openssh CIS compliance

* CIS 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
* CIS 5.2.2 Ensure SSH Protocol is set to 2 (Scored)
* CIS 5.2.3 Ensure SSH LogLevel is set to INFO (Scored)
* CIS 5.2.4 Ensure SSH X11 forwarding is disabled (Scored)
* CIS 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
* CIS 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored)
* CIS 5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored)
* CIS 5.2.8 Ensure SSH root login is disabled (Scored)
* CIS 5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored)
* CIS 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored)
* CIS 5.2.11 Ensure only approved MAC algorithms are used (Scored)
* CIS 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
* CIS 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
* CIS 5.2.14 Ensure SSH access is limited (Scored)
* CIS 5.2.15 Ensure SSH warning banner is configured (Scored)

Change-Id: Ie53dbdfada27bdb08d3571be10e0de95117a1a17
diff --git a/metadata/service/server/cis/cis-5-2-15.yml b/metadata/service/server/cis/cis-5-2-15.yml
new file mode 100644
index 0000000..f5ca67e
--- /dev/null
+++ b/metadata/service/server/cis/cis-5-2-15.yml
@@ -0,0 +1,45 @@
+# 5.2.15 Ensure SSH warning banner is configured (Scored)
+#
+# Profile Applicability
+# ---------------------
+# - Level 1 - Server
+# - Level 1 - Workstation
+#
+# Description
+# -----------
+# The Banner parameter specifies a file whose contents must be sent to the remote user
+# before authentication is permitted. By default, no banner is displayed.
+#
+# Rationale
+# ---------
+# Banners are used to warn connecting users of the particular site's policy regarding
+# connection. Presenting a warning message prior to the normal user login may assist the
+# prosecution of trespassers on the computer system.
+#
+# Audit
+# -----
+# Run the following command and verify that output matches:
+#
+#   # grep "^Banner" /etc/ssh/sshd_config
+#   Banner /etc/issue.net
+#
+# Remediation
+# -----------
+# Edit the /etc/ssh/sshd_config file to set the parameter as follows:
+#
+#  Banner /etc/issue.net
+
+parameters:
+  openssh:
+    server:
+      banner: |
+        =================================== WARNING ====================================
+        You have accessed a computer managed by ${_param:ssh_banner_company_name}.
+        You are required to have authorisation from ${_param:ssh_banner_company_name}
+        before you proceed and you are strictly limited to use set out within that
+        authorisation. Unauthorised access to or misuse of this system is prohibited
+        and constitutes an offence under the Computer Misuse Act 1990.
+        If you disclose any information obtained through this system without authority
+        ${_param:ssh_banner_company_name} may take legal action against you.
+        ================================================================================
+
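Review bot: `${_param:ssh_banner_company_name}` is referenced three times in the `banner` block, but this file neither defines a default for it nor states in the header comment that the consumer must set it; consider adding a `_param` default or a comment documenting the requirement, so that including this class on its own does not leave an unresolved reference. The banner text also hardcodes "the Computer Misuse Act 1990", which is jurisdiction-specific, so a comment telling sites under other legislation to override `openssh:server:banner` would help. Finally, the Audit comment expects `Banner /etc/issue.net` in sshd_config while the parameter here carries only the banner text; it is worth confirming that the path the banner ends up at matches what the audit command greps for.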