{"id":6634,"sha1":"07db1adda9869e2ffba9d3cf11d19bd908a04656","playbook":{"id":4508,"items":{"plays":1,"tasks":6,"results":18,"hosts":3,"files":1,"records":0},"arguments":{"version":null,"verbosity":2,"private_key_file":"/home/ssh-gateway/.ssh/id_rsa","remote_user":"root","connection":"ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":false,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/ssh-gateway/ansible/kuly/test-stage-hosts"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":20,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["RM10193-sshd-config-changes.yaml"]},"labels":[{"id":1,"name":"remote_user:root"},{"id":2,"name":"check:False"},{"id":3,"name":"tags:all"}],"started":"2025-11-20T12:30:51.845449Z","ended":"2025-11-20T12:30:57.229380Z","duration":"00:00:05.383931","name":null,"ansible_version":"2.16.11","client_version":"1.7.3","python_version":"3.10.10","server_version":"1.7.3","status":"completed","path":"/home/ssh-gateway/ansible/kuly/RM10193-sshd-config-changes.yaml","controller":"ssh-gw-4.layershift.com","user":"root"},"content":"---\n- name: Playbook to make sshd changes\n  hosts: all\n  gather_facts: false\n  vars:\n    sshd_config_path: /etc/ssh/sshd_config\n    sshd_hardening_params:\n      - {regexp: '^#?AllowAgentForwarding', line: 'AllowAgentForwarding no'}\n      - {regexp: '^#?AllowTcpForwarding', line: 'AllowTcpForwarding no'}\n      - {regexp: '^#?X11Forwarding', line: 'X11Forwarding no'}\n    ssh_port: 2233\n\n  tasks:\n    - name: Ensure SSHD config file exists before proceeding\n      ansible.builtin.stat:\n        path: \"{{ sshd_config_path }}\"\n      register: sshd_config_stat\n      failed_when: not sshd_config_stat.stat.exists\n\n    - name: Make the replacements\n      ansible.builtin.lineinfile:\n        path: \"{{ sshd_config_path }}\"\n        regexp: \"{{ item.regexp }}\"\n        line: \"{{ item.line }}\"\n        state: present\n        backup: true\n        validate: 'sshd -t -f %s'\n      loop: \"{{ sshd_hardening_params }}\"\n\n    - name: Restart sshd daemon\n      ansible.builtin.systemd:\n        name: sshd.service\n        state: restarted\n\n    - name: Verify if the options are there\n      ansible.builtin.shell: |\n        set -o pipefail\n        sshd -T -C lport=2233| egrep \"x11forwarding|allowtcpforwarding|allowagentforwarding\"\n      args:\n        executable: /bin/bash\n      register: ssh_out\n      changed_when: \"'yes' in ssh_out.stdout\"\n\n    - name: Check sshd status\n      ansible.builtin.systemd:\n        name: sshd.service\n      register: sshd_config_status\n\n    - name: Check sshd status\n      ansible.builtin.debug:\n        msg: \"SSH is not runing as expected\"\n      when: sshd_config_status.status.ActiveState != \"active\"\n","created":"2025-11-20T12:30:51.880364Z","updated":"2025-11-20T12:30:51.880389Z","path":"/home/ssh-gateway/ansible/kuly/RM10193-sshd-config-changes.yaml"}