Merge "Add Salt 2018.3 tests"
diff --git a/README.rst b/README.rst
index 5a87430..f3921af 100644
--- a/README.rst
+++ b/README.rst
@@ -147,6 +147,18 @@
server:
dss_enabled: true
+CIS Compliance
+==============
+
+There is a number of configuration options that make openssh service compliant with
+CIS Benchmark. Those options could be found under metadata/service/server/cis,
+and are not enabled by default. For each CIS item a comprehencive description
+is provided with pillar data.
+
+More about CIS Benchmark could be found online at:
+
+ https://www.cisecurity.org/cis-benchmarks/
+
Read more
=========
diff --git a/metadata/service/server/cis/cis-5-2-10.yml b/metadata/service/server/cis/cis-5-2-10.yml
new file mode 100644
index 0000000..3cb6db0
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-10.yml
@@ -0,0 +1,36 @@
+# 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The PermitUserEnvironment option allows users to present environment options to the
+# ssh daemon.
+#
+# Rationale
+# ---------
+# Permitting users the ability to set environment variables through the SSH daemon could
+# potentially allow users to bypass security controls (e.g. setting an execution path that has
+# ssh executing trojan'd programs)
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep PermitUserEnvironment /etc/ssh/sshd_config
+# PermitUserEnvironment no
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# PermitUserEnvironment no
+
+parameters:
+ openssh:
+ server:
+ permit_user_environment: False
+
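Review bot: The booleans in these pillar files are written as `True`/`False` (`permit_user_environment: False` here), while the rest of the formula uses lowercase (`enabled: true` in tests/pillar/server.sls, `dss_enabled: true` in the README hunk); the canonical lowercase form avoids YAML 1.1/1.2 tooling differences and satisfies yamllint's `truthy` rule. The same applies to cis-5-2-11, cis-5-2-4, cis-5-2-6, cis-5-2-7, cis-5-2-8 and cis-5-2-9. I'd write `permit_user_environment: false`.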
diff --git a/metadata/service/server/cis/cis-5-2-11.yml b/metadata/service/server/cis/cis-5-2-11.yml
new file mode 100644
index 0000000..4f77a14
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-11.yml
@@ -0,0 +1,53 @@
+# 5.2.11 Ensure only approved MAC algorithms are used (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# This variable limits the types of MAC algorithms that SSH can use during communication.
+#
+# Rationale
+# ---------
+# MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase
+# exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of
+# attention as a weak spot that can be exploited with expanded computing power. An
+# attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the
+# SSH tunnel and capture credentials and information
+#
+# Audit
+# -----
+# Run the following command and verify that output does not contain any unlisted MAC
+# algorithms:
+#
+# # grep "MACs" /etc/ssh/sshd_config
+# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
+# umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,
+# curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
+# umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+parameters:
+ openssh:
+ server:
+ mac_algorithms:
+ hmac-sha2-512-etm@openssh.com:
+ enabled: True
+ hmac-sha2-256-etm@openssh.com:
+ enabled: True
+ umac-128-etm@openssh.com:
+ enabled: True
+ hmac-sha2-512:
+ enabled: True
+ hmac-sha2-256:
+ enabled: True
+ umac-128@openssh.com:
+ enabled: True
+
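Review bot: The Audit block in the header comment lists `curve25519-sha256@libssh.org` and `diffie-hellman-group-exchange-sha256` as MAC algorithms, but those are key-exchange methods, so the documented `grep "MACs"` output can never match what this class renders (the template only emits names from its MAC allowlist). This looks like text carried over verbatim from the benchmark; I'd trim the Audit example to the six MACs actually enabled in the `parameters` block below, matching the Remediation block.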
diff --git a/metadata/service/server/cis/cis-5-2-12.yml b/metadata/service/server/cis/cis-5-2-12.yml
new file mode 100644
index 0000000..3f10de7
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-12.yml
@@ -0,0 +1,52 @@
+# 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The two options ClientAliveInterval and ClientAliveCountMax control the timeout of
+# ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no
+# activity for the specified length of time are terminated. When the ClientAliveCountMax
+# variable is set, sshd will send client alive messages at every ClientAliveInterval
+# interval. When the number of consecutive client alive messages are sent with no response
+# from the client, the ssh session is terminated. For example, if the ClientAliveInterval is
+# set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be
+# terminated after 45 seconds of idle time.
+#
+# Rationale
+# ---------
+# Having no timeout value associated with a connection could allow an unauthorized user
+# access to another user's ssh session (e.g. user walks away from their computer and doesn't
+# lock the screen). Setting a timeout value at least reduces the risk of this happening..
+# While the recommended setting is 300 seconds (5 minutes), set this timeout value based on
+# site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client
+# session will be terminated after 5 minutes of idle time and no keepalive messages will be
+# sent.
+#
+# Audit
+# -----
+# Run the following commands and verify ClientAliveInterval is 300 or less and
+# ClientAliveCountMax is 3 or less:
+#
+# # grep "^ClientAliveInterval" /etc/ssh/sshd_config
+# ClientAliveInterval 300
+# # grep "^ClientAliveCountMax" /etc/ssh/sshd_config
+# ClientAliveCountMax 0
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameters as follows:
+#
+# ClientAliveInterval 300
+# ClientAliveCountMax 0
+
+parameters:
+ openssh:
+ server:
+ alive:
+ interval: 300
+ count: 0
+
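Review bot: `count: 0` renders `ClientAliveCountMax 0`, and the meaning of that value depends on the OpenSSH release: older versions drop the client at the first missed alive probe (the behaviour the header comment describes), whereas newer versions treat 0 as "never disconnect", which would leave idle sessions open with no timeout at all — please confirm against the sshd versions this formula targets. A header comment such as `# NOTE: on newer OpenSSH a count of 0 disables disconnection; use 3 if the target sshd behaves that way` would stop the value from being copied blindly.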
diff --git a/metadata/service/server/cis/cis-5-2-13.yml b/metadata/service/server/cis/cis-5-2-13.yml
new file mode 100644
index 0000000..d442768
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-13.yml
@@ -0,0 +1,39 @@
+# 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The LoginGraceTime parameter specifies the time allowed for successful authentication to
+# the SSH server. The longer the Grace period is the more open unauthenticated connections
+# can exist. Like other session controls in this session the Grace Period should be limited to
+# appropriate organizational limits to ensure the service is available for needed access.
+#
+# Rationale
+# ---------
+# Setting the LoginGraceTime parameter to a low number will minimize the risk of
+# successful brute force attacks to the SSH server. It will also limit the number of concurrent
+# unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set
+# the number based on site policy.
+#
+# Audit
+# -----
+# Run the following command and verify that output LoginGraceTime is 60 or less:
+#
+# # grep "^LoginGraceTime" /etc/ssh/sshd_config
+# LoginGraceTime 60
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# LoginGraceTime 60
+
+parameters:
+ openssh:
+ server:
+ login_grace_time: 60
+
diff --git a/metadata/service/server/cis/cis-5-2-15.yml b/metadata/service/server/cis/cis-5-2-15.yml
new file mode 100644
index 0000000..f5ca67e
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-15.yml
@@ -0,0 +1,45 @@
+# 5.2.15 Ensure SSH warning banner is configured (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The Banner parameter specifies a file whose contents must be sent to the remote user
+# before authentication is permitted. By default, no banner is displayed.
+#
+# Rationale
+# ---------
+# Banners are used to warn connecting users of the particular site's policy regarding
+# connection. Presenting a warning message prior to the normal user login may assist the
+# prosecution of trespassers on the computer system.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^Banner" /etc/ssh/sshd_config
+# Banner /etc/issue.net
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# Banner /etc/issue.net
+
+parameters:
+ openssh:
+ server:
+ banner: |
+ =================================== WARNING ====================================
+ You have accessed a computer managed by ${_param:ssh_banner_company_name}.
+ You are required to have authorisation from ${_param:ssh_banner_company_name}
+ before you proceed and you are strictly limited to use set out within that
+ authorisation. Unauthorised access to or misuse of this system is prohibited
+ and constitutes an offence under the Computer Misuse Act 1990.
+ If you disclose any information obtained through this system without authority
+ ${_param:ssh_banner_company_name} may take legal action against you.
+ ================================================================================
+
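Review bot: The banner interpolates `${_param:ssh_banner_company_name}`, but this change defines that parameter nowhere, so including the class in a model that lacks it will presumably fail at reclass interpolation time rather than produce a banner. I'd give the class a default in its own `parameters:` block, e.g. `_param:` / `ssh_banner_company_name: 'PLACEHOLDER_COMPANY_NAME'`, so it works standalone and models override it. The statute reference (`Computer Misuse Act 1990`) is jurisdiction-specific and deserves the same treatment, as a `_param` with the current wording as its default.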
diff --git a/metadata/service/server/cis/cis-5-2-2.yml b/metadata/service/server/cis/cis-5-2-2.yml
new file mode 100644
index 0000000..7ebee6c
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-2.yml
@@ -0,0 +1,34 @@
+# 5.2.2 Ensure SSH Protocol is set to 2 (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the
+# original protocol and was subject to security issues. SSH2 is more advanced and secure.
+#
+# Rationale
+# ---------
+# SSH v1 suffers from insecurities that do not affect SSH v2.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^Protocol" /etc/ssh/sshd_config
+# Protocol 2
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# Protocol 2
+
+parameter:
+ openssh:
+ server:
+ protocol: 2
+
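Review bot: The top-level key on the `parameter:` line is misspelled — reclass merges `parameters:`, so the `protocol` setting from this class would presumably be ignored (or rejected) rather than applied, and the template falls back to its own default; the same typo is in cis-5-2-6.yml, where `ignore_rhosts: True` is affected the same way. Change both to `parameters:`. Nothing in this change's test pillar includes the cis classes, so CI would not catch it.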
diff --git a/metadata/service/server/cis/cis-5-2-3.yml b/metadata/service/server/cis/cis-5-2-3.yml
new file mode 100644
index 0000000..a81b1f6
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-3.yml
@@ -0,0 +1,38 @@
+# 5.2.3 Ensure SSH LogLevel is set to INFO (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The INFO parameter specifies that login and logout activity will be logged.
+#
+# Rationale
+# ---------
+# SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
+# not recommended other than strictly for debugging SSH communications since it provides
+# so much data that it is difficult to identify important security information. INFO level is the
+# basic level that only records login activity of SSH users. In many situations, such as Incident
+# Response, it is important to determine when a particular user was active on a system. The
+# logout record can eliminate those users who disconnected, which helps narrow the field.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^LogLevel" /etc/ssh/sshd_config
+# LogLevel INFO
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# LogLevel INFO
+
+parameters:
+ openssh:
+ server:
+ log_level: INFO
+
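Review bot: `log_level: INFO` does not match the `log_level` enum added to openssh/schemas/server.yaml in this same change, which lists lowercase values (`info`, `verbose`, …); the template applies `|upper` anyway, so `log_level: info` is both schema-valid and renders identically as `LogLevel INFO`. The new test pillar already uses the lowercase form for the sibling option (`syslog_facility: auth`).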
diff --git a/metadata/service/server/cis/cis-5-2-4.yml b/metadata/service/server/cis/cis-5-2-4.yml
new file mode 100644
index 0000000..d9e3b7b
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-4.yml
@@ -0,0 +1,38 @@
+# 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The X11Forwarding parameter provides the ability to tunnel X11 traffic through the
+# connection to enable remote graphic connections.
+#
+# Rationale
+# ---------
+# Disable X11 forwarding unless there is an operational requirement to use X11 applications
+# directly. There is a small risk that the remote X11 servers of users who are logged in via
+# SSH with X11 forwarding could be compromised by other users on the X11 server. Note
+# that even if X11 forwarding is disabled, users can always install their own forwarders.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^X11Forwarding" /etc/ssh/sshd_config
+# X11Forwarding no
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# X11Forwarding no
+
+parameters:
+ openssh:
+ server:
+ x11:
+ forwarding: False
+
diff --git a/metadata/service/server/cis/cis-5-2-5.yml b/metadata/service/server/cis/cis-5-2-5.yml
new file mode 100644
index 0000000..0d5082b
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-5.yml
@@ -0,0 +1,37 @@
+# 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The MaxAuthTries parameter specifies the maximum number of authentication attempts
+# permitted per connection. When the login failure count reaches half the number, error
+# messages will be written to the syslog file detailing the login failure.
+#
+# Rationale
+# ----------
+# Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
+# brute force attacks to the SSH server. While the recommended setting is 4, set the number
+# based on site policy.
+#
+# Audit
+# -----
+# Run the following command and verify that output MaxAuthTries is 4 or less:
+#
+# # grep "^MaxAuthTries" /etc/ssh/sshd_config
+# MaxAuthTries 4
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# MaxAuthTries 4
+
+parameters:
+ openssh:
+ server:
+ max_auth_tries: 4
+
diff --git a/metadata/service/server/cis/cis-5-2-6.yml b/metadata/service/server/cis/cis-5-2-6.yml
new file mode 100644
index 0000000..fdcd6d3
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-6.yml
@@ -0,0 +1,34 @@
+# 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in
+# RhostsRSAAuthentication or HostbasedAuthentication .
+#
+# Rationale
+# ---------
+# Setting this parameter forces users to enter a password when authenticating with ssh.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^IgnoreRhosts" /etc/ssh/sshd_config
+# IgnoreRhosts yes
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# IgnoreRhosts yes
+
+parameter:
+ openssh:
+ server:
+ ignore_rhosts: True
+
diff --git a/metadata/service/server/cis/cis-5-2-7.yml b/metadata/service/server/cis/cis-5-2-7.yml
new file mode 100644
index 0000000..f2e13bf
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-7.yml
@@ -0,0 +1,36 @@
+# 5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The HostbasedAuthentication parameter specifies if authentication is allowed through
+# trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public
+# key client host authentication. This option only applies to SSH Protocol Version 2.
+#
+# Rationale
+# ---------
+# Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf ,
+# disabling the ability to use .rhosts files in SSH provides an additional layer of protection .
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^HostbasedAuthentication" /etc/ssh/sshd_config
+# HostbasedAuthentication no
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# HostbasedAuthentication no
+
+parameters:
+ openssh:
+ server:
+ host_auth: False
+
diff --git a/metadata/service/server/cis/cis-5-2-8.yml b/metadata/service/server/cis/cis-5-2-8.yml
new file mode 100644
index 0000000..871cfbf
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-8.yml
@@ -0,0 +1,35 @@
+# 5.2.8 Ensure SSH root login is disabled (Scored)
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The
+# default is no.
+#
+# Rationale
+# ---------
+# Disallowing root logins over SSH requires system admins to authenticate using their own
+# individual account, then escalating to root via sudo or su . This in turn limits opportunity
+# for non-repudiation and provides a clear audit trail in the event of a security incident
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^PermitRootLogin" /etc/ssh/sshd_config
+# PermitRootLogin no
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# PermitRootLogin no
+
+parameters:
+ openssh:
+ server:
+ permit_root_login: False
+
diff --git a/metadata/service/server/cis/cis-5-2-9.yml b/metadata/service/server/cis/cis-5-2-9.yml
new file mode 100644
index 0000000..b36cc4d
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-9.yml
@@ -0,0 +1,34 @@
+# 5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts
+# with empty password strings.
+#
+# Rationale
+# ---------
+# Disallowing remote shell access to accounts that have an empty password reduces the
+# probability of unauthorized access to the system
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^PermitEmptyPasswords" /etc/ssh/sshd_config
+# PermitEmptyPasswords no
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# PermitEmptyPasswords no
+
+parameters:
+ openssh:
+ server:
+ permit_empty_passwords: False
diff --git a/metadata/service/server/cis/init.yml b/metadata/service/server/cis/init.yml
new file mode 100644
index 0000000..8c6400e
--- /dev/null
+++ b/metadata/service/server/cis/init.yml
@@ -0,0 +1,14 @@
+classes:
+- service.openssh.server.cis.cis-5-2-2
+- service.openssh.server.cis.cis-5-2-3
+- service.openssh.server.cis.cis-5-2-4
+- service.openssh.server.cis.cis-5-2-5
+- service.openssh.server.cis.cis-5-2-6
+- service.openssh.server.cis.cis-5-2-7
+- service.openssh.server.cis.cis-5-2-8
+- service.openssh.server.cis.cis-5-2-9
+- service.openssh.server.cis.cis-5-2-10
+- service.openssh.server.cis.cis-5-2-11
+- service.openssh.server.cis.cis-5-2-12
+- service.openssh.server.cis.cis-5-2-13
+- service.openssh.server.cis.cis-5-2-15
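Review bot: The class list starts at 5-2-2 and jumps from 5-2-13 to 5-2-15 with no comment saying whether 5.2.1 and 5.2.14 are left out on purpose (presumably because they need site-specific input, but that is a guess). A one-line comment above the list, e.g. `# 5.2.1 and 5.2.14 are intentionally not automated by this formula`, would stop a reader from treating the gap as an oversight.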
diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 95ed4ae..5404e84 100755
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -15,13 +15,15 @@
ListenAddress {{ server.bind.address }}
{%- endif %}
-Protocol 2
+Protocol {{ server.get('protocol', 2) }}
+
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
{%- if grains.os_family != 'CentOS' %}
HostKey /etc/ssh/ssh_host_ecdsa_key
{%- endif %}
+
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
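Review bot: `Protocol {{ server.get('protocol', 2) }}` makes the previously fixed `Protocol 2` overridable, so a model can re-enable SSH protocol 1 — exactly what the new cis-5-2-2 class exists to forbid — and the template neither validates nor warns about it. If the knob is kept, I'd guard it in the template (an `{%- if server.get('protocol', 2) != 2 %}` branch that renders a warning comment into sshd_config) or at least document in the schema that only `2` is expected. Recent OpenSSH server releases have dropped protocol 1 entirely, so the directive is a no-op there; confirm for the targeted platforms.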
@@ -30,20 +32,25 @@
ServerKeyBits {{ server.get('server_key_bits', '2048') }}
# Logging
-SyslogFacility AUTH
-LogLevel INFO
+SyslogFacility {{ server.get('syslog_facility', 'AUTH')|upper }}
-# Authentication:
-LoginGraceTime 120
+LogLevel {{ server.get('log_level', 'INFO')|upper }}
-# FIXME: PermitRootLogin its not boolean variable! need to be refactored!
-PermitRootLogin {% if server.get('permit_root_login', False) %}yes{% else %}no{% endif %}
+LoginGraceTime {{ server.get('login_grace_time', 120) }}
+
+{%- set permit_root_login = server.get('permit_root_login', 'no') %}
+{%- if permit_root_login not in ('yes', 'no', 'prohibit-password',
+ 'without-password', 'forced-commands-only') %}
+{# permit_root_login might be boolean for historical reasons #}
+{%- set permit_root_login = {True: 'yes', False: 'no'}.get(permit_root_login, 'no') %}
+{%- endif %}
+PermitRootLogin {{ permit_root_login }}
StrictModes yes
RSAAuthentication yes
-PubkeyAuthentication {% if server.get('public_key_auth', True) %}yes{% else %}no{% endif %}
+PubkeyAuthentication {{ 'yes' if server.get('public_key_auth', True) else 'no' }}
AuthorizedKeysFile %h/.ssh/authorized_keys
{%- if server.authorized_keys_command is defined %}
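Review bot: The `permit_root_login` normalisation maps any value outside the five accepted strings and the two booleans to `'no'` via `.get(permit_root_login, 'no')`, so a typo such as `prohibit_password` silently fails closed instead of surfacing an error; that is the safe direction, but it is undocumented. I'd extend the inline Jinja comment to `{# permit_root_login might be boolean for historical reasons; any other unrecognised value falls back to 'no' (fail closed) #}`. `prohibit-password` is only understood by OpenSSH 7.0 and later, so a version note alongside it would help operators on older hosts (confirm against the supported platforms).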
@@ -72,26 +79,28 @@
AllowGroups {{ server.allow_groups|join(' ') }}
{% endif %}
-# Don't read the user's ~/.rhosts and ~/.shosts files
-IgnoreRhosts yes
+IgnoreRhosts {{ 'yes' if server.get('ignore_rhosts', True) else 'no' }}
+
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
-HostbasedAuthentication {% if server.get('host_auth', False) %}yes{% else %}no{% endif %}
+HostbasedAuthentication {{ 'yes' if server.get('host_auth', False) else 'no' }}
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
-PermitEmptyPasswords no
+PermitEmptyPasswords {{ 'yes' if server.get('permit_empty_passwords', False) else 'no' }}
+
+PermitUserEnvironment {{ 'yes' if server.get('permit_user_environment', False) else 'no' }}
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication {% if server.get('password_auth', True) %}yes{% else %}no{% endif %}
+PasswordAuthentication {{ 'yes' if server.get('password_auth', True) else 'no' }}
# Kerberos options
{%- if server.get('kerberos_auth', False) %}
@@ -114,7 +123,8 @@
{%- if server.use_dns is defined %}
UseDNS {{ server.use_dns }}
{%- endif %}
-X11Forwarding {% if server.get('x11', {}).get('forwarding', True) %}yes{% else %}no{% endif %}
+
+X11Forwarding {{ 'yes' if server.get('x11', {}).get('forwarding', True) else 'no' }}
X11DisplayOffset {{ server.get('x11', {}).get('display_offset', '10') }}
PrintMotd {% if server.get('print_motd', False) %}yes{% else %}no{% endif %}
PrintLastLog {% if server.get('print_lastlog', True) %}yes{% else %}no{% endif %}
@@ -124,6 +134,7 @@
{%- if server.get('alive', {'interval': None}).interval is number %}
ClientAliveInterval {{ server.alive.interval }}
{% endif %}
+
{%- if server.get('alive', {'count': None}).count is number %}
ClientAliveCountMax {{ server.alive.count }}
{% endif %}
@@ -139,10 +150,16 @@
#MaxStartups 10:30:60
{%- endif %}
+{%- if server.max_auth_tries is defined %}
+MaxAuthTries {{ server.max_auth_tries }}
+{%- endif %}
+
{%- if server.banner is defined %}
-Banner /etc/banner
-{%- else %}
-#Banner /etc/banner
+# CIS 5.2.15 requires Banner option configured. It also proposes
+# file name '/etc/issue.net' as a solution, if Banner is not configured.
+# WARNING: Some security scanners accepts only '/etc/issue.net'
+# as a valid banner file name, so please do not change it.
+Banner /etc/issue.net
{%- endif %}
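Review bot: The rendered comment `# WARNING: Some security scanners accepts only '/etc/issue.net'` has a grammar slip and is duplicated almost verbatim as a Jinja comment in openssh/server/service.sls; I'd tighten it to `# Some security scanners accept only '/etc/issue.net' as the banner path; do not change it.` in both places. Omitting the directive when `server.banner` is undefined is fine, since sshd shows no banner by default, but a one-line comment saying so would make the `{%- else %}` removal deliberate.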
# Allow client to pass locale environment variables
@@ -167,3 +184,32 @@
{%- if server.get('dss_enabled', false) %}
PubkeyAcceptedKeyTypes=+ssh-dss
{%- endif %}
+
+{%- if server.get('mac_algorithms', False) %}
+{%- set supported_macs = ('hmac-md5',
+ 'hmac-md5-96',
+ 'hmac-ripemd160',
+ 'hmac-sha1',
+ 'hmac-sha1-96',
+ 'hmac-sha2-256',
+ 'hmac-sha2-512',
+ 'umac-64@openssh.com',
+ 'umac-128@openssh.com',
+ 'hmac-md5-etm@openssh.com',
+ 'hmac-md5-96-etm@openssh.com',
+ 'hmac-ripemd160-etm@openssh.com',
+ 'hmac-sha1-etm@openssh.com',
+ 'hmac-sha1-96-etm@openssh.com',
+ 'hmac-sha2-256-etm@openssh.com',
+ 'hmac-sha2-512-etm@openssh.com',
+ 'umac-64-etm@openssh.com',
+ 'umac-128-etm@openssh.com') %}
+{%- set mac_algorithms = [] %}
+{%- for k, v in server.mac_algorithms.items() %}
+{%- set _ = mac_algorithms.append(k) if v.get('enabled', False) and k in supported_macs %}
+{%- endfor %}
+{%- if mac_algorithms|length >0 %}
+MACs {{ mac_algorithms|join(',') }}
+{%- endif %}
+{%- endif %}
+
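Review bot: When `mac_algorithms` is set but every entry is disabled or misspelled, the filter loop leaves `mac_algorithms` empty and the `MACs` line is omitted, so sshd silently falls back to its built-in default set (which, per the schema text in this change, still includes `hmac-sha1`); an operator who enabled the CIS class would believe the restriction is in place. I'd add an `{%- else %}` branch before the inner `{%- endif %}` that renders `# WARNING: no enabled mac_algorithms matched the supported list; sshd defaults apply`, so the gap is visible in the generated file — a hard render-time failure would be better still if the Salt version in use offers one. The allowlist also contains the MD5 and 96-bit MACs the CIS text calls weak; that is defensible as a "what sshd understands" list, but a comment saying so would keep it from being read as a recommendation. Iterating `server.mac_algorithms.items()` also makes the emitted order depend on dict ordering, which may vary by Python version; sorting the keys would make the rendered file stable across runs.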
diff --git a/openssh/schemas/server.yaml b/openssh/schemas/server.yaml
index 7b07859..86e1abe 100644
--- a/openssh/schemas/server.yaml
+++ b/openssh/schemas/server.yaml
@@ -16,6 +16,14 @@
description: |
Enables openssh server configurathion.
type: boolean
+ banner:
+ description: |
+ Banner
+ ------
+ The contents of the specified file are sent to the remote user
+ before authentication is allowed. If the argument is “none” then
+ no banner is displayed. By default, no banner is displayed.
+ type: string
bind:
description: Specifies sshd servcive listen on configurathion.
type: object
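Review bot: The `banner` description is copied from the sshd_config manual and says the value is a file whose contents are sent, but in this formula the pillar value appears to be the text itself — cis-5-2-15.yml passes multi-line text, and openssh/server/service.sls manages `/etc/issue.net` from it (the `contents` line is outside that hunk, so this part is inferred). I'd replace the description with `Banner text written to /etc/issue.net and referenced by the sshd Banner directive; sshd sends it to the client before authentication.` so readers do not supply a path.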
@@ -28,16 +36,176 @@
description: Specifies the port on which the server listens for connections. Multiple options are permitted.
type: string
example: 127.0.0.1 192.168.1.1
+ host_auth:
+ description: |
+ HostbasedAuthentication
+ -----------------------
+ Specifies whether rhosts or /etc/hosts.equiv authentication
+ together with successful public key client host authentication is
+ allowed (host-based authentication). The default is False(“no”).
+ type: boolean
+ ignore_rhosts:
+ description: |
+ IgnoreRhosts
+ ------------
+ Specifies that .rhosts and .shosts files will not be used in
+ RhostsRSAAuthentication or HostbasedAuthentication.
+ .
+ /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The
+ default is True (“yes”).
+ type: boolean
+ kerberos_auth:
+ description: |
+ KerberosAuthentication
+ ----------------------
+ Specifies whether the password provided by the user for
+ PasswordAuthentication will be validated through the Kerberos
+ KDC. To use this option, the server needs a Kerberos servtab
+ which allows the verification of the KDC's identity. The default
+ is False (“no”).
+ type: boolean
+ syslog_facility:
+ description: |
+ SyslogFacility
+ --------
+ Gives the facility code that is used when logging messages from
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
+ enum:
+ - daemon
+ - user
+ - auth
+ - authpriv
+ - local0
+ - local1
+ - local2
+ - local3
+ - local4
+ - local5
+ - local6
+ - local7
+ log_level:
+ description: |
+ LogLevel
+ --------
+ Gives the verbosity level that is used when logging messages from
+ sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO,
+ VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.
+ DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify
+ higher levels of debugging output. Logging with a DEBUG level
+ violates the privacy of users and is not recommended.
+ enum:
+ - quiet
+ - fatal
+ - error
+ - info
+ - verbose
+ - debug
+ - debug1
+ - debug2
+ - debug3
+ login_grace_time:
+ description: |
+ LoginGraceTime
+ --------------
+ The server disconnects after this time if the user has not
+ successfully logged in. If the value is 0, there is no time
+ limit. The default is 120 seconds.
+ type: integer
+ mac_algorithms:
+ description: |
+ MACs
+ ----
+ Specifies the available MAC (message authentication code)
+ algorithms. The MAC algorithm is used for data integrity
+ protection. Multiple algorithms must be comma-separated. If the
+ specified value begins with a ‘+’ character, then the specified
+ algorithms will be appended to the default set instead of
+ replacing them.
+ .
+ The algorithms that contain “-etm” calculate the MAC after
+ encryption (encrypt-then-mac). These are considered safer and
+ their use recommended. The supported MACs are:
+ hmac-md5
+ hmac-md5-96
+ hmac-ripemd160
+ hmac-sha1
+ hmac-sha1-96
+ hmac-sha2-256
+ hmac-sha2-512
+ umac-64@openssh.com
+ umac-128@openssh.com
+ hmac-md5-etm@openssh.com
+ hmac-md5-96-etm@openssh.com
+ hmac-ripemd160-etm@openssh.com
+ hmac-sha1-etm@openssh.com
+ hmac-sha1-96-etm@openssh.com
+ hmac-sha2-256-etm@openssh.com
+ hmac-sha2-512-etm@openssh.com
+ umac-64-etm@openssh.com
+ umac-128-etm@openssh.com
+ .
+ The default is:
+ umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+ hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+ hmac-sha1-etm@openssh.com,
+ umac-64@openssh.com,umac-128@openssh.com,
+ hmac-sha2-256,hmac-sha2-512,hmac-sha1
+ type: object
+ properties:
+ enabled:
+ description: |
+ Enables / disabled specific MAC algorithm.
+ type: boolean
+ max_auth_tries:
+ description: |
+ MaxAuthTries
+ ------------
+ Specifies the maximum number of authentication attempts permitted
+ per connection. Once the number of failures reaches half this
+ value, additional failures are logged. The default is 6.
+ type: integer
password_auth:
- description: Specifies whether password authentication is allowed.
+ description: |
+ PasswordAuthentication
+ ----------------------
+ Specifies whether password authentication is allowed. The
+ default is True(“yes”).
+ type: boolean
+ permit_empty_passwords:
+ description: |
+ PermitEmptyPasswords
+ --------------------
+ When password authentication is allowed, it specifies whether the
+ server allows login to accounts with empty password strings. The
+ default is False (“no”).
type: boolean
permit_root_login:
description: |
- Specifies whether root can log in using ssh.
- # TODO currently its only boolean option, need to be fixed.
- # The argument must be ``yes'', ``prohibit-password'',
- # ``without-password'', ``forced-commands-only'', or ``no''.
- # The default is ``prohibit-password''.
+ PermitRootLogin
+ ---------------
+ Specifies whether root can log in using ssh(1). The argument
+ must be “yes”, “prohibit-password”, “without-password”,
+ “forced-commands-only”, or “no”. The default is
+ “prohibit-password”.
+ .
+ If this option is set to “prohibit-password” or
+ “without-password”, password and keyboard-interactive
+ authentication are disabled for root.
+ .
+ If this option is set to “forced-commands-only”, root login with
+ public key authentication will be allowed, but only if the
+ command option has been specified (which may be useful for taking
+ remote backups even if root login is normally not allowed). All
+ other authentication methods are disabled for root.
+ .
+ If this option is set to “no”, root is not allowed to log in.
+ # TODO Currently its only boolean option, however, support for other
+ # values has been added recently to sshd_config template, now
+ # it may use both booleans and strings.
+ # Now the next step is to update reclass models and switch
+ # from boolean values to strings.
# enum:
# - yes
# - no
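Review bot: The `mac_algorithms` schema does not describe the structure the new pillar and template use: it declares a single `enabled` property directly under `mac_algorithms`, whereas cis-5-2-11.yml and the template's `server.mac_algorithms.items()` loop expect a map keyed by algorithm name whose values carry `enabled`. As written, a validator would accept `mac_algorithms: {enabled: true}` and treat real data as unknown properties (how strictly depends on the validator's `additionalProperties` default, which is not visible here). The sketch below keys the entries with `additionalProperties`; a `patternProperties` restricted to the supported MAC names would be tighter.
```yaml
      mac_algorithms:
        # … unchanged: MACs description block …
        type: object
        additionalProperties:
          type: object
          properties:
            enabled:
              description: Enables / disables the specific MAC algorithm.
              type: boolean
```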
@@ -45,6 +213,38 @@
# - forced-commands-only
# - prohibit-password
type: boolean
+ permit_user_environment:
+ description: |
+ PermitUserEnvironment
+ ---------------------
+ Specifies whether ~/.ssh/environment and environment= options in
+ ~/.ssh/authorized_keys are processed by sshd(8). The default is
+ False (“no”). Enabling environment processing may enable users to
+ bypass access restrictions in some configurations using mechanisms
+ such as LD_PRELOAD.
+ type: boolean
+ protocol:
+ description: |
+ Protocol
+ --------
+ Specifies the protocol versions sshd(8) supports. The possible
+ values are ‘1’ and ‘2’. Multiple versions must be comma-
+ separated. The default is ‘2’. Protocol 1 suffers from a number
+ of cryptographic weaknesses and should not be used. It is only
+ offered to support legacy devices.
+ .
+ Note that the order of the protocol list does not indicate
+ preference, because the client selects among multiple protocol
+ versions offered by the server. Specifying “2,1” is identical to
+ “1,2”.
+ type: integer
+ public_key_auth:
+ description: |
+ PubkeyAuthentication
+ --------------------
+ Specifies whether public key authentication is allowed. The
+ default is True (“yes”).
+ type: boolean
user:
description: |
List of openssh user's, to be configured.
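Review bot: `protocol` is declared `type: integer`, yet its description says multiple versions "must be comma-separated" — a value like `2,1` is a YAML string and would fail this schema, while the template renders whatever it receives. Since the formula's default and the cis-5-2-2 class both want exactly `2` (and protocol 1 has been removed from recent sshd releases — confirm for the targeted platforms), I'd pin it with `enum:` / `- 2` in place of `type: integer` and drop the comma-separated paragraph from the description.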
@@ -64,13 +264,13 @@
description: List of pub keys for user (> authorized_keys)
type: array
items:
- - type: object
- additionalProperties: false
- properties:
- key:
- type: string
- description: ssh public key
- example: "ssh-rsa AAAAXXX username@example.com"
+ type: object
+ additionalProperties: false
+ properties:
+ key:
+ type: string
+ description: ssh public key
+ example: "ssh-rsa AAAAXXX username@example.com"
example:
- key: "ssh-rsa AAAAXXX1111 username@example.com"
- key: "ssh-rsa AAAAXXX2222 username@example.com"
@@ -89,17 +289,35 @@
- no
interval:
description: |
- Configure ClientAliveInterval option.
- Sets a timeout interval in seconds after which if no data has been
- received from the client, sshd(8) will send a message through the
- encrypted channel to request a response from the client.
+ ClientAliveInterval
+ -------------------
+ Sets a timeout interval in seconds after which if no data has
+ been received from the client, sshd(8) will send a message
+ through the encrypted channel to request a response from the
+ client. The default is 0, indicating that these messages will
+ not be sent to the client.
type: integer
example: 600
count:
description: |
- Configure ClientAliveCountMax option
- Sets the number of client alive messages which may be sent without ssh receiving
- any messages back from the client.
+ ClientAliveCountMax
+ -------------------
+ Sets the number of client alive messages (see below) which may be
+ sent without sshd(8) receiving any messages back from the client.
+ If this threshold is reached while client alive messages are
+ being sent, sshd will disconnect the client, terminating the
+ session. It is important to note that the use of client alive
+ messages is very different from TCPKeepAlive (below). The client
+ alive messages are sent through the encrypted channel and
+ therefore will not be spoofable. The TCP keepalive option
+ enabled by TCPKeepAlive is spoofable. The client alive mechanism
+ is valuable when the client or server depend on knowing when a
+ connection has become inactive.
+ .
+ The default value is 3. If ClientAliveInterval (see below) is
+ set to 15, and ClientAliveCountMax is left at the default,
+ unresponsive SSH clients will be disconnected after approximately
+ 45 seconds.
type: integer
example: 3
force_command:
diff --git a/openssh/server/service.sls b/openssh/server/service.sls
index fdb6989..682857e 100644
--- a/openssh/server/service.sls
+++ b/openssh/server/service.sls
@@ -7,7 +7,13 @@
{%- if server.banner is defined %}
-/etc/banner:
+{# CIS 5.2.15 requires Banner option configured. It also proposes
+ file name '/etc/issue.net' as a solution, if Banner is not configured.
+ WARNING: Some security scanners accepts only '/etc/issue.net'
+ as a valid banner file name, so please do not change it.
+#}
+
+/etc/issue.net:
file.managed:
- user: root
- group: root
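Review bot: Renaming the managed file from `/etc/banner` to `/etc/issue.net` leaves the old `/etc/banner` in place on hosts that already applied the formula, and nothing in the state removes it; the stale copy is harmless to sshd but will confuse anyone auditing which banner is served. I'd add `/etc/banner:` / `  file.absent` alongside the new state. The `file.managed` body (mode and contents) continues outside the hunk, so I could not check that the file is not writable by non-root users.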
diff --git a/tests/pillar/server.sls b/tests/pillar/server.sls
index ccfcbcb..4bdf62b 100644
--- a/tests/pillar/server.sls
+++ b/tests/pillar/server.sls
@@ -13,6 +13,7 @@
server:
enabled: true
use_dns: yes
+ syslog_facility: auth
user:
testusername:
enabled: true
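Review bot: The only test-pillar change is `syslog_facility: auth`, so none of the new rendering logic — the `permit_root_login` string normalisation, the `mac_algorithms` filter, `max_auth_tries`, the `/etc/issue.net` banner state — is exercised by CI, and none of the new cis classes is included. I'd add `permit_root_login: prohibit-password`, `max_auth_tries: 4` and a `mac_algorithms` entry (one algorithm name from the template's allowlist with `enabled: true`) here, and consider a second test pillar that includes the cis class list so typos in those files are caught at render time.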