From dcefd47e94095cbb39059f5d0ec9ef42593ae595 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Wed, 15 Apr 2020 17:15:39 +0200

Subject: [PATCH] Add ansible and bash remediation for rule

 sshd_set_max_auth_tries.

---

 .../ssh_server/sshd_set_max_auth_tries/ansible/shared.yml | 8 ++++++++

 .../ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh | 8 ++++++++

 .../ssh/ssh_server/sshd_set_max_auth_tries/rule.yml       | 4 ++--

 .../sshd_set_max_auth_tries/tests/comment.fail.sh         | 8 ++++++++

 .../sshd_set_max_auth_tries/tests/correct_value.pass.sh   | 8 ++++++++

 .../tests/correct_value_less_than.pass.sh                 | 8 ++++++++

 .../sshd_set_max_auth_tries/tests/line_not_there.fail.sh  | 3 +++

 .../sshd_set_max_auth_tries/tests/wrong_value.fail.sh     | 8 ++++++++

 rhel7/profiles/cis.profile                                | 1 +

 9 files changed, 54 insertions(+), 2 deletions(-)

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml

new file mode 100644

index 0000000000..28f3ef0cd2

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml

@@ -0,0 +1,8 @@

+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+- (xccdf-var sshd_max_auth_tries_value)

+

+{{{ ansible_sshd_set(parameter="MaxAuthTries", value="{{ sshd_max_auth_tries_value }}") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh

new file mode 100644

index 0000000000..eebe07158c

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh

@@ -0,0 +1,8 @@

+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle

+

+# Include source function library.

+. /usr/share/scap-security-guide/remediation_functions

+

+populate sshd_max_auth_tries_value

+

+{{{ bash_sshd_config_set(parameter="MaxAuthTries", value="$sshd_max_auth_tries_value") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml

index 7b5750ee0d..437c4dd8c7 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml

@@ -6,7 +6,7 @@ description: |-

     The <tt>MaxAuthTries</tt> parameter specifies the maximum number of authentication attempts

     permitted per connection. Once the number of failures reaches half this value, additional failures are logged.

     to set MaxAUthTries edit <tt>/etc/ssh/sshd_config</tt> as follows:

-    
MaxAuthTries tries

+    
MaxAuthTries <sub idref="sshd_max_auth_tries_value"/>

 rationale: |-

     Setting the MaxAuthTries parameter to a low number will minimize the risk of successful

@@ -30,4 +30,4 @@ ocil: |-

     To ensure the <tt>MaxAuthTries</tt> parameter is set, run the following command:

     
$ sudo grep MaxAuthTries /etc/ssh/sshd_config

     If properly configured, output should be:

-    
MaxAuthTries tries

+    
MaxAuthTries <sub idref="sshd_max_auth_tries_value"/>

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh

new file mode 100644

index 0000000000..caf18a73c6

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh

@@ -0,0 +1,8 @@

+#!/bin/bash

+SSHD_CONFIG="/etc/ssh/sshd_config"

+

+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then

+	sed -i "s/^MaxAuthTries.*/# MaxAuthTries 4/" $SSHD_CONFIG

+else

+	echo "# MaxAuthTries 4" >> $SSHD_CONFIG

+fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh

new file mode 100644

index 0000000000..32233d3a82

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh

@@ -0,0 +1,8 @@

+#!/bin/bash

+SSHD_CONFIG="/etc/ssh/sshd_config"

+

+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then

+	sed -i "s/^MaxAuthTries.*/MaxAuthTries 4/" $SSHD_CONFIG

+else

+	echo "MaxAuthTries 4" >> $SSHD_CONFIG

+fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh

new file mode 100644

index 0000000000..e98176320d

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh

@@ -0,0 +1,8 @@

+#!/bin/bash

+SSHD_CONFIG="/etc/ssh/sshd_config"

+

+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then

+	sed -i "s/^MaxAuthTries.*/MaxAuthTries 2/" $SSHD_CONFIG

+else

+	echo "MaxAuthTries 2" >> $SSHD_CONFIG

+fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh

new file mode 100644

index 0000000000..f038aa9be0

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh

@@ -0,0 +1,3 @@

+#!/bin/bash

+

+sed -i "/^MaxAuthTries.*/d" /etc/ssh/sshd_config

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh

new file mode 100644

index 0000000000..79940bded3

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh

@@ -0,0 +1,8 @@

+#!/bin/bash

+SSHD_CONFIG="/etc/ssh/sshd_config"

+

+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then

+	sed -i "s/^MaxAuthTries.*/MaxAuthTries 50/" $SSHD_CONFIG

+else

+	echo "MaxAuthTries 50" >> $SSHD_CONFIG

+fi

diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile

index 2e68e73f34..886e9a963a 100644

--- a/rhel7/profiles/cis.profile

+++ b/rhel7/profiles/cis.profile

@@ -581,6 +581,7 @@ selections:

     - sshd_disable_x11_forwarding

     ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored)

+    - sshd_max_auth_tries_value=4

     - sshd_set_max_auth_tries

     ### 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored)