This repository has been archived by the owner on Sep 16, 2022. It is now read-only.

Implement CIS Benchmarks for OpenSSH (section 5.2) from the Ubuntu guide. #277

Open
vpetersson opened this issue Mar 9, 2020 · 5 comments

Comments

@vpetersson
Contributor

vpetersson commented Mar 9, 2020

The CIS Benchmarks are the gold standard for security. The PDF is available in the link above. This is about implementing the following checks:

  • 5.2 SSH Server Configuration, p. 272
  • 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored), p. 272
  • 5.2.2 Ensure SSH Protocol is set to 2 (Scored), p. 274
  • 5.2.3 Ensure SSH LogLevel is set to INFO (Scored), p. 275
  • 5.2.4 Ensure SSH X11 forwarding is disabled (Scored), p. 276
  • 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored), p. 277
  • 5.2.6 Ensure SSH IgnoreRhosts is enabled (Scored), p. 278
  • 5.2.7 Ensure SSH HostbasedAuthentication is disabled (Scored), p. 279
  • 5.2.8 Ensure SSH root login is disabled (Scored), p. 280
  • 5.2.9 Ensure SSH PermitEmptyPasswords is disabled (Scored), p. 281
  • 5.2.10 Ensure SSH PermitUserEnvironment is disabled (Scored), p. 282
  • 5.2.11 Ensure only approved MAC algorithms are used (Scored), p. 283
  • 5.2.12 Ensure SSH Idle Timeout Interval is configured (Scored), p. 285
  • 5.2.13 Ensure SSH LoginGraceTime is set to one minute or less (Scored), p. 287
  • 5.2.14 Ensure SSH access is limited (Scored), p. 288
  • 5.2.15 Ensure SSH warning banner is configured (Scored), p. 290

We have already implemented some of these checks.

@vpetersson vpetersson added the story-points-unknown Unknown Story Points label Mar 9, 2020
@a-martynovich
Contributor

@vpetersson Please attach the PDF as a file.

@vpetersson
Contributor Author

Let's start with these:

  • Ensure SSH LogLevel is set to INFO
  • Ensure SSH X11 forwarding is disabled
  • Ensure SSH MaxAuthTries is set to 4 or less
  • Ensure SSH IgnoreRhosts is enabled
  • Ensure SSH HostbasedAuthentication is disabled
  • Ensure SSH PermitUserEnvironment is disabled
  • Ensure SSH LoginGraceTime is set to one minute or less
  • Ensure SSH Idle Timeout Interval is configured

@rptrchv
Contributor

rptrchv commented Mar 10, 2020

20 complexity points

@a-martynovich
Contributor

20

@vpetersson vpetersson added story-points-20 20 Story Points and removed story-points-unknown Unknown Story Points labels Mar 11, 2020
@a-martynovich
Contributor

The good news is that all those parameters are supported on all supported distros and have the same defaults:

| Param | Safe | Ubuntu 18.04 | Ubuntu 16.04 | Amazon Linux 2 | Debian Jessie |
|---|---|---|---|---|---|
| ClientAliveInterval | 1..300 | 0 | 0 | 0 | 0 |
| ClientAliveCountMax | 0..3 | 3 | 3 | 3 | 3 |
| HostbasedAuthentication | no | no | no | no | no |
| IgnoreRhosts | yes | yes | yes | yes | yes |
| LogLevel | INFO | INFO | INFO | INFO | INFO |
| LoginGraceTime | 1..60 | 120 | 120 | 120 | 120 |
| MaxAuthTries | 0..4 | 6 | 6 | 6 | 6 |
| PermitUserEnvironment | no | no | no | no | no |
| X11Forwarding | no | no | no | no | no |

The bad news is that we need to implement a range-based comparison in addition to the equality-based one we have now.
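To show the range-based comparison next to the existing equality checks, here is an added Python example (not the project's own code) that audits the parameters in the table above against an sshd_config, falling back to the listed defaults when a directive is absent. The rules and defaults are taken from the table; `SAMPLE` is a constructed config and the function names are assumptions of this example.

```python
# (safe rule, sshd default) from the table above; tuple rule = inclusive int range, str rule = exact match
PARAMS = {
    "ClientAliveInterval": ((1, 300), "0"),
    "ClientAliveCountMax": ((0, 3), "3"),
    "HostbasedAuthentication": ("no", "no"),
    "IgnoreRhosts": ("yes", "yes"),
    "LogLevel": ("INFO", "INFO"),
    "LoginGraceTime": ((1, 60), "120"),
    "MaxAuthTries": ((0, 4), "6"),
    "PermitUserEnvironment": ("no", "no"),
    "X11Forwarding": ("no", "no"),
}

def parse_sshd_config(text):
    """Map known keywords to their first global value: sshd honours the first
    occurrence, ignores keyword case, accepts '=' as separator, and applies
    lines after a Match block only conditionally, so parsing stops there."""
    canonical = {k.lower(): k for k in PARAMS}
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key in canonical:
            found.setdefault(canonical[key], parts[1].strip())
    return found

def is_safe(param, value):
    rule = PARAMS[param][0]
    if isinstance(rule, tuple):  # range-based comparison for integer settings
        return value.isdigit() and rule[0] <= int(value) <= rule[1]
    return value.lower() == rule.lower()  # equality-based comparison

def audit(text):
    # {param: (effective value, passed)}; absent directives use the sshd default
    found = parse_sshd_config(text)
    return {p: (found.get(p, d), is_safe(p, found.get(p, d)))
            for p, (_, d) in PARAMS.items()}

SAMPLE = """LogLevel VERBOSE
MaxAuthTries=4
ClientAliveInterval 300
X11Forwarding yes
Match User backup
    X11Forwarding no
"""  # constructed sample sshd_config, not taken from any real host
```

Note that the conditional `X11Forwarding no` inside the Match block does not rescue the failing global setting, and LoginGraceTime fails purely on its default.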
