[Docs] Configure sshd based on the RHEL 7 STIG

This patch is a follow-on docs patch for the sshd configuration work.

Implements: blueprint security-rhel7-stig
Change-Id: Ie140302bd0a20282f2f08a1296e04217e52da114

doc/metadata/rhel7/RHEL-07-010441.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-010441
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``PermitUserEnvironment`` configuration is set to ``no`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_disallow_environment_override: no

doc/metadata/rhel7/RHEL-07-010442.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-010442
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``HostbasedAuthentication`` configuration is set to ``no`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_disallow_host_based_auth: no

doc/metadata/rhel7/RHEL-07-040110.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-040110
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``Ciphers`` configuration is set to ``aes128-ctr,aes192-ctr,aes256-ctr`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can change the list of ciphers by setting the following Ansible
+variable:
+
+.. code-block:: yaml
+
+    security_sshd_cipher_list: 'cipher1,cipher2,cipher3'

doc/metadata/rhel7/RHEL-07-040170.rst

@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-040170
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``Banner`` configuration is set to ``/etc/issue.net`` in
+``/etc/ssh/sshd_config`` and sshd is restarted. In addition, the
+``files/login_banner.txt`` file is copied from the openstack-ansible-security
+role directory to ``/etc/issue.net`` on each host.

doc/metadata/rhel7/RHEL-07-040190.rst

@@ -1,7 +1,30 @@
 ---
 id: RHEL-07-040190
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``ClientAliveInterval`` configuration is set to ``600`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can adjust the length of the interval by changing the following
+Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_client_alive_interval: 600
+
+.. note::
+
+    The STIG requires that ``ClientAliveInterval`` is set to 600 and
+    ``ClientAliveCountMax`` is set to zero, which sets a 10 minute session
+    timeout. If no data is transferred in a 10 minute period, the session is
+    disconnected.
+
+    The ``ClientAliveInterval`` specifies how long the ssh daemon waits
+    before it sends a message to the client to see if it is still alive. The
+    ``ClientAliveCountMax`` specifies how many of these messages are sent
+    without receiving a response.
+
+    Deployers should refer to :ref:`stig-RHEL-07-040191` to customize the
+    ``ClientAliveCountMax`` setting.

doc/metadata/rhel7/RHEL-07-040191.rst

@@ -1,7 +1,30 @@
 ---
 id: RHEL-07-040191
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``ClientAliveCountMax`` configuration is set to ``0`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can adjust the maximum amount of client alive intervals by changing
+the following Ansible variable.
+
+.. code-block:: yaml
+
+    security_sshd_client_alive_count_max: 0
+
+.. note::
+
+    The STIG requires that ``ClientAliveInterval`` is set to 600 and
+    ``ClientAliveCountMax`` is set to zero, which sets a 10 minute session
+    timeout. If no data is transferred in a 10 minute period, the session is
+    disconnected.
+
+    The ``ClientAliveInterval`` specifies how long the ssh daemon waits
+    before it sends a message to the client to see if it is still alive. The
+    ``ClientAliveCountMax`` specifies how many of these messages are sent
+    without receiving a response.
+
+    Deployers should refer to :ref:`stig-RHEL-07-040190` to customize the
+    ``ClientAliveInterval`` setting.

doc/metadata/rhel7/RHEL-07-040301.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040301
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``PrintLastLog`` configuration is set to ``yes`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_print_last_log: no

doc/metadata/rhel7/RHEL-07-040310.rst

@@ -1,7 +1,21 @@
 ---
 id: RHEL-07-040310
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``PermitRootLogin`` configuration is set to ``no`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_permit_root_login: no
+
+.. warning::
+
+    Ensure that a regular user account exists with a pathway to root access
+    (preferably via ``sudo``) before applying the security role.  This
+    configuration change disallows any direct logins with the ``root``
+    user.

doc/metadata/rhel7/RHEL-07-040332.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040332
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``IgnoreUserKnownHosts`` configuration is set to ``yes`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_disallow_known_hosts_auth: no

doc/metadata/rhel7/RHEL-07-040333.rst

@@ -1,7 +1,7 @@
 ---
 id: RHEL-07-040333
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+This STIG is already applied by the changes for :ref:`stig-RHEL-07-040332`.

doc/metadata/rhel7/RHEL-07-040334.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040334
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``IgnoreRhosts`` configuration is set to ``yes`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_disallow_rhosts_auth: no

doc/metadata/rhel7/RHEL-07-040490.rst

@@ -1,7 +1,19 @@
 ---
 id: RHEL-07-040490
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``Protocol`` configuration is set to ``2`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_protocol: 2
+
+.. warning::
+
+    There is no reason to enable any other protocol than SSHv2. SSHv1 has
+    multiple vulnerabilities, and it is no longer widely used.

doc/metadata/rhel7/RHEL-07-040540.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040540
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``X11Forwarding`` configuration is set to ``yes`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_enable_x11_forwarding: no

doc/metadata/rhel7/RHEL-07-040620.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-040620
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``MACs`` configuration is set to ``hmac-sha2-256,hmac-sha2-512`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can adjust the allowed Message Authentication Codes (MACs) by setting
+the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512'

doc/metadata/rhel7/RHEL-07-040670.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040670
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``KerberosAuthentication`` configuration is set to ``no`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_disable_kerberos_auth: no

doc/metadata/rhel7/RHEL-07-040680.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040680
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``StrictModes`` configuration is set to ``yes`` in ``/etc/ssh/sshd_config``
+and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_enable_strict_modes: no

doc/metadata/rhel7/RHEL-07-040690.rst

@@ -1,7 +1,20 @@
 ---
 id: RHEL-07-040690
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The ``UsePrivilegeSeparation`` configuration is set to ``sandbox`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_enable_privilege_separation: no
+
+.. note::
+
+    Although the STIG requires this setting to be ``yes``, the ``sandbox``
+    setting actually provides more security because it enables privilege
+    separation during the early authentication process.

doc/metadata/rhel7/RHEL-07-040700.rst

@@ -1,7 +1,27 @@
 ---
 id: RHEL-07-040700
-status: not implemented
-tag: misc
+status: implemented
+tag: implemented
 ---
 
-This STIG requirement is not yet implemented.
+The ``Compression`` configuration is set to ``delayed`` in
+``/etc/ssh/sshd_config`` and sshd is restarted.
+
+Deployers can choose another option by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_sshd_compression: 'no'
+
+.. note::
+
+    The following are the available settings for ``Compression`` in the ssh
+    configuration file:
+
+    * ``delayed``: Compression is enabled after authentication.
+    * ``no``: Compression is disabled.
+    * ``yes``: Compression is enabled during authentication and during the
+      session (not allowed by the STIG).
+
+    The ``delayed`` option balances security with performance and is an
+    approved option in the STIG.