From c4afa942edea4b26498dc223d4965fb722d919ed Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Tue, 8 Nov 2022 13:53:14 +0100
|
|
Subject: [PATCH 1/7] RHEL8 STIG v1R8 requires ClientAliveCountMax 1
|
|
|
|
Following update from V1R8, update the STIG profile to configure
|
|
ClientAliveCountMax to 1.
|
|
|
|
This will timeout SSH connections when client alive messages are not
|
|
received within ClientAliveInterval seconds.
|
|
This serves the purpose of disconnecting sessions when the client has
|
|
become unresponsive.
|
|
---
|
|
.../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 +
|
|
.../services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 -
|
|
products/rhel8/profiles/stig.profile | 4 ++--
|
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
|
index bc8ee914565..df0681f3f3a 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
|
@@ -55,6 +55,7 @@ references:
|
|
pcidss: Req-8.1.8
|
|
srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
|
|
stigid@ol7: OL07-00-040340
|
|
+ stigid@rhel8: RHEL-08-010200
|
|
stigid@sle12: SLES-12-030191
|
|
stigid@ubuntu2004: UBTU-20-010036
|
|
vmmsrg: SRG-OS-000480-VMM-002000
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
|
index 024cb687382..a02fa8f40db 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
|
@@ -54,7 +54,6 @@ references:
|
|
stigid@ol7: OL07-00-040340
|
|
stigid@ol8: OL08-00-010200
|
|
stigid@rhel7: RHEL-07-040340
|
|
- stigid@rhel8: RHEL-08-010200
|
|
stigid@sle12: SLES-12-030191
|
|
stigid@sle15: SLES-15-010320
|
|
vmmsrg: SRG-OS-000480-VMM-002000
|
|
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
index 96dfbf6b203..d184957f28c 100644
|
|
--- a/products/rhel8/profiles/stig.profile
|
|
+++ b/products/rhel8/profiles/stig.profile
|
|
@@ -50,7 +50,7 @@ selections:
|
|
- var_password_pam_lcredit=1
|
|
- var_password_pam_retry=3
|
|
- var_password_pam_minlen=15
|
|
- # - var_sshd_set_keepalive=0
|
|
+ - var_sshd_set_keepalive=1
|
|
- sshd_approved_macs=stig
|
|
- sshd_approved_ciphers=stig
|
|
- sshd_idle_timeout_value=10_minutes
|
|
@@ -174,7 +174,7 @@ selections:
|
|
# they still need to be selected so it follows exactly what STIG
|
|
# states.
|
|
# RHEL-08-010200
|
|
- - sshd_set_keepalive_0
|
|
+ - sshd_set_keepalive
|
|
# RHEL-08-010201
|
|
- sshd_set_idle_timeout
|
|
|
|
|
|
From a9f13cdff06ce7de53420b0ca65b3a8110eae85a Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Tue, 8 Nov 2022 14:06:42 +0100
|
|
Subject: [PATCH 2/7] Change verbiage on keepalive rules
|
|
|
|
Stop using the word 'idle', which implies an idle user, and
|
|
start using unresponsive, which better describes the state of network.
|
|
---
|
|
.../ssh/ssh_server/sshd_set_keepalive/rule.yml | 15 ++++++++-------
|
|
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 6 +++---
|
|
2 files changed, 11 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
|
index df0681f3f3a..7a27c134f1e 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
|
|
@@ -7,14 +7,15 @@ description: |-
|
|
during a SSH session and waits for a response from the SSH client.
|
|
The option <tt>ClientAliveInterval</tt> configures timeout after
|
|
each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
|
|
- receive a response from the client, then the connection is considered idle
|
|
+ receive a response from the client, then the connection is considered unresponsive
|
|
and terminated.
|
|
For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt>
|
|
- causes an idle timeout precisely when the <tt>ClientAliveInterval</tt> is set.
|
|
+ causes a timeout precisely when the <tt>ClientAliveInterval</tt> is set.
|
|
Starting with v8.2, a value of <tt>0</tt> disables the timeout functionality
|
|
completely. If the option is set to a number greater than <tt>0</tt>, then
|
|
- the idle session will be disconnected after
|
|
- <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
|
|
+ the session will be disconnected after
|
|
+ <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds without receiving
|
|
+ a keep alive message.
|
|
|
|
rationale: |-
|
|
This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
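Review bot: The new closing sentence of the description says "keep alive message", while the first sentences of the same paragraph and sshd_config(5) call it a client alive message; the two terms read as different mechanisms. I would end the sentence with `seconds without receiving a client alive response.` The unchanged context sentence "configures timeout after each ClientAliveCountMax message" also reads as if the two options were swapped, but that predates this commit and could be fixed in a follow-up.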
|
|
@@ -70,8 +71,8 @@ ocil: |-
|
|
<pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
|
|
If properly configured, the output should be:
|
|
<pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
|
|
- For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes an idle timeout precisely when
|
|
+ For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes a timeout precisely when
|
|
the <tt>ClientAliveInterval</tt> is set. Starting with v8.2, a value of <tt>0</tt> disables the timeout
|
|
functionality completely.
|
|
- If the option is set to a number greater than <tt>0</tt>, then the idle session will be disconnected after
|
|
- <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
|
|
+ If the option is set to a number greater than <tt>0</tt>, then the session will be disconnected after
|
|
+ <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds witout receiving a keep alive message.
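Review bot: The added OCIL line has a typo, "witout", which will be visible to anyone reading the generated guide. It should read `<tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds without receiving a client alive response.`, which also aligns the wording with the "client alive" term used earlier in this rule.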
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
|
index a02fa8f40db..55011ab66a7 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
|
@@ -10,10 +10,10 @@ description: |-
|
|
during a SSH session and waits for a response from the SSH client.
|
|
The option <tt>ClientAliveInterval</tt> configures timeout after
|
|
each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
|
|
- receive a response from the client, then the connection is considered idle
|
|
+ receive a response from the client, then the connection is considered unresponsive
|
|
and terminated.
|
|
|
|
- To ensure the SSH idle timeout occurs precisely when the
|
|
+ To ensure the SSH timeout occurs precisely when the
|
|
<tt>ClientAliveInterval</tt> is set, set the <tt>ClientAliveCountMax</tt> to
|
|
value of <tt>0</tt> in
|
|
{{{ sshd_config_file() }}}
|
|
@@ -73,7 +73,7 @@ ocil: |-
|
|
If properly configured, the output should be:
|
|
<pre>ClientAliveCountMax 0</pre>
|
|
|
|
- In this case, the SSH idle timeout occurs precisely when
|
|
+ In this case, the SSH timeout occurs precisely when
|
|
the <tt>ClientAliveInterval</tt> is set.
|
|
|
|
template:
|
|
|
|
From 587cec666b6379995e38a90bcd0ed86bbf4bd3e3 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Tue, 8 Nov 2022 14:27:50 +0100
|
|
Subject: [PATCH 3/7] Add tests to check for configuration conflicts
|
|
|
|
---
|
|
.../sshd_set_keepalive/tests/param_conflict.fail.sh | 11 +++++++++++
|
|
.../tests/param_conflict_directory.fail.sh | 13 +++++++++++++
|
|
2 files changed, 24 insertions(+)
|
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
|
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
|
|
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
|
|
new file mode 100644
|
|
index 00000000000..54441cbb5b6
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
|
|
@@ -0,0 +1,11 @@
|
|
+#!/bin/bash
|
|
+
|
|
+mkdir -p /etc/ssh/sshd_config.d
|
|
+touch /etc/ssh/sshd_config.d/nothing
|
|
+
|
|
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
+fi
|
|
+
|
|
+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
|
|
+echo "ClientAliveCountMax 1" >> /etc/ssh/sshd_config
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
|
|
new file mode 100644
|
|
index 00000000000..aa6931cc243
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
|
|
@@ -0,0 +1,13 @@
|
|
+#!/bin/bash
|
|
+
|
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
|
+
|
|
+mkdir -p /etc/ssh/sshd_config.d
|
|
+touch /etc/ssh/sshd_config.d/nothing
|
|
+
|
|
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
+fi
|
|
+
|
|
+echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/good_config.conf
|
|
+echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/bad_config.conf
|
|
|
|
From d07a7f33cc5dd486d5d56ce71b90118366b68091 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Tue, 8 Nov 2022 17:09:16 +0100
|
|
Subject: [PATCH 4/7] Check all instances of ClientAliveCountMax
|
|
|
|
The rule was only checking the first occurrence of ClientAliveCountMax,
|
|
but we need to check that all and any occurrences of
|
|
ClientAliveCountMax are compliant.
|
|
---
|
|
.../services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
|
|
index 5e07d982821..404c36c8dbc 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
|
|
@@ -49,7 +49,7 @@
|
|
<ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="2">
|
|
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
|
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$</ind:pattern>
|
|
- <ind:instance datatype="int">1</ind:instance>
|
|
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
</ind:textfilecontent54_object>
|
|
{{%- if sshd_distributed_config == "true" %}}
|
|
<ind:textfilecontent54_test check="all" check_existence="all_exist"
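Review bot: Matching every occurrence in the object only enforces "all occurrences compliant" if the `<ind:textfilecontent54_test>` that references `obj_sshd_clientalivecountmax` uses `check="all"`; that test is above this hunk, so please confirm, because with `check="at least one"` a single compliant line would still pass. The distributed-config object under the `sshd_distributed_config` branch begins right after this hunk and is not visible here; if it still pins `<ind:instance datatype="int">1</ind:instance>`, the new param_conflict_directory.fail.sh scenario would not be caught. A one-line comment on the instance element, e.g. `<!-- every occurrence must be compliant, not just the first -->`, would record the intent.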
|
|
|
|
From d15ebb0b563895fbc2ab85c631410ea60bd02d95 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Tue, 8 Nov 2022 17:40:26 +0100
|
|
Subject: [PATCH 5/7] Add test to check for configuration conflicts
|
|
|
|
Add test for non distributed ssh config conflicts for
|
|
ClientAliveInterval.
|
|
---
|
|
.../tests/param_conflict.fail.sh | 15 +++++++++++++++
|
|
1 file changed, 15 insertions(+)
|
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
|
|
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
|
|
new file mode 100644
|
|
index 00000000000..1e14aa3da36
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
|
|
@@ -0,0 +1,15 @@
|
|
+#!/bin/bash
|
|
+
|
|
+mkdir -p /etc/ssh/sshd_config.d
|
|
+touch /etc/ssh/sshd_config.d/nothing
|
|
+
|
|
+if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
+ sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
+fi
|
|
+if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
+ sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
+fi
|
|
+
|
|
+echo "ClientAliveInterval 6000" >> /etc/ssh/sshd_config
|
|
+echo "ClientAliveInterval 200" >> /etc/ssh/sshd_config
|
|
+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
|
|
|
|
From c19d5400bd3ded71aae9175f27361065c962069e Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Tue, 8 Nov 2022 17:41:19 +0100
|
|
Subject: [PATCH 6/7] Change verbiage on idle timeout rule
|
|
|
|
The config is not really about idle user timeout, the config is about
|
|
unresponsive network timeout.
|
|
---
|
|
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 12 ++++++------
|
|
1 file changed, 6 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
|
index aa085894f61..c5606aac557 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
|
@@ -1,12 +1,12 @@
|
|
documentation_complete: true
|
|
|
|
-title: 'Set SSH Idle Timeout Interval'
|
|
+title: 'Set SSH Client Alive Interval'
|
|
|
|
description: |-
|
|
- SSH allows administrators to set an idle timeout interval. After this interval
|
|
- has passed, the idle user will be automatically logged out.
|
|
+ SSH allows administrators to set a network responsiveness timeout interval.
|
|
+ After this interval has passed, the unresponsive client will be automatically logged out.
|
|
<br /><br />
|
|
- To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
|
|
+ To set this timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
|
|
follows:
|
|
<pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>
|
|
<br/><br/>
|
|
@@ -15,7 +15,7 @@ description: |-
|
|
<br /><br />
|
|
If a shorter timeout has already been set for the login shell, that value will
|
|
preempt any SSH setting made in <tt>/etc/ssh/sshd_config</tt>. Keep in mind that
|
|
- some processes may stop SSH from correctly detecting that the user is idle.
|
|
+ some processes may stop SSH from correctly detecting that the user is idle.
|
|
|
|
rationale: |-
|
|
Terminating an idle ssh session within a short time period reduces the window of
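Review bot: The replaced line still says "detecting that the user is idle" and appears identical to the removed one (presumably a whitespace-only change), which contradicts the new "network responsiveness" framing introduced two hunks above; the unchanged rationale context line also still speaks of terminating an idle session. I would reword the line to `some processes may stop SSH from correctly detecting that the client is unresponsive.` and revisit the rationale in the same spirit. Note that the rule id and `sshd_idle_timeout_value` keep the old name, which is fine for compatibility but worth a comment so readers are not confused by the mixed vocabulary.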
|
|
@@ -81,7 +81,7 @@ ocil: |-
|
|
|
|
warnings:
|
|
- dependency: |-
|
|
- SSH disconnecting idle clients will not have desired effect without also
|
|
+ SSH disconnecting unresponsive clients will not have desired effect without also
|
|
configuring ClientAliveCountMax in the SSH service configuration.
|
|
- general: |-
|
|
Following conditions may prevent the SSH session to time out:
|
|
|
|
From 86b1a6147582c896e1bb49a0649493eeec37a8d4 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Wed, 9 Nov 2022 11:31:50 +0100
|
|
Subject: [PATCH 7/7] Update profile stability test data
|
|
|
|
---
|
|
tests/data/profile_stability/rhel8/stig.profile | 3 ++-
|
|
tests/data/profile_stability/rhel8/stig_gui.profile | 3 ++-
|
|
2 files changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
index cadc3f5fc7a..51971451996 100644
|
|
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
@@ -371,7 +371,7 @@ selections:
|
|
- sshd_print_last_log
|
|
- sshd_rekey_limit
|
|
- sshd_set_idle_timeout
|
|
-- sshd_set_keepalive_0
|
|
+- sshd_set_keepalive
|
|
- sshd_use_strong_rng
|
|
- sshd_x11_use_localhost
|
|
- sssd_certificate_verification
|
|
@@ -441,6 +441,7 @@ selections:
|
|
- var_password_pam_ucredit=1
|
|
- var_password_pam_lcredit=1
|
|
- var_password_pam_retry=3
|
|
+- var_sshd_set_keepalive=1
|
|
- sshd_approved_macs=stig
|
|
- sshd_approved_ciphers=stig
|
|
- sshd_idle_timeout_value=10_minutes
|
|
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
index bde4e18b068..fd150744167 100644
|
|
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
@@ -381,7 +381,7 @@ selections:
|
|
- sshd_print_last_log
|
|
- sshd_rekey_limit
|
|
- sshd_set_idle_timeout
|
|
-- sshd_set_keepalive_0
|
|
+- sshd_set_keepalive
|
|
- sshd_use_strong_rng
|
|
- sshd_x11_use_localhost
|
|
- sssd_certificate_verification
|
|
@@ -449,6 +449,7 @@ selections:
|
|
- var_password_pam_ucredit=1
|
|
- var_password_pam_lcredit=1
|
|
- var_password_pam_retry=3
|
|
+- var_sshd_set_keepalive=1
|
|
- sshd_approved_macs=stig
|
|
- sshd_approved_ciphers=stig
|
|
- sshd_idle_timeout_value=10_minutes
|