From: Rui Bernardino rui-p-bernardino@telecom.pt
Signed-off-by: Rui Bernardino rui-p-bernardino@telecom.pt --- Fedora/input/fixes/bash/sshd_disable_rhosts.sh | 1 + .../fixes/bash/sshd_do_not_permit_user_env.sh | 1 + .../input/fixes/bash/sshd_enable_warning_banner.sh | 1 + .../input/fixes/bash/sshd_use_approved_ciphers.sh | 1 + .../fixes/bash/sshd_disable_empty_passwords.sh | 6 +-- RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh | 6 +-- RHEL/6/input/fixes/bash/sshd_disable_root_login.sh | 6 +-- .../fixes/bash/sshd_do_not_permit_user_env.sh | 6 +-- .../input/fixes/bash/sshd_enable_warning_banner.sh | 6 +-- RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh | 9 +--- RHEL/6/input/fixes/bash/sshd_set_keepalive.sh | 6 +-- .../input/fixes/bash/sshd_use_approved_ciphers.sh | 6 +-- .../fixes/bash/sshd_disable_empty_passwords.sh | 6 +-- RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh | 6 +-- RHEL/7/input/fixes/bash/sshd_disable_root_login.sh | 6 +-- .../fixes/bash/sshd_do_not_permit_user_env.sh | 6 +-- .../input/fixes/bash/sshd_enable_warning_banner.sh | 6 +-- RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh | 9 +--- RHEL/7/input/fixes/bash/sshd_set_keepalive.sh | 6 +-- .../input/fixes/bash/sshd_use_approved_ciphers.sh | 6 +-- shared/fixes/bash/sshd_disable_empty_passwords.sh | 42 ++++++++------- shared/fixes/bash/sshd_disable_rhosts.sh | 57 ++++++++++++++++++++ shared/fixes/bash/sshd_disable_root_login.sh | 42 ++++++++------- shared/fixes/bash/sshd_do_not_permit_user_env.sh | 57 ++++++++++++++++++++ shared/fixes/bash/sshd_enable_warning_banner.sh | 57 ++++++++++++++++++++ shared/fixes/bash/sshd_set_idle_timeout.sh | 43 ++++++++------- shared/fixes/bash/sshd_set_keepalive.sh | 42 ++++++++------- shared/fixes/bash/sshd_use_approved_ciphers.sh | 57 ++++++++++++++++++++ 28 files changed, 337 insertions(+), 166 deletions(-) create mode 120000 Fedora/input/fixes/bash/sshd_disable_rhosts.sh create mode 120000 Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh create mode 120000 
Fedora/input/fixes/bash/sshd_enable_warning_banner.sh create mode 120000 Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_root_login.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_set_keepalive.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_root_login.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_set_keepalive.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh create mode 100755 shared/fixes/bash/sshd_disable_rhosts.sh create mode 100755 shared/fixes/bash/sshd_do_not_permit_user_env.sh create mode 100755 shared/fixes/bash/sshd_enable_warning_banner.sh create mode 100755 shared/fixes/bash/sshd_use_approved_ciphers.sh
diff --git a/Fedora/input/fixes/bash/sshd_disable_rhosts.sh b/Fedora/input/fixes/bash/sshd_disable_rhosts.sh
new file mode 120000
index 0000000..94579fe
--- /dev/null
+++ b/Fedora/input/fixes/bash/sshd_disable_rhosts.sh
@@ -0,0 +1 @@
+../../../../shared/fixes/bash/sshd_disable_rhosts.sh
\ No newline at end of file
diff --git a/Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh b/Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh
new file mode 120000
index 0000000..1e39646
--- /dev/null
+++ b/Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh
@@ -0,0 +1 @@
+../../../../shared/fixes/bash/sshd_do_not_permit_user_env.sh
\ No newline at end of file
diff --git a/Fedora/input/fixes/bash/sshd_enable_warning_banner.sh b/Fedora/input/fixes/bash/sshd_enable_warning_banner.sh
new file mode 120000
index 0000000..a7707eb
--- /dev/null
+++ b/Fedora/input/fixes/bash/sshd_enable_warning_banner.sh
@@ -0,0 +1 @@
+../../../../shared/fixes/bash/sshd_enable_warning_banner.sh
\ No newline at end of file
diff --git a/Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh b/Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh
new file mode 120000
index 0000000..dfec454
--- /dev/null
+++ b/Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh
@@ -0,0 +1 @@
+../../../../shared/fixes/bash/sshd_use_approved_ciphers.sh
\ No newline at end of file
diff --git a/RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh b/RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh
deleted file mode 100644
index f71fff1..0000000
--- a/RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -q ^PermitEmptyPasswords /etc/ssh/sshd_config && \
- sed -i "s/PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh b/RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh
new file mode 120000
index 0000000..802aa84
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_disable_empty_passwords.sh
\ No newline at end of file
diff --git a/RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh b/RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh
deleted file mode 100644
index 24d22db..0000000
--- a/RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -q ^IgnoreRhosts /etc/ssh/sshd_config && \
- sed -i "s/IgnoreRhosts.*/IgnoreRhosts yes/g" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh b/RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh
new file mode 120000
index 0000000..8c5c07c
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_disable_rhosts.sh
\ No newline at end of file
diff --git a/RHEL/6/input/fixes/bash/sshd_disable_root_login.sh b/RHEL/6/input/fixes/bash/sshd_disable_root_login.sh
deleted file mode 100644
index ffd8262..0000000
--- a/RHEL/6/input/fixes/bash/sshd_disable_root_login.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -q ^PermitRootLogin /etc/ssh/sshd_config && \
- sed -i "s/PermitRootLogin.*/PermitRootLogin no/g" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "PermitRootLogin "no >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/6/input/fixes/bash/sshd_disable_root_login.sh b/RHEL/6/input/fixes/bash/sshd_disable_root_login.sh
new file mode 120000
index 0000000..928937f
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/sshd_disable_root_login.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_disable_root_login.sh
\ No newline at end of file
diff --git a/RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh b/RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh
deleted file mode 100644
index b886e3c..0000000
--- a/RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -q ^PermitUserEnvironment /etc/ssh/sshd_config && \
- sed -i "s/PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh b/RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh
new file mode 120000
index 0000000..fef5614
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_do_not_permit_user_env.sh
\ No newline at end of file
diff --git a/RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh b/RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh
deleted file mode 100644
index b1ad28f..0000000
--- a/RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -q ^Banner /etc/ssh/sshd_config && \
- sed -i "s/Banner.*/Banner /etc/issue/g" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "Banner /etc/issue" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh b/RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh
new file mode 120000
index 0000000..7fbbfc8
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_enable_warning_banner.sh
\ No newline at end of file
diff --git a/RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh b/RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh
deleted file mode 100644
index 0a2d226..0000000
--- a/RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-source ./templates/support.sh
-populate sshd_idle_timeout_value
-
-grep -q ^ClientAliveInterval /etc/ssh/sshd_config && \
- sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/g" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "ClientAliveInterval $sshd_idle_timeout_value" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh b/RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh
new file mode 120000
index 0000000..308dbb3
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_set_idle_timeout.sh
\ No newline at end of file
diff --git a/RHEL/6/input/fixes/bash/sshd_set_keepalive.sh b/RHEL/6/input/fixes/bash/sshd_set_keepalive.sh
deleted file mode 100644
index d54ba21..0000000
--- a/RHEL/6/input/fixes/bash/sshd_set_keepalive.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -q ^ClientAliveCountMax /etc/ssh/sshd_config && \
- sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/g" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/6/input/fixes/bash/sshd_set_keepalive.sh b/RHEL/6/input/fixes/bash/sshd_set_keepalive.sh
new file mode 120000
index 0000000..d01ccd3
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/sshd_set_keepalive.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_set_keepalive.sh
\ No newline at end of file
diff --git a/RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh b/RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh
deleted file mode 100644
index a00eb95..0000000
--- a/RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -q ^Ciphers /etc/ssh/sshd_config && \
- sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc/g" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh b/RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh
new file mode 120000
index 0000000..5dc9592
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_use_approved_ciphers.sh
\ No newline at end of file
diff --git a/RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh b/RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh
deleted file mode 100644
index c28fc77..0000000
--- a/RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -qi ^PermitEmptyPasswords /etc/ssh/sshd_config && \
- sed -i "s/PermitEmptyPasswords.*/PermitEmptyPasswords no/gI" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh b/RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh
new file mode 120000
index 0000000..802aa84
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_disable_empty_passwords.sh
\ No newline at end of file
diff --git a/RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh b/RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh
deleted file mode 100644
index e87e3c1..0000000
--- a/RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -qi ^IgnoreRhosts /etc/ssh/sshd_config && \
- sed -i "s/IgnoreRhosts.*/IgnoreRhosts yes/gI" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh b/RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh
new file mode 120000
index 0000000..8c5c07c
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_disable_rhosts.sh
\ No newline at end of file
diff --git a/RHEL/7/input/fixes/bash/sshd_disable_root_login.sh b/RHEL/7/input/fixes/bash/sshd_disable_root_login.sh
deleted file mode 100644
index e8b65aa..0000000
--- a/RHEL/7/input/fixes/bash/sshd_disable_root_login.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -qi ^PermitRootLogin /etc/ssh/sshd_config && \
- sed -i "s/PermitRootLogin.*/PermitRootLogin no/gI" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "PermitRootLogin "no >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/7/input/fixes/bash/sshd_disable_root_login.sh b/RHEL/7/input/fixes/bash/sshd_disable_root_login.sh
new file mode 120000
index 0000000..928937f
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/sshd_disable_root_login.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_disable_root_login.sh
\ No newline at end of file
diff --git a/RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh b/RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh
deleted file mode 100644
index fb3f545..0000000
--- a/RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -qi ^PermitUserEnvironment /etc/ssh/sshd_config && \
- sed -i "s/PermitUserEnvironment.*/PermitUserEnvironment no/gI" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh b/RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh
new file mode 120000
index 0000000..fef5614
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_do_not_permit_user_env.sh
\ No newline at end of file
diff --git a/RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh b/RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh
deleted file mode 100644
index 24a385b..0000000
--- a/RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -qi ^Banner /etc/ssh/sshd_config && \
- sed -i "s/Banner.*/Banner /etc/issue/gI" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "Banner /etc/issue" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh b/RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh
new file mode 120000
index 0000000..7fbbfc8
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_enable_warning_banner.sh
\ No newline at end of file
diff --git a/RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh b/RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh
deleted file mode 100644
index c491057..0000000
--- a/RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-source ./templates/support.sh
-populate sshd_idle_timeout_value
-
-grep -qi ^ClientAliveInterval /etc/ssh/sshd_config && \
- sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/gI" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "ClientAliveInterval $sshd_idle_timeout_value" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh b/RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh
new file mode 120000
index 0000000..308dbb3
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_set_idle_timeout.sh
\ No newline at end of file
diff --git a/RHEL/7/input/fixes/bash/sshd_set_keepalive.sh b/RHEL/7/input/fixes/bash/sshd_set_keepalive.sh
deleted file mode 100644
index 17b83ec..0000000
--- a/RHEL/7/input/fixes/bash/sshd_set_keepalive.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -qi ^ClientAliveCountMax /etc/ssh/sshd_config && \
- sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/gI" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/7/input/fixes/bash/sshd_set_keepalive.sh b/RHEL/7/input/fixes/bash/sshd_set_keepalive.sh
new file mode 120000
index 0000000..d01ccd3
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/sshd_set_keepalive.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_set_keepalive.sh
\ No newline at end of file
diff --git a/RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh b/RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh
deleted file mode 100644
index 264553f..0000000
--- a/RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-grep -qi ^Ciphers /etc/ssh/sshd_config && \
- sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc/gI" /etc/ssh/sshd_config
-if ! [ $? -eq 0 ]; then
- echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" >> /etc/ssh/sshd_config
-fi
diff --git a/RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh b/RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh
new file mode 120000
index 0000000..5dc9592
--- /dev/null
+++ b/RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh
@@ -0,0 +1 @@
+../../../../../shared/fixes/bash/sshd_use_approved_ciphers.sh
\ No newline at end of file
diff --git a/shared/fixes/bash/sshd_disable_empty_passwords.sh b/shared/fixes/bash/sshd_disable_empty_passwords.sh
index 0a5adfa..d075ec3 100755
--- a/shared/fixes/bash/sshd_disable_empty_passwords.sh
+++ b/shared/fixes/bash/sshd_disable_empty_passwords.sh
@@ -1,55 +1,57 @@
SSHD_CONFIG='/etc/ssh/sshd_config' +TOKEN='PermitEmptyPasswords' +VALUE='no'
# Obtain line number of first uncommented case-insensitive occurrence of Match # block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of -# PermitEmptyPasswords directive (possibly prefixed with whitespace) present in +# Banner directive (possibly prefixed with whitespace) present in # $SSHD_CONFIG -FIRST_PERMIT_EMPTY_PASSWORDS=$(sed -n '/^[[:space:]]*PermitEmptyPasswords[^\n]*/I{=;q}' $SSHD_CONFIG) +FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG if [ -z "$FIRST_MATCH_BLOCK" ] then
- # Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet - if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ] + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] then - # Append 'PermitEmptyPasswords no' at the end of $SSHD_CONFIG - echo -e "\nPermitEmptyPasswords no" >> $SSHD_CONFIG + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG
- # Case: PermitEmptyPasswords directive present in $SSHD_CONFIG already + # Case: Banner directive present in $SSHD_CONFIG already else # Replace first uncommented case-insensitive occurrence - # of PermitEmptyPasswords directive - sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG fi
# Case: Match block directive present in $SSHD_CONFIG else
- # Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet - if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ] + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] then - # Prepend 'PermitEmptyPasswords no' before first uncommented + # Prepend 'TOKEN VALUE' before first uncommented # case-insensitive occurrence of Match block directive - sed -i "$FIRST_MATCH_BLOCK s/^([[:space:]]*Match[^\n]*)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG
- # Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed + # Case: Banner directive present in $SSHD_CONFIG and placed # before first Match block directive - elif [ "$FIRST_PERMIT_EMPTY_PASSWORDS" -lt "$FIRST_MATCH_BLOCK" ] + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] then # Replace first uncommented case-insensitive occurrence - # of PermitEmptyPasswords directive - sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG
- # Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed + # Case: Banner directive present in $SSHD_CONFIG and placed # after first Match block directive else - # Prepend 'PermitEmptyPasswords no' before first uncommented + # Prepend 'TOKEN VALUE' before first uncommented # case-insensitive occurrence of Match block directive - sed -i "$FIRST_MATCH_BLOCK s/^([[:space:]]*Match[^\n]*)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG fi fi diff --git a/shared/fixes/bash/sshd_disable_rhosts.sh b/shared/fixes/bash/sshd_disable_rhosts.sh new file mode 100755 index 0000000..4e78e71 --- /dev/null +++ b/shared/fixes/bash/sshd_disable_rhosts.sh 
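Review bot: The new `FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" $SSHD_CONFIG)` swaps the old `/…/I{=;q}` address for a `|`-delimited one, but sed only accepts an alternative address delimiter when it is introduced by a backslash, so the script is rejected as an unknown command and `FIRST_TOKEN` is always empty (the error goes to stderr and the script carries on). Every run then takes the "directive not present" branch and appends or prepends a fresh `PermitEmptyPasswords no` line instead of replacing the existing one; because sshd uses the first value it reads for a keyword, a pre-existing `PermitEmptyPasswords yes` earlier in the file stays in effect while the remediation appears to have succeeded. The fix is `FIRST_TOKEN=$(sed -n "\|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" $SSHD_CONFIG)`. The same line appears in the sshd_disable_rhosts.sh, sshd_disable_root_login.sh, sshd_do_not_permit_user_env.sh and sshd_enable_warning_banner.sh hunks.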
@@ -0,0 +1,57 @@ + +SSHD_CONFIG='/etc/ssh/sshd_config' +TOKEN='IgnoreRhosts' +VALUE='yes' + +# Obtain line number of first uncommented case-insensitive occurrence +of Match # block directive (possibly prefixed with whitespace) present +in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n +'/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# Banner directive (possibly prefixed with whitespace) present in # +$SSHD_CONFIG FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" +$SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG if [ -z +"$FIRST_MATCH_BLOCK" ] then + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN $VALUE|I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG else + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # after first Match block directive + else + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i 
"$FIRST_MATCH_BLOCK s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + fi +fi diff --git a/shared/fixes/bash/sshd_disable_root_login.sh b/shared/fixes/bash/sshd_disable_root_login.sh index 5b05d53..1e1af5f 100755 --- a/shared/fixes/bash/sshd_disable_root_login.sh +++ b/shared/fixes/bash/sshd_disable_root_login.sh @@ -1,55 +1,57 @@
SSHD_CONFIG='/etc/ssh/sshd_config' +TOKEN='PermitRootLogin' +VALUE='no'
# Obtain line number of first uncommented case-insensitive occurrence of Match # block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of -# PermitRootLogin directive (possibly prefixed with whitespace) present in +# Banner directive (possibly prefixed with whitespace) present in # $SSHD_CONFIG -FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG) +FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG if [ -z "$FIRST_MATCH_BLOCK" ] then
- # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet - if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ] + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] then - # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG - echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG
- # Case: PermitRootLogin directive present in $SSHD_CONFIG already + # Case: Banner directive present in $SSHD_CONFIG already else # Replace first uncommented case-insensitive occurrence - # of PermitRootLogin directive - sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG fi
# Case: Match block directive present in $SSHD_CONFIG else
- # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet - if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ] + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] then - # Prepend 'PermitRootLogin no' before first uncommented + # Prepend 'TOKEN VALUE' before first uncommented # case-insensitive occurrence of Match block directive - sed -i "$FIRST_MATCH_BLOCK s/^([[:space:]]*Match[^\n]*)/PermitRootLogin no\n\1/I" $SSHD_CONFIG + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG
- # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed + # Case: Banner directive present in $SSHD_CONFIG and placed # before first Match block directive - elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ] + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] then # Replace first uncommented case-insensitive occurrence - # of PermitRootLogin directive - sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG
- # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed + # Case: Banner directive present in $SSHD_CONFIG and placed # after first Match block directive else - # Prepend 'PermitRootLogin no' before first uncommented + # Prepend 'TOKEN VALUE' before first uncommented # case-insensitive occurrence of Match block directive - sed -i "$FIRST_MATCH_BLOCK s/^([[:space:]]*Match[^\n]*)/PermitRootLogin no\n\1/I" $SSHD_CONFIG + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG fi fi diff --git a/shared/fixes/bash/sshd_do_not_permit_user_env.sh b/shared/fixes/bash/sshd_do_not_permit_user_env.sh new file mode 100755 index 0000000..5b1467b --- /dev/null +++ b/shared/fixes/bash/sshd_do_not_permit_user_env.sh 
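Review bot: The rewritten comments in this hunk describe a "Banner directive" (`# Banner directive (possibly prefixed with whitespace) present in`, `# Case: Banner directive not present in $SSHD_CONFIG yet` and four more) while the script sets `TOKEN='PermitRootLogin'`; the wording looks copied from the banner template and misdescribes every branch of a file whose purpose is disabling root login. Since the body is now generic, phrase the comments in terms of the variable, e.g. `# Case: $TOKEN directive not present in $SSHD_CONFIG yet` and `# of the $TOKEN directive`, so they stay correct in every copy. The same copied wording is in the sshd_disable_empty_passwords.sh, sshd_disable_rhosts.sh and sshd_do_not_permit_user_env.sh hunks.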
@@ -0,0 +1,57 @@ + +SSHD_CONFIG='/etc/ssh/sshd_config' +TOKEN='PermitUserEnvironment' +VALUE='no' + +# Obtain line number of first uncommented case-insensitive occurrence +of Match # block directive (possibly prefixed with whitespace) present +in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n +'/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# Banner directive (possibly prefixed with whitespace) present in # +$SSHD_CONFIG FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" +$SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG if [ -z +"$FIRST_MATCH_BLOCK" ] then + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN $VALUE|I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG else + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # after first Match block directive + else + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed 
-i "$FIRST_MATCH_BLOCK s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + fi +fi diff --git a/shared/fixes/bash/sshd_enable_warning_banner.sh b/shared/fixes/bash/sshd_enable_warning_banner.sh new file mode 100755 index 0000000..10da269 --- /dev/null +++ b/shared/fixes/bash/sshd_enable_warning_banner.sh 
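Review bot: Apart from the `TOKEN='PermitUserEnvironment'` and `VALUE='no'` assignments at the top, the body of this new file is byte-for-byte the same as sshd_disable_rhosts.sh, sshd_enable_warning_banner.sh and the three rewritten shared scripts, so any correction to the sed expressions has to be repeated in at least five places. Moving the Match-block placement logic into one function (say `set_sshd_directive "$TOKEN" "$VALUE"`) in ./templates/support.sh, which sshd_set_idle_timeout.sh already sources, would leave each per-directive script as the two assignments plus the call. While at it, `$SSHD_CONFIG` is expanded unquoted on every sed and echo line; `"$SSHD_CONFIG"` costs nothing and matches the quoting already used for `"$FIRST_TOKEN"` in the tests.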
@@ -0,0 +1,57 @@ + +SSHD_CONFIG='/etc/ssh/sshd_config' +TOKEN='Banner' +VALUE='/etc/issue' + +# Obtain line number of first uncommented case-insensitive occurrence +of Match # block directive (possibly prefixed with whitespace) present +in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n +'/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# Banner directive (possibly prefixed with whitespace) present in # +$SSHD_CONFIG FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" +$SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG if [ -z +"$FIRST_MATCH_BLOCK" ] then + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN $VALUE|I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG else + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # after first Match block directive + else + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i 
"$FIRST_MATCH_BLOCK s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + fi +fi diff --git a/shared/fixes/bash/sshd_set_idle_timeout.sh b/shared/fixes/bash/sshd_set_idle_timeout.sh index 306476c..f83a4ad 100755 --- a/shared/fixes/bash/sshd_set_idle_timeout.sh +++ b/shared/fixes/bash/sshd_set_idle_timeout.sh @@ -1,57 +1,60 @@ + source ./templates/support.sh populate sshd_idle_timeout_value
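Review bot: Both Match-block insert branches run `s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I` without `-r`/`-E`, so in sed's default BRE the parentheses are literal characters and `\1` names a group that does not exist; GNU sed aborts with "invalid reference \1 on `s' command's RHS" and the Banner line is never placed before the Match block. The pre-existing `s/^(…)/…\1/I` form had the same defect, but this hunk rewrites the line and carries it over. No regex is needed to insert before a known line number: `sed -i "${FIRST_MATCH_BLOCK}i $TOKEN $VALUE" "$SSHD_CONFIG"` puts the directive on its own line immediately before the first Match block and leaves that line untouched. The ClientAliveInterval, ClientAliveCountMax and Ciphers hunks contain the same two lines.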
SSHD_CONFIG='/etc/ssh/sshd_config' +TOKEN='ClientAliveInterval' +VALUE="$sshd_idle_timeout_value"
# Obtain line number of first uncommented case-insensitive occurrence of Match # block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of -# ClientAliveInterval directive (possibly prefixed with whitespace) present in +# Banner directive (possibly prefixed with whitespace) present in # $SSHD_CONFIG -FIRST_CLIENT_ALIVE_INTERVAL=$(sed -n '/^[[:space:]]*ClientAliveInterval[^\n]*/I{=;q}' $SSHD_CONFIG) +FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG if [ -z "$FIRST_MATCH_BLOCK" ] then
- # Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet - if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ] + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] then - # Append 'ClientAliveInterval $sshd_idle_timeout_value' at the end of $SSHD_CONFIG - echo -e "\nClientAliveInterval $sshd_idle_timeout_value" >> $SSHD_CONFIG + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG
- # Case: ClientAliveInterval directive present in $SSHD_CONFIG already + # Case: Banner directive present in $SSHD_CONFIG already else # Replace first uncommented case-insensitive occurrence - # of ClientAliveInterval directive - sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG fi
# Case: Match block directive present in $SSHD_CONFIG else
- # Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet - if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ] + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] then - # Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented + # Prepend 'TOKEN VALUE' before first uncommented # case-insensitive occurrence of Match block directive - sed -i "$FIRST_MATCH_BLOCK s/^([[:space:]]*Match[^\n]*)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG
- # Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed + # Case: Banner directive present in $SSHD_CONFIG and placed # before first Match block directive - elif [ "$FIRST_CLIENT_ALIVE_INTERVAL" -lt "$FIRST_MATCH_BLOCK" ] + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] then # Replace first uncommented case-insensitive occurrence - # of ClientAliveInterval directive - sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG
- # Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed + # Case: Banner directive present in $SSHD_CONFIG and placed # after first Match block directive else - # Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented + # Prepend 'TOKEN VALUE' before first uncommented # case-insensitive occurrence of Match block directive - sed -i "$FIRST_MATCH_BLOCK s/^([[:space:]]*Match[^\n]*)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG fi fi diff --git a/shared/fixes/bash/sshd_set_keepalive.sh b/shared/fixes/bash/sshd_set_keepalive.sh index 35754da..ec359e0 100755 --- a/shared/fixes/bash/sshd_set_keepalive.sh +++ b/shared/fixes/bash/sshd_set_keepalive.sh @@ -1,55 +1,57 @@
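Review bot: `VALUE="$sshd_idle_timeout_value"` is written into sshd_config with no check on what `populate` produced; if the variable is empty or non-numeric the script emits `ClientAliveInterval ` (or garbage) and sshd rejects the file on its next reload, turning a hardening step into a loss of remote administration. A guard right after the assignment, `[[ "$VALUE" =~ ^[0-9]+$ ]] || { echo "sshd_idle_timeout_value must be an integer" >&2; exit 1; }`, keeps a bad value out of the config; `populate` lives in templates/support.sh outside this hunk, so whatever it guarantees is not visible here. This hunk also replaces comments that correctly named ClientAliveInterval with ones that say Banner; `# $TOKEN directive` would read correctly in every file built from this template.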
SSHD_CONFIG='/etc/ssh/sshd_config' +TOKEN='ClientAliveCountMax' +VALUE='0'
# Obtain line number of first uncommented case-insensitive occurrence of Match # block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of -# ClientAliveCountMax directive (possibly prefixed with whitespace) present in +# Banner directive (possibly prefixed with whitespace) present in # $SSHD_CONFIG -FIRST_CLIENT_ALIVE_COUNT_MAX=$(sed -n '/^[[:space:]]*ClientAliveCountMax[^\n]*/I{=;q}' $SSHD_CONFIG) +FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG if [ -z "$FIRST_MATCH_BLOCK" ] then
- # Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet - if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ] + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] then - # Append 'ClientAliveCountMax 0' at the end of $SSHD_CONFIG - echo -e "\nClientAliveCountMax 0" >> $SSHD_CONFIG + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG
- # Case: ClientAliveCountMax directive present in $SSHD_CONFIG already + # Case: Banner directive present in $SSHD_CONFIG already else # Replace first uncommented case-insensitive occurrence - # of ClientAliveCountMax directive - sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG fi
# Case: Match block directive present in $SSHD_CONFIG else
- # Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet - if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ] + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] then - # Prepend 'ClientAliveCountMax 0' before first uncommented + # Prepend 'TOKEN VALUE' before first uncommented # case-insensitive occurrence of Match block directive - sed -i "$FIRST_MATCH_BLOCK s/^([[:space:]]*Match[^\n]*)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG
- # Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed + # Case: Banner directive present in $SSHD_CONFIG and placed # before first Match block directive - elif [ "$FIRST_CLIENT_ALIVE_COUNT_MAX" -lt "$FIRST_MATCH_BLOCK" ] + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] then # Replace first uncommented case-insensitive occurrence - # of ClientAliveCountMax directive - sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG
- # Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed + # Case: Banner directive present in $SSHD_CONFIG and placed # after first Match block directive else - # Prepend 'ClientAliveCountMax 0' before first uncommented + # Prepend 'TOKEN VALUE' before first uncommented # case-insensitive occurrence of Match block directive - sed -i "$FIRST_MATCH_BLOCK s/^([[:space:]]*Match[^\n]*)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG fi fi diff --git a/shared/fixes/bash/sshd_use_approved_ciphers.sh b/shared/fixes/bash/sshd_use_approved_ciphers.sh new file mode 100755 index 0000000..8f37363 --- /dev/null +++ b/shared/fixes/bash/sshd_use_approved_ciphers.sh 
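Review bot: In the last Match-block branch (FIRST_TOKEN after FIRST_MATCH_BLOCK) the new global `ClientAliveCountMax 0` is inserted before the Match block while the existing occurrence inside that block is left in place; for connections that satisfy the Match criteria sshd applies the Match-scoped value, so the old setting presumably keeps winning for exactly those sessions. If that is intended, the `else` branch deserves a comment such as `# NOTE: an occurrence inside a Match block is left as-is and still overrides this value for matching connections`; otherwise the branch should also rewrite, or at least report, the Match-scoped line. The comment regression from ClientAliveCountMax to "Banner" is the same as in the ClientAliveInterval hunk.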
@@ -0,0 +1,57 @@ + +SSHD_CONFIG='/etc/ssh/sshd_config' +TOKEN='Ciphers' +VALUE='aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' + +# Obtain line number of first uncommented case-insensitive occurrence +of Match # block directive (possibly prefixed with whitespace) present +in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n +'/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# Banner directive (possibly prefixed with whitespace) present in # +$SSHD_CONFIG FIRST_TOKEN=$(sed -n "|^[[:space:]]*$TOKEN[^\n]*|I{=;q}" +$SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG if [ -z +"$FIRST_MATCH_BLOCK" ] then + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Append 'TOKEN VALUE' at the end of $SSHD_CONFIG + echo -e "\n$TOKEN $VALUE" >> $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN $VALUE|I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG else + + # Case: Banner directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_TOKEN" ] + then + # Prepend 'TOKEN VALUE' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK + s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_TOKEN" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of Banner directive + sed -i "$FIRST_TOKEN s|^[[:space:]]*${TOKEN}.*$|$TOKEN + $VALUE|I" $SSHD_CONFIG + + # Case: Banner directive present in $SSHD_CONFIG and placed + # after first Match block directive + else + # Prepend 'TOKEN VALUE' before first uncommented + # 
case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s|^([[:space:]]*Match[^\n]*)|$TOKEN $VALUE\n\1|I" $SSHD_CONFIG + fi +fi -- 1.7.1
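Review bot: The VALUE assignment lists the approved cipher set inline with no comment saying which profile it implements; CBC-mode entries (aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc) sit next to the CTR ones, and now that the RHEL/6, RHEL/7 and Fedora copies are symlinks this file is the only place the list lives for three products. A one-line comment above it naming the rule the list backs and where the set comes from would make later changes to it auditable, e.g. `# Cipher list required by the sshd_use_approved_ciphers rule; keep in sync with the rule text`. The comments in this file also describe the Banner directive although TOKEN is Ciphers; `# $TOKEN directive` would fix that here as in the other new files.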
On 5/28/14, 11:55 AM, Rui Pedro Bernardino wrote:
From: Rui Bernardinorui-p-bernardino@telecom.pt
Signed-off-by: Rui Bernardinorui-p-bernardino@telecom.pt
Fedora/input/fixes/bash/sshd_disable_rhosts.sh | 1 + .../fixes/bash/sshd_do_not_permit_user_env.sh | 1 + .../input/fixes/bash/sshd_enable_warning_banner.sh | 1 + .../input/fixes/bash/sshd_use_approved_ciphers.sh | 1 + .../fixes/bash/sshd_disable_empty_passwords.sh | 6 +-- RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh | 6 +-- RHEL/6/input/fixes/bash/sshd_disable_root_login.sh | 6 +-- .../fixes/bash/sshd_do_not_permit_user_env.sh | 6 +-- .../input/fixes/bash/sshd_enable_warning_banner.sh | 6 +-- RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh | 9 +--- RHEL/6/input/fixes/bash/sshd_set_keepalive.sh | 6 +-- .../input/fixes/bash/sshd_use_approved_ciphers.sh | 6 +-- .../fixes/bash/sshd_disable_empty_passwords.sh | 6 +-- RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh | 6 +-- RHEL/7/input/fixes/bash/sshd_disable_root_login.sh | 6 +-- .../fixes/bash/sshd_do_not_permit_user_env.sh | 6 +-- .../input/fixes/bash/sshd_enable_warning_banner.sh | 6 +-- RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh | 9 +--- RHEL/7/input/fixes/bash/sshd_set_keepalive.sh | 6 +-- .../input/fixes/bash/sshd_use_approved_ciphers.sh | 6 +-- shared/fixes/bash/sshd_disable_empty_passwords.sh | 42 ++++++++------- shared/fixes/bash/sshd_disable_rhosts.sh | 57 ++++++++++++++++++++ shared/fixes/bash/sshd_disable_root_login.sh | 42 ++++++++------- shared/fixes/bash/sshd_do_not_permit_user_env.sh | 57 ++++++++++++++++++++ shared/fixes/bash/sshd_enable_warning_banner.sh | 57 ++++++++++++++++++++ shared/fixes/bash/sshd_set_idle_timeout.sh | 43 ++++++++------- shared/fixes/bash/sshd_set_keepalive.sh | 42 ++++++++------- shared/fixes/bash/sshd_use_approved_ciphers.sh | 57 ++++++++++++++++++++ 28 files changed, 337 insertions(+), 166 deletions(-) create mode 120000 Fedora/input/fixes/bash/sshd_disable_rhosts.sh create mode 120000 Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh create mode 120000 Fedora/input/fixes/bash/sshd_enable_warning_banner.sh create mode 120000 
Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_root_login.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_set_keepalive.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_root_login.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_set_keepalive.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh create mode 100755 shared/fixes/bash/sshd_disable_rhosts.sh create mode 100755 shared/fixes/bash/sshd_do_not_permit_user_env.sh create mode 100755 shared/fixes/bash/sshd_enable_warning_banner.sh create mode 100755 shared/fixes/bash/sshd_use_approved_ciphers.sh
Thanks, Rui! Gave a quick review and noted the logic you added to check the various stanzas for where the configuration directives occur (e.g. in sshd_disable_empty_passwords).
The changes are a bit hard to parse as a single patch. Mind breaking this into multiple patches?
Hi,
The patch size is misleading: it's just a simple generalization of Jan Lieskovsky's Fedora sshd_* fixes into shared/ plus a bunch of symlinks. I could try to figure out how to break it up, but I'm not sure it would help.
Thanks
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells Sent: quinta-feira, 29 de Maio de 2014 03:44 To: scap-security-guide@lists.fedorahosted.org Subject: Re: [PATCH 01/01] Several changes in sshd_* fixes (ignore previous)
On 5/28/14, 11:55 AM, Rui Pedro Bernardino wrote:
From: Rui Bernardinorui-p-bernardino@telecom.pt
Signed-off-by: Rui Bernardinorui-p-bernardino@telecom.pt
Fedora/input/fixes/bash/sshd_disable_rhosts.sh | 1 + .../fixes/bash/sshd_do_not_permit_user_env.sh | 1 + .../input/fixes/bash/sshd_enable_warning_banner.sh | 1 + .../input/fixes/bash/sshd_use_approved_ciphers.sh | 1 + .../fixes/bash/sshd_disable_empty_passwords.sh | 6 +-- RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh | 6 +-- RHEL/6/input/fixes/bash/sshd_disable_root_login.sh | 6 +-- .../fixes/bash/sshd_do_not_permit_user_env.sh | 6 +-- .../input/fixes/bash/sshd_enable_warning_banner.sh | 6 +-- RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh | 9 +--- RHEL/6/input/fixes/bash/sshd_set_keepalive.sh | 6 +-- .../input/fixes/bash/sshd_use_approved_ciphers.sh | 6 +-- .../fixes/bash/sshd_disable_empty_passwords.sh | 6 +-- RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh | 6 +-- RHEL/7/input/fixes/bash/sshd_disable_root_login.sh | 6 +-- .../fixes/bash/sshd_do_not_permit_user_env.sh | 6 +-- .../input/fixes/bash/sshd_enable_warning_banner.sh | 6 +-- RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh | 9 +--- RHEL/7/input/fixes/bash/sshd_set_keepalive.sh | 6 +-- .../input/fixes/bash/sshd_use_approved_ciphers.sh | 6 +-- shared/fixes/bash/sshd_disable_empty_passwords.sh | 42 ++++++++------- shared/fixes/bash/sshd_disable_rhosts.sh | 57 ++++++++++++++++++++ shared/fixes/bash/sshd_disable_root_login.sh | 42 ++++++++------- shared/fixes/bash/sshd_do_not_permit_user_env.sh | 57 ++++++++++++++++++++ shared/fixes/bash/sshd_enable_warning_banner.sh | 57 ++++++++++++++++++++ shared/fixes/bash/sshd_set_idle_timeout.sh | 43 ++++++++------- shared/fixes/bash/sshd_set_keepalive.sh | 42 ++++++++------- shared/fixes/bash/sshd_use_approved_ciphers.sh | 57 ++++++++++++++++++++ 28 files changed, 337 insertions(+), 166 deletions(-) create mode 120000 Fedora/input/fixes/bash/sshd_disable_rhosts.sh create mode 120000 Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh create mode 120000 Fedora/input/fixes/bash/sshd_enable_warning_banner.sh create mode 120000 
Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_root_login.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_set_keepalive.sh mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_root_login.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_set_keepalive.sh mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh create mode 100755 shared/fixes/bash/sshd_disable_rhosts.sh create mode 100755 shared/fixes/bash/sshd_do_not_permit_user_env.sh create mode 100755 shared/fixes/bash/sshd_enable_warning_banner.sh create mode 100755 shared/fixes/bash/sshd_use_approved_ciphers.sh
Thanks, Rui! Gave a quick review and noted the logic you added to check the various stanzas for where the configuration directives occur (e.g. in sshd_disable_empty_passwords).
The changes are a bit hard to parse as a single patch. Mind breaking this into multiple patches?