added for Centrify | |
| 138 | linein file: | |
| 139 | back refs: yes | |
| 140 | rege xp: '^Chal lengeRespo nseAuthent ication' | |
| 141 | line : 'Challen geResponse Authentica tion yes' | |
| 142 | path : "{{ item }}" | |
| 143 | with_i tems: "{{ sshdConfig Files }}" | |
| 144 | - name: Enable Use of StictM odes | |
| 145 | linein file: | |
| 146 | back refs: yes | |
| 147 | rege xp: '^#Str ictModes y es' | |
| 148 | line : 'StrictM odes yes' | |
| 149 | path : "{{ item }}" | |
| 150 | with_i tems: "{{ sshdConfig Files }}" | |
| 151 | - name: Disable Co mpression Or Set Com pression t o delayed | |
| 152 | linein file: | |
| 153 | back refs: yes | |
| 154 | rege xp: '^#Com pression d elayed' | |
| 155 | line : 'Compres sion delay ed' | |
| 156 | path : "{{ item }}" | |
| 157 | with_i tems: "{{ sshdConfig Files }}" | |
| 158 | - name: Set SSH Id le Timeout Interval | |
| 159 | linein file: | |
| 160 | back refs: yes | |
| 161 | rege xp: '^#Cli entAliveIn terval 0' | |
| 162 | line : 'ClientA liveInterv al 900' | |
| 163 | path : "{{ item }}" | |
| 164 | with_i tems: "{{ sshdConfig Files }}" | |
| 165 | - name: Set SSH Cl ient Alive Count | |
| 166 | linein file: | |
| 167 | back refs: yes | |
| 168 | rege xp: '^#Cli entAliveCo untMax 3' | |
| 169 | line : 'ClientA liveCountM ax 10' | |
| 170 | path : "{{ item }}" | |
| 171 | with_i tems: "{{ sshdConfig Files }}" | |
| 172 | - name: Disable SS H Access v ia Empty P asswords | |
| 173 | linein file: | |
| 174 | back refs: yes | |
| 175 | rege xp: '^#Per mitEmptyPa sswords no ' | |
| 176 | line : 'PermitE mptyPasswo rds no' | |
| 177 | path : "{{ item }}" | |
| 178 | with_i tems: "{{ sshdConfig Files }}" | |
| 179 | - name: Set loggin g to info | |
| 180 | linein file: | |
| 181 | back refs: yes | |
| 182 | rege xp: '^#Log Level INFO ' | |
| 183 | line : 'LogLeve l INFO' | |
| 184 | path : "{{ item }}" | |
| 185 | with_i tems: "{{ sshdConfig Files }}" | |
| 186 | - name: Use Only A pproved Ci phers Comm ent | |
| 187 | linein file: | |
| 188 | inse rtafter: " # Ciphers and keying " | |
| 189 | line : '#Use on ly fips ce rtified ci phers' | |
| 190 | path : "{{ item }}" | |
| 191 | with_i tems: "{{ sshdConfig Files }}" | |
| 192 | - name: Insert App roved FIPS Ciphers | |
| 193 | linein file: | |
| 194 | inse rtafter: " #Use only fips certi fied ciphe rs" | |
| 195 | line : 'Ciphers aes128-ct r,aes192-c tr,aes256- ctr' | |
| 196 | path : "{{ item }}" | |
| 197 | with_i tems: "{{ sshdConfig Files }}" | |
| 198 | - name: Use Only F IPS Approv ed MACs Co mment | |
| 199 | linein file: | |
| 200 | inse rtafter: " Ciphers ae s128-ctr,a es192-ctr, aes256-ctr " | |
| 201 | line : '#Disabl e MD5 MACs algorithm s' | |
| 202 | path : "{{ item }}" | |
| 203 | with_i tems: "{{ sshdConfig Files }}" | |
| 204 | - name: Use Only F IPS Approv ed MACs | |
| 205 | linein file: | |
| 206 | inse rtafter: " #Disable M D5 MACs al gorithms" | |
| 207 | line : 'MACs hm ac-sha2-51 2,hmac-sha 2-256,hmac -sha1' | |
| 208 | path : "{{ item }}" | |
| 209 | with_i tems: "{{ sshdConfig Files }}" | |
| 210 | - name: Enable Use of Privil ege Separa tion Comme nt | |
| 211 | linein file: | |
| 212 | inse rtafter: " MACs hmac- sha2-512,h mac-sha2-2 56,hmac-sh a1" | |
| 213 | line : '#Enable Use of Pr ivilege Se paration' | |
| 214 | path : "{{ item }}" | |
| 215 | with_i tems: "{{ sshdConfig Files }}" | |
| 216 | - name: Enable Use of Privil ege Separa tion | |
| 217 | linein file: | |
| 218 | inse rtafter: " #Enable Us e of Privi lege Separ ation" | |
| 219 | line : 'UsePriv ilegeSepar ation yes' | |
| 220 | path : "{{ item }}" | |
| 221 | with_i tems: "{{ sshdConfig Files }}" | |
| 222 | - name: Display la st login u pon succes sful login | |
| 223 | linein file: | |
| 224 | path : /etc/pam .d/sshd | |
| 225 | inse rtafter: " #%PAM-1.0" | |
| 226 | line : 'session requir ed pam _lastlog.s o showfail ed' | |
| 227 | - name: Do not per mit RSA Ho st Authent ication | |
| 228 | linein file: | |
| 229 | back refs: yes | |
| 230 | rege xp: '^#Ign oreRhosts yes' | |
| 231 | line : 'IgnoreR hosts yes' | |
| 232 | path : "{{ item }}" | |
| 233 | with_i tems: "{{ sshdConfig Files }}" | |
| 234 | - name: Do not per mit Known Host Authe ntication | |
| 235 | linein file: | |
| 236 | back refs: yes | |
| 237 | rege xp: '^#Ign oreUserKno wnHosts no ' | |
| 238 | line : 'IgnoreU serKnownHo sts yes' | |
| 239 | path : "{{ item }}" | |
| 240 | with_i tems: "{{ sshdConfig Files }}" | |
| 241 | # - name: Do not pe rmit RSA H ost Authen tication | |
| 242 | # linei nfile: | |
| 243 | # bac krefs: yes | |
| 244 | # reg exp: '^#Rh ostsRSAAut henticatio n no' | |
| 245 | # lin e: 'Rhosts RSAAuthent ication ye s' | |
| 246 | # pat h: "{{ ite m }}" | |
| 247 | # with_ items: "{{ sshdConfi gFiles }}" | |
| 248 | - name: Do not all ow untrust ed host SS H logon | |
| 249 | linein file: | |
| 250 | back refs: yes | |
| 251 | rege xp: '^#Hos tbasedAuth entication no' | |
| 252 | line : 'Hostbas edAuthenti cation no' | |
| 253 | path : "{{ item }}" | |
| 254 | with_i tems: "{{ sshdConfig Files }}" | |
| 255 | - name: SSH enable d and runn ing | |
| 256 | servic e: | |
| 257 | name : sshd | |
| 258 | enab led: true | |
| 259 | stat e: started | |
| 260 | ||
| 261 | # - name: edit issu e banner | |
| 262 | # block infile: | |
| 263 | # pat h: /etc/is sue.net | |
| 264 | # cre ate: yes | |
| 265 | # bac kup: yes | |
| 266 | # mar ker: "Secu rity Warni ng!" | |
| 267 | # own er: root | |
| 268 | # gro up: root | |
| 269 | # mod e: 0644 | |
| 270 | # con tent: | | |
| 271 | # V A systems are intend ed to be u sed by aut horized VA network u sers for v iewing and | |
| 272 | # r etrieving informatio n only exc ept as oth erwise exp licitly au thorized f or officia l | |
| 273 | # b usiness an d limited personal u se under V A policy. | |
| 274 | # | |
| 275 | # I nformation from this system re sides on a nd transmi ts through computer systems an d | |
| 276 | # n etworks fu nded by th e VA. All access or use const itutes und erstanding and accep tance | |
| 277 | # t hat there is no reas onable exp ectation o f privacy in the use of Govern ment netwo rks | |
| 278 | # o r systems. All acce ss or use of this sy stem const itutes use r understa nding and | |
| 279 | # a cceptance of these t erms and c onstitutes unconditi onal conse nt to revi ew and act ion | |
| 280 | # i ncluding ( but not li mited to) monitoring recording copying a uditing in specting | |
| 281 | # i nvestigati ng restric ting acces s blocking tracking disclosin g to autho rized pers onnel | |
| 282 | # o r any othe r authoriz ed actions by all au thorized V A and law enforcemen t personne l. | |
| 283 | # | |
| 284 | # U nauthorize d user att empts or a cts to | |
| 285 | # ( 1) access upload dow nload chan ge or dele te informa tion on th is system | |
| 286 | # ( 2) modify this syste m | |
| 287 | # ( 3) deny ac cess to th is system | |
| 288 | # ( 4) accrue resources for unauth orized use or | |
| 289 | # ( 5) otherwi se misuse this syste m are stri ctly prohi bited. | |
| 290 | # S uch attemp ts or acts are subje ct to acti on that ma y result i n | |
| 291 | # c riminal ci vil or adm inistrativ e penaltie s. | |
| 292 | # | |
| 293 |
Araxis Merge (but not the data content of this report) is Copyright © 1993-2016 Araxis Ltd (www.araxis.com). All rights reserved.