From 4b33c56a87a3fdce778dd1deedb6e226a522cfed Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alex.scheel@canonical.com>
Date: Tue, 27 Apr 2021 11:22:48 -0400
Subject: [PATCH 1/4] Add sshd_enable_pam for CIS 5.2.19

Signed-off-by: Alexander Scheel <alex.scheel@canonical.com>
---
 .../ssh/ssh_server/sshd_enable_pam/rule.yml   | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
new file mode 100644
index 00000000000..8fed6ca14bf
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+title: 'Enable PAM'
+
+description: |-
+    UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
+    enable PAM authentication using ChallengeResponseAuthentication and
+    PasswordAuthentication in addition to PAM account and session module processing for all
+    authentication types.
+
+    To enable PAM authentication, add or correct the following line in the
+    <tt>/etc/ssh/sshd_config</tt> file:
+    <pre>UsePAM yes</pre>
+
+rationale: |-
+    When UsePAM is set to yes, PAM runs through account and session types properly. This is
+    important if you want to restrict access to services based off of IP, time or other factors of
+    the account. Additionally, you can make sure users inherit certain environment variables
+    on login or disallow access to the server.
+
+references:
+    cis@ubuntu2004: 5.2.19
+
+severity: medium
+
+ocil_clause: 'it is commented out or is not enabled'
+
+ocil: |-
+    To check if UsePAM is enabled or set correctly, run the following
+    command:
+    <pre>$ sudo grep UsePAM /etc/ssh/sshd_config</pre>
+    If configured properly, output should be <pre>yes</pre>
+
+template:
+    name: sshd_lineinfile
+    vars:
+        missing_parameter_pass: 'false'
+        parameter: UsePAM
+        rule_id: sshd_enable_pam
+        value: 'yes'
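Review bot: The manual check in the ocil block (`$ sudo grep UsePAM /etc/ssh/sshd_config`) also matches a commented-out `#UsePAM yes` line, which is exactly the input commented.fail.sh in the following patch expects the automated check to reject, and its output is the whole directive line rather than the bare `yes` the text promises, so an assessor following the OCIL will not see what the rule says they should. Anchoring the pattern and quoting the full expected line keeps the manual check in step with the template: `<pre>$ sudo grep -i '^\s*UsePAM' /etc/ssh/sshd_config</pre>` and `If configured properly, output should be <pre>UsePAM yes</pre>`. Since sshd reads keywords case-insensitively, `-i` also stops the manual check from overlooking a `usepam yes` line; `sshd -T | grep -i usepam` would additionally report the effective value after any Include'd drop-ins, if the project is comfortable relying on it in OCIL text. As a point of style, the description uses typographic quotes around “yes” while the rest of the rule uses plain ASCII quoting.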

From 278709a62300afe172b2e8733ef7060aa9e9c372 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Wed, 11 Aug 2021 17:10:30 +0200
Subject: [PATCH 2/4] Add tests to sshd_enable_pam

---
 .../ssh/ssh_server/sshd_enable_pam/tests/commented.fail.sh     | 3 +++
 .../ssh/ssh_server/sshd_enable_pam/tests/correct.pass.sh       | 3 +++
 .../ssh/ssh_server/sshd_enable_pam/tests/disabled.fail.sh      | 3 +++
 .../ssh/ssh_server/sshd_enable_pam/tests/nothing.fail.sh       | 3 +++
 .../ssh/ssh_server/sshd_enable_pam/tests/substring.fail.sh     | 3 +++
 5 files changed, 15 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/commented.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/correct.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/disabled.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/nothing.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/substring.fail.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/commented.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/commented.fail.sh
new file mode 100644
index 00000000000..1adcabb8f42
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/commented.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo '#UsePAM yes' > /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/correct.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/correct.pass.sh
new file mode 100644
index 00000000000..0ada91f1e60
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo 'UsePAM yes' > /etc/ssh/sshd_config
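Review bot: The fixtures cover the commented, disabled, missing and substring cases, but none exercises the keyword in a different case or a file that sets the directive twice, and since sshd treats keywords case-insensitively and honours the first occurrence of a directive, whether the sshd_lineinfile template agrees with sshd on those inputs is not pinned by this set. Whether the template matches case-insensitively is not visible in this patch; if it does, a `lowercase.pass.sh` containing `echo 'usepam yes' > /etc/ssh/sshd_config` would lock that in, and if it does not, the same script as a `.fail.sh` at least documents the limitation. Each script also replaces the whole of /etc/ssh/sshd_config, which is consistent with the other fixtures here but means a value overridden from an Include'd drop-in is presumably not covered by this rule's tests.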
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/disabled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/disabled.fail.sh
new file mode 100644
index 00000000000..2115bc428b9
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/disabled.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo 'UsePAM no' > /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/nothing.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/nothing.fail.sh
new file mode 100644
index 00000000000..d24871ccdf1
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/nothing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo > /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/substring.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/substring.fail.sh
new file mode 100644
index 00000000000..ab36134d639
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/tests/substring.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo 'UUsePAMM yes' > /etc/ssh/sshd_config

From 055ebf0108065d9d80e837e37d588301c51ec484 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Tue, 21 Sep 2021 15:55:48 +0200
Subject: [PATCH 3/4] Add stigid, disa and srg to sshd_enable_pam

---
 .../guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
index 8fed6ca14bf..fe02c963e58 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
 
 references:
     cis@ubuntu2004: 5.2.19
+    disa: CCI-000877
+    srg: SRG-OS-000125-GPOS-00065
+    stigid@ubuntu2004: UBTU-20-010035
 
 severity: medium
 

From 57c22643bb2c6825f60a9c637a66ccfbd6acdbb4 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Tue, 21 Sep 2021 15:56:18 +0200
Subject: [PATCH 4/4] Add sshd_enable_pam to ubuntu2004 stig profile

---
 products/ubuntu2004/profiles/stig.profile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile
index 0515fe6f22a..2dc3c0d11a9 100644
--- a/products/ubuntu2004/profiles/stig.profile
+++ b/products/ubuntu2004/profiles/stig.profile
@@ -58,6 +58,7 @@ selections:
     - smartcard_pam_enabled
 
     # UBTU-20-010035 The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.
+    - sshd_enable_pam
 
     # UBTU-20-010036 The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity.
     - sshd_set_keepalive