From dcefd47e94095cbb39059f5d0ec9ef42593ae595 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Wed, 15 Apr 2020 17:15:39 +0200
Subject: [PATCH] Add ansible and bash remediation for rule sshd_set_max_auth_tries.
---
 .../ssh_server/sshd_set_max_auth_tries/ansible/shared.yml | 8 ++++++++
 .../ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh | 8 ++++++++
 .../ssh/ssh_server/sshd_set_max_auth_tries/rule.yml | 4 ++--
 .../sshd_set_max_auth_tries/tests/comment.fail.sh | 8 ++++++++
 .../sshd_set_max_auth_tries/tests/correct_value.pass.sh | 8 ++++++++
 .../tests/correct_value_less_than.pass.sh | 8 ++++++++
 .../sshd_set_max_auth_tries/tests/line_not_there.fail.sh | 3 +++
 .../sshd_set_max_auth_tries/tests/wrong_value.fail.sh | 8 ++++++++
 rhel7/profiles/cis.profile | 1 +
 9 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml
new file mode 100644
index 0000000000..28f3ef0cd2
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- (xccdf-var sshd_max_auth_tries_value)
+
+{{{ ansible_sshd_set(parameter="MaxAuthTries", value="{{ sshd_max_auth_tries_value }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
new file mode 100644
index 0000000000..eebe07158c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+populate sshd_max_auth_tries_value
+
+{{{ bash_sshd_config_set(parameter="MaxAuthTries", value="$sshd_max_auth_tries_value") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
index 7b5750ee0d..437c4dd8c7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
@@ -6,7 +6,7 @@ description: |- The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. to set MaxAUthTries edit /etc/ssh/sshd_config as follows: -
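Review bot: The platform list on the first line of the Ansible remediation omits multi_platform_wrlinux and multi_platform_sle, while the bash remediation in the next hunk of this patch lists both, so the same rule would be remediable by one mechanism but not the other on those products. If that is deliberate (no Ansible coverage for those platforms) a short comment on the line would save the next reader the comparison; otherwise the two lists should agree, e.g. `# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle`. Separately, neither remediation checks that the value of sshd_max_auth_tries_value is a positive integer before it is written into sshd_config; I cannot see the variable definition from this patch, but if tailoring can supply a non-numeric value, sshd would presumably refuse to reload its configuration, which is worth a sentence in the rule's warnings.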
MaxAuthTries tries
+
MaxAuthTries 
rationale: |- Setting the MaxAuthTries parameter to a low number will minimize the risk of successful @@ -30,4 +30,4 @@ ocil: |- To ensure the MaxAuthTries parameter is set, run the following command:
$ sudo grep MaxAuthTries /etc/ssh/sshd_config
If properly configured, output should be: -
MaxAuthTries tries
+
MaxAuthTries 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh
new file mode 100644
index 0000000000..caf18a73c6
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then
+ sed -i "s/^MaxAuthTries.*/# MaxAuthTries 4/" $SSHD_CONFIG
+else
+ echo "# MaxAuthTries 4" >> $SSHD_CONFIG
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..32233d3a82
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then
+ sed -i "s/^MaxAuthTries.*/MaxAuthTries 4/" $SSHD_CONFIG
+else
+ echo "MaxAuthTries 4" >> $SSHD_CONFIG
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh
new file mode 100644
index 0000000000..e98176320d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_less_than.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then
+ sed -i "s/^MaxAuthTries.*/MaxAuthTries 2/" $SSHD_CONFIG
+else
+ echo "MaxAuthTries 2" >> $SSHD_CONFIG
+fi
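Review bot: `$SSHD_CONFIG` is expanded unquoted on the grep, sed and echo lines of comment.fail.sh, and the same three lines repeat in correct_value.pass.sh, correct_value_less_than.pass.sh and wrong_value.fail.sh. The value is a fixed path without spaces, so nothing breaks today, but ShellCheck reports it (SC2086) and a quoted form costs nothing: `if grep -q "^MaxAuthTries" "$SSHD_CONFIG"; then`, `sed -i "s/^MaxAuthTries.*/# MaxAuthTries 4/" "$SSHD_CONFIG"` and `echo "# MaxAuthTries 4" >> "$SSHD_CONFIG"`. Applying the same quoting in the other three scripts keeps the scenarios consistent.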
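Review bot: The else branch of correct_value.pass.sh appends `MaxAuthTries 4` to the end of sshd_config, which places the directive inside the last `Match` block if the base image's config has one, so sshd would apply it only to connections that block matches; correct_value_less_than.pass.sh and wrong_value.fail.sh append the same way. The grep two lines above also only matches the keyword at column 0, so an indented or differently-cased existing directive (sshd keywords are case-insensitive) would stay in place ahead of the appended line, and sshd honours the first occurrence it reads. For a scenario that is meant to establish the effective value, inserting at the top of the file is more robust than appending, e.g. `sed -i '1i MaxAuthTries 4' "$SSHD_CONFIG"` in place of the echo, or deleting any existing occurrence before the append. Whether the test images ship a Match block or an indented directive I cannot tell from this patch, so this may only be a latent fragility today.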
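Review bot: correct_value_less_than.pass.sh writes `MaxAuthTries 2` and expects a pass, which only holds relative to whatever value of sshd_max_auth_tries_value is in effect when the check runs; the script does not pin that value, and the only selection in this patch (`sshd_max_auth_tries_value=4`) lives in the rhel7 CIS profile, not in the scenario. The same dependency applies to correct_value.pass.sh (4) and wrong_value.fail.sh (50), and I cannot see the variable's default from this patch, so if it differs from 4 the pass/fail expectations may not hold. A `# variables = sshd_max_auth_tries_value=4` metadata line at the top of each scenario would make the expectation explicit and independent of the profile.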
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh
new file mode 100644
index 0000000000..f038aa9be0
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i "/^MaxAuthTries.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..79940bded3
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then
+ sed -i "s/^MaxAuthTries.*/MaxAuthTries 50/" $SSHD_CONFIG
+else
+ echo "MaxAuthTries 50" >> $SSHD_CONFIG
+fi
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 2e68e73f34..886e9a963a 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -581,6 +581,7 @@ selections: - sshd_disable_x11_forwarding ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) + - sshd_max_auth_tries_value=4 - sshd_set_max_auth_tries ### 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored)