Merge pull request ComplianceAsCode#6434 from Caligatio/revert-ssh-ke…

…epalive Revert hardcoding of ClientAliveCountMax to 0
alanmcanonical · Mar 8, 2021 · d191108 · d191108
2 parents 9aa34dc + e6f0820
commit d191108
Show file tree

Hide file tree

Showing 58 changed files with 284 additions and 65 deletions.
diff --git a/debian10/profiles/anssi_np_nt28_average.profile b/debian10/profiles/anssi_np_nt28_average.profile
@@ -20,7 +20,8 @@ selections:
     - sshd_disable_root_login
     - sshd_disable_empty_passwords
     - sshd_allow_only_protocol2
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - file_owner_logfiles_value=adm
     - rsyslog_files_ownership
     - file_groupowner_logfiles_value=adm

diff --git a/debian10/profiles/standard.profile b/debian10/profiles/standard.profile
@@ -31,7 +31,8 @@ selections:
     - sshd_disable_root_login
     - sshd_disable_empty_passwords
     - sshd_allow_only_protocol2
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - file_owner_logfiles_value=adm
     - rsyslog_files_ownership
     - file_groupowner_logfiles_value=adm

diff --git a/debian9/profiles/anssi_np_nt28_average.profile b/debian9/profiles/anssi_np_nt28_average.profile
@@ -20,7 +20,8 @@ selections:
     - sshd_disable_root_login
     - sshd_disable_empty_passwords
     - sshd_allow_only_protocol2
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - file_owner_logfiles_value=adm
     - rsyslog_files_ownership
     - file_groupowner_logfiles_value=adm

diff --git a/debian9/profiles/standard.profile b/debian9/profiles/standard.profile
@@ -31,7 +31,8 @@ selections:
     - sshd_disable_root_login
     - sshd_disable_empty_passwords
     - sshd_allow_only_protocol2
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - file_owner_logfiles_value=adm
     - rsyslog_files_ownership
     - file_groupowner_logfiles_value=adm

diff --git a/example/profiles/example.profile b/example/profiles/example.profile
@@ -24,4 +24,5 @@ selections:
     - sshd_disable_empty_passwords
     - sshd_idle_timeout_value=5_minutes
     - sshd_set_idle_timeout
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
diff --git a/fedora/profiles/pci-dss.profile b/fedora/profiles/pci-dss.profile
@@ -100,6 +100,7 @@ selections:
     - dconf_gnome_screensaver_lock_enabled
     - dconf_gnome_screensaver_mode_blank
     - sshd_set_idle_timeout
+    - var_sshd_set_keepalive=1
     - sshd_set_keepalive
     - accounts_password_pam_minlen
     - accounts_password_pam_dcredit

diff --git a/fedora/profiles/standard.profile b/fedora/profiles/standard.profile
@@ -85,6 +85,7 @@ selections:
     - sshd_disable_empty_passwords
     - sshd_idle_timeout_value=5_minutes
     - sshd_set_idle_timeout
+    - var_sshd_set_keepalive=1
     - sshd_set_keepalive
     - configure_ssh_crypto_policy
     - configure_libreswan_crypto_policy

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_sshd_set_keepalive") }}}
+
+{{{ ansible_sshd_set(parameter="ClientAliveCountMax", value="{{ var_sshd_set_keepalive }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_sshd_set_keepalive") }}}
+
+{{{ bash_sshd_config_set(parameter="ClientAliveCountMax", value="$var_sshd_set_keepalive") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
@@ -0,0 +1,52 @@
+<def-group>
+  <definition class="compliance" id="sshd_set_keepalive" version="1">
+    {{{ oval_metadata("The SSH ClientAliveCountMax should be set to an appropriate
+      value (and dependencies are met)") }}}
+    <criteria comment="SSH is configured correctly or is not installed"
+    operator="OR">
+      <criteria comment="sshd is not installed" operator="AND">
+        <extend_definition comment="sshd is not required or requirement is unset"
+        definition_ref="sshd_not_required_or_unset" />
+        {{% if product in ['opensuse', 'sle12'] %}}
+        <extend_definition comment="rpm package openssh removed"
+        definition_ref="package_openssh_removed" />
+        {{% else %}}
+        <extend_definition comment="rpm package openssh-server removed"
+        definition_ref="package_openssh-server_removed" />
+        {{% endif %}}
+      </criteria>
+      <criteria comment="sshd is installed and configured" operator="AND">
+        <extend_definition comment="sshd is required or requirement is unset"
+        definition_ref="sshd_required_or_unset" />
+        {{% if product in ['opensuse', 'sle12'] %}}
+        <extend_definition comment="rpm package openssh installed"
+        definition_ref="package_openssh_installed" />
+        {{% else %}}
+        <extend_definition comment="rpm package openssh-server installed"
+        definition_ref="package_openssh-server_installed" />
+        {{% endif %}}
+        <criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config"
+        test_ref="test_sshd_clientalivecountmax" />
+      </criteria>
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file"
+  id="test_sshd_clientalivecountmax" version="1">
+    <ind:object object_ref="obj_sshd_clientalivecountmax" />
+    <ind:state state_ref="state_sshd_clientalivecountmax" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_state id="state_sshd_clientalivecountmax" version="1">
+    <ind:subexpression datatype="int" operation="less than or equal" var_check="all"
+    var_ref="var_sshd_set_keepalive" />
+  </ind:textfilecontent54_state>
+  <ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="2">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <external_variable comment="ClientAliveCountMax value" datatype="int"
+  id="var_sshd_set_keepalive" version="1" />
+
+</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -9,10 +9,12 @@ description: |-
     each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
     receive a response from the client, then the connection is considered idle
     and terminated.
-
-    To ensure the SSH idle timeout occurs precisely when the
-    <tt>ClientAliveInterval</tt> is set, set the <tt>ClientAliveCountMax</tt> to
-    value of <tt>0</tt>.
+    For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt>
+    causes an idle timeout precisely when the <tt>ClientAliveInterval</tt> is set.
+    Starting with v8.2, a value of <tt>0</tt> disables the timeout functionality
+    completely. If the option is set to a number greater than <tt>0</tt>, then
+    the idle session will be disconnected after
+    <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
 
 rationale: |-
     This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
@@ -58,15 +60,9 @@ ocil: |-
     To ensure <tt>ClientAliveInterval</tt> is set correctly, run the following command:
     <pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
     If properly configured, the output should be:
-    <pre>ClientAliveCountMax 0</pre>
-
-    In this case, the SSH idle timeout occurs precisely when
-    the <tt>ClientAliveInterval</tt> is set.
-
-template:
-  name: sshd_lineinfile
-  vars:
-    parameter: "ClientAliveCountMax"
-    value: "0"
-    missing_parameter_pass: "false"
-    kubernetes: "off"
+    <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
+    For SSH earlier than v8.2, a <tt>ClientAliveCountMax</tt> value of <tt>0</tt> causes an idle timeout precisely when
+    the <tt>ClientAliveInterval</tt> is set.  Starting with v8.2, a value of <tt>0</tt> disables the timeout
+    functionality completely.
+    If the option is set to a number greater than <tt>0</tt>, then the idle session will be disconnected after
+    <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/kubernetes/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/kubernetes/shared.yml
@@ -0,0 +1,6 @@
+# platform = multi_platform_ocp,multi_platform_rhcos
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ kubernetes_sshd_set() }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
@@ -0,0 +1,74 @@
+documentation_complete: true
+
+# applicable only to products that ship OpenSSH<8.2
+# prodtypes: ???
+
+title: 'Set SSH Client Alive Count Max to zero'
+
+description: |-
+    The SSH server sends at most <tt>ClientAliveCountMax</tt> messages
+    during a SSH session and waits for a response from the SSH client.
+    The option <tt>ClientAliveInterval</tt> configures timeout after
+    each <tt>ClientAliveCountMax</tt> message. If the SSH server does not
+    receive a response from the client, then the connection is considered idle
+    and terminated.
+
+    To ensure the SSH idle timeout occurs precisely when the
+    <tt>ClientAliveInterval</tt> is set, set the <tt>ClientAliveCountMax</tt> to
+    value of <tt>0</tt>.
+
+rationale: |-
+    This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
+    is reached.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-83399-6
+    cce@rhel8: CCE-83405-1
+    cce@rhcos4: CCE-83406-9
+    cce@sle12: CCE-83407-7
+
+references:
+    stigid@ol7: OL07-00-040340
+    cis@rhel7: 5.2.12
+    cis@rhel8: 5.2.13
+    cis@ubuntu2004: 5.2.15
+    cjis: 5.5.6
+    cui: 3.1.11
+    disa: CCI-000879,CCI-001133,CCI-002361
+    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
+    nist: AC-2(5),AC-12,AC-17(a),SC-10,CM-6(a)
+    nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-2
+    pcidss: Req-8.1.8
+    srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
+    vmmsrg: SRG-OS-000480-VMM-002000
+    stigid@rhel7: RHEL-07-040340
+    stigid@sle12: SLES-12-030191
+    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2'
+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.3
+    cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+    iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+    cis-csc: 1,12,13,14,15,16,18,3,5,7,8
+
+requires:
+    - sshd_set_idle_timeout
+
+ocil_clause: 'it is commented out or not configured properly'
+
+ocil: |-
+    To ensure <tt>ClientAliveInterval</tt> is set correctly, run the following command:
+    <pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
+    If properly configured, the output should be:
+    <pre>ClientAliveCountMax 0</pre>
+
+    In this case, the SSH idle timeout occurs precisely when
+    the <tt>ClientAliveInterval</tt> is set.
+
+template:
+  name: sshd_lineinfile
+  vars:
+    parameter: "ClientAliveCountMax"
+    value: "0"
+    missing_parameter_pass: "false"
+    kubernetes: "off"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/tests/comment.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^ClientAliveCountMax" $SSHD_CONFIG; then
+	sed -i "s/^ClientAliveCountMax.*/# ClientAliveCountMax 0/" $SSHD_CONFIG
+else
+	echo "# ClientAliveCountMax 0" >> $SSHD_CONFIG
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/tests/correct_value.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^ClientAliveCountMax" $SSHD_CONFIG; then
+	sed -i "s/^ClientAliveCountMax.*/ClientAliveCountMax 0/" $SSHD_CONFIG
+else
+	echo "ClientAliveCountMax 0" >> $SSHD_CONFIG
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/tests/line_not_there.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+sed -i "/^ClientAliveCountMax.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^ClientAliveCountMax" $SSHD_CONFIG; then
+	sed -i "s/^ClientAliveCountMax.*/ClientAliveCountMax 50/" $SSHD_CONFIG
+else
+	echo "ClientAliveCountMax 50" >> $SSHD_CONFIG
+fi
diff --git a/ol7/profiles/pci-dss.profile b/ol7/profiles/pci-dss.profile
@@ -87,7 +87,8 @@ selections:
     - ensure_logrotate_activated
     - sshd_idle_timeout_value=15_minutes
     - sshd_set_idle_timeout
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - disable_prelink
     - display_login_attempts
     - gid_passwd_group_same

diff --git a/ol7/profiles/stig.profile b/ol7/profiles/stig.profile
@@ -232,7 +232,8 @@ selections:
     - sshd_set_idle_timeout
     - sshd_disable_rhosts
     - sshd_disable_rhosts_rsa
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - sshd_print_last_log
     - sshd_disable_root_login
     - sshd_allow_only_protocol2

diff --git a/ol8/profiles/cjis.profile b/ol8/profiles/cjis.profile
@@ -95,7 +95,8 @@ selections:
     - dconf_db_up_to_date
     - sshd_allow_only_protocol2
     - sshd_set_idle_timeout
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - disable_host_auth
     - sshd_disable_root_login
     - sshd_disable_empty_passwords

diff --git a/ol8/profiles/hipaa.profile b/ol8/profiles/hipaa.profile
@@ -59,7 +59,8 @@ selections:
     - sshd_do_not_permit_user_env
     - sshd_enable_strictmodes
     - sshd_enable_warning_banner
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - sshd_use_priv_separation
     - encrypt_partitions
     - var_system_crypto_policy=fips

diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile
@@ -55,7 +55,8 @@ selections:
     - sshd_disable_empty_passwords
     - sshd_disable_kerb_auth
     - sshd_disable_gssapi_auth
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - sshd_enable_warning_banner
     - sshd_rekey_limit
 

diff --git a/ol8/profiles/pci-dss.profile b/ol8/profiles/pci-dss.profile
@@ -103,7 +103,8 @@ selections:
     - ensure_logrotate_activated
     - sshd_idle_timeout_value=15_minutes
     - sshd_set_idle_timeout
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - display_login_attempts
     - gid_passwd_group_same
     - grub2_audit_argument

diff --git a/rhcos4/profiles/moderate.profile b/rhcos4/profiles/moderate.profile
@@ -77,7 +77,8 @@ selections:
     #- sshd_disable_kerb_auth
     #- sshd_disable_gssapi_auth
     # AC-2(5)
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     #- sshd_enable_warning_banner
     #- sshd_rekey_limit
 

diff --git a/rhcos4/profiles/ospp.profile b/rhcos4/profiles/ospp.profile
@@ -55,7 +55,8 @@ selections:
     - sshd_disable_kerb_auth
     - sshd_disable_gssapi_auth
     - var_sshd_set_keepalive=0
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - sshd_enable_warning_banner
     - sshd_rekey_limit
     - var_rekey_limit_size=1G

diff --git a/rhel7/profiles/C2S.profile b/rhel7/profiles/C2S.profile
@@ -202,7 +202,8 @@ selections:
     - sshd_use_approved_ciphers
     - sshd_use_approved_macs
     - sshd_set_idle_timeout
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - sshd_enable_warning_banner
     - var_password_pam_minlen=14
     - accounts_password_pam_minlen

diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
@@ -615,7 +615,8 @@ selections:
 
     ### 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored)
     - sshd_set_idle_timeout
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
 
     ### 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored)
     ### 5.2.14 Ensure SSH access is limited (Scored)

diff --git a/rhel7/profiles/cjis.profile b/rhel7/profiles/cjis.profile
@@ -99,7 +99,8 @@ selections:
     - dconf_gnome_screensaver_mode_blank
     - sshd_allow_only_protocol2
     - sshd_set_idle_timeout
-    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
     - disable_host_auth
     - sshd_disable_root_login
     - sshd_disable_empty_passwords