openssh CIS compliance
* CIS 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
* CIS 5.2.2 Ensure SSH Protocol is set to 2 (Scored)
* CIS 5.2.3 Ensure SSH LogLevel is set to INFO (Scored)
* CIS 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
* CIS 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
* CIS 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored)
* CIS 5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored)
* CIS 5.2.8 Ensure SSH root login is disabled (Scored)
* CIS 5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored)
* CIS 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored)
* CIS 5.2.11 Ensure only approved MAC algorithms are used (Scored)
* CIS 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
* CIS 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
* CIS 5.2.14 Ensure SSH access is limited (Scored)
* CIS 5.2.15 Ensure SSH warning banner is configured (Scored)
Change-Id: Ie53dbdfada27bdb08d3571be10e0de95117a1a17
diff --git a/README.rst b/README.rst
index 5a87430..f3921af 100644
--- a/README.rst
+++ b/README.rst
@@ -147,6 +147,18 @@
server:
dss_enabled: true
+CIS Compliance
+==============
+
+There is a number of configuration options that make openssh service compliant with
+CIS Benchmark. Those options could be found under metadata/service/server/cis,
+and are not enabled by default. For each CIS item a comprehencive description
+is provided with pillar data.
+
+More about CIS Benchmark could be found online at:
+
+ https://www.cisecurity.org/cis-benchmarks/
+
Read more
=========
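Review bot: the new "CIS Compliance" section says the options live under metadata/service/server/cis and are "not enabled by default", but it never shows how to enable them or says which benchmark the item numbers belong to. Please add a short example of including one of those classes, and name the CIS Benchmark (distribution and version) that the 5.2.1 to 5.2.15 numbering in the commit message refers to, so a reader can match each item to the document they audit against. Wording in the added lines: "comprehencive" should be "comprehensive", "There is a number of" should be "There are a number of", and "could be found" should be "can be found" in both places.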