365ad6529c
This patch adds several configurations for sshd per the STIG's requirements. The following STIG requirements are met with this patch: - RHEL-07-010270 - RHEL-07-010440 - RHEL-07-010441 - RHEL-07-010442 - RHEL-07-040110 - RHEL-07-040170 - RHEL-07-040190 - RHEL-07-040191 - RHEL-07-040301 - RHEL-07-040310 - RHEL-07-040332 - RHEL-07-040334 - RHEL-07-040334 - RHEL-07-040540 - RHEL-07-040590 - RHEL-07-040620 - RHEL-07-040690 - RHEL-07-040700 - RHEL-07-040670 - RHEL-07-040680 Only two tasks are needed for all of this work and this should speed up the deployment nicely. Documentation will be updated in a follow-on patch. Implements: blueprint security-rhel7-stig Change-Id: I80579533eac2dd983f6d370445d9796d7c22eefc
{% if security_sshd_disallow_empty_password | bool %}
|
|
# RHEL-07-010270 / RHEL-07-010440
|
|
PermitEmptyPasswords no
|
|
{% endif %}
|
|
{% if security_sshd_disallow_environment_override | bool %}
|
|
# RHEL-07-010441
|
|
PermitUserEnvironment no
|
|
{% endif %}
|
|
{% if security_sshd_disallow_host_based_auth | bool %}
|
|
# RHEL-07-010442
|
|
HostbasedAuthentication no
|
|
{% endif %}
|
|
# RHEL-07-040110
|
|
Ciphers {{ security_sshd_cipher_list }}
|
|
# RHEL-07-040170
|
|
Banner {{ security_sshd_banner_file }}
|
|
# RHEL-07-040190
|
|
ClientAliveInterval {{ security_sshd_client_alive_interval }}
|
|
# RHEL-07-040191
|
|
ClientAliveCountMax {{ security_sshd_client_alive_count_max }}
|
|
{% if security_sshd_print_last_log | bool %}
|
|
# RHEL-07-040301
|
|
PrintLastLog yes
|
|
{% endif %}
|
|
{% if security_sshd_permit_root_login | bool %}
|
|
# RHEL-07-040310
|
|
PermitRootLogin no
|
|
{% endif %}
|
|
{% if security_sshd_disallow_known_hosts_auth | bool %}
|
|
# RHEL-07-040332 / RHEL-07-040333
|
|
IgnoreUserKnownHosts yes
|
|
{% endif %}
|
|
{% if security_sshd_disallow_rhosts_auth | bool %}
|
|
# RHEL-07-040334
|
|
IgnoreRhosts yes
|
|
{% endif %}
|
|
{% if security_sshd_enable_x11_forwarding | bool %}
|
|
# RHEL-07-040540
|
|
X11Forwarding yes
|
|
{% endif %}
|
|
# RHEL-07-040590
|
|
Protocol {{ security_sshd_protocol }}
|
|
# RHEL-07-040620
|
|
MACs {{security_sshd_allowed_macs }}
|
|
{% if security_sshd_enable_privilege_separation | bool %}
|
|
# RHEL-07-040690
|
|
UsePrivilegeSeparation sandbox
|
|
{% endif %}
|
|
# RHEL-07-040700
|
|
Compression {{ security_sshd_compression }}
|
|
{% if security_sshd_disable_kerberos_auth | bool %}
|
|
# RHEL-07-040670
|
|
KerberosAuthentication no
|
|
{% endif %}
|
|
{% if security_sshd_enable_strict_modes| bool %}
|
|
# RHEL-07-040680
|
|
StrictModes yes
|
|
{% endif %}
|
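Review bot: The `security_sshd_permit_root_login` flag is wired backwards at `{% if security_sshd_permit_root_login | bool %}` — a true value emits `PermitRootLogin no`, and a false value emits nothing, so an operator who sets it to false expecting to block root login instead leaves sshd on its default (which on this platform permits root login); the sibling flags all use the `disallow_*` sense, so the consistent fix is `{% if security_sshd_disallow_root_login | bool %}` with the matching rename in the role defaults, which live outside this hunk. The same nothing-when-false shape applies to every conditional block here, which is fine only if the rendered file is not appended after an existing `sshd_config` that already sets these keywords, since sshd keeps the first value it reads; if the tasks append rather than replace, consider emitting the explicit `no`/`yes` alternative in an `{% else %}` branch instead. The header comment `# RHEL-07-040332 / RHEL-07-040333` does not match the commit message, which lists RHEL-07-040334 twice and never 040333 — one of the two should be corrected. Minor style: `MACs {{security_sshd_allowed_macs }}` and `security_sshd_enable_strict_modes| bool` should read `{{ security_sshd_allowed_macs }}` and `security_sshd_enable_strict_modes | bool` to match the rest of the template.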