From 7bc0c12b8a308ce982821186577e7e443449793c Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Wed, 20 Dec 2023 13:57:02 +0200
Subject: [PATCH 1/2] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/5 by adding the necessary lines to both sshd_config file and sshd_config.d/ files. The same method is used for all the rules from 4.2.x, to make them compliant with CISs checks.
Signed-off-by: Diana-Maria Dumitru
---
 tasks/prelim.yml | 19 +++++++++
 tasks/section_4/cis_4.2.x.yml | 72 +++++++++++++++++++++++++++--------
 2 files changed, 76 insertions(+), 15 deletions(-)
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 90bb606..a556392 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -161,6 +161,25 @@
 - ssh
 - level1_server
+- name: "PRELIM | Section 4.2 | SSH - Identify files in sshd_config.d Dir"
+ ansible.builtin.find:
+ patterns: '*.conf'
+ path: /etc/ssh/sshd_config.d
+ register: sshd_d_conf_files
+ when:
+ - "'openssh-server' in ansible_facts.packages"
+ tags:
+ - always
+- name: "PRELIM | Section 4.2 | SSH - Search for main cfg file"
+ ansible.builtin.stat:
+ path: "{{ amzn2023cis_sshd_config_file }}"
+ register: main_sshd_cfg
+ when:
+ - "'openssh-server' in ansible_facts.packages"
+ tags:
+ - always
 - name: "PRELIM | Section 5.2 | Configure System Accounting (auditd)"
 ansible.builtin.package:
 name: audit
diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml
index c8151a3..20f8a98 100644
--- a/tasks/section_4/cis_4.2.x.yml
+++ b/tasks/section_4/cis_4.2.x.yml
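Review bot: `main_sshd_cfg` is consumed as `item.path` by the 4.2.x loops, but `ansible.builtin.stat` only returns `stat.path` when the file exists, and both registrations are skipped outright (no `files`/`stat` keys) when `openssh-server` is missing from `ansible_facts.packages`; as far as the visible hunks show, the consumers guard only on the rule flag, so a missing main file or missing package facts surfaces as an undefined-variable error instead of a skip. Failing early here with a clear message, `failed_when: not main_sshd_cfg.stat.exists`, is reasonable since the CIS checks presuppose the file. The drop-in directory is hard-coded while the main file path comes from `amzn2023cis_sshd_config_file`; a companion variable for the directory would keep the two consistent. `find` with its default `file_type` presumably omits symlinked `*.conf` entries that sshd's glob-based `Include` would still read — confirm whether that matters for this baseline.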
@@ -125,10 +125,13 @@
 - name: "4.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#LogLevel|^LogLevel"
 line: 'LogLevel {{ amzn2023cis_ssh_loglevel }}'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_5
 tags:
@@ -142,10 +145,13 @@
 - name: "4.2.6 | PATCH | Ensure SSH PAM is enabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#UsePAM|^UsePAM"
 line: 'UsePAM yes'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_6
 tags:
@@ -161,10 +167,13 @@
 - name: "4.2.7 | PATCH | Ensure SSH root login is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#PermitRootLogin|^PermitRootLogin"
 line: 'PermitRootLogin no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_7
 tags:
@@ -176,10 +185,13 @@
 - name: "4.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
 line: 'HostbasedAuthentication no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_8
 tags:
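Review bot: When `regexp` does not match, `lineinfile` appends `line` at end of file, so in a drop-in (or the main file) whose last stanza is a `Match` block the directive lands inside that block and applies only to the matched users/hosts; `sshd -t -f %s` presumably accepts that for directives permitted under `Match` (PermitRootLogin, X11Forwarding, ClientAliveInterval and others), so the task reports changed while the global value stays unhardened. Anchoring the insert before any Match stanza, `insertbefore: '^\s*Match\s'` together with `firstmatch: true`, keeps the directive global; the same applies to every other 4.2.x hunk in this file (4.2.6 through 4.2.20). Separately, `main_sshd_cfg.stat` has no `path` key when the main file is absent, and both registered results are undefined when the prelim tasks were skipped, so `item.path` raises instead of skipping. The `loop`-style equivalent `loop: "{{ sshd_d_conf_files.files + ([main_sshd_cfg.stat] if main_sshd_cfg.stat.exists | default(false) else []) }}"` tolerates the missing file and replaces the legacy `with_items`. Each task's `tags` list continues outside its hunk.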
@@ -195,10 +207,13 @@
 - name: "4.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
 line: 'PermitEmptyPasswords no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_9
 tags:
@@ -214,10 +229,13 @@
 - name: "4.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
 line: 'PermitUserEnvironment no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_10
 tags:
@@ -252,10 +270,13 @@
 - name: "4.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#X11Forwarding|^X11Forwarding"
 line: 'X11Forwarding no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_12
 tags:
@@ -267,10 +288,13 @@
 - name: "4.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
 line: 'AllowTcpForwarding no'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_13
 tags:
@@ -327,10 +351,13 @@
 - name: "4.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: '^(#)?MaxAuthTries \d'
 line: 'MaxAuthTries 4'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_16
 tags:
@@ -342,10 +369,13 @@
 - name: "4.2.17 | PATCH | Ensure SSH MaxStartups is configured"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#MaxStartups|^MaxStartups"
 line: 'MaxStartups 10:30:60'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_17
 tags:
@@ -361,10 +391,13 @@
 - name: "4.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#MaxSessions|^MaxSessions"
 line: 'MaxSessions {{ amzn2023cis_ssh_maxsessions }}'
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_18
 tags:
@@ -380,10 +413,13 @@
 - name: "4.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: "^#LoginGraceTime|^LoginGraceTime"
 line: "LoginGraceTime {{ amzn2023cis_sshd['logingracetime'] }}"
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_19
 tags:
@@ -397,17 +433,23 @@
 block:
 - name: "4.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: '^ClientAliveInterval'
 line: "ClientAliveInterval {{ amzn2023cis_sshd['clientaliveinterval'] }}"
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 - name: "4.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
 ansible.builtin.lineinfile:
- path: "{{ amzn2023cis_sshd_config_file }}"
+ path: "{{ item.path }}"
 regexp: '^ClientAliveCountMax'
 line: "ClientAliveCountMax {{ amzn2023cis_sshd['clientalivecountmax'] }}"
 validate: sshd -t -f %s
+ with_items:
+ - "{{ sshd_d_conf_files.files }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_20
 tags:
@@ -419,4 +461,4 @@
 - nist_sp800-53r5_CM-2
 - nist_sp800-53r5_CM-6
 - nist_sp800-53r5_CM-7
- - nist_sp800-53r5_IA-5
+ - nist_sp800-53r5_IA-5
\ No newline at end of file
From 9488e1951f573897f86b033ab94887e736509a78 Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Tue, 30 Jan 2024 10:12:11 +0200
Subject: [PATCH 2/2] Removing trailing whitespaces and fixing an end-of-file
Signed-off-by: Diana-Maria Dumitru
---
 tasks/prelim.yml | 4 ++--
 tasks/section_4/cis_4.2.x.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index a556392..bfbac94 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -167,7 +167,7 @@
 path: /etc/ssh/sshd_config.d
 register: sshd_d_conf_files
 when:
- - "'openssh-server' in ansible_facts.packages"
+ - "'openssh-server' in ansible_facts.packages"
 tags:
 - always
@@ -176,7 +176,7 @@
 path: "{{ amzn2023cis_sshd_config_file }}"
 register: main_sshd_cfg
 when:
- - "'openssh-server' in ansible_facts.packages"
+ - "'openssh-server' in ansible_facts.packages"
 tags:
 - always
diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml
index 20f8a98..6134cb4 100644
--- a/tasks/section_4/cis_4.2.x.yml
+++ b/tasks/section_4/cis_4.2.x.yml
@@ -213,7 +213,7 @@
 validate: sshd -t -f %s
 with_items:
 - "{{ sshd_d_conf_files.files }}"
- - "{{ main_sshd_cfg.stat }}"
+ - "{{ main_sshd_cfg.stat }}"
 when:
 - amzn2023cis_rule_4_2_9
 tags:
@@ -461,4 +461,4 @@
 - nist_sp800-53r5_CM-2
 - nist_sp800-53r5_CM-6
 - nist_sp800-53r5_CM-7
- - nist_sp800-53r5_IA-5
\ No newline at end of file
+ - nist_sp800-53r5_IA-5