EGI-Federation / community.egi.eu

Community forum playbooks and configs.
Apache License 2.0

harden ssh. #7

Closed brucellino closed 6 years ago

brucellino commented 6 years ago

Configuration and deployment is done over SSH using Ansible. This should be locked down appropriately.

brucellino commented 6 years ago

Welp... the ssh baseline profile is a burning mess of fail:

Profile Summary: 5 successful controls, 63 control failures, 0 controls skipped
Test Summary: 36 successful, 64 failures, 0 skipped

Let's see if we can't do something about that.

brucellino commented 6 years ago

After applying the profile ON THE ACTUAL MACHINE and not my laptop :man_facepalming: we now get:

Profile Summary: 65 successful controls, 3 control failures, 0 controls skipped
Test Summary: 97 successful, 3 failures, 0 skipped

Failure summary:

  ×  sshd-15: Server: Specify UseLogin to NO
     ×  SSHD Configuration UseLogin should eq "no"
  ×  sshd-36: Server: Set a client alive interval
     ×  SSHD Configuration ClientAliveInterval should eq "300"
  ×  sshd-40: Server: Disable Agent forwarding
     ×  SSHD Configuration AllowAgentForwarding should eq "no"

Woot.
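
An added example, not part of the original thread or the project's playbooks: a small Python check for the three directives named in the failure summary above. It assumes sshd's usual parsing rules (case-insensitive keywords, first value wins, settings after a `Match` line are conditional) and treats a missing directive as a failure; `SAMPLE` is a constructed config.

```python
import re

# Expected values, taken from the three failing controls in the summary above.
EXPECTED = {
    "sshd-15": ("UseLogin", "no"),
    "sshd-36": ("ClientAliveInterval", "300"),
    "sshd-40": ("AllowAgentForwarding", "no"),
}

def parse_global_section(text):
    """Return {lowercased keyword: value} for the global part of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or '='.
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # everything after a Match line is conditional
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # sshd keeps the first value it sees
    return settings

def audit(text):
    """Return {control_id: (keyword, found_value_or_None, passed)}."""
    settings = parse_global_section(text)
    results = {}
    for control, (keyword, want) in EXPECTED.items():
        found = settings.get(keyword.lower())
        # Assumption: a directive that is absent counts as a failure.
        passed = found is not None and found.lower() == want
        results[control] = (keyword, found, passed)
    return results

# Constructed sample config, not taken from the machine in this issue.
SAMPLE = """\
PermitRootLogin no
clientaliveinterval 300
ClientAliveInterval 0
AllowAgentForwarding yes
Match User deploy
    AllowAgentForwarding no
"""

if __name__ == "__main__":
    for control, (keyword, found, ok) in audit(SAMPLE).items():
        print(f"{'ok  ' if ok else 'FAIL'} {control}: {keyword} = {found!r}")
```

On the constructed sample, only `ClientAliveInterval` passes: the later `0` is ignored because the first value wins, and the `AllowAgentForwarding no` inside the `Match` block does not change the global setting.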