From 4b33c56a87a3fdce778dd1deedb6e226a522cfed Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alex.scheel@canonical.com>
Date: Tue, 27 Apr 2021 11:22:48 -0400
Subject: [PATCH 1/4] Add sshd_enable_pam for CIS 5.2.19
Signed-off-by: Alexander Scheel <alex.scheel@canonical.com>
---
.../ssh/ssh_server/sshd_enable_pam/rule.yml | 40 +++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
new file mode 100644
index 00000000000..8fed6ca14bf
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+title: 'Enable PAM'
+
+description: |-
+ UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
+ enable PAM authentication using ChallengeResponseAuthentication and
+ PasswordAuthentication in addition to PAM account and session module processing for all
+ authentication types.
+
+ To enable PAM authentication, add or correct the following line in the
+ <tt>/etc/ssh/sshd_config</tt> file:
+ UsePAM yes
+
+rationale: |-
+ When UsePAM is set to yes, PAM runs through account and session types properly. This is
+ important if you want to restrict access to services based off of IP, time or other factors of
+ the account. Additionally, you can make sure users inherit certain environment variables
+ on login or disallow access to the server.
+
+references:
+ cis@ubuntu2004: 5.2.19
+
+severity: medium
+
+ocil_clause: 'it is commented out or is not enabled'
+
+ocil: |-
+ To check if UsePAM is enabled or set correctly, run the following
+ command:
+ $ sudo grep UsePAM /etc/ssh/sshd_config
+ If configured properly, output should be yes
+
+template:
+ name: sshd_lineinfile
+ vars:
+ missing_parameter_pass: 'false'
+ parameter: UsePAM
+ rule_id: sshd_enable_pam
+ value: 'yes'
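Review bot: The OCIL check `$ sudo grep UsePAM /etc/ssh/sshd_config` also matches a commented-out `#UsePAM yes` line and a `UsePAM no` line, so the manual check reads as passing in exactly the configurations the rule's own ocil_clause says must fail, and "output should be yes" is imprecise because grep prints the whole line rather than a value. Anchor the pattern and state the expected line: `$ sudo grep -Ei '^\s*UsePAM' /etc/ssh/sshd_config` followed by `If configured properly, output should be UsePAM yes`. The check only reads /etc/ssh/sshd_config, while sshd's Include directive can pull the setting from other files, so a sentence in the description noting that `sshd -T | grep -i usepam` reports the effective value would help auditors where the installed sshd supports it. `missing_parameter_pass: 'false'` looks right, since an absent directive falls back to sshd's built-in default rather than being treated as enabled. The curly quotes around “yes” on the description's first line should be plain quotes to match the rest of the rule text.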
From 278709a62300afe172b2e8733ef7060aa9e9c372 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Wed, 11 Aug 2021 17:10:30 +0200
Subject: [PATCH 2/4] Add tests to sshd_enable_pam
---
.../ssh/ssh_server/sshd_enable_pam/tests/commented.fail.sh | 3 +++
.../ssh/ssh_server/sshd_enable_pam/tests/correct.pass.sh | 3 +++
.../ssh/ssh_server/sshd_enable_pam/tests/disabled.fail.sh | 3 +++
.../ssh/ssh_server/sshd_enable_pam/tests/nothing.fail.sh | 3 +++
.../ssh/ssh_server/sshd_enable_pam/tests/substring.fail.sh | 3 +++
5 files changed, 15 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/commented.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/correct.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/disabled.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/nothing.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/substring.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/commented.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/commented.fail.sh
new file mode 100644
index 00000000000..1adcabb8f42
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/commented.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo '#UsePAM yes' > /etc/ssh/sshd_config
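Review bot: None of the five scenarios (this file plus correct.pass.sh, disabled.fail.sh, nothing.fail.sh and substring.fail.sh) covers a config where the directive appears more than once, yet sshd_config(5) uses the first value obtained for each keyword, so a file holding `UsePAM no` followed by `UsePAM yes` is effectively disabled; a duplicate.fail.sh with `printf 'UsePAM no\nUsePAM yes\n' > /etc/ssh/sshd_config` would pin that, since whether the sshd_lineinfile template honours first-match semantics is not visible from this series. sshd keyword matching is case-insensitive and tolerates leading whitespace, so pass scenarios with `usepam yes` and `  UsePAM yes` would document what the template is expected to accept. Each script also carries no explanation of what it checks; a one-line header per file, such as `# Directive present but commented out: the rule must fail` here, would make the intent clear.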
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/correct.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/correct.pass.sh
new file mode 100644
index 00000000000..0ada91f1e60
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo 'UsePAM yes' > /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/disabled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/disabled.fail.sh
new file mode 100644
index 00000000000..2115bc428b9
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/disabled.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo 'UsePAM no' > /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/nothing.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/nothing.fail.sh
new file mode 100644
index 00000000000..d24871ccdf1
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/nothing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo > /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/substring.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/substring.fail.sh
new file mode 100644
index 00000000000..ab36134d639
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/substring.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo 'UUsePAMM yes' > /etc/ssh/sshd_config
From 055ebf0108065d9d80e837e37d588301c51ec484 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Tue, 21 Sep 2021 15:55:48 +0200
Subject: [PATCH 3/4] Add stigid, disa and srg to sshd_enable_pam
---
.../guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
index 8fed6ca14bf..fe02c963e58 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
references:
cis@ubuntu2004: 5.2.19
+ disa: CCI-000877
+ srg: SRG-OS-000125-GPOS-00065
+ stigid@ubuntu2004: UBTU-20-010035
severity: medium
From 57c22643bb2c6825f60a9c637a66ccfbd6acdbb4 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Tue, 21 Sep 2021 15:56:18 +0200
Subject: [PATCH 4/4] Add sshd_enable_pam to ubuntu2004 stig profile
---
products/ubuntu2004/profiles/stig.profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
index 0515fe6f22a..2dc3c0d11a9 100644
--- a/products/ubuntu2004/profiles/stig.profile
+++ b/products/ubuntu2004/profiles/stig.profile
@@ -58,6 +58,7 @@ selections:
- smartcard_pam_enabled
# UBTU-20-010035 The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.
+ - sshd_enable_pam
# UBTU-20-010036 The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity.
- sshd_set_keepalive