rpms/scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c10135e851
scap-security-guide/scap-security-guide-0.1.65-stig_rhel8_ClientAliveCountMax-PR_9784.patch

353 lines
16 KiB
Diff
Raw Blame History

From c4afa942edea4b26498dc223d4965fb722d919ed Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 13:53:14 +0100
Subject: [PATCH 1/7] RHEL8 STIG v1R8 requires ClientAliveCountMax 1
Following update from V1R8, update the STIG profile to configure
ClientAliveCountMax to 1.
This will timeout SSH connections when client alive messages are not
received within ClientAliveInterval seconds.
This serves the purpose of disconnecting sessions when the client has
become unresponsive.
---
.../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 +
.../services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 -
products/rhel8/profiles/stig.profile | 4 ++--
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index bc8ee914565..df0681f3f3a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -55,6 +55,7 @@ references:
pcidss: Req-8.1.8
srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
stigid@ol7: OL07-00-040340
+ stigid@rhel8: RHEL-08-010200
stigid@sle12: SLES-12-030191
stigid@ubuntu2004: UBTU-20-010036
vmmsrg: SRG-OS-000480-VMM-002000
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
index 024cb687382..a02fa8f40db 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
@@ -54,7 +54,6 @@ references:
stigid@ol7: OL07-00-040340
stigid@ol8: OL08-00-010200
stigid@rhel7: RHEL-07-040340
- stigid@rhel8: RHEL-08-010200
stigid@sle12: SLES-12-030191
stigid@sle15: SLES-15-010320
vmmsrg: SRG-OS-000480-VMM-002000
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 96dfbf6b203..d184957f28c 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -50,7 +50,7 @@ selections:
- var_password_pam_lcredit=1
- var_password_pam_retry=3
- var_password_pam_minlen=15
- # - var_sshd_set_keepalive=0
+ - var_sshd_set_keepalive=1
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
@@ -174,7 +174,7 @@ selections:
# they still need to be selected so it follows exactly what STIG
# states.
# RHEL-08-010200
- - sshd_set_keepalive_0
+ - sshd_set_keepalive
# RHEL-08-010201
- sshd_set_idle_timeout
From a9f13cdff06ce7de53420b0ca65b3a8110eae85a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 14:06:42 +0100
Subject: [PATCH 2/7] Change verbiage on keepalive rules
Stop using the 'idle', that implies an idle user; And
start using unresponsive, which better describes the state of network.
---
.../ssh/ssh_server/sshd_set_keepalive/rule.yml | 15 ++++++++-------
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 6 +++---
2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index df0681f3f3a..7a27c134f1e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -7,14 +7,15 @@ description: |-
during a SSH session and waits for a response from the SSH client.
The option <tt>ClientAliveInterval</tt> configures timeout after
each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
- receive a response from the client, then the connection is considered idle
+ receive a response from the client, then the connection is considered unresponsive
and terminated.
For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt>
- causes an idle timeout precisely when the <tt>ClientAliveInterval</tt> is set.
+ causes a timeout precisely when the <tt>ClientAliveInterval</tt> is set.
Starting with v8.2, a value of <tt>0</tt> disables the timeout functionality
completely. If the option is set to a number greater than <tt>0</tt>, then
- the idle session will be disconnected after
- <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
+ the session will be disconnected after
+ <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds without receiving
+ a keep alive message.
rationale: |-
This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
@@ -70,8 +71,8 @@ ocil: |-
<pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
If properly configured, the output should be:
<pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
- For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes an idle timeout precisely when
+ For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes a timeout precisely when
the <tt>ClientAliveInterval</tt> is set. Starting with v8.2, a value of <tt>0</tt> disables the timeout
functionality completely.
- If the option is set to a number greater than <tt>0</tt>, then the idle session will be disconnected after
- <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
+ If the option is set to a number greater than <tt>0</tt>, then the session will be disconnected after
+ <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds witout receiving a keep alive message.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
index a02fa8f40db..55011ab66a7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
@@ -10,10 +10,10 @@ description: |-
during a SSH session and waits for a response from the SSH client.
The option <tt>ClientAliveInterval</tt> configures timeout after
each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
- receive a response from the client, then the connection is considered idle
+ receive a response from the client, then the connection is considered unresponsive
and terminated.
- To ensure the SSH idle timeout occurs precisely when the
+ To ensure the SSH timeout occurs precisely when the
<tt>ClientAliveInterval</tt> is set, set the <tt>ClientAliveCountMax</tt> to
value of <tt>0</tt> in
{{{ sshd_config_file() }}}
@@ -73,7 +73,7 @@ ocil: |-
If properly configured, the output should be:
<pre>ClientAliveCountMax 0</pre>
- In this case, the SSH idle timeout occurs precisely when
+ In this case, the SSH timeout occurs precisely when
the <tt>ClientAliveInterval</tt> is set.
template:
From 587cec666b6379995e38a90bcd0ed86bbf4bd3e3 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 14:27:50 +0100
Subject: [PATCH 3/7] Add tests to check for configuration conflicts
---
.../sshd_set_keepalive/tests/param_conflict.fail.sh | 11 +++++++++++
.../tests/param_conflict_directory.fail.sh | 13 +++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
new file mode 100644
index 00000000000..54441cbb5b6
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
+echo "ClientAliveCountMax 1" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
new file mode 100644
index 00000000000..aa6931cc243
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/good_config.conf
+echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/bad_config.conf
From d07a7f33cc5dd486d5d56ce71b90118366b68091 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 17:09:16 +0100
Subject: [PATCH 4/7] Check all instances of ClientAliveCountMax
The rule was only checking the first occurence of ClientAliveCountMax,
but we need to check that all and any occurrences of
ClientAliveCountMax are compliant.
---
.../services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
index 5e07d982821..404c36c8dbc 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
@@ -49,7 +49,7 @@
<ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{%- if sshd_distributed_config == "true" %}}
<ind:textfilecontent54_test check="all" check_existence="all_exist"
From d15ebb0b563895fbc2ab85c631410ea60bd02d95 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 17:40:26 +0100
Subject: [PATCH 5/7] Add test to check for configuration conflicts
Add test for non distributed ssh config conflicts for
ClientAliveInterval.
---
.../tests/param_conflict.fail.sh | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
new file mode 100644
index 00000000000..1e14aa3da36
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "ClientAliveInterval 6000" >> /etc/ssh/sshd_config
+echo "ClientAliveInterval 200" >> /etc/ssh/sshd_config
+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
From c19d5400bd3ded71aae9175f27361065c962069e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Nov 2022 17:41:19 +0100
Subject: [PATCH 6/7] Change verbiage on idle timeout rule
The config is not really about idle user timeout, the config is about
unresponsive network timeout.
---
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index aa085894f61..c5606aac557 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -1,12 +1,12 @@
documentation_complete: true
-title: 'Set SSH Idle Timeout Interval'
+title: 'Set SSH Client Alive Interval'
description: |-
- SSH allows administrators to set an idle timeout interval. After this interval
- has passed, the idle user will be automatically logged out.
+ SSH allows administrators to set a network responsiveness timeout interval.
+ After this interval has passed, the unresponsive client will be automatically logged out.
<br /><br />
- To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
+ To set this timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
follows:
<pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>
<br/><br/>
@@ -15,7 +15,7 @@ description: |-
<br /><br />
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made in <tt>/etc/ssh/sshd_config</tt>. Keep in mind that
- some processes may stop SSH from correctly detecting that the user is idle.
+ some processes may stop SSH from correctly detecting that the user is idle.
rationale: |-
Terminating an idle ssh session within a short time period reduces the window of
@@ -81,7 +81,7 @@ ocil: |-
warnings:
- dependency: |-
- SSH disconnecting idle clients will not have desired effect without also
+ SSH disconnecting unresponsive clients will not have desired effect without also
configuring ClientAliveCountMax in the SSH service configuration.
- general: |-
Following conditions may prevent the SSH session to time out:
From 86b1a6147582c896e1bb49a0649493eeec37a8d4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 9 Nov 2022 11:31:50 +0100
Subject: [PATCH 7/7] Update profile stability test data
---
tests/data/profile_stability/rhel8/stig.profile | 3 ++-
tests/data/profile_stability/rhel8/stig_gui.profile | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index cadc3f5fc7a..51971451996 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -371,7 +371,7 @@ selections:
- sshd_print_last_log
- sshd_rekey_limit
- sshd_set_idle_timeout
-- sshd_set_keepalive_0
+- sshd_set_keepalive
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification
@@ -441,6 +441,7 @@ selections:
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
- var_password_pam_retry=3
+- var_sshd_set_keepalive=1
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index bde4e18b068..fd150744167 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -381,7 +381,7 @@ selections:
- sshd_print_last_log
- sshd_rekey_limit
- sshd_set_idle_timeout
-- sshd_set_keepalive_0
+- sshd_set_keepalive
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification
@@ -449,6 +449,7 @@ selections:
- var_password_pam_ucredit=1
- var_password_pam_lcredit=1
- var_password_pam_retry=3
+- var_sshd_set_keepalive=1
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
Reference in New Issue View Git Blame Copy Permalink