Fix rules checking '/etc/ssh/sshd_config.d/' #12954
The new rule in RHEL 9 STIG `file_permissions_sshd_drop_in_config` fails in daily productization in tests for Image Mode RHEL. A closer look reveals that this rule requires mode 0600 on the `/etc/ssh/sshd_config.d/` directory, which makes the directory inaccessible. Directories should have the executable permissions. It should require mode 0700 on the directory. The intention is that mode 0600 is set on the files within that directory. The `file_permissions` template doesn't allow defining different modes and having directories and files in a single rule. Therefore, we need to split the rule `file_permissions_sshd_drop_in_config` into 2 rules: `file_permissions_sshd_drop_in_config` and `directory_permissions_sshd_config_d`, where the former will check the mode of config files in the `/etc/ssh/sshd_config.d/` directory and the latter will check the mode of the directory itself. We need to make analogous changes also for rules `file_owner_sshd_drop_in_config` and `file_groupowner_sshd_drop_in_config`. We want to cover the owner and group owner of the directory and of the files in the directory. Therefore, we will create `directory_owner_sshd_config_d` and `directory_groupowner_sshd_config_d`.
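As an added example (not code from this PR or from the ComplianceAsCode project), the following POSIX shell audit checks the layout the split rules describe: the drop-in directory itself at mode 0700 and owned by root:root, and every regular file directly inside it at mode 0600 and owned by root:root. It uses the same `find -perm /MASK` idiom the `file_permissions` template's remediation uses, with the symbolic masks from the datastream translated to octal so that they also work on find implementations without symbolic `-perm`. It assumes a find(1) that understands `-H`, `-maxdepth` and `-perm /MASK` (GNU or busybox); the names `check_sshd_dropin` and `report`, and the temporary directory built in the demo, are this example's own.

```shell
#!/bin/sh
# Added example, not part of PR #12954 or the ComplianceAsCode content: audit an
# sshd drop-in directory the way the split rules intend, i.e. the directory is
# 0700 root:root and every regular file in it is 0600 root:root.
#
# Assumptions: a find(1) that understands -H, -maxdepth and -perm /MASK (GNU or
# busybox); the names check_sshd_dropin and report are this example's own.

# report LABEL FIND-ARGS...
# Runs find with the given arguments; prints one "FAIL LABEL: path" line per
# hit and returns 1 if anything matched, 0 otherwise.
report() {
    label=$1
    shift
    hits=$(find -H "$@")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r path; do
        printf 'FAIL %s: %s\n' "$label" "$path"
    done
    return 1
}

# check_sshd_dropin DIR [OWNER] [GROUP]
# Returns 0 when DIR and the regular files directly inside it comply, 1 otherwise.
check_sshd_dropin() {
    dir=$1
    owner=${2:-root}
    group=${3:-root}
    findings=0

    if [ ! -d "$dir" ]; then
        printf 'FAIL missing directory: %s\n' "$dir"
        return 1
    fi

    # The directory may keep u=rwx (0700). Mask 7077 = setuid, setgid and sticky
    # plus every group and other bit; in the template's symbolic notation this
    # is -perm /u+s,g+xwrs,o+xwrt.
    report "directory mode wider than 0700" "$dir" -maxdepth 0 -type d -perm /7077 \
        || findings=$((findings + 1))

    # Files may keep u=rw (0600). Mask 7177 adds u+x to the mask above; this is
    # the template's -perm /u+xs,g+xwrs,o+xwrt from the bash remediation.
    report "file mode wider than 0600" "$dir" -maxdepth 1 -type f -perm /7177 \
        || findings=$((findings + 1))

    # Ownership of the directory itself and of the files directly in it.
    report "owner is not $owner" "$dir" -maxdepth 1 \( -type d -o -type f \) ! -user "$owner" \
        || findings=$((findings + 1))
    report "group is not $group" "$dir" -maxdepth 1 \( -type d -o -type f \) ! -group "$group" \
        || findings=$((findings + 1))

    [ "$findings" -eq 0 ]
}

# Stand-alone demo on a constructed directory (never touches /etc/ssh):
# one compliant drop-in file and one that is world-readable.
demo_dir=$(mktemp -d)
chmod 0700 "$demo_dir"
printf 'PermitRootLogin no\n' > "$demo_dir/00-demo.conf"
chmod 0600 "$demo_dir/00-demo.conf"
printf 'X11Forwarding no\n' > "$demo_dir/01-demo.conf"
chmod 0644 "$demo_dir/01-demo.conf"
if check_sshd_dropin "$demo_dir" "$(id -un)" "$(id -gn)"; then
    echo "demo: compliant"
else
    echo "demo: findings reported above (01-demo.conf is 0644)"
fi
rm -rf "$demo_dir"
```

On a real host the call is `check_sshd_dropin /etc/ssh/sshd_config.d`, with the owner and group defaulting to root. The demo passes the current user and group instead so that it can run unprivileged; the mode checks are what the split rules are about, and the two masks differ only in the `u+x` bit that a directory needs and a configuration file must not have.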
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
@@ -1,10 +1,10 @@
[title]:
-Verify Group Who Owns SSH Server config file
+Verify Group Who Owns SSH Server Configuration Files
[description]:
-To properly set the group owner of /etc/ssh/sshd_config.d, run the command:
-$ sudo chgrp root /etc/ssh/sshd_config.d
+To properly set the group owner of files in /etc/ssh/sshd_config.d, run the command:
+find -H /etc/ssh/sshd_config.d -type d -exec chgrp -L root {} \;
[reference]:
12
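Review bot: the new description command `find -H /etc/ssh/sshd_config.d -type d -exec chgrp -L root {} \;` contradicts the sentence right above it, which now says "files in /etc/ssh/sshd_config.d": `-type d` selects only the directory, so a reader following the text would change the group of the directory and leave the drop-in files untouched. Suggest `-maxdepth 1 -type f` here, which is what the bash remediation for this rule actually does.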
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config' differs.
--- ocil:ssg-file_groupowner_sshd_drop_in_config_ocil:questionnaire:1
+++ ocil:ssg-file_groupowner_sshd_drop_in_config_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To check the group ownership of /etc/ssh/sshd_config.d,
+To check the group ownership of files in the /etc/ssh/sshd_config.d directory,
run the command:
$ ls -lL /etc/ssh/sshd_config.d
If properly configured, the output should indicate the following group-owner:
root
- Is it the case that /etc/ssh/sshd_config.d does not have a group owner of root?
+ Is it the case that files in the /etc/ssh/sshd_config.d directory do not have a group owner of root?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-find -H /etc/ssh/sshd_config.d/ -maxdepth 1 -type d -exec chgrp -L 0 {} \;
+find -L /etc/ssh/sshd_config.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*$' -exec chgrp -L 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
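Review bot: the bash remediation switches to `find -L` while the Ansible `command:` task and the description of the same rule keep `find -H`, so the two remediations disagree on whether symlinks inside the directory are followed (with `-L`, a symlink to a regular file elsewhere matches `-type f` and `chgrp -L` then changes the target). Pick one, preferably `-H`, for all variants; the owner and permissions bash remediations in this diff have the same `-L`/`-H` split. The `-regextype posix-extended -regex '^.*$'` clause matches every entry and could be dropped from the generated output.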
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
@@ -14,11 +14,13 @@
- medium_severity
- no_reboot_needed
-- name: Ensure group owner on /etc/ssh/sshd_config.d/
- file:
- path: /etc/ssh/sshd_config.d/
- state: directory
- group: '0'
+- name: Find /etc/ssh/sshd_config.d/ file(s) matching ^.*$
+ command: find -H /etc/ssh/sshd_config.d/ -maxdepth 1 -type f ! -group 0 -regextype
+ posix-extended -regex "^.*$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86253-2
@@ -32,3 +34,24 @@
- low_disruption
- medium_severity
- no_reboot_needed
+
+- name: Ensure group owner on /etc/ssh/sshd_config.d/ file(s) matching ^.*$
+ file:
+ path: '{{ item }}'
+ group: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-86253-2
+ - DISA-STIG-RHEL-09-255105
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_groupowner_sshd_drop_in_config
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config'.
--- xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
@@ -1,10 +1,10 @@
[title]:
-Verify Owner on SSH Server config file
+Verify Owner on SSH Server Configuration Files
[description]:
-To properly set the owner of /etc/ssh/sshd_config.d, run the command:
-$ sudo chown root /etc/ssh/sshd_config.d
+To properly set the owner of files in /etc/ssh/sshd_config.d, run the command:
+find -H /etc/ssh/sshd_config.d -type d -exec chown -L root {} \;
[reference]:
12
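Review bot: same mismatch as in the group-owner description: `find -H /etc/ssh/sshd_config.d -type d -exec chown -L root {} \;` only touches the directory, while the sentence now talks about files in it. Suggest `-maxdepth 1 -type f` to match the bash remediation.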
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config' differs.
--- ocil:ssg-file_owner_sshd_drop_in_config_ocil:questionnaire:1
+++ ocil:ssg-file_owner_sshd_drop_in_config_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To check the ownership of /etc/ssh/sshd_config.d,
+To check the ownership of files in the /etc/ssh/sshd_config.d directory,
run the command:
$ ls -lL /etc/ssh/sshd_config.d
If properly configured, the output should indicate the following owner:
root
- Is it the case that /etc/ssh/sshd_config.d does not have an owner of root?
+ Is it the case that files in the /etc/ssh/sshd_config.d directory do not have a owner of root?
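Review bot: the new OCIL question reads "do not have a owner of root"; it should be "an owner of root" (the group-owner variant in this diff gets the article right).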
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-find -H /etc/ssh/sshd_config.d/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+find -L /etc/ssh/sshd_config.d/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
@@ -14,11 +14,13 @@
- medium_severity
- no_reboot_needed
-- name: Ensure owner on directory /etc/ssh/sshd_config.d/
- file:
- path: /etc/ssh/sshd_config.d/
- state: directory
- owner: '0'
+- name: Find /etc/ssh/sshd_config.d/ file(s) matching ^.*$
+ command: find -H /etc/ssh/sshd_config.d/ -maxdepth 1 -type f ! -uid 0 -regextype
+ posix-extended -regex "^.*$"
+ register: files_found
+ changed_when: false
+ failed_when: false
+ check_mode: false
when: '"kernel" in ansible_facts.packages'
tags:
- CCE-86217-7
@@ -32,3 +34,24 @@
- low_disruption
- medium_severity
- no_reboot_needed
+
+- name: Ensure owner on /etc/ssh/sshd_config.d/ file(s) matching ^.*$
+ file:
+ path: '{{ item }}'
+ owner: '0'
+ state: file
+ with_items:
+ - '{{ files_found.stdout_lines }}'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-86217-7
+ - DISA-STIG-RHEL-09-255110
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6(1)
+ - NIST-800-53-CM-6(a)
+ - configure_strategy
+ - file_owner_sshd_drop_in_config
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
OVAL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config' differs.
--- oval:ssg-file_permissions_sshd_config:def:1
+++ oval:ssg-file_permissions_sshd_config:def:1
@@ -1,3 +1,2 @@
criteria AND
criterion oval:ssg-test_file_permissions_sshd_config_0:tst:1
-criterion oval:ssg-test_file_permissions_sshd_config_1:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
@@ -3,8 +3,6 @@
chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config
-chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config.d
-
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
@@ -57,45 +57,3 @@
- low_disruption
- medium_severity
- no_reboot_needed
-
-- name: Test for existence /etc/ssh/sshd_config.d
- stat:
- path: /etc/ssh/sshd_config.d
- register: file_exists
- when: '"kernel" in ansible_facts.packages'
- tags:
- - CCE-90818-6
- - DISA-STIG-RHEL-09-255115
- - NIST-800-53-AC-17(a)
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - PCI-DSSv4-2.2
- - PCI-DSSv4-2.2.6
- - configure_strategy
- - file_permissions_sshd_config
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
-
-- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/ssh/sshd_config.d
- file:
- path: /etc/ssh/sshd_config.d
- mode: u-xs,g-xwrs,o-xwrt
- when:
- - '"kernel" in ansible_facts.packages'
- - file_exists.stat is defined and file_exists.stat.exists
- tags:
- - CCE-90818-6
- - DISA-STIG-RHEL-09-255115
- - NIST-800-53-AC-17(a)
- - NIST-800-53-AC-6(1)
- - NIST-800-53-CM-6(a)
- - PCI-DSSv4-2.2
- - PCI-DSSv4-2.2.6
- - configure_strategy
- - file_permissions_sshd_config
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
@@ -1,10 +1,10 @@
[title]:
-Verify Permissions on SSH Server config file
+Verify Permissions on SSH Server Config File
[description]:
-To properly set the permissions of /etc/ssh/sshd_config.d, run the command:
-$ sudo chmod 0600 /etc/ssh/sshd_config.d
+To properly set the permissions of files in /etc/ssh/sshd_config.d, run the command:
+find -H /etc/ssh/sshd_config.d -type d -exec chown 0600 {} \;
[reference]:
12
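Review bot: the new description command `find -H /etc/ssh/sshd_config.d -type d -exec chown 0600 {} \;` is wrong in two ways: `chown 0600` would try to set the owner to a user named or numbered 0600 rather than the mode, so it must be `chmod 0600`, and `-type d` selects the directory while the text now describes files in it, so it should be `-maxdepth 1 -type f`. The title also stays singular ("Config File") while the owner and group-owner rules in this diff were renamed to "Configuration Files"; aligning the three would help.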
OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config' differs.
--- ocil:ssg-file_permissions_sshd_drop_in_config_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_sshd_drop_in_config_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To check the permissions of /etc/ssh/sshd_config.d,
+To check the permissions of files in the /etc/ssh/sshd_config.d directory,
run the command:
-$ ls -l /etc/ssh/sshd_config.d
+$ ls -lL /etc/ssh/sshd_config.d
If properly configured, the output should indicate the following permissions:
-rw-------
- Is it the case that /etc/ssh/sshd_config.d does not have unix mode -rw-------?
+ Is it the case that files in the /etc/ssh/sshd_config.d directory do not have unix mode -rw-------?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-find -H /etc/ssh/sshd_config.d// -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type d -exec chmod u-xs,g-xwrs,o-xwrt {} \;
+find -L /etc/ssh/sshd_config.d/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f -regextype posix-extended -regex '^.*$' -exec chmod u-xs,g-xwrs,o-xwrt {} \;
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
@@ -14,9 +14,9 @@
- medium_severity
- no_reboot_needed
-- name: Find /etc/ssh/sshd_config.d// file(s)
- command: 'find -H /etc/ssh/sshd_config.d// -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type
- d '
+- name: Find /etc/ssh/sshd_config.d/ file(s)
+ command: find -H /etc/ssh/sshd_config.d/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type
+ f -regextype posix-extended -regex "^.*$"
register: files_found
changed_when: false
failed_when: false
@@ -35,11 +35,11 @@
- medium_severity
- no_reboot_needed
-- name: Set permissions for /etc/ssh/sshd_config.d// file(s)
+- name: Set permissions for /etc/ssh/sshd_config.d/ file(s)
file:
path: '{{ item }}'
mode: u-xs,g-xwrs,o-xwrt
- state: directory
+ state: file
with_items:
- '{{ files_found.stdout_lines }}'
when: '"kernel" in ansible_facts.packages'
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -77,3 +77,25 @@
- no_reboot_needed
- restrict_strategy
- sshd_set_keepalive_0
+
+- name: Set SSH Client Alive Count Max to zero - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90271-8
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.11
+ - NIST-800-53-AC-12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-2(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-10
+ - PCI-DSS-Req-8.1.8
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_keepalive_0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -6,6 +6,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -88,3 +88,28 @@
- no_reboot_needed
- restrict_strategy
- sshd_set_keepalive
+
+- name: Set SSH Client Alive Count Max - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90805-3
+ - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255095
+ - NIST-800-171-3.1.11
+ - NIST-800-53-AC-12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-2(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-10
+ - PCI-DSS-Req-8.1.8
+ - PCI-DSSv4-8.2
+ - PCI-DSSv4-8.2.8
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_keepalive
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -6,6 +6,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -92,3 +92,30 @@
- no_reboot_needed
- restrict_strategy
- sshd_set_idle_timeout
+
+- name: Set SSH Client Alive Interval - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90811-1
+ - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255100
+ - NIST-800-171-3.1.11
+ - NIST-800-53-AC-12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-2(5)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-SC-10
+ - PCI-DSS-Req-8.1.8
+ - PCI-DSSv4-8.2
+ - PCI-DSSv4-8.2.8
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_idle_timeout
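Review bot: the generated tag list for the new file-mode task contains `NIST-800-53-AC-17(a)` and `NIST-800-53-CM-6(a)` twice each. This points at a duplicated reference in the rule's metadata; deduplicating at generation time (or in the rule's references) would keep the task tags clean.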
bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -81,3 +81,27 @@
- medium_severity
- no_reboot_needed
- restrict_strategy
+
+- name: Disable Host-Based Authentication - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90816-0
+ - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255080
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-3
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSSv4-8.3
+ - PCI-DSSv4-8.3.1
+ - disable_host_auth
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2' differs.
--- xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
+++ xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*Protocol\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*Protocol\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2' differs.
--- xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
+++ xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
@@ -79,3 +79,26 @@
- no_reboot_needed
- restrict_strategy
- sshd_allow_only_protocol2
+
+- name: Allow Only SSH Protocol 2 - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90812-9
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.13
+ - NIST-800-171-3.5.4
+ - NIST-800-53-AC-17(2)
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(1)(c)
+ - NIST-800-53-MA-4(6)
+ - NIST-800-53-SC-13
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_allow_only_protocol2
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -6,6 +6,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -78,3 +78,23 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_compression
+
+- name: Disable Compression Or Set Compression to delayed - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90801-2
+ - DISA-STIG-RHEL-09-255130
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_compression
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -83,3 +83,28 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_empty_passwords
+
+- name: Disable SSH Access via Empty Passwords - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90799-8
+ - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255040
+ - NIST-800-171-3.1.1
+ - NIST-800-171-3.1.5
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-2.2.4
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_empty_passwords
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -73,3 +73,23 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_gssapi_auth
+
+- name: Disable GSSAPI Authentication - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90808-7
+ - DISA-STIG-RHEL-09-255135
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_gssapi_auth
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -73,3 +73,23 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_kerb_auth
+
+- name: Disable Kerberos Authentication - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90802-0
+ - DISA-STIG-RHEL-09-255140
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_kerb_auth
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -59,3 +59,16 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_pubkey_auth
+
+- name: Disable PubkeyAuthentication Authentication - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_pubkey_auth
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -79,3 +79,26 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts
+
+- name: Disable SSH Support for .rhosts Files - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90797-2
+ - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255145
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_rhosts
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*RhostsRSAAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*RhostsRSAAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
@@ -71,3 +71,22 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_rhosts_rsa
+
+- name: Disable SSH Support for Rhosts RSA Authentication - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-87836-3
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_rhosts_rsa
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -89,3 +89,31 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_login
+
+- name: Disable SSH Root Login - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90800-4
+ - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255045
+ - NIST-800-171-3.1.1
+ - NIST-800-171-3.1.5
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6(2)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-IA-2
+ - NIST-800-53-IA-2(5)
+ - PCI-DSS-Req-2.2.4
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_root_login
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -59,3 +59,16 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_root_password_login
+
+- name: Disable SSH root Login with a Password (Insecure) - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_root_password_login
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -65,3 +65,19 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_tcp_forwarding
+
+- name: Disable SSH TCP Forwarding - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90806-1
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_tcp_forwarding
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -73,3 +73,23 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_user_known_hosts
+
+- name: Disable SSH Support for User Known Hosts - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90796-4
+ - DISA-STIG-RHEL-09-255150
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_user_known_hosts
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
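Review bot: this rule writes to a second drop-in, `01-complianceascode-reinforce-os-defaults.conf`, and the added `chmod 0600` tightens only that file; since the split-out `file_permissions_sshd_drop_in_config` checks every config file under `/etc/ssh/sshd_config.d/`, a drop-in shipped by another package or written by an administrator at 0644 will still fail the check after all of these per-rule `chmod`s have run. Worth stating in the rule description that these remediations only tighten the ComplianceAsCode-created drop-ins.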
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -69,3 +69,21 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_x11_forwarding
+
+- name: Disable X11 Forwarding - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90798-0
+ - DISA-STIG-RHEL-09-255155
+ - NIST-800-53-CM-6(b)
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_disable_x11_forwarding
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -81,3 +81,27 @@
- no_reboot_needed
- restrict_strategy
- sshd_do_not_permit_user_env
+
+- name: Do Not Allow SSH Environment Options - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90803-8
+ - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255085
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-2.2.4
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_do_not_permit_user_env
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -59,3 +59,16 @@
- no_reboot_needed
- restrict_strategy
- sshd_enable_gssapi_auth
+
+- name: Enable GSSAPI Authentication - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_gssapi_auth
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -67,3 +67,20 @@
- no_reboot_needed
- restrict_strategy
- sshd_enable_pam
+
+- name: Enable PAM - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-86722-6
+ - DISA-STIG-RHEL-09-255050
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_pam
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -63,3 +63,18 @@
- no_reboot_needed
- restrict_strategy
- sshd_enable_pubkey_auth
+
+- name: Enable Public Key Authentication - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-86138-5
+ - DISA-STIG-RHEL-09-255035
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_pubkey_auth
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -71,3 +71,22 @@
- no_reboot_needed
- restrict_strategy
- sshd_enable_strictmodes
+
+- name: Enable Use of Strict Mode Checking - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90809-5
+ - DISA-STIG-RHEL-09-255160
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6
+ - NIST-800-53-CM-6(a)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_strictmodes
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -77,3 +77,25 @@
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner
+
+- name: Enable SSH Warning Banner - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90807-9
+ - CJIS-5.5.6
+ - DISA-STIG-RHEL-09-255025
+ - NIST-800-171-3.1.9
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-8(a)
+ - NIST-800-53-AC-8(c)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-2.2.4
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_warning_banner
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
@@ -73,3 +73,23 @@
- no_reboot_needed
- restrict_strategy
- sshd_enable_warning_banner_net
+
+- name: Enable SSH Warning Banner - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-87979-1
+ - CJIS-5.5.6
+ - NIST-800-171-3.1.9
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-8(a)
+ - NIST-800-53-AC-8(c)
+ - NIST-800-53-CM-6(a)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_warning_banner_net
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -69,3 +69,21 @@
- no_reboot_needed
- restrict_strategy
- sshd_enable_x11_forwarding
+
+- name: Enable Encrypted X11 Forwarding - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-89696-9
+ - NIST-800-171-3.1.13
+ - NIST-800-53-AC-17(2)
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_enable_x11_forwarding
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -67,3 +67,20 @@
- no_reboot_needed
- restrict_strategy
- sshd_print_last_log
+
+- name: Enable SSH Print Last Log - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90804-6
+ - DISA-STIG-RHEL-09-255165
+ - NIST-800-53-AC-9
+ - NIST-800-53-AC-9(1)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_print_last_log
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -8,6 +8,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -73,3 +73,18 @@
- medium_severity
- no_reboot_needed
- sshd_rekey_limit
+
+- name: Force frequent session key renegotiation - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90815-2
+ - DISA-STIG-RHEL-09-255090
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - sshd_rekey_limit
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -6,6 +6,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -70,3 +70,19 @@
- no_reboot_needed
- restrict_strategy
- sshd_set_login_grace_time
+
+- name: Ensure SSH LoginGraceTime is configured - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-86552-7
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_login_grace_time
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -65,3 +65,19 @@
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_info
+
+- name: Set LogLevel to INFO - set file mode for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90813-7
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - low_complexity
+ - low_disruption
+ - low_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_loglevel_info
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -75,3 +75,24 @@
- no_reboot_needed
- restrict_strategy
- sshd_set_loglevel_verbose
+
+- name: Set SSH Daemon LogLevel to VERBOSE - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-86923-0
+ - DISA-STIG-RHEL-09-255030
+ - NIST-800-53-AC-17(1)
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-CM-6(a)
+ - PCI-DSS-Req-2.2.4
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_loglevel_verbose
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -6,6 +6,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -70,3 +70,19 @@
- no_reboot_needed
- restrict_strategy
- sshd_set_max_auth_tries
+
+- name: Set SSH authentication attempt limit - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-90810-3
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_max_auth_tries
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -6,6 +6,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -70,3 +70,19 @@
- no_reboot_needed
- restrict_strategy
- sshd_set_max_sessions
+
+- name: Set SSH MaxSessions limit - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-84103-1
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_max_sessions
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -6,6 +6,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -70,3 +70,19 @@
- no_reboot_needed
- restrict_strategy
- sshd_set_maxstartups
+
+- name: Ensure SSH MaxStartups is configured - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-87872-8
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_set_maxstartups
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -6,6 +6,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -74,3 +74,21 @@
- no_reboot_needed
- restrict_strategy
- sshd_use_priv_separation
+
+- name: Enable Use of Privilege Separation - set file mode for /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-88822-2
+ - NIST-800-171-3.1.12
+ - NIST-800-53-AC-17(a)
+ - NIST-800-53-AC-6
+ - NIST-800-53-CM-6(a)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_use_priv_separation
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -3,6 +3,7 @@
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -65,3 +65,20 @@
- no_reboot_needed
- restrict_strategy
- sshd_x11_use_localhost
+
+- name: Prevent remote hosts from connecting to the proxy display - set file mode
+ for /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+ mode: '0600'
+ when: '"kernel" in ansible_facts.packages'
+ tags:
+ - CCE-89105-1
+ - DISA-STIG-RHEL-09-255175
+ - NIST-800-53-CM-6(b)
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sshd_x11_use_localhost |
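Review bot: the task `name` on the first two lines of this hunk is wrapped into a two-line plain scalar, while every other hunk in this diff keeps the name on one line; it parses to the same string, but the inconsistency suggests the generator wraps at a fixed line width, and anyone grepping the playbook for the full task name will miss this one.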
Change in Ansible: Please consider using a more suitable Ansible module than
We need to create the drop-in configuration file with the correct mode (0600) that is expected by the rule `file_permissions_sshd_drop_in_config`.
Code Climate has analyzed commit 7bc68da and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate.
Looks great @jcpunk thank you. Very nice work with templates and macros.
I think you meant @jan-cerny, wasn't it? :)
The new rule in RHEL 9 STIG `file_permissions_sshd_drop_in_config` fails in daily productization in tests for Image Mode RHEL. A closer look reveals that this rule requires mode 0600 on the `/etc/ssh/sshd_config.d/` directory, which makes the directory inaccessible. Directories should have the executable permissions. It should require mode 0700 on the directory. The intention is that mode 0600 is set on the files within that directory.

The `file_permissions` template doesn't allow defining different modes for directories and files in a single rule. Therefore, we need to split the rule `file_permissions_sshd_drop_in_config` into 2 rules: `file_permissions_sshd_drop_in_config` and `directory_permissions_sshd_config_d`, where the former will check the mode of config files in the `/etc/ssh/sshd_config.d/` directory and the latter will check the mode of the directory itself.

We need to make analogous changes also for rules `file_owner_sshd_drop_in_config` and `file_groupowner_sshd_drop_in_config`. We want to cover the owner and group owner of the directory and of files in the directory. Therefore, we will create `directory_owner_sshd_config_d` and `directory_groupowner_sshd_config_d`.
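The failure mode the description above is about, and the split check it proposes (directory at most 0700, drop-in files at most 0600), as an added shell example that is not part of this PR or of ComplianceAsCode. It assumes GNU coreutils (`stat -c '%a'`) and a POSIX sh; the `sshd_config.d` look-alike it builds under `mktemp -d` is constructed test data, not a real sshd configuration, and the function names are this example's own. Unlike the datastream's OVAL checks, the audit here treats the stated mode as a ceiling (a 0400 file passes a 0600 rule), which is a design choice of this example.

```shell
#!/bin/sh
# Added example (not part of this PR or of ComplianceAsCode): an audit in the
# spirit of the split rules described above (directory 0700, *.conf files
# 0600) plus a demonstration of why 0600 on the directory itself breaks
# things. Assumes GNU coreutils (stat -c '%a') and a POSIX sh; function
# names and the fixture layout are this example's own.

# too_permissive MODE ALLOWED: succeeds when MODE (octal digits as printed by
# `stat -c %a`) sets any bit that ALLOWED (e.g. 0600) does not grant.
# ALLOWED is a ceiling, so a 0400 file passes a 0600 rule (design choice).
too_permissive() {
    [ $(( 0$1 & ~$2 )) -ne 0 ]
}

# audit_sshd_dropin DIR: check DIR against 0700 and every DIR/*.conf against
# 0600, printing one FAIL line per finding.
# Returns 0 when clean, 1 on any finding, 2 when DIR does not exist.
audit_sshd_dropin() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "MISSING: $dir"; return 2; }
    dmode=$(stat -c '%a' "$dir")
    if too_permissive "$dmode" 0700; then
        echo "FAIL: $dir mode $dmode exceeds 0700"
        rc=1
    fi
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue        # unmatched glob stays literal
        fmode=$(stat -c '%a' "$f")
        if too_permissive "$fmode" 0600; then
            echo "FAIL: $f mode $fmode exceeds 0600"
            rc=1
        fi
    done
    return $rc
}

# make_fixture DIRMODE FILEMODE: build a throwaway sshd_config.d look-alike
# under mktemp -d and print its path. Constructed test data, not a real
# sshd configuration; remove "${path%/*}" when done.
make_fixture() {
    base=$(mktemp -d)
    mkdir "$base/sshd_config.d"
    printf 'PermitRootLogin no\n' > "$base/sshd_config.d/00-hardening.conf"
    chmod "$2" "$base/sshd_config.d/00-hardening.conf"
    chmod "$1" "$base/sshd_config.d"
    echo "$base/sshd_config.d"
}

# The breakage the PR describes: with the directory at 0600 an unprivileged
# process cannot even stat a file inside it, because the directory lacks the
# search (x) bit. Root holds CAP_DAC_READ_SEARCH and bypasses this, which is
# why a quick check from a root shell can miss the problem.
demo_directory_mode() {
    fx=$(make_fixture 0600 0600)
    if stat "$fx/00-hardening.conf" >/dev/null 2>&1; then
        echo "dir 0600: file reachable (running as root?)"
    else
        echo "dir 0600: file NOT reachable (no search bit on directory)"
    fi
    chmod 0700 "$fx"
    if stat "$fx/00-hardening.conf" >/dev/null 2>&1; then
        echo "dir 0700: file reachable"
    fi
    audit_sshd_dropin "$fx" && echo "audit: clean"
    rm -rf "${fx%/*}"
}

demo_directory_mode
```

Run it as an unprivileged user to see the first `stat` fail; as root it succeeds, which is exactly why the original rule looked fine interactively and only failed in the test harness. Point `audit_sshd_dropin` at the real `/etc/ssh/sshd_config.d` to get one line per file or directory that the split rules would flag.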