Configure sshd based on the RHEL 7 STIG

This patch adds several configurations for sshd per the STIG's requirements.
The following STIG requirements are met with this patch:

  - RHEL-07-010270
  - RHEL-07-010440
  - RHEL-07-010441
  - RHEL-07-010442
  - RHEL-07-040110
  - RHEL-07-040170
  - RHEL-07-040190
  - RHEL-07-040191
  - RHEL-07-040301
  - RHEL-07-040310
  - RHEL-07-040332
  - RHEL-07-040334
  - RHEL-07-040334
  - RHEL-07-040540
  - RHEL-07-040590
  - RHEL-07-040620
  - RHEL-07-040690
  - RHEL-07-040700
  - RHEL-07-040670
  - RHEL-07-040680

Only two tasks are needed for all of this work and this should speed up
the deployment nicely.

Documentation will be updated in a follow-on patch.

Implements: blueprint security-rhel7-stig
Change-Id: I80579533eac2dd983f6d370445d9796d7c22eefc
Major Hayden 2016-11-08 14:22:40 -06:00
parent a3e0f681d8
commit 365ad6529c
3 changed files with 144 additions and 32 deletions


@ -413,5 +413,40 @@ security_rhel7_remove_ypserv: yes # RHEL-07-020010
security_enable_gpgcheck: yes # RHEL-07-020150
## ssh server (sshd)
# Prevent users from logging in over ssh if they have an empty password.
security_sshd_disallow_empty_password: yes # RHEL-07-010270
# Disallow logins from users with empty/null passwords.
security_sshd_disallow_empty_password: yes # RHEL-07-010270 / RHEL-07-010440
# Disallow users from overriding the ssh environment variables.
security_sshd_disallow_environment_override: yes # RHEL-07-010441
# Disallow host based authentication.
security_sshd_disallow_host_based_auth: yes # RHEL-07-010442
# Set a list of allowed ssh ciphers.
security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # RHEL-07-040110
# Specify a text file to be displayed as the banner/MOTD for all sessions.
security_sshd_banner_file: /etc/issue.net # RHEL-07-040170
# Set the interval for max session length and the number of intervals to allow.
security_sshd_client_alive_interval: 600 # RHEL-07-040190
security_sshd_client_alive_count_max: 0 # RHEL-07-040191
# Print the last login for a user when they log in over ssh.
security_sshd_print_last_log: yes # RHEL-07-040301
# Permit direct root logins
security_sshd_permit_root_login: no # RHEL-07-040310
# Disallow authentication using known hosts authentication.
security_sshd_disallow_known_hosts_auth: yes # RHEL-07-040332 / RHEL-07-040333
# Disallow rhosts authentication.
security_sshd_disallow_rhosts_auth: yes # RHEL-07-040334
# Enable X11 forwarding.
security_sshd_enable_x11_forwarding: yes # RHEL-07-040540
# Set the allowed ssh protocols.
security_sshd_protocol: 2 # RHEL-07-040590
# Set the list of allowed Message Authentication Codes (MACs) for ssh.
security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # RHEL-07-040620
# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
security_sshd_disallow_gssapi: yes # RHEL-07-040660
# Disallow compression or delay after login.
security_sshd_compression: 'delayed' # RHEL-07-040700
# Require privilege separation at every opportunity.
security_sshd_enable_privilege_separation: yes # RHEL-07-040690
# Require strict mode checking of home directory configuration files.
security_sshd_enable_strict_modes: yes # RHEL-07-040680
# Disallow Kerberos authentication.
security_sshd_disable_kerberos_auth: yes # RHEL-07-040670
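Review bot: `security_sshd_disallow_gssapi` (the RHEL-07-040660 line near the end of this hunk) is declared but nothing in this commit consumes it: the sshd_config_block.j2 template emits no GSSAPIAuthentication directive and 040660 appears neither in the blockinfile task's tags nor in the commit message, so the default silently enforces nothing. Either drop the variable until it is wired up, or add `{% if security_sshd_disallow_gssapi | bool %}` / `GSSAPIAuthentication no` / `{% endif %}` to the template and tag the task with RHEL-07-040660. Separately, the comment on `security_sshd_disallow_known_hosts_auth` cites RHEL-07-040333, while the task tag list (and the commit message) carry RHEL-07-040334 twice and 040333 not at all — it looks like one of those duplicates was meant to be 040333, which is worth confirming against the STIG.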


@ -19,45 +19,64 @@
# are added by the security role. For that reason, we check for the existence
# of a marker line here and add a marker line to the file if it doesn't exist.
- name: Check for security role marker in sshd_config
command: "grep '^# openstack-ansible-security configurations' /etc/ssh/sshd_config"
register: sshd_marker_check
changed_when: False
check_mode: no
failed_when: False
# Check for "Match" stanzas in the sshd_config.
- name: Check for Match stanzas in sshd_config
command: "grep '^Match' /etc/ssh/sshd_config"
- name: Find first 'Match' line in sshd_config (if it exists)
command: grep '^Match' /etc/ssh/sshd_config
register: sshd_match_check
changed_when: False
check_mode: no
failed_when: False
tags:
- always
- sshd
# If the marker is missing, and "Match" stanzas are present, we must carefully
# add a marker line above any "Match" stanzas in the configuration file. This
# is done by finding the first match with sed and then adding a marker
# line above it.
- name: Add security role marker with sed above Match stanza
shell: |
sed -i '0,/^Match/s/^Match/\n# openstack-ansible-security configurations\n\n&/' /etc/ssh/sshd_config
when:
- sshd_marker_check.rc != 0
- sshd_match_check.rc == 0
- name: Determine where we should insert new sshd configuration lines
set_fact:
sshd_match_line: "{{ (sshd_match_check.rc == 0) | ternary('^' + sshd_match_check.stdout_lines[0] + '.*$', 'EOF') }}"
check_mode: no
tags:
- always
- sshd
- name: RHEL-07-010270 - The SSH daemon must not allow authentication using an empty password
lineinfile:
state: present
- name: RHEL-07-040170 - Copy login warning banner
copy:
src: login_banner.txt
dest: "{{ security_sshd_banner_file }}"
owner: root
group: root
tags:
- high
- sshd
- RHEL-07-040170
- name: Adjust ssh server configuration based on STIG requirements
blockinfile:
dest: /etc/ssh/sshd_config
regexp: '^(#)?PermitEmptyPasswords'
line: 'PermitEmptyPasswords no'
insertafter: "^# openstack-ansible-security configurations"
state: present
marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
insertbefore: "{{ sshd_match_line }}"
validate: '/usr/sbin/sshd -T -f %s'
when:
- security_sshd_disallow_empty_password | bool
block: "{{ lookup('template', 'sshd_config_block.j2') }}"
notify:
- restart ssh
tags:
- sshd
- high
- sshd
- RHEL-07-010270
- RHEL-07-010440
- RHEL-07-010441
- RHEL-07-010442
- RHEL-07-040110
- RHEL-07-040170
- RHEL-07-040190
- RHEL-07-040191
- RHEL-07-040301
- RHEL-07-040310
- RHEL-07-040332
- RHEL-07-040334
- RHEL-07-040334
- RHEL-07-040540
- RHEL-07-040590
- RHEL-07-040620
- RHEL-07-040690
- RHEL-07-040700
- RHEL-07-040670
- RHEL-07-040680
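Review bot: The `sshd_match_line` fact built in the "Determine where we should insert new sshd configuration lines" task interpolates the first `Match` line verbatim into a regular expression, so a stanza such as `Match Address 10.0.0.*` or one containing `(`, `[` or `+` will not match itself and the block would then fall to the end of the file, after the Match stanza — which is exactly the placement this change is trying to avoid. Escape the line before using it as a pattern: `sshd_match_line: "{{ (sshd_match_check.rc == 0) | ternary('^' + (sshd_match_check.stdout_lines[0] | regex_escape) + '.*$', 'EOF') }}"`. The `'EOF'` fallback also appears to work only because blockinfile appends when `insertbefore` has no match (`EOF` is not a special value for `insertbefore` the way `BOF` is), so a short comment on that line saying so would save the next reader a trip to the module docs. The banner `copy` task sets owner and group but no `mode`; an explicit `mode: "0644"` makes the resulting permissions independent of the controller's umask.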


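--- /dev/null
+++ b/sshd_config_block.j2
@@ -0,0 +1,58 @@
+{% if security_sshd_disallow_empty_password | bool %}
+# RHEL-07-010270 / RHEL-07-010440
+PermitEmptyPasswords no
+{% endif %}
+{% if security_sshd_disallow_environment_override | bool %}
+# RHEL-07-010441
+PermitUserEnvironment no
+{% endif %}
+{% if security_sshd_disallow_host_based_auth | bool %}
+# RHEL-07-010442
+HostbasedAuthentication no
+{% endif %}
+# RHEL-07-040110
+Ciphers {{ security_sshd_cipher_list }}
+# RHEL-07-040170
+Banner {{ security_sshd_banner_file }}
+# RHEL-07-040190
+ClientAliveInterval {{ security_sshd_client_alive_interval }}
+# RHEL-07-040191
+ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
+{% if security_sshd_print_last_log | bool %}
+# RHEL-07-040301
+PrintLastLog yes
+{% endif %}
+{% if security_sshd_permit_root_login | bool %}
+# RHEL-07-040310
+PermitRootLogin no
+{% endif %}
+{% if security_sshd_disallow_known_hosts_auth | bool %}
+# RHEL-07-040332 / RHEL-07-040333
+IgnoreUserKnownHosts yes
+{% endif %}
+{% if security_sshd_disallow_rhosts_auth | bool %}
+# RHEL-07-040334
+IgnoreRhosts yes
+{% endif %}
+{% if security_sshd_enable_x11_forwarding | bool %}
+# RHEL-07-040540
+X11Forwarding yes
+{% endif %}
+# RHEL-07-040590
+Protocol {{ security_sshd_protocol }}
+# RHEL-07-040620
+MACs {{security_sshd_allowed_macs }}
+{% if security_sshd_enable_privilege_separation | bool %}
+# RHEL-07-040690
+UsePrivilegeSeparation sandbox
+{% endif %}
+# RHEL-07-040700
+Compression {{ security_sshd_compression }}
+{% if security_sshd_disable_kerberos_auth | bool %}
+# RHEL-07-040670
+KerberosAuthentication no
+{% endif %}
+{% if security_sshd_enable_strict_modes| bool %}
+# RHEL-07-040680
+StrictModes yes
+{% endif %}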
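Review bot: The RHEL-07-040310 guard is inverted: `{% if security_sshd_permit_root_login | bool %}` wraps `PermitRootLogin no`, so with the shipped default `security_sshd_permit_root_login: no` the directive is never rendered and root login over ssh is left at whatever sshd_config already had, while a deployer who sets the variable to `yes` gets root login disabled — the opposite of the variable's name. The guard should read `{% if not (security_sshd_permit_root_login | bool) %}` so that the default enforces the control and `yes` is the opt-out; every other toggle in this template follows the "variable true → restriction emitted" pattern, which is why this one is easy to miss. Two style nits in the same file: `{{security_sshd_allowed_macs }}` and `security_sshd_enable_strict_modes| bool` are missing the spacing the rest of the template uses around `{{ }}` and `|`.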