openssh CIS compliance
* CIS 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
* CIS 5.2.2 Ensure SSH Protocol is set to 2 (Scored)
* CIS 5.2.3 Ensure SSH LogLevel is set to INFO (Scored)
* CIS 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
* CIS 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
* CIS 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored)
* CIS 5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored)
* CIS 5.2.8 Ensure SSH root login is disabled (Scored)
* CIS 5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored)
* CIS 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored)
* CIS 5.2.11 Ensure only approved MAC algorithms are used (Scored)
* CIS 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
* CIS 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
* CIS 5.2.14 Ensure SSH access is limited (Scored)
* CIS 5.2.15 Ensure SSH warning banner is configured (Scored)
Change-Id: Ie53dbdfada27bdb08d3571be10e0de95117a1a17
diff --git a/metadata/service/server/cis/cis-5-2-10.yml b/metadata/service/server/cis/cis-5-2-10.yml
new file mode 100644
index 0000000..3cb6db0
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-10.yml
@@ -0,0 +1,36 @@
+# 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The PermitUserEnvironment option allows users to present environment options to the
+# ssh daemon.
+#
+# Rationale
+# ---------
+# Permitting users the ability to set environment variables through the SSH daemon could
+# potentially allow users to bypass security controls (e.g. setting an execution path that has
+# ssh executing trojan'd programs)
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep PermitUserEnvironment /etc/ssh/sshd_config
+# PermitUserEnvironment no
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# PermitUserEnvironment no
+
+parameters:
+ openssh:
+ server:
+ permit_user_environment: False
+
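Review bot: the audit command in this file, `# grep PermitUserEnvironment /etc/ssh/sshd_config`, is not anchored to the start of the line, so the commented-out default `#PermitUserEnvironment no` that ships in stock sshd_config files also matches and the check passes on a host that never had the setting applied. Every other class in this change anchors its grep (`grep "^ClientAliveInterval"`, `grep "^LogLevel"`, ...); use `grep "^PermitUserEnvironment" /etc/ssh/sshd_config` here for the same reason.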
diff --git a/metadata/service/server/cis/cis-5-2-11.yml b/metadata/service/server/cis/cis-5-2-11.yml
new file mode 100644
index 0000000..4f77a14
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-11.yml
@@ -0,0 +1,53 @@
+# 5.2.11 Ensure only approved MAC algorithms are used (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# This variable limits the types of MAC algorithms that SSH can use during communication.
+#
+# Rationale
+# ---------
+# MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase
+# exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of
+# attention as a weak spot that can be exploited with expanded computing power. An
+# attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the
+# SSH tunnel and capture credentials and information
+#
+# Audit
+# -----
+# Run the following command and verify that output does not contain any unlisted MAC
+# algorithms:
+#
+# # grep "MACs" /etc/ssh/sshd_config
+# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
+# umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,
+# curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,
+# umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+parameters:
+ openssh:
+ server:
+ mac_algorithms:
+ hmac-sha2-512-etm@openssh.com:
+ enabled: True
+ hmac-sha2-256-etm@openssh.com:
+ enabled: True
+ umac-128-etm@openssh.com:
+ enabled: True
+ hmac-sha2-512:
+ enabled: True
+ hmac-sha2-256:
+ enabled: True
+ umac-128@openssh.com:
+ enabled: True
+
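Review bot: the sample audit output on the `MACs` line ends with `curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256`; those are key exchange algorithms (KexAlgorithms), not MACs, and sshd rejects a `MACs` directive containing them as a bad mac spec, so a host that literally matched this output would not start sshd. The Remediation block below it correctly stops at `umac-128@openssh.com`; trim the audit output to the same six algorithms. Since `mac_algorithms` only carries `enabled: True` entries, the rendered directive can only ever be this allow-list, which is the intent; worth confirming the template emits the `MACs` line from exactly these entries and nothing weaker is appended from a default.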
diff --git a/metadata/service/server/cis/cis-5-2-12.yml b/metadata/service/server/cis/cis-5-2-12.yml
new file mode 100644
index 0000000..3f10de7
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-12.yml
@@ -0,0 +1,52 @@
+# 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The two options ClientAliveInterval and ClientAliveCountMax control the timeout of
+# ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no
+# activity for the specified length of time are terminated. When the ClientAliveCountMax
+# variable is set, sshd will send client alive messages at every ClientAliveInterval
+# interval. When the number of consecutive client alive messages are sent with no response
+# from the client, the ssh session is terminated. For example, if the ClientAliveInterval is
+# set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be
+# terminated after 45 seconds of idle time.
+#
+# Rationale
+# ---------
+# Having no timeout value associated with a connection could allow an unauthorized user
+# access to another user's ssh session (e.g. user walks away from their computer and doesn't
+# lock the screen). Setting a timeout value at least reduces the risk of this happening..
+# While the recommended setting is 300 seconds (5 minutes), set this timeout value based on
+# site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client
+# session will be terminated after 5 minutes of idle time and no keepalive messages will be
+# sent.
+#
+# Audit
+# -----
+# Run the following commands and verify ClientAliveInterval is 300 or less and
+# ClientAliveCountMax is 3 or less:
+#
+# # grep "^ClientAliveInterval" /etc/ssh/sshd_config
+# ClientAliveInterval 300
+# # grep "^ClientAliveCountMax" /etc/ssh/sshd_config
+# ClientAliveCountMax 0
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameters as follows:
+#
+# ClientAliveInterval 300
+# ClientAliveCountMax 0
+
+parameters:
+ openssh:
+ server:
+ alive:
+ interval: 300
+ count: 0
+
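Review bot: the three comment sections and the parameters in this file disagree on ClientAliveCountMax: the Description example uses 3, the Audit says "ClientAliveCountMax is 3 or less", and the Remediation and `count: 0` set it to 0. The value 0 is also a poor choice in practice: per sshd_config(5), from OpenSSH 8.2 a zero ClientAliveCountMax disables connection termination entirely, and on older releases it killed the session at the first liveness probe whether or not the client answered. Either way the 5-minute idle disconnect the rationale describes is not what you get. Suggest `count: 3` with `interval: 300` (disconnect after roughly 15 minutes without a response), or `count: 1` if the 5-minute target is a hard requirement, and align the Description, Audit and Remediation text with whichever value is chosen.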
diff --git a/metadata/service/server/cis/cis-5-2-13.yml b/metadata/service/server/cis/cis-5-2-13.yml
new file mode 100644
index 0000000..d442768
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-13.yml
@@ -0,0 +1,39 @@
+# 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The LoginGraceTime parameter specifies the time allowed for successful authentication to
+# the SSH server. The longer the Grace period is the more open unauthenticated connections
+# can exist. Like other session controls in this session the Grace Period should be limited to
+# appropriate organizational limits to ensure the service is available for needed access.
+#
+# Rationale
+# ---------
+# Setting the LoginGraceTime parameter to a low number will minimize the risk of
+# successful brute force attacks to the SSH server. It will also limit the number of concurrent
+# unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set
+# the number based on site policy.
+#
+# Audit
+# -----
+# Run the following command and verify that output LoginGraceTime is 60 or less:
+#
+# # grep "^LoginGraceTime" /etc/ssh/sshd_config
+# LoginGraceTime 60
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# LoginGraceTime 60
+
+parameters:
+ openssh:
+ server:
+ login_grace_time: 60
+
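Review bot: two documentation nits in the header comment. In the Description, "Like other session controls in this session" should read "in this section", and in the Rationale the sentence "It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds" is missing the full stop before "While". The parameter `login_grace_time: 60` matches the audit threshold.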
diff --git a/metadata/service/server/cis/cis-5-2-15.yml b/metadata/service/server/cis/cis-5-2-15.yml
new file mode 100644
index 0000000..f5ca67e
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-15.yml
@@ -0,0 +1,45 @@
+# 5.2.15 Ensure SSH warning banner is configured (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The Banner parameter specifies a file whose contents must be sent to the remote user
+# before authentication is permitted. By default, no banner is displayed.
+#
+# Rationale
+# ---------
+# Banners are used to warn connecting users of the particular site's policy regarding
+# connection. Presenting a warning message prior to the normal user login may assist the
+# prosecution of trespassers on the computer system.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^Banner" /etc/ssh/sshd_config
+# Banner /etc/issue.net
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# Banner /etc/issue.net
+
+parameters:
+ openssh:
+ server:
+ banner: |
+ =================================== WARNING ====================================
+ You have accessed a computer managed by ${_param:ssh_banner_company_name}.
+ You are required to have authorisation from ${_param:ssh_banner_company_name}
+ before you proceed and you are strictly limited to use set out within that
+ authorisation. Unauthorised access to or misuse of this system is prohibited
+ and constitutes an offence under the Computer Misuse Act 1990.
+ If you disclose any information obtained through this system without authority
+ ${_param:ssh_banner_company_name} may take legal action against you.
+ ================================================================================
+
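Review bot: the audit and remediation text expect `Banner /etc/issue.net`, but this class supplies the banner body inline (`banner: |`) rather than a path, so the formula must write that text to a file and point `Banner` at it; please confirm the template does this, otherwise `grep "^Banner"` will not find the directive and the control fails. Two points on the text itself: `${_param:ssh_banner_company_name}` is not defined anywhere in this change, so reclass will fail to resolve it for any deployment that does not set that parameter; add a default in this class or document it as required. And the reference to the Computer Misuse Act 1990 is UK-specific and hard-coded while the company name is parameterised; consider making the statute sentence (or the whole banner) overridable so deployments in other jurisdictions do not ship a misleading legal notice.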
diff --git a/metadata/service/server/cis/cis-5-2-2.yml b/metadata/service/server/cis/cis-5-2-2.yml
new file mode 100644
index 0000000..7ebee6c
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-2.yml
@@ -0,0 +1,34 @@
+# 5.2.2 Ensure SSH Protocol is set to 2 (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the
+# original protocol and was subject to security issues. SSH2 is more advanced and secure.
+#
+# Rationale
+# ---------
+# SSH v1 suffers from insecurities that do not affect SSH v2.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^Protocol" /etc/ssh/sshd_config
+# Protocol 2
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# Protocol 2
+
+parameter:
+ openssh:
+ server:
+ protocol: 2
+
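Review bot: the top-level key here is `parameter:` instead of `parameters:` (compare `parameters:` in cis-5-2-3.yml, cis-5-2-4.yml and the rest), so reclass will not merge `openssh:server:protocol: 2` into the pillar and this control is silently never applied, even though `init.yml` includes the class. Rename the key.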
diff --git a/metadata/service/server/cis/cis-5-2-3.yml b/metadata/service/server/cis/cis-5-2-3.yml
new file mode 100644
index 0000000..a81b1f6
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-3.yml
@@ -0,0 +1,38 @@
+# 5.2.3 Ensure SSH LogLevel is set to INFO (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The INFO parameter specifies that login and logout activity will be logged.
+#
+# Rationale
+# ---------
+# SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
+# not recommended other than strictly for debugging SSH communications since it provides
+# so much data that it is difficult to identify important security information. INFO level is the
+# basic level that only records login activity of SSH users. In many situations, such as Incident
+# Response, it is important to determine when a particular user was active on a system. The
+# logout record can eliminate those users who disconnected, which helps narrow the field.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^LogLevel" /etc/ssh/sshd_config
+# LogLevel INFO
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# LogLevel INFO
+
+parameters:
+ openssh:
+ server:
+ log_level: INFO
+
diff --git a/metadata/service/server/cis/cis-5-2-4.yml b/metadata/service/server/cis/cis-5-2-4.yml
new file mode 100644
index 0000000..d9e3b7b
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-4.yml
@@ -0,0 +1,38 @@
+# 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The X11Forwarding parameter provides the ability to tunnel X11 traffic through the
+# connection to enable remote graphic connections.
+#
+# Rationale
+# ---------
+# Disable X11 forwarding unless there is an operational requirement to use X11 applications
+# directly. There is a small risk that the remote X11 servers of users who are logged in via
+# SSH with X11 forwarding could be compromised by other users on the X11 server. Note
+# that even if X11 forwarding is disabled, users can always install their own forwarders.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^X11Forwarding" /etc/ssh/sshd_config
+# X11Forwarding no
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# X11Forwarding no
+
+parameters:
+ openssh:
+ server:
+ x11:
+ forwarding: False
+
diff --git a/metadata/service/server/cis/cis-5-2-5.yml b/metadata/service/server/cis/cis-5-2-5.yml
new file mode 100644
index 0000000..0d5082b
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-5.yml
@@ -0,0 +1,37 @@
+# 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The MaxAuthTries parameter specifies the maximum number of authentication attempts
+# permitted per connection. When the login failure count reaches half the number, error
+# messages will be written to the syslog file detailing the login failure.
+#
+# Rationale
+# ----------
+# Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
+# brute force attacks to the SSH server. While the recommended setting is 4, set the number
+# based on site policy.
+#
+# Audit
+# -----
+# Run the following command and verify that output MaxAuthTries is 4 or less:
+#
+# # grep "^MaxAuthTries" /etc/ssh/sshd_config
+# MaxAuthTries 4
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# MaxAuthTries 4
+
+parameters:
+ openssh:
+ server:
+ max_auth_tries: 4
+
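Review bot: formatting nit, the Rationale underline in this file is ten dashes (`----------`) while every other class uses nine; trim it so the headers stay uniform. `max_auth_tries: 4` matches the audit threshold.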
diff --git a/metadata/service/server/cis/cis-5-2-6.yml b/metadata/service/server/cis/cis-5-2-6.yml
new file mode 100644
index 0000000..fdcd6d3
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-6.yml
@@ -0,0 +1,34 @@
+# 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in
+# RhostsRSAAuthentication or HostbasedAuthentication .
+#
+# Rationale
+# ---------
+# Setting this parameter forces users to enter a password when authenticating with ssh.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^IgnoreRhosts" /etc/ssh/sshd_config
+# IgnoreRhosts yes
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# IgnoreRhosts yes
+
+parameter:
+ openssh:
+ server:
+ ignore_rhosts: True
+
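Review bot: same typo as cis-5-2-2.yml, the top-level key is `parameter:` rather than `parameters:`, so `ignore_rhosts: True` never reaches the pillar and the control is not applied; rename the key. Separately, the Rationale sentence "Setting this parameter forces users to enter a password when authenticating with ssh" overstates what IgnoreRhosts does: it only stops .rhosts and .shosts from being consulted for host-based authentication, and public-key authentication is unaffected. Suggest "prevents trust relationships declared in per-user .rhosts/.shosts files from being used for authentication".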
diff --git a/metadata/service/server/cis/cis-5-2-7.yml b/metadata/service/server/cis/cis-5-2-7.yml
new file mode 100644
index 0000000..f2e13bf
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-7.yml
@@ -0,0 +1,36 @@
+# 5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The HostbasedAuthentication parameter specifies if authentication is allowed through
+# trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public
+# key client host authentication. This option only applies to SSH Protocol Version 2.
+#
+# Rationale
+# ---------
+# Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf ,
+# disabling the ability to use .rhosts files in SSH provides an additional layer of protection .
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^HostbasedAuthentication" /etc/ssh/sshd_config
+# HostbasedAuthentication no
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# HostbasedAuthentication no
+
+parameters:
+ openssh:
+ server:
+ host_auth: False
+
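Review bot: documentation nits in the Description and Rationale: "via the user of .rhosts" should read "via the use of .rhosts", and there are stray spaces before the punctuation in ".rhosts , or /etc/hosts.equiv ," and "additional layer of protection ." The parameter `host_auth: False` is consistent with the `HostbasedAuthentication no` remediation.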
diff --git a/metadata/service/server/cis/cis-5-2-8.yml b/metadata/service/server/cis/cis-5-2-8.yml
new file mode 100644
index 0000000..871cfbf
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-8.yml
@@ -0,0 +1,35 @@
+# 5.2.8 Ensure SSH root login is disabled (Scored)
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The
+# default is no.
+#
+# Rationale
+# ---------
+# Disallowing root logins over SSH requires system admins to authenticate using their own
+# individual account, then escalating to root via sudo or su . This in turn limits opportunity
+# for non-repudiation and provides a clear audit trail in the event of a security incident
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^PermitRootLogin" /etc/ssh/sshd_config
+# PermitRootLogin no
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# PermitRootLogin no
+
+parameters:
+ openssh:
+ server:
+ permit_root_login: False
+
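Review bot: the header is missing the blank `#` line between the title and "Profile Applicability" that every other class has; add it for consistency. In the Rationale, "This in turn limits opportunity for non-repudiation" reads backwards: forcing admins through individual accounts plus sudo/su improves non-repudiation, it does not limit it. Suggest "This in turn supports non-repudiation and provides a clear audit trail". The Rationale also lacks a terminating full stop.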
diff --git a/metadata/service/server/cis/cis-5-2-9.yml b/metadata/service/server/cis/cis-5-2-9.yml
new file mode 100644
index 0000000..b36cc4d
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-9.yml
@@ -0,0 +1,34 @@
+# 5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts
+# with empty password strings.
+#
+# Rationale
+# ---------
+# Disallowing remote shell access to accounts that have an empty password reduces the
+# probability of unauthorized access to the system
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+# # grep "^PermitEmptyPasswords" /etc/ssh/sshd_config
+# PermitEmptyPasswords no
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+# PermitEmptyPasswords no
+
+parameters:
+ openssh:
+ server:
+ permit_empty_passwords: False
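Review bot: style nit, this is the only class in the change without a trailing blank line after the `parameters:` block (every other file ends with an empty `+` line); add it so the files are uniform and tools that diff the directory do not flag it.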
diff --git a/metadata/service/server/cis/init.yml b/metadata/service/server/cis/init.yml
new file mode 100644
index 0000000..8c6400e
--- /dev/null
+++ b/metadata/service/server/cis/init.yml
@@ -0,0 +1,14 @@
+classes:
+- service.openssh.server.cis.cis-5-2-2
+- service.openssh.server.cis.cis-5-2-3
+- service.openssh.server.cis.cis-5-2-4
+- service.openssh.server.cis.cis-5-2-5
+- service.openssh.server.cis.cis-5-2-6
+- service.openssh.server.cis.cis-5-2-7
+- service.openssh.server.cis.cis-5-2-8
+- service.openssh.server.cis.cis-5-2-9
+- service.openssh.server.cis.cis-5-2-10
+- service.openssh.server.cis.cis-5-2-11
+- service.openssh.server.cis.cis-5-2-12
+- service.openssh.server.cis.cis-5-2-13
+- service.openssh.server.cis.cis-5-2-15
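Review bot: the commit message lists CIS 5.2.1 (permissions on /etc/ssh/sshd_config) and CIS 5.2.14 (SSH access is limited), but no class file is added for either and neither appears in this list, so the change does not deliver what the message claims. Either add `cis-5-2-1.yml` and `cis-5-2-14.yml` and include them here, or drop the two items from the commit message. Note also that two of the listed classes (`cis-5-2-2` and `cis-5-2-6`) currently use `parameter:` instead of `parameters:` in their files, so including this aggregate class will not apply those two controls until that is fixed.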