From c4afa942edea4b26498dc223d4965fb722d919ed Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 8 Nov 2022 13:53:14 +0100 Subject: [PATCH 1/7] RHEL8 STIG v1R8 requires ClientAliveCountMax 1 Following update from V1R8, update the STIG profile to configure ClientAliveCountMax to 1. This will timeout SSH connections when client alive messages are not received within ClientAliveInterval seconds. This serves the purpose of disconnecting sessions when the client has become unresponsive. --- .../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 + .../services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 - products/rhel8/profiles/stig.profile | 4 ++-- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml index bc8ee914565..df0681f3f3a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml @@ -55,6 +55,7 @@ references: pcidss: Req-8.1.8 srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109 stigid@ol7: OL07-00-040340 + stigid@rhel8: RHEL-08-010200 stigid@sle12: SLES-12-030191 stigid@ubuntu2004: UBTU-20-010036 vmmsrg: SRG-OS-000480-VMM-002000 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml index 024cb687382..a02fa8f40db 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml @@ -54,7 +54,6 @@ references: stigid@ol7: OL07-00-040340 stigid@ol8: OL08-00-010200 stigid@rhel7: RHEL-07-040340 - stigid@rhel8: RHEL-08-010200 stigid@sle12: SLES-12-030191 stigid@sle15: SLES-15-010320 vmmsrg: SRG-OS-000480-VMM-002000 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 96dfbf6b203..d184957f28c 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -50,7 +50,7 @@ selections: - var_password_pam_lcredit=1 - var_password_pam_retry=3 - var_password_pam_minlen=15 - # - var_sshd_set_keepalive=0 + - var_sshd_set_keepalive=1 - sshd_approved_macs=stig - sshd_approved_ciphers=stig - sshd_idle_timeout_value=10_minutes @@ -174,7 +174,7 @@ selections: # they still need to be selected so it follows exactly what STIG # states. # RHEL-08-010200 - - sshd_set_keepalive_0 + - sshd_set_keepalive # RHEL-08-010201 - sshd_set_idle_timeout From a9f13cdff06ce7de53420b0ca65b3a8110eae85a Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 8 Nov 2022 14:06:42 +0100 Subject: [PATCH 2/7] Change verbiage on keepalive rules Stop using the 'idle', that implies an idle user; And start using unresponsive, which better describes the state of network. --- .../ssh/ssh_server/sshd_set_keepalive/rule.yml | 15 ++++++++------- .../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 6 +++--- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml index df0681f3f3a..7a27c134f1e 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml 
@@ -7,14 +7,15 @@ description: |- during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not - receive a response from the client, then the connection is considered idle + receive a response from the client, then the connection is considered unresponsive and terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 - causes an idle timeout precisely when the ClientAliveInterval is set. + causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then - the idle session will be disconnected after - ClientAliveInterval * ClientAliveCountMax seconds. + the session will be disconnected after + ClientAliveInterval * ClientAliveCountMax seconds without receiving + a keep alive message. rationale: |- This ensures a user login will be terminated as soon as the ClientAliveInterval @@ -70,8 +71,8 @@ ocil: |-
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}
- For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes an idle timeout precisely when + For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. - If the option is set to a number greater than 0, then the idle session will be disconnected after - ClientAliveInterval * ClientAliveCountMax seconds. + If the option is set to a number greater than 0, then the session will be disconnected after + ClientAliveInterval * ClientAliveCountMax seconds witout receiving a keep alive message. diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml index a02fa8f40db..55011ab66a7 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml @@ -10,10 +10,10 @@ description: |- during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not - receive a response from the client, then the connection is considered idle + receive a response from the client, then the connection is considered unresponsive and terminated. - To ensure the SSH idle timeout occurs precisely when the + To ensure the SSH timeout occurs precisely when the ClientAliveInterval is set, set the ClientAliveCountMax to value of 0 in {{{ sshd_config_file() }}} @@ -73,7 +73,7 @@ ocil: |- If properly configured, the output should be:
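Review bot: The new OCIL sentence in sshd_set_keepalive/rule.yml misspells "without": `ClientAliveInterval * ClientAliveCountMax seconds witout receiving a keep alive message.` should read `ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message.` The same sentence added to this file's description hunk is spelled correctly, so the two renderings of the rule text now differ. The ocil block starts before this hunk.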
ClientAliveCountMax 0
- In this case, the SSH idle timeout occurs precisely when + In this case, the SSH timeout occurs precisely when the ClientAliveInterval is set. template: From 587cec666b6379995e38a90bcd0ed86bbf4bd3e3 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 8 Nov 2022 14:27:50 +0100 Subject: [PATCH 3/7] Add tests to check for configuration conflicts --- .../sshd_set_keepalive/tests/param_conflict.fail.sh | 11 +++++++++++ .../tests/param_conflict_directory.fail.sh | 13 +++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh new file mode 100644 index 00000000000..54441cbb5b6 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +mkdir -p /etc/ssh/sshd_config.d +touch /etc/ssh/sshd_config.d/nothing + +if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +fi + +echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config +echo "ClientAliveCountMax 1" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh new file mode 100644 index 00000000000..aa6931cc243 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh 
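Review bot: The cleanup in param_conflict.fail.sh is case-sensitive where the deletion is not: `grep -q "^\s*ClientAliveCountMax"` gates a `sed ... /Id`, so a pre-existing entry written in another case (sshd keywords are case-insensitive, and this rule's OVAL regex uses `(?i)`) is neither detected nor removed and the fixture becomes dependent on the image's prior state. Use `grep -qi "^\s*ClientAliveCountMax"` in the guard, or drop the guard altogether since `sed -i` on files with no match is a no-op. The same pattern is repeated in param_conflict_directory.fail.sh (patch 3) and in sshd_set_idle_timeout/tests/param_conflict.fail.sh (patch 5). None of the scripts state which value of var_sshd_set_keepalive they expect the scan to run with, so the fail outcome presumably relies on the variable's default; pinning it in the scenario header would make the expectation explicit.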
@@ -0,0 +1,13 @@ +#!/bin/bash + +# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 + +mkdir -p /etc/ssh/sshd_config.d +touch /etc/ssh/sshd_config.d/nothing + +if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +fi + +echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/good_config.conf +echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/bad_config.conf From d07a7f33cc5dd486d5d56ce71b90118366b68091 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 8 Nov 2022 17:09:16 +0100 Subject: [PATCH 4/7] Check all instances of ClientAliveCountMax The rule was only checking the first occurence of ClientAliveCountMax, but we need to check that all and any occurrences of ClientAliveCountMax are compliant. --- .../services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml index 5e07d982821..404c36c8dbc 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml @@ -49,7 +49,7 @@ /etc/ssh/sshd_config ^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$ - 1 + 1 {{%- if sshd_distributed_config == "true" %}} Date: Tue, 8 Nov 2022 17:40:26 +0100 Subject: [PATCH 5/7] Add test to check for configuration conflicts Add test for non distributed ssh config conflicts for ClientAliveInterval. --- .../tests/param_conflict.fail.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh 
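Review bot: Only the /etc/ssh/sshd_config object is changed in this hunk (the diffstat reports one insertion and one deletion), while the distributed-config object opened by `{{%- if sshd_distributed_config == "true" %}}` begins after the hunk ends and is left as it was. If that object selects a single instance the way the replaced line did, conflicting values under /etc/ssh/sshd_config.d — exactly the situation param_conflict_directory.fail.sh from patch 3 sets up — would still be evaluated on the first occurrence only; please confirm, or apply the same instance selection there. As rendered here the XML element markup of the changed line has been stripped, so the exact attribute change cannot be verified from this page.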
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh new file mode 100644 index 00000000000..1e14aa3da36 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +mkdir -p /etc/ssh/sshd_config.d +touch /etc/ssh/sshd_config.d/nothing + +if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +fi +if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +fi + +echo "ClientAliveInterval 6000" >> /etc/ssh/sshd_config +echo "ClientAliveInterval 200" >> /etc/ssh/sshd_config +echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config From c19d5400bd3ded71aae9175f27361065c962069e Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Tue, 8 Nov 2022 17:41:19 +0100 Subject: [PATCH 6/7] Change verbiage on idle timeout rule The config is not really about idle user timeout, the config is about unresponsive network timeout. --- .../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml index aa085894f61..c5606aac557 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml 
@@ -1,12 +1,12 @@ documentation_complete: true -title: 'Set SSH Idle Timeout Interval' +title: 'Set SSH Client Alive Interval' description: |- - SSH allows administrators to set an idle timeout interval. After this interval - has passed, the idle user will be automatically logged out. + SSH allows administrators to set a network responsiveness timeout interval. + After this interval has passed, the unresponsive client will be automatically logged out.

- To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as + To set this timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}


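Review bot: The new description says that after ClientAliveInterval "the unresponsive client will be automatically logged out", but the dependency warning changed later in this same patch states the disconnect has no effect without ClientAliveCountMax also being configured, and the sibling sshd_set_keepalive rule describes the disconnect as happening after ClientAliveInterval * ClientAliveCountMax seconds. Suggest qualifying the sentence: `After this interval has passed without a response, and the number of unanswered messages configured by ClientAliveCountMax has been reached, the unresponsive client will be automatically logged out.` The description block continues past the end of this hunk.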
@@ -15,7 +15,7 @@ description: |-

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that - some processes may stop SSH from correctly detecting that the user is idle. + some processes may stop SSH from correctly detecting that the user is idle. rationale: |- Terminating an idle ssh session within a short time period reduces the window of @@ -81,7 +81,7 @@ ocil: |- warnings: - dependency: |- - SSH disconnecting idle clients will not have desired effect without also + SSH disconnecting unresponsive clients will not have desired effect without also configuring ClientAliveCountMax in the SSH service configuration. - general: |- Following conditions may prevent the SSH session to time out: From 86b1a6147582c896e1bb49a0649493eeec37a8d4 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 9 Nov 2022 11:31:50 +0100 Subject: [PATCH 7/7] Update profile stability test data --- tests/data/profile_stability/rhel8/stig.profile | 3 ++- tests/data/profile_stability/rhel8/stig_gui.profile | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index cadc3f5fc7a..51971451996 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -371,7 +371,7 @@ selections: - sshd_print_last_log - sshd_rekey_limit - sshd_set_idle_timeout -- sshd_set_keepalive_0 +- sshd_set_keepalive - sshd_use_strong_rng - sshd_x11_use_localhost - sssd_certificate_verification @@ -441,6 +441,7 @@ selections: - var_password_pam_ucredit=1 - var_password_pam_lcredit=1 - var_password_pam_retry=3 +- var_sshd_set_keepalive=1 - sshd_approved_macs=stig - sshd_approved_ciphers=stig - sshd_idle_timeout_value=10_minutes diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index bde4e18b068..fd150744167 100644 
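Review bot: The commit sets out to drop the "idle user" wording, yet the rationale line visible as context, `Terminating an idle ssh session within a short time period reduces the window of`, keeps it, and the changed pair `some processes may stop SSH from correctly detecting that the user is idle.` is textually identical on both sides — presumably a trailing-whitespace change — so that sentence still says "idle" too. Consider `Terminating an unresponsive ssh session within a short time period reduces the window of` and `some processes may stop SSH from correctly detecting that the client is unresponsive.` The rationale block begins and ends outside this hunk. Keeping the rule and variable identifiers (sshd_set_idle_timeout, sshd_idle_timeout_value) unchanged is reasonable, since profiles select them by name.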
--- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -381,7 +381,7 @@ selections: - sshd_print_last_log - sshd_rekey_limit - sshd_set_idle_timeout -- sshd_set_keepalive_0 +- sshd_set_keepalive - sshd_use_strong_rng - sshd_x11_use_localhost - sssd_certificate_verification @@ -449,6 +449,7 @@ selections: - var_password_pam_ucredit=1 - var_password_pam_lcredit=1 - var_password_pam_retry=3 +- var_sshd_set_keepalive=1 - sshd_approved_macs=stig - sshd_approved_ciphers=stig - sshd_idle_timeout_value=10_minutes