dev-sec · chris-rock · Apr 28, 2015 · Apr 27, 2015
diff --git a/roles/ansible-ssh-hardening/templates/openssh.conf.j2 b/roles/ansible-ssh-hardening/templates/openssh.conf.j2
@@ -9,15 +9,15 @@
 # ===================
 
 # Address family should always be limited to the active network configuration.
-AddressFamily {% if network_ipv6_enable %}any{% else %}inet{% endif %}
+AddressFamily {% if network_ipv6_enable -%}any{% else -%}inet{% endif %}
 
 # Restrict the following configuration to be limited to this Host.
-{% for host in ssh_remote_hosts %}
+{% for host in ssh_remote_hosts -%}
 Host {{host}}
 {% endfor %}
 
 # The port at the destination should be defined
-{% for port in ssh_ports %}
+{% for port in ssh_ports -%}
 Port {{port}}
 {% endfor %}
 
@@ -48,15 +48,15 @@ StrictHostKeyChecking ask
 # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
 # 
 {% if ssh_client_cbc_required %}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' %}
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
 Ciphers {{ciphers_66_weak}}
-{% else %}
+{% else -%}
 Ciphers {{ciphers_53_weak}}
 {% endif %}
 {% else %}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' %}
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
 Ciphers {{ciphers_66_default}}
-{% else %}
+{% else -%}
 Ciphers {{ciphers_53_default}}
 {% endif %}
 {% endif %}
@@ -66,21 +66,21 @@ Ciphers {{ciphers_53_default}}
 # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case.
 # 
 {% if ssh_server_weak_hmac %}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' %}
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
 MACs {{macs_66_weak}}
-{% elif ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6' %}
+{% elif (ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6') or ansible_os_family == 'Oracle Linux' -%}
 MACs {{macs_53_default}}
-{% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' %}
+{% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
 MACs {{macs_53_default}}
 {% else %}
 MACs {{macs_59_weak}}
 {% endif %}
 {% else %}
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' %}
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
 MACs {{macs_66_default}}
-{% elif ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6' %}
+{% elif (ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6')  or ansible_os_family == 'Oracle Linux' -%}
 MACs {{macs_53_default}}
-{% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' %}
+{% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
 MACs {{macs_53_default}}
 {% else %}
 MACs {{macs_59_default}}
@@ -101,7 +101,7 @@ MACs {{macs_59_default}}
                 KexAlgorithms {{kex_66_default}}
         {% endif %}
 {% else -%}
-        {% if ansible_os_family == 'RedHat' or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
+        {% if ansible_os_family == 'RedHat' or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or ansible_os_family == 'Oracle Linux' -%}
                 #KexAlgorithms
         {% else -%}
                 KexAlgorithms {{kex_59_default}}

diff --git a/roles/ansible-ssh-hardening/templates/opensshd.conf.j2 b/roles/ansible-ssh-hardening/templates/opensshd.conf.j2
@@ -76,7 +76,7 @@ Ciphers {{ciphers_53_default}}
 {% if ssh_server_weak_hmac -%}
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
 MACs {{macs_66_weak}}
-{% elif ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6' -%}
+{% elif (ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6') or ansible_os_family == 'Oracle Linux' -%}
 MACs {{macs_53_default}}
 {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
 MACs {{macs_53_default}}
@@ -86,7 +86,7 @@ MACs {{macs_59_weak}}
 {% else %}
 {% if ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '14.04' -%}
 MACs {{macs_66_default}}
-{% elif ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6' -%}
+{% elif (ansible_os_family == 'RedHat' and ansible_distribution_major_version <= '6') or ansible_os_family == 'Oracle Linux' -%}
 MACs {{macs_53_default}}
 {% elif ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6' -%}
 MACs {{macs_53_default}}
@@ -109,7 +109,7 @@ MACs {{macs_59_default}}
                 KexAlgorithms {{kex_66_default}}
         {% endif %}
 {% else -%}
-        {% if ansible_os_family == 'RedHat' or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
+        {% if ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' or (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') -%}
                 #KexAlgorithms
         {% else -%}
                 KexAlgorithms {{kex_59_default}}
@@ -121,7 +121,7 @@ MACs {{macs_59_default}}
 
 # Secure Login directives.
 UseLogin no
-UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or ansible_os_family == 'RedHat' -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
+UsePrivilegeSeparation {% if (ansible_distribution == 'Debian' and ansible_distribution_major_version <= '6') or ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %}
 
 PermitUserEnvironment no
 LoginGraceTime 30s

diff --git a/roles/ansible-ssh-hardening/vars/Oracle Linux.yml b/roles/ansible-ssh-hardening/vars/Oracle Linux.yml
@@ -0,0 +1 @@
+sshd_service_name: sshd