f5networks.f5_bigip.bigip_security_ssh_profile (3.4.0) — module

Manage SSH proxy security profiles on a BIG-IP

Added in version 1.13.0 of f5networks.f5_bigip

Authors: Wojciech Wypior (@wojtek0806)

Install collection

Install with ansible-galaxy collection install f5networks.f5_bigip:==3.4.0


Add to requirements.yml

  collections:
    - name: f5networks.f5_bigip
      version: 3.4.0

Description

Manage SSH proxy security profiles on a BIG-IP.

Usage examples

- name: Create an SSH proxy profile
  bigip_security_ssh_profile:
    name: test_profile
    default_action:
      name: default_rule
      shell:
        control: disallow
        log: true
      sub_system:
        control: disallow
        log: true
      agent:
        control: terminate
        log: true
      other:
        control: terminate
        log: true
    lang_env_tolerance: common
    description: "this is a new profile"
    timeout: 180
    state: present

- name: Modify an SSH proxy profile
  bigip_security_ssh_profile:
    name: test_profile
    default_action:
      name: default_rule
      shell:
        control: allow
        log: false
    timeout: 200
    state: present

- name: Remove ssh proxy profile
  bigip_security_ssh_profile:
    name: test_profile
    state: absent

Inputs

    
name:
    description:
    - Specifies the name of the SSH proxy security profile to manage.
    required: true
    type: str

state:
    choices:
    - absent
    - present
    default: present
    description:
    - When C(present), ensures the SSH proxy security profile is created.
    - When C(absent), ensures the SSH proxy security profile is removed.
    type: str

timeout:
    description:
    - Specifies a timeout for the SSH proxy, in seconds.
    type: int

partition:
    default: Common
    description:
    - Device partition to manage resources on.
    type: str

description:
    description:
    - Specifies descriptive text that identifies the SSH proxy profile.
    type: str

default_action:
    description:
    - Specifies the default action rule for the SSH proxy security profile.
    - When creating a new profile, this parameter must be specified; otherwise the module fails.
    suboptions:
      agent:
        description:
        - Defines the use of an ssh-agent over the SSH tunnel.
        - Agent forwarding lets a chain of SSH connections forward key challenges back
          to the original agent, removing the need for passwords or private keys on
          intermediate machines.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      forward_local:
        description:
        - Defines the use of the C(-L) option to do local port forwarding over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      forward_remote:
        description:
        - Defines the use of the C(-R) option to do remote port forwarding over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      forward_x11:
        description:
        - Defines the use of X11 forwarding over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      name:
        description:
        - Name of the C(default_action) rule to be created or modified.
        required: true
        type: str
      other:
        description:
        - Defines the use of other SSH commands on SSH connection.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      rexec:
        description:
        - Defines the use of C(rexec) remote execution commands over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      scp_down:
        description:
        - Defines the use of Secure Copy to copy files from a remote directory to a local
          directory over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      scp_up:
        description:
        - Defines the use of Secure Copy to copy files from a local directory to a remote
          directory over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      sftp_down:
        description:
        - Defines the use of Secure File Transfer Protocol to download files over the
          SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      sftp_up:
        description:
        - Defines the use of Secure File Transfer Protocol to upload files over the SSH
          tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      shell:
        description:
        - Defines use of the C(shell) command to open an SSH shell channel type.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
      sub_system:
        description:
        - Defines the use of the C(subsystem) command to invoke remote commands that
          are defined on the server over the SSH tunnel.
        suboptions:
          control:
            choices:
            - allow
            - disallow
            - terminate
            description:
            - When set to C(allow), allows setup of the session for the selected SSH channel
              action.
            - When set to C(disallow), the SSH channel action is denied and a I(command
              not accepted) message is sent.
            - When set to C(terminate), the SSH connection is terminated with a reset
              message when the selected channel action is received.
            type: str
          log:
            description:
            - Specifies if logging should be enabled for the selected SSH action.
            type: bool
        type: dict
    type: dict

lang_env_tolerance:
    choices:
    - any
    - none
    - common
    description:
    - Determines which connections that set the LANG environment variable are allowed
      to pass through when the SSH proxy profile restricts the C(other) channel action.
    - When set to C(any), connections with any LANG value are allowed to pass through.
    - When set to C(none), all connections with the LANG environment variable set are
      disallowed.
    - When set to C(common), only connections with LANG set to C(en_US.UTF-8) pass
      through the C(other) restriction.
    - This setting has an effect only if the C(other) action is C(disallow) or C(terminate);
      with C(other) set to C(allow), it is ignored.
    type: str
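A complete playbook that ties the C(default_action) channel table above to the C(lang_env_tolerance) caveat, added here as an example and not taken from the collection's own documentation. Every channel action the module documents is set explicitly, so the resulting profile does not depend on whatever the device would default an unspecified channel to, and C(other) is set to C(terminate) so that C(lang_env_tolerance) actually takes effect. The host name C(bigip), the profile and rule names, and the inventory variables for the httpapi connection are assumptions; the final C(bigip_command) verification task assumes that module is available in the same collection.

```yaml
---
# Added example (not from the f5networks.f5_bigip docs).
# Assumed inventory for the httpapi connection plugin:
#   [bigip]
#   bigip ansible_host=192.0.2.10 ansible_network_os=f5networks.f5_bigip.bigip
#         ansible_connection=httpapi ansible_httpapi_use_ssl=true
- name: Deny-by-default SSH proxy profile with every channel action set
  hosts: bigip
  gather_facts: false
  collections:
    - f5networks.f5_bigip
  tasks:
    - name: Create a restrictive SSH proxy profile
      bigip_security_ssh_profile:
        name: ssh_proxy_restrictive          # assumed name
        partition: Common
        description: "Interactive shell only; no forwarding, no file transfer"
        timeout: 300
        default_action:
          name: deny_by_default               # assumed rule name
          # Only an interactive shell is permitted, and it is logged.
          shell:          { control: allow,     log: true }
          # Remote execution and file transfer are refused with "command not accepted".
          sub_system:     { control: disallow,  log: true }
          rexec:          { control: disallow,  log: true }
          scp_up:         { control: disallow,  log: true }
          scp_down:       { control: disallow,  log: true }
          sftp_up:        { control: disallow,  log: true }
          sftp_down:      { control: disallow,  log: true }
          # Any tunnelling or agent forwarding attempt resets the whole connection.
          forward_local:  { control: terminate, log: true }
          forward_remote: { control: terminate, log: true }
          forward_x11:    { control: terminate, log: true }
          agent:          { control: terminate, log: true }
          other:          { control: terminate, log: true }
        # "other" is terminate, so lang_env_tolerance is in effect: a client that
        # sends LANG=en_US.UTF-8 still gets through; any other LANG value hits the
        # "other" action and the connection is reset. With "none" here, every client
        # that exports LANG would be cut off.
        lang_env_tolerance: common
        state: present
      register: ssh_profile

    - name: Show the values the module reports as changed
      ansible.builtin.debug:
        var: ssh_profile

    - name: Read the profile back from the device (assumes bigip_command in this collection)
      bigip_command:
        commands:
          - list security ssh profile ssh_proxy_restrictive
      register: profile_listing

    - name: Print the device-side view of the profile
      ansible.builtin.debug:
        var: profile_listing.stdout_lines
```

Run it with `ansible-playbook -i inventory ssh_proxy_profile.yml`. The page's second usage example shows why listing every channel matters: a later task that sets only C(shell) leaves the other channel actions as they are, so the restrictive baseline survives incremental edits only if it was written out in full the first time.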

Outputs

default_action:
  description: The default action rule for SSH proxy security profile.
  returned: changed
  sample: hash/dictionary of values
  type: dict
description:
  description: Descriptive text that identifies the SSH proxy profile.
  returned: changed
  sample: this is a profile
  type: str
lang_env_tolerance:
  description: Determines which connections with LANG environment variables set are
    allowed to pass through.
  returned: changed
  sample: any
  type: str
timeout:
  description: The timeout for the SSH proxy.
  returned: changed
  sample: 200
  type: int