From 365ad6529cd495b45343782843dbc2dde8c61394 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 8 Nov 2016 14:22:40 -0600
Subject: [PATCH] Configure sshd based on the RHEL 7 STIG
This patch adds several configurations for sshd per the STIG's requirements. The following STIG requirements are met with this patch:
- RHEL-07-010270
- RHEL-07-010440
- RHEL-07-010441
- RHEL-07-010442
- RHEL-07-040110
- RHEL-07-040170
- RHEL-07-040190
- RHEL-07-040191
- RHEL-07-040301
- RHEL-07-040310
- RHEL-07-040332
- RHEL-07-040334
- RHEL-07-040334
- RHEL-07-040540
- RHEL-07-040590
- RHEL-07-040620
- RHEL-07-040690
- RHEL-07-040700
- RHEL-07-040670
- RHEL-07-040680
Only two tasks are needed for all of this work and this should speed up the deployment nicely. Documentation will be updated in a follow-on patch.
Implements: blueprint security-rhel7-stig
Change-Id: I80579533eac2dd983f6d370445d9796d7c22eefc
---
 defaults/main.yml | 39 ++++++++++++++++-
 tasks/rhel7stig/sshd.yml | 79 +++++++++++++++++++++-------------
 templates/sshd_config_block.j2 | 58 +++++++++++++++++++++++++
 3 files changed, 144 insertions(+), 32 deletions(-)
 create mode 100644 templates/sshd_config_block.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index 89c4a06f..d0fa7a1b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -413,5 +413,40 @@ security_rhel7_remove_ypserv: yes # RHEL-07-020010
 security_enable_gpgcheck: yes # RHEL-07-020150
 
 ## ssh server (sshd)
-# Prevent users from logging in over ssh if they have an empty password.
-security_sshd_disallow_empty_password: yes # RHEL-07-010270
+# Disallow logins from users with empty/null passwords.
+security_sshd_disallow_empty_password: yes # RHEL-07-010270 / RHEL-07-010440
+# Disallow users from overriding the ssh environment variables.
+security_sshd_disallow_environment_override: yes # RHEL-07-010441
+# Disallow host based authentication.
+security_sshd_disallow_host_based_auth: yes # RHEL-07-010442
+# Set a list of allowed ssh ciphers.
+security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # RHEL-07-040110
+# Specify a text file to be displayed as the banner/MOTD for all sessions.
+security_sshd_banner_file: /etc/issue.net # RHEL-07-040170
+# Set the interval for max session length and the number of intervals to allow.
+security_sshd_client_alive_interval: 600 # RHEL-07-040190
+security_sshd_client_alive_count_max: 0 # RHEL-07-040191
+# Print the last login for a user when they log in over ssh.
+security_sshd_print_last_log: yes # RHEL-07-040301
+# Permit direct root logins
+security_sshd_permit_root_login: no # RHEL-07-040310
+# Disallow authentication using known hosts authentication.
+security_sshd_disallow_known_hosts_auth: yes # RHEL-07-040332 / RHEL-07-040333
+# Disallow rhosts authentication.
+security_sshd_disallow_rhosts_auth: yes # RHEL-07-040334
+# Enable X11 forwarding.
+security_sshd_enable_x11_forwarding: yes # RHEL-07-040540
+# Set the allowed ssh protocols.
+security_sshd_protocol: 2 # RHEL-07-040590
+# Set the list of allowed Message Authentication Codes (MACs) for ssh.
+security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # RHEL-07-040620
+# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
+security_sshd_disallow_gssapi: yes # RHEL-07-040660
+# Disallow compression or delay after login.
+security_sshd_compression: 'delayed' # RHEL-07-040700
+# Require privilege separation at every opportunity.
+security_sshd_enable_privilege_separation: yes # RHEL-07-040690
+# Require strict mode checking of home directory configuration files.
+security_sshd_enable_strict_modes: yes # RHEL-07-040680
+# Disallow Kerberos authentication.
+security_sshd_disable_kerberos_auth: yes # RHEL-07-040670
diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index ba0ae254..c5da8a55 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
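Review bot: `security_sshd_disallow_gssapi: yes # RHEL-07-040660` has no consumer in this commit — the new sshd_config_block.j2 renders no `GSSAPIAuthentication` directive — so the default is dead and RHEL-07-040660 is not actually enforced (it is also absent from the control list in the commit message). The comment `# Set the interval for max session length and the number of intervals to allow.` misdescribes ClientAliveInterval, which is the seconds of client silence before sshd sends a keepalive probe rather than a session-length cap; suggest `# Seconds of client inactivity before sshd probes the client, and how many unanswered probes to tolerate before disconnecting.` Note that newer OpenSSH releases (8.2 and later) treat `ClientAliveCountMax 0` as "never disconnect", so the `0` default should be checked against the OpenSSH version on the targets rather than assumed to mean "drop after one idle interval". Defaulting `security_sshd_enable_x11_forwarding` to `yes` widens the sshd attack surface; if RHEL-07-040540 genuinely requires it, the comment should say so explicitly so operators know it is safe to set `no` where X11 is unused.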
@@ -19,45 +19,64 @@
 # are added by the security role. For that reason, we check for the existence
 # of a marker line here and add a marker line to the file if it doesn't exist.
 
-- name: Check for security role marker in sshd_config
-  command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
-  register: sshd_marker_check
-  changed_when: False
-  check_mode: no
-  failed_when: False
-
-# Check for "Match" stanzas in the sshd_config.
-- name: Check for Match stanzas in sshd_config
-  command: "grep '^Match' /etc/ssh/sshd_config"
+- name: Find first 'Match' line in sshd_config (if it exists)
+  command: grep '^Match' /etc/ssh/sshd_config
   register: sshd_match_check
   changed_when: False
   check_mode: no
-  failed_when: False
+  tags:
+    - always
+    - sshd
 
-# If the marker is missing, and "Match" stanzas are present, we must carefully
-# add a marker line above any "Match" stanzas in the configuration file. This
-# is done by finding the first match with sed and then adding a marker
-# line above it.
-- name: Add security role marker with sed above Match stanza
-  shell: |
-    sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config
-  when:
-    - sshd_marker_check.rc != 0
-    - sshd_match_check.rc == 0
+- name: Determine where we should insert new sshd configuration lines
+  set_fact:
+    sshd_match_line: "{{ (sshd_match_check.rc == 0) | ternary('^' + sshd_match_check.stdout_lines[0] + '.*$', 'EOF') }}"
+  check_mode: no
+  tags:
+    - always
+    - sshd
 
-- name: RHEL-07-010270 - The SSH daemon must not allow authentication using an empty password
-  lineinfile:
-    state: present
+- name: RHEL-07-040170 - Copy login warning banner
+  copy:
+    src: login_banner.txt
+    dest: "{{ security_sshd_banner_file }}"
+    owner: root
+    group: root
+  tags:
+    - high
+    - sshd
+    - RHEL-07-040170
+
+- name: Adjust ssh server configuration based on STIG requirements
+  blockinfile:
     dest: /etc/ssh/sshd_config
-    regexp: '^(#)?PermitEmptyPasswords'
-    line: 'PermitEmptyPasswords no'
-    insertafter: "^# openstack-ansible-security configurations"
+    state: present
+    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+    insertbefore: "{{ sshd_match_line }}"
     validate: '/usr/sbin/sshd -T -f %s'
-  when:
-    - security_sshd_disallow_empty_password | bool
+    block: "{{ lookup('template', 'sshd_config_block.j2') }}"
   notify:
     - restart ssh
   tags:
-    - sshd
     - high
+    - sshd
     - RHEL-07-010270
+    - RHEL-07-010440
+    - RHEL-07-010441
+    - RHEL-07-010442
+    - RHEL-07-040110
+    - RHEL-07-040170
+    - RHEL-07-040190
+    - RHEL-07-040191
+    - RHEL-07-040301
+    - RHEL-07-040310
+    - RHEL-07-040332
+    - RHEL-07-040334
+    - RHEL-07-040334
+    - RHEL-07-040540
+    - RHEL-07-040590
+    - RHEL-07-040620
+    - RHEL-07-040690
+    - RHEL-07-040700
+    - RHEL-07-040670
+    - RHEL-07-040680
diff --git a/templates/sshd_config_block.j2 b/templates/sshd_config_block.j2
new file mode 100644
index 00000000..0798d5b0
--- /dev/null
+++ b/templates/sshd_config_block.j2
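Review bot: The rewritten `Find first 'Match' line` task drops the old `failed_when: False`, so on any host whose sshd_config has no `Match` stanza — the common case — grep exits 1, the `command` task fails and the play aborts before `set_fact` and `blockinfile` ever run; add `failed_when: sshd_match_check.rc > 1` to that task (grep reserves 2 for real errors). The `sshd_match_line` fact splices the raw `Match` line into a regex, so a line such as `Match Address 10.0.0.*` yields a pattern that never matches and blockinfile silently falls back to appending at end of file, i.e. below the Match stanza, which is exactly what this logic exists to prevent; build it as `'^' + (sshd_match_check.stdout_lines[0] | regex_escape) + '$'`. `EOF` is not a recognised value for `insertbefore` (only `BOF` is), so the no-Match branch works only because a literal `EOF` regex normally finds no line; a comment on the `set_fact` should say the fallback is relying on the no-match-appends-at-end behaviour. The tags list on the blockinfile task repeats `RHEL-07-040334`; given that the defaults cite `RHEL-07-040332 / RHEL-07-040333`, the second entry looks like it was meant to be `RHEL-07-040333`.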
@@ -0,0 +1,58 @@
+{% if security_sshd_disallow_empty_password | bool %}
+# RHEL-07-010270 / RHEL-07-010440
+PermitEmptyPasswords no
+{% endif %}
+{% if security_sshd_disallow_environment_override | bool %}
+# RHEL-07-010441
+PermitUserEnvironment no
+{% endif %}
+{% if security_sshd_disallow_host_based_auth | bool %}
+# RHEL-07-010442
+HostbasedAuthentication no
+{% endif %}
+# RHEL-07-040110
+Ciphers {{ security_sshd_cipher_list }}
+# RHEL-07-040170
+Banner {{ security_sshd_banner_file }}
+# RHEL-07-040190
+ClientAliveInterval {{ security_sshd_client_alive_interval }}
+# RHEL-07-040191
+ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
+{% if security_sshd_print_last_log | bool %}
+# RHEL-07-040301
+PrintLastLog yes
+{% endif %}
+{% if security_sshd_permit_root_login | bool %}
+# RHEL-07-040310
+PermitRootLogin no
+{% endif %}
+{% if security_sshd_disallow_known_hosts_auth | bool %}
+# RHEL-07-040332 / RHEL-07-040333
+IgnoreUserKnownHosts yes
+{% endif %}
+{% if security_sshd_disallow_rhosts_auth | bool %}
+# RHEL-07-040334
+IgnoreRhosts yes
+{% endif %}
+{% if security_sshd_enable_x11_forwarding | bool %}
+# RHEL-07-040540
+X11Forwarding yes
+{% endif %}
+# RHEL-07-040590
+Protocol {{ security_sshd_protocol }}
+# RHEL-07-040620
+MACs {{security_sshd_allowed_macs }}
+{% if security_sshd_enable_privilege_separation | bool %}
+# RHEL-07-040690
+UsePrivilegeSeparation sandbox
+{% endif %}
+# RHEL-07-040700
+Compression {{ security_sshd_compression }}
+{% if security_sshd_disable_kerberos_auth | bool %}
+# RHEL-07-040670
+KerberosAuthentication no
+{% endif %}
+{% if security_sshd_enable_strict_modes| bool %}
+# RHEL-07-040680
+StrictModes yes
+{% endif %}
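Review bot: The `PermitRootLogin` guard is inverted: `{% if security_sshd_permit_root_login | bool %}` emits `PermitRootLogin no` only when the variable is truthy, so with the default of `no` set in this commit nothing is rendered and RHEL-07-040310 is never enforced, while an operator who sets `yes` to permit root logins locks root out. Render the directive unconditionally from the variable instead, and add the `GSSAPIAuthentication no` block that `security_sshd_disallow_gssapi` (RHEL-07-040660, introduced in this commit's defaults) is meant to drive but which this template never emits. `MACs {{security_sshd_allowed_macs }}` has unbalanced spacing inside the braces (cosmetic). Because the block is validated with `sshd -T`, a malformed directive fails the task, but a silently omitted directive like the two above passes validation, so a check that renders this template with the role defaults and asserts each expected directive is present would catch this class of bug.
```jinja
{# … unchanged: PermitEmptyPasswords through PrintLastLog … #}
# RHEL-07-040310
PermitRootLogin {{ security_sshd_permit_root_login | bool | ternary('yes', 'no') }}
{# … unchanged: IgnoreUserKnownHosts through MACs … #}
{% if security_sshd_disallow_gssapi | bool %}
# RHEL-07-040660
GSSAPIAuthentication no
{% endif %}
{# … unchanged: UsePrivilegeSeparation through StrictModes … #}
```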