secc_sshd

pdk
Dieses Modul bietet eine teilweise Abdeckung der SoC Anforderungen für SSH unter Linux.

T-Systems Multimedia Solutions GmbH

tsystemsmms

15,782 downloads

769 latest version

5.0 quality score

Version information

  • 4.0.0 (latest)
  • 3.2.0
  • 3.1.0
  • 3.0.0
  • 2.9.0
  • 2.8.0
  • 2.7.0
  • 2.6.0
released Oct 4th 2020
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 7.0.0
  • RedHat
    ,
    CentOS

Start using this module

Documentation

tsystemsmms/secc_sshd — version 4.0.0 Oct 4th 2020

AMCS SecC - OpenSSH Module

Build Status

Table of Contents

  1. Overview
  2. Some important remarks
  3. Module Description - What the module does and why it is useful
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module

Overview

This module is used widely (on every machine) within T-Systems MMS to ensure compliance to our regulations (Telekom Security), Privacy and Security Assessment - 304_Secure_Shell(SSH). Both, client (ssh) and server (sshd), are covered.

Important

Hardening is always a tradeoff between security and useability. Therefore the parameters of that puppet module allow flexible changes on some settings, but is also providing secure defaults. If there is a missing parameter, please open an issue. If a default parameter is changed, the compliance has to be verified by the user or the project.

Module Description

This module controls /etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/issue and /etc/motd

sshd_config

  • SoC Requirements 1 - 8, (9), 10-12 are fulfilled without restrictions.
  • SoC Requirement 9 has a parameter, because that module is used on our administration jump hosts, where we need the agent forwarding.
    • default parameter is compliant
  • SoC Requirements 13, (14), 17, 18 are fulfilled via public key authentication and their settings.
    • challengeresponseauthentication has a parameter, because that's sometimes necessary for bootstrapping. Some images are allowing that initially, and are hardened after provisioning.
  • SoC Requirement 15 is not compliant by default, because other modules are being used for user management, which are either not supporting the change of the key folders or do not secure that folder according to the requirement.
    • This module atleast can be adjusted to a matching module, by adjusting the parameter AuthorizedKeysFile.
  • SoC Requirement 16 has to be taken care by every project individually.
  • SoC Requirement 21 (the daemon part) is compliant without restrictions.

ssh_config

  • SoC Requirements 19, 22 are fulfilled without restrictions.
  • SoC Requirement 20 (security of the private key) cannot be verified by ssh client or daemon.
  • SoC Requirement 21 (usage of the ssh auth-agent) cannot be verified by ssh client or daemon.

Usage

  • Either include the module via git or puppetforge. (T-Systems is using r10k)

Usage without Puppet

  • The templates, ssh_config.erb and sshd_config.erb, can be used without puppet. There is no deep ruby or puppet knowhow needed.
  • The disclaimer, that those files are managed by puppet, should be removed.

Verification

  • The tests (spec/acceptance) can be used to verify the hardening, even without using the module on your servers.

Reference

Limitations

  • Module is being developed and verified on CentOS6, CentOS7 and RHEL6, RHEL7.

Development

  • Any changes to the module should also be implemented into the test scripts (see spec/acceptance).