Configure sshd based on the RHEL 7 STIG
This patch adds several configurations for sshd per the STIG's requirements. The following STIG requirements are met with this patch: - RHEL-07-010270 - RHEL-07-010440 - RHEL-07-010441 - RHEL-07-010442 - RHEL-07-040110 - RHEL-07-040170 - RHEL-07-040190 - RHEL-07-040191 - RHEL-07-040301 - RHEL-07-040310 - RHEL-07-040332 - RHEL-07-040334 - RHEL-07-040334 - RHEL-07-040540 - RHEL-07-040590 - RHEL-07-040620 - RHEL-07-040690 - RHEL-07-040700 - RHEL-07-040670 - RHEL-07-040680 Only two tasks are needed for all of this work and this should speed up the deployment nicely. Documentation will be updated in a follow-on patch. Implements: blueprint security-rhel7-stig Change-Id: I80579533eac2dd983f6d370445d9796d7c22eefc
This commit is contained in:
parent
a3e0f681d8
commit
365ad6529c
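--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -413,5 +413,40 @@ security_rhel7_remove_ypserv: yes # RHEL-07-020010
 security_enable_gpgcheck: yes # RHEL-07-020150
 
 ## ssh server (sshd)
-# Prevent users from logging in over ssh if they have an empty password.
-security_sshd_disallow_empty_password: yes # RHEL-07-010270
+# Disallow logins from users with empty/null passwords.
+security_sshd_disallow_empty_password: yes # RHEL-07-010270 / RHEL-07-010440
+# Disallow users from overriding the ssh environment variables.
+security_sshd_disallow_environment_override: yes # RHEL-07-010441
+# Disallow host based authentication.
+security_sshd_disallow_host_based_auth: yes # RHEL-07-010442
+# Set a list of allowed ssh ciphers.
+security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # RHEL-07-040110
+# Specify a text file to be displayed as the banner/MOTD for all sessions.
+security_sshd_banner_file: /etc/issue.net # RHEL-07-040170
+# Set the interval for max session length and the number of intervals to allow.
+security_sshd_client_alive_interval: 600 # RHEL-07-040190
+security_sshd_client_alive_count_max: 0 # RHEL-07-040191
+# Print the last login for a user when they log in over ssh.
+security_sshd_print_last_log: yes # RHEL-07-040301
+# Permit direct root logins
+security_sshd_permit_root_login: no # RHEL-07-040310
+# Disallow authentication using known hosts authentication.
+security_sshd_disallow_known_hosts_auth: yes # RHEL-07-040332 / RHEL-07-040333
+# Disallow rhosts authentication.
+security_sshd_disallow_rhosts_auth: yes # RHEL-07-040334
+# Enable X11 forwarding.
+security_sshd_enable_x11_forwarding: yes # RHEL-07-040540
+# Set the allowed ssh protocols.
+security_sshd_protocol: 2 # RHEL-07-040590
+# Set the list of allowed Message Authentication Codes (MACs) for ssh.
+security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # RHEL-07-040620
+# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
+security_sshd_disallow_gssapi: yes # RHEL-07-040660
+# Disallow compression or delay after login.
+security_sshd_compression: 'delayed' # RHEL-07-040700
+# Require privilege separation at every opportunity.
+security_sshd_enable_privilege_separation: yes # RHEL-07-040690
+# Require strict mode checking of home directory configuration files.
+security_sshd_enable_strict_modes: yes # RHEL-07-040680
+# Disallow Kerberos authentication.
+security_sshd_disable_kerberos_auth: yes # RHEL-07-040670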
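Review bot: `security_sshd_disallow_gssapi: yes # RHEL-07-040660` is added here but nothing consumes it: the sshd_config_block.j2 template created in this same commit emits no GSSAPIAuthentication line, the blockinfile task's tag list has no RHEL-07-040660 entry, and the commit message does not list that requirement. Either leave the variable out until the control is implemented or add a guarded `GSSAPIAuthentication no` stanza to the template next to the Kerberos one, so someone reading the defaults is not led to believe GSSAPI is being disabled. The comment above `security_sshd_permit_root_login: no` reads `# Permit direct root logins`, which describes the opposite of the shipped value; `# Permit direct root logins over ssh (the STIG requires 'no').` says what the setting controls and why it is off.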
@ -19,45 +19,64 @@
|
|||||||
# are added by the security role. For that reason, we check for the existence
|
# are added by the security role. For that reason, we check for the existence
|
||||||
# of a marker line here and add a marker line to the file if it doesn't exist.
|
# of a marker line here and add a marker line to the file if it doesn't exist.
|
||||||
|
|
||||||
- name: Check for security role marker in sshd_config
|
- name: Find first 'Match' line in sshd_config (if it exists)
|
||||||
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
|
command: grep '^Match' /etc/ssh/sshd_config
|
||||||
register: sshd_marker_check
|
|
||||||
changed_when: False
|
|
||||||
check_mode: no
|
|
||||||
failed_when: False
|
|
||||||
|
|
||||||
# Check for "Match" stanzas in the sshd_config.
|
|
||||||
- name: Check for Match stanzas in sshd_config
|
|
||||||
command: "grep '^Match' /etc/ssh/sshd_config"
|
|
||||||
register: sshd_match_check
|
register: sshd_match_check
|
||||||
changed_when: False
|
changed_when: False
|
||||||
check_mode: no
|
check_mode: no
|
||||||
failed_when: False
|
tags:
|
||||||
|
- always
|
||||||
|
- sshd
|
||||||
|
|
||||||
# If the marker is missing, and "Match" stanzas are present, we must carefully
|
- name: Determine where we should insert new sshd configuration lines
|
||||||
# add a marker line above any "Match" stanzas in the configuration file. This
|
set_fact:
|
||||||
# is done by finding the first match with sed and then adding a marker
|
sshd_match_line: "{{ (sshd_match_check.rc == 0) | ternary('^' + sshd_match_check.stdout_lines[0] + '.*$', 'EOF') }}"
|
||||||
# line above it.
|
check_mode: no
|
||||||
- name: Add security role marker with sed above Match stanza
|
tags:
|
||||||
shell: |
|
- always
|
||||||
sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config
|
- sshd
|
||||||
when:
|
|
||||||
- sshd_marker_check.rc != 0
|
|
||||||
- sshd_match_check.rc == 0
|
|
||||||
|
|
||||||
- name: RHEL-07-010270 - The SSH daemon must not allow authentication using an empty password
|
- name: RHEL-07-040170 - Copy login warning banner
|
||||||
lineinfile:
|
copy:
|
||||||
state: present
|
src: login_banner.txt
|
||||||
|
dest: "{{ security_sshd_banner_file }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
tags:
|
||||||
|
- high
|
||||||
|
- sshd
|
||||||
|
- RHEL-07-040170
|
||||||
|
|
||||||
|
- name: Adjust ssh server configuration based on STIG requirements
|
||||||
|
blockinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^(#)?PermitEmptyPasswords'
|
state: present
|
||||||
line: 'PermitEmptyPasswords no'
|
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
|
||||||
insertafter: "^# openstack-ansible-security configurations"
|
insertbefore: "{{ sshd_match_line }}"
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
validate: '/usr/sbin/sshd -T -f %s'
|
||||||
when:
|
block: "{{ lookup('template', 'sshd_config_block.j2') }}"
|
||||||
- security_sshd_disallow_empty_password | bool
|
|
||||||
notify:
|
notify:
|
||||||
- restart ssh
|
- restart ssh
|
||||||
tags:
|
tags:
|
||||||
- sshd
|
|
||||||
- high
|
- high
|
||||||
|
- sshd
|
||||||
- RHEL-07-010270
|
- RHEL-07-010270
|
||||||
|
- RHEL-07-010440
|
||||||
|
- RHEL-07-010441
|
||||||
|
- RHEL-07-010442
|
||||||
|
- RHEL-07-040110
|
||||||
|
- RHEL-07-040170
|
||||||
|
- RHEL-07-040190
|
||||||
|
- RHEL-07-040191
|
||||||
|
- RHEL-07-040301
|
||||||
|
- RHEL-07-040310
|
||||||
|
- RHEL-07-040332
|
||||||
|
- RHEL-07-040334
|
||||||
|
- RHEL-07-040334
|
||||||
|
- RHEL-07-040540
|
||||||
|
- RHEL-07-040590
|
||||||
|
- RHEL-07-040620
|
||||||
|
- RHEL-07-040690
|
||||||
|
- RHEL-07-040700
|
||||||
|
- RHEL-07-040670
|
||||||
|
- RHEL-07-040680
|
||||||
|
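Review bot: `sshd_match_line` is built by splicing the raw first `Match` line into a regular expression, so any regex metacharacter in that line (a `*` in something like `Match Address 10.0.*`, or a `.` that now matches any character) alters the pattern and can make `insertbefore` miss; blockinfile then appends the managed block at end of file, which is after the Match stanza, so the hardening directives are scoped to that Match only, and several of them (Protocol, Ciphers, UsePrivilegeSeparation) are not permitted inside a Match block and will fail the `sshd -T` validate step. Escape the line and anchor it exactly: `sshd_match_line: "{{ (sshd_match_check.rc == 0) | ternary('^' + (sshd_match_check.stdout_lines[0] | regex_escape) + '$', 'EOF') }}"`. `EOF` is a special value for `insertafter` only; as an `insertbefore` value it is treated as a literal pattern and works here only because a non-matching pattern also appends at end of file, so a short comment on the set_fact saying that is relied upon would save the next reader a trip to the module docs. The tag list on the blockinfile task also repeats `RHEL-07-040334` twice while omitting `RHEL-07-040333` and `RHEL-07-040660`, both of which the template comments and defaults cite.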
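--- /dev/null
+++ b/templates/sshd_config_block.j2
@@ -0,0 +1,58 @@
+{% if security_sshd_disallow_empty_password | bool %}
+# RHEL-07-010270 / RHEL-07-010440
+PermitEmptyPasswords no
+{% endif %}
+{% if security_sshd_disallow_environment_override | bool %}
+# RHEL-07-010441
+PermitUserEnvironment no
+{% endif %}
+{% if security_sshd_disallow_host_based_auth | bool %}
+# RHEL-07-010442
+HostbasedAuthentication no
+{% endif %}
+# RHEL-07-040110
+Ciphers {{ security_sshd_cipher_list }}
+# RHEL-07-040170
+Banner {{ security_sshd_banner_file }}
+# RHEL-07-040190
+ClientAliveInterval {{ security_sshd_client_alive_interval }}
+# RHEL-07-040191
+ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
+{% if security_sshd_print_last_log | bool %}
+# RHEL-07-040301
+PrintLastLog yes
+{% endif %}
+{% if security_sshd_permit_root_login | bool %}
+# RHEL-07-040310
+PermitRootLogin no
+{% endif %}
+{% if security_sshd_disallow_known_hosts_auth | bool %}
+# RHEL-07-040332 / RHEL-07-040333
+IgnoreUserKnownHosts yes
+{% endif %}
+{% if security_sshd_disallow_rhosts_auth | bool %}
+# RHEL-07-040334
+IgnoreRhosts yes
+{% endif %}
+{% if security_sshd_enable_x11_forwarding | bool %}
+# RHEL-07-040540
+X11Forwarding yes
+{% endif %}
+# RHEL-07-040590
+Protocol {{ security_sshd_protocol }}
+# RHEL-07-040620
+MACs {{security_sshd_allowed_macs }}
+{% if security_sshd_enable_privilege_separation | bool %}
+# RHEL-07-040690
+UsePrivilegeSeparation sandbox
+{% endif %}
+# RHEL-07-040700
+Compression {{ security_sshd_compression }}
+{% if security_sshd_disable_kerberos_auth | bool %}
+# RHEL-07-040670
+KerberosAuthentication no
+{% endif %}
+{% if security_sshd_enable_strict_modes| bool %}
+# RHEL-07-040680
+StrictModes yes
+{% endif %}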
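Review bot: The PermitRootLogin guard is inverted: `PermitRootLogin no` is emitted only when `security_sshd_permit_root_login | bool` is true, so with the default of `no` shipped in this commit no PermitRootLogin line is written at all and RHEL-07-040310 is never enforced, while an operator who sets the variable to yes ends up with root login denied. Invert the test, `{% if not (security_sshd_permit_root_login | bool) %}`, so the directive is written exactly when root login is meant to be refused; a one-line comment above it, `{# emitted when root login is NOT permitted #}`, would keep the next reader from tripping over the negation. Two style nits in the same file: `MACs {{security_sshd_allowed_macs }}` and `security_sshd_enable_strict_modes| bool` are missing the spaces that every other expression in this template uses.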