diff --git a/doc/metadata/rhel7/RHEL-07-010441.rst b/doc/metadata/rhel7/RHEL-07-010441.rst index 65491c73..1a9dd73f 100644 --- a/doc/metadata/rhel7/RHEL-07-010441.rst +++ b/doc/metadata/rhel7/RHEL-07-010441.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-010441 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``PermitUserEnvironment`` configuration is set to ``no`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_disallow_environment_override: no diff --git a/doc/metadata/rhel7/RHEL-07-010442.rst b/doc/metadata/rhel7/RHEL-07-010442.rst index e462de94..18b0f359 100644 --- a/doc/metadata/rhel7/RHEL-07-010442.rst +++ b/doc/metadata/rhel7/RHEL-07-010442.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-010442 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``HostbasedAuthentication`` configuration is set to ``no`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_disallow_host_based_auth: no diff --git a/doc/metadata/rhel7/RHEL-07-040110.rst b/doc/metadata/rhel7/RHEL-07-040110.rst index ea806a47..e677da65 100644 --- a/doc/metadata/rhel7/RHEL-07-040110.rst +++ b/doc/metadata/rhel7/RHEL-07-040110.rst @@ -1,7 +1,15 @@ --- id: RHEL-07-040110 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``Ciphers`` configuration is set to ``aes128-ctr,aes192-ctr,aes256-ctr`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can change the list of ciphers by setting the following Ansible +variable: + +.. code-block:: yaml + + security_sshd_cipher_list: 'cipher1,cipher2,cipher3' 
diff --git a/doc/metadata/rhel7/RHEL-07-040170.rst b/doc/metadata/rhel7/RHEL-07-040170.rst index 35930972..bb309995 100644 --- a/doc/metadata/rhel7/RHEL-07-040170.rst +++ b/doc/metadata/rhel7/RHEL-07-040170.rst @@ -1,7 +1,10 @@ --- id: RHEL-07-040170 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``Banner`` configuration is set to ``/etc/issue.net`` in +``/etc/ssh/sshd_config`` and sshd is restarted. In addition, the +``files/login_banner.txt`` file is copied from the openstack-ansible-security +role directory to ``/etc/issue.net`` on each host. diff --git a/doc/metadata/rhel7/RHEL-07-040190.rst b/doc/metadata/rhel7/RHEL-07-040190.rst index a0ebcbcd..58fbf4ec 100644 --- a/doc/metadata/rhel7/RHEL-07-040190.rst +++ b/doc/metadata/rhel7/RHEL-07-040190.rst @@ -1,7 +1,30 @@ --- id: RHEL-07-040190 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``ClientAliveInterval`` configuration is set to ``600`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can adjust the length of the interval by changing the following +Ansible variable: + +.. code-block:: yaml + + security_sshd_client_alive_interval: 600 + +.. note:: + + The STIG requires that ``ClientAliveInterval`` is set to 600 and + ``ClientAliveCountMax`` is set to zero, which sets a 10 minute session + timeout. If no data is transferred in a 10 minute period, the session is + disconnected. + + The ``ClientAliveInterval`` specifies how long the ssh daemon waits + before it sends a message to the client to see if it is still alive. The + ``ClientAliveCountMax`` specifies how many of these messages are sent + without receiving a response. + + Deployers should refer to :ref:`stig-RHEL-07-040191` to customize the + ``ClientAliveCountMax`` setting. 
diff --git a/doc/metadata/rhel7/RHEL-07-040191.rst b/doc/metadata/rhel7/RHEL-07-040191.rst index e70d5a14..d3e1f4a8 100644 --- a/doc/metadata/rhel7/RHEL-07-040191.rst +++ b/doc/metadata/rhel7/RHEL-07-040191.rst @@ -1,7 +1,30 @@ --- id: RHEL-07-040191 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``ClientAliveCountMax`` configuration is set to ``0`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can adjust the maximum amount of client alive intervals by changing +the following Ansible variable. + +.. code-block:: yaml + + security_sshd_client_alive_count_max: 0 + +.. note:: + + The STIG requires that ``ClientAliveInterval`` is set to 600 and + ``ClientAliveCountMax`` is set to zero, which sets a 10 minute session + timeout. If no data is transferred in a 10 minute period, the session is + disconnected. + + The ``ClientAliveInterval`` specifies how long the ssh daemon waits + before it sends a message to the client to see if it is still alive. The + ``ClientAliveCountMax`` specifies how many of these messages are sent + without receiving a response. + + Deployers should refer to :ref:`stig-RHEL-07-040190` to customize the + ``ClientAliveInterval`` setting. diff --git a/doc/metadata/rhel7/RHEL-07-040301.rst b/doc/metadata/rhel7/RHEL-07-040301.rst index f35b8283..905ae307 100644 --- a/doc/metadata/rhel7/RHEL-07-040301.rst +++ b/doc/metadata/rhel7/RHEL-07-040301.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-040301 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``PrintLastLog`` configuration is set to ``yes`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_print_last_log: no 
diff --git a/doc/metadata/rhel7/RHEL-07-040310.rst b/doc/metadata/rhel7/RHEL-07-040310.rst index 8ee52bd1..a1cacd84 100644 --- a/doc/metadata/rhel7/RHEL-07-040310.rst +++ b/doc/metadata/rhel7/RHEL-07-040310.rst @@ -1,7 +1,21 @@ --- id: RHEL-07-040310 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``PermitRootLogin`` configuration is set to ``no`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_permit_root_login: no + +.. warning:: + + Ensure that a regular user account exists with a pathway to root access + (preferably via ``sudo``) before applying the security role. This + configuration change disallows any direct logins with the ``root`` + user. diff --git a/doc/metadata/rhel7/RHEL-07-040332.rst b/doc/metadata/rhel7/RHEL-07-040332.rst index a2b961a0..7cec9d06 100644 --- a/doc/metadata/rhel7/RHEL-07-040332.rst +++ b/doc/metadata/rhel7/RHEL-07-040332.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-040332 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``IgnoreUserKnownHosts`` configuration is set to ``yes`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_disallow_known_hosts_auth: no diff --git a/doc/metadata/rhel7/RHEL-07-040333.rst b/doc/metadata/rhel7/RHEL-07-040333.rst index 62b80cc6..f7d53218 100644 --- a/doc/metadata/rhel7/RHEL-07-040333.rst +++ b/doc/metadata/rhel7/RHEL-07-040333.rst @@ -1,7 +1,7 @@ --- id: RHEL-07-040333 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +This STIG is already applied by the changes for :ref:`stig-RHEL-07-040332`. 
diff --git a/doc/metadata/rhel7/RHEL-07-040334.rst b/doc/metadata/rhel7/RHEL-07-040334.rst index 435ea230..4c437efc 100644 --- a/doc/metadata/rhel7/RHEL-07-040334.rst +++ b/doc/metadata/rhel7/RHEL-07-040334.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-040334 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``IgnoreRhosts`` configuration is set to ``yes`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_disallow_rhosts_auth: no diff --git a/doc/metadata/rhel7/RHEL-07-040490.rst b/doc/metadata/rhel7/RHEL-07-040490.rst index deb4dd75..853a20b7 100644 --- a/doc/metadata/rhel7/RHEL-07-040490.rst +++ b/doc/metadata/rhel7/RHEL-07-040490.rst @@ -1,7 +1,19 @@ --- id: RHEL-07-040490 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``Protocol`` configuration is set to ``2`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_protocol: 2 + +.. warning:: + + There is no reason to enable any other protocol than SSHv2. SSHv1 has + multiple vulnerabilities, and it is no longer widely used. diff --git a/doc/metadata/rhel7/RHEL-07-040540.rst b/doc/metadata/rhel7/RHEL-07-040540.rst index 2abdf5e3..63945b9c 100644 --- a/doc/metadata/rhel7/RHEL-07-040540.rst +++ b/doc/metadata/rhel7/RHEL-07-040540.rst 
@@ -1,7 +1,14 @@ --- id: RHEL-07-040540 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``X11Forwarding`` configuration is set to ``yes`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_enable_x11_forwarding: no diff --git a/doc/metadata/rhel7/RHEL-07-040620.rst b/doc/metadata/rhel7/RHEL-07-040620.rst index 5c783fa3..65d8bcfd 100644 --- a/doc/metadata/rhel7/RHEL-07-040620.rst +++ b/doc/metadata/rhel7/RHEL-07-040620.rst @@ -1,7 +1,15 @@ --- id: RHEL-07-040620 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``MACs`` configuration is set to ``hmac-sha2-256,hmac-sha2-512`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can adjust the allowed Message Authentication Codes (MACs) by setting +the following Ansible variable: + +.. code-block:: yaml + + security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' diff --git a/doc/metadata/rhel7/RHEL-07-040670.rst b/doc/metadata/rhel7/RHEL-07-040670.rst index cbc91b3d..1214fe4c 100644 --- a/doc/metadata/rhel7/RHEL-07-040670.rst +++ b/doc/metadata/rhel7/RHEL-07-040670.rst @@ -1,7 +1,14 @@ --- id: RHEL-07-040670 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``KerberosAuthentication`` configuration is set to ``no`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_disable_kerberos_auth: no diff --git a/doc/metadata/rhel7/RHEL-07-040680.rst b/doc/metadata/rhel7/RHEL-07-040680.rst index 7d903ffe..0941e0ac 100644 --- a/doc/metadata/rhel7/RHEL-07-040680.rst +++ b/doc/metadata/rhel7/RHEL-07-040680.rst 
@@ -1,7 +1,14 @@ --- id: RHEL-07-040680 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``StrictModes`` configuration is set to ``yes`` in ``/etc/ssh/sshd_config`` +and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_enable_strict_modes: no diff --git a/doc/metadata/rhel7/RHEL-07-040690.rst b/doc/metadata/rhel7/RHEL-07-040690.rst index 2a13d6a7..6457b7e3 100644 --- a/doc/metadata/rhel7/RHEL-07-040690.rst +++ b/doc/metadata/rhel7/RHEL-07-040690.rst @@ -1,7 +1,20 @@ --- id: RHEL-07-040690 -status: not implemented -tag: misc +status: implemented +tag: sshd --- -This STIG requirement is not yet implemented. +The ``UsePrivilegeSeparation`` configuration is set to ``sandbox`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_enable_privilege_separation: no + +.. note:: + + Although the STIG requires this setting to be ``yes``, the ``sandbox`` + setting actually provides more security because it enables privilege + separation during the early authentication process. diff --git a/doc/metadata/rhel7/RHEL-07-040700.rst b/doc/metadata/rhel7/RHEL-07-040700.rst index d7bdcc2c..953e6eef 100644 --- a/doc/metadata/rhel7/RHEL-07-040700.rst +++ b/doc/metadata/rhel7/RHEL-07-040700.rst 
@@ -1,7 +1,27 @@ --- id: RHEL-07-040700 -status: not implemented -tag: misc +status: implemented +tag: implemented --- -This STIG requirement is not yet implemented. +The ``Compression`` configuration is set to ``delayed`` in +``/etc/ssh/sshd_config`` and sshd is restarted. + +Deployers can choose another option by setting the following Ansible variable: + +.. code-block:: yaml + + security_sshd_compression: 'no' + +.. note:: + + The following are the available settings for ``Compression`` in the ssh + configuration file: + + * ``delayed``: Compression is enabled after authentication. + * ``no``: Compression is disabled. + * ``yes``: Compression is enabled during authentication and during the + session (not allowed by the STIG). + + The ``delayed`` option balances security with performance and is an + approved option in the STIG.
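Review bot: in the RHEL-07-040110 hunk the example value `security_sshd_cipher_list: 'cipher1,cipher2,cipher3'` is a placeholder, whereas the matching RHEL-07-040620 page shows the real default (`'hmac-sha2-256,hmac-sha2-512'`); for consistency, and so a deployer can copy a known-good line, show the role default `'aes128-ctr,aes192-ctr,aes256-ctr'` here and say that any replacement list must stay within what the STIG permits.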
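Review bot: the RHEL-07-040170 hunk gives no opt-out and no variable for a site-specific banner, yet the role copies `files/login_banner.txt` over `/etc/issue.net` on every host; the page should state whether an existing `/etc/issue.net` is overwritten unconditionally and how a deployer supplies their own banner text, since the other sshd pages in this change all document an override variable.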
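Review bot: in the RHEL-07-040191 hunk the sentence introducing the code block ends with a period ("by changing the following Ansible variable.") while every sibling page ends that sentence with a colon; change it to "…the following Ansible variable:" so the reST reads consistently.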
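Review bot: in the RHEL-07-040310 hunk the opt-out example `security_sshd_permit_root_login: no` reads as if `no` were the hardened value, because the variable name mirrors the `PermitRootLogin` directive; either rename it in the style of the other switches (`security_sshd_disallow_root_login: no`) or add a sentence stating that the variable is a boolean that controls whether the role enforces `PermitRootLogin no`, so that a deployer does not set `no` expecting to harden and instead opt out.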
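Review bot: the RHEL-07-040490 hunk says deployers "can opt out of this change" but the example shows `security_sshd_protocol: 2`, the very value the role applies, so the example does not opt out of anything; given the warning in the same hunk that nothing other than SSHv2 should be enabled, either drop the opt-out sentence or reword it to "Deployers can change the protocol by setting the following Ansible variable:" and keep `2` as the documented default.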
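Review bot: the RHEL-07-040540 hunk has a hardening role turning `X11Forwarding` on (`yes`), which is the opposite of what readers of a security doc will expect; add one sentence saying that `yes` is the value this STIG item calls for, and note that hosts with no X11 use can set `security_sshd_enable_x11_forwarding: no` to keep the smaller attack surface.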
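Review bot: the RHEL-07-040690 hunk documents an opt-out (`security_sshd_enable_privilege_separation: no`) without saying what it writes to `sshd_config`; since the note in the same hunk says the STIG minimum is `yes` and the role chooses `sandbox`, state whether opting out removes the directive or sets `UsePrivilegeSeparation no`, so a deployer knows that opting out drops them below the STIG requirement rather than back to `yes`.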
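Review bot: the RHEL-07-040700 hunk sets `tag: implemented` in the front matter, which looks like a copy error; every other file in this change uses `tag: sshd`, and the tag is what groups these pages, so it should read `tag: sshd`. In the same hunk `security_sshd_compression: 'no'` is quoted while the other pages use a bare `no`; the quoting is needed here because YAML parses a bare `no` as boolean false, which would not render as the literal `no` that `Compression` expects, so add a sentence telling deployers the value must be quoted.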