|
|
c99e83 |
From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001
|
|
|
c99e83 |
From: Watson Sato <wsato@redhat.com>
|
|
|
c99e83 |
Date: Wed, 13 May 2020 20:49:08 +0200
|
|
|
c99e83 |
Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions
|
|
|
c99e83 |
|
|
|
c99e83 |
---
|
|
|
c99e83 |
.../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++
|
|
|
c99e83 |
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++
|
|
|
c99e83 |
2 files changed, 22 insertions(+)
|
|
|
c99e83 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
|
|
c99e83 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
|
|
c99e83 |
|
|
|
c99e83 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
|
|
c99e83 |
new file mode 100644
|
|
|
c99e83 |
index 0000000000..a816eea390
|
|
|
c99e83 |
--- /dev/null
|
|
|
c99e83 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
|
|
c99e83 |
@@ -0,0 +1,11 @@
|
|
|
c99e83 |
+# profiles = xccdf_org.ssgproject.content_profile_cis
|
|
|
c99e83 |
+# platform = Red Hat Enterprise Linux 8
|
|
|
c99e83 |
+
|
|
|
c99e83 |
+#!/bin/bash
|
|
|
c99e83 |
+SSHD_CONFIG="/etc/ssh/sshd_config"
|
|
|
c99e83 |
+
|
|
|
c99e83 |
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
|
|
c99e83 |
+ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
|
|
|
c99e83 |
+ else
|
|
|
c99e83 |
+ echo "MaxSessions 4" >> $SSHD_CONFIG
|
|
|
c99e83 |
+fi
|
|
|
c99e83 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
|
|
c99e83 |
new file mode 100644
|
|
|
c99e83 |
index 0000000000..b36125f5bb
|
|
|
c99e83 |
--- /dev/null
|
|
|
c99e83 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
|
|
c99e83 |
@@ -0,0 +1,11 @@
|
|
|
c99e83 |
+# profiles = xccdf_org.ssgproject.content_profile_cis
|
|
|
c99e83 |
+# platform = Red Hat Enterprise Linux 8
|
|
|
c99e83 |
+
|
|
|
c99e83 |
+#!/bin/bash
|
|
|
c99e83 |
+SSHD_CONFIG="/etc/ssh/sshd_config"
|
|
|
c99e83 |
+
|
|
|
c99e83 |
+if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
|
|
c99e83 |
+ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
|
|
|
c99e83 |
+ else
|
|
|
c99e83 |
+ echo "MaxSessions 10" >> $SSHD_CONFIG
|
|
|
c99e83 |
+fi
|
|
|
c99e83 |
|
|
|
c99e83 |
From 027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001
|
|
|
c99e83 |
From: Watson Sato <wsato@redhat.com>
|
|
|
c99e83 |
Date: Wed, 13 May 2020 20:53:50 +0200
|
|
|
c99e83 |
Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions
|
|
|
c99e83 |
|
|
|
c99e83 |
---
|
|
|
c99e83 |
.../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++
|
|
|
c99e83 |
.../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++
|
|
|
c99e83 |
.../tests/correct_value.pass.sh | 2 +-
|
|
|
c99e83 |
.../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +-
|
|
|
c99e83 |
4 files changed, 22 insertions(+), 2 deletions(-)
|
|
|
c99e83 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
|
|
|
c99e83 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
|
|
|
c99e83 |
|
|
|
c99e83 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
|
|
|
c99e83 |
new file mode 100644
|
|
|
c99e83 |
index 0000000000..a7e171dfe9
|
|
|
c99e83 |
--- /dev/null
|
|
|
c99e83 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
|
|
|
c99e83 |
@@ -0,0 +1,8 @@
|
|
|
c99e83 |
+# platform = multi_platform_all
|
|
|
c99e83 |
+# reboot = false
|
|
|
c99e83 |
+# strategy = configure
|
|
|
c99e83 |
+# complexity = low
|
|
|
c99e83 |
+# disruption = low
|
|
|
c99e83 |
+- (xccdf-var var_sshd_max_sessions)
|
|
|
c99e83 |
+
|
|
|
c99e83 |
+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}}
|
|
|
c99e83 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
|
|
|
c99e83 |
new file mode 100644
|
|
|
c99e83 |
index 0000000000..fc0a1d8b42
|
|
|
c99e83 |
--- /dev/null
|
|
|
c99e83 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
|
|
|
c99e83 |
@@ -0,0 +1,12 @@
|
|
|
c99e83 |
+# platform = multi_platform_all
|
|
|
c99e83 |
+# reboot = false
|
|
|
c99e83 |
+# strategy = configure
|
|
|
c99e83 |
+# complexity = low
|
|
|
c99e83 |
+# disruption = low
|
|
|
c99e83 |
+
|
|
|
c99e83 |
+# Include source function library.
|
|
|
c99e83 |
+. /usr/share/scap-security-guide/remediation_functions
|
|
|
c99e83 |
+
|
|
|
c99e83 |
+populate var_sshd_max_sessions
|
|
|
c99e83 |
+
|
|
|
c99e83 |
+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
|
|
|
c99e83 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
|
|
c99e83 |
index a816eea390..4cc6d65988 100644
|
|
|
c99e83 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
|
|
c99e83 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh
|
|
|
c99e83 |
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
|
|
|
c99e83 |
if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
|
|
c99e83 |
sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG
|
|
|
c99e83 |
else
|
|
|
c99e83 |
- echo "MaxSessions 4" >> $SSHD_CONFIG
|
|
|
c99e83 |
+ echo "MaxSessions 4" >> $SSHD_CONFIG
|
|
|
c99e83 |
fi
|
|
|
c99e83 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
|
|
c99e83 |
index b36125f5bb..bc0c47842a 100644
|
|
|
c99e83 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
|
|
c99e83 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh
|
|
|
c99e83 |
@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config"
|
|
|
c99e83 |
if grep -q "^MaxSessions" $SSHD_CONFIG; then
|
|
|
c99e83 |
sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG
|
|
|
c99e83 |
else
|
|
|
c99e83 |
- echo "MaxSessions 10" >> $SSHD_CONFIG
|
|
|
c99e83 |
+ echo "MaxSessions 10" >> $SSHD_CONFIG
|
|
|
c99e83 |
fi
|