Issue 5529

linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
+prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle15,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
 
 title: 'Install the OpenSSH Server Package'
 

linux_os/guide/services/ssh/package_openssh-server_removed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
+prodtype: debian10,debian8,debian9,fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle15,ubuntu1404,ubuntu1604,ubuntu1804,wrlinux1019,wrlinux8
 
 title: 'Remove the OpenSSH Server Package'
 

linux_os/guide/services/ssh/package_openssh_removed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: opensuse,sle11,sle12
+prodtype: opensuse,sle11,sle12,sle15
 
 title: 'Remove the OpenSSH Client and Server Package'
 

linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml

@@ -0,0 +1,67 @@
+<def-group>
+  <definition class="compliance" id="sshd_set_max_sessions" version="1">
+    <metadata>
+      <title>Set OpenSSH MaxSessions</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>The SSH number of max sessions should be set to an
+      appropriate value.</description>
+    </metadata>
+    <criteria comment="SSH is configured correctly or is not installed"
+    operator="OR">
+      <criteria comment="sshd is not installed" operator="AND">
+        <extend_definition comment="sshd is not required or requirement is unset"
+        definition_ref="sshd_not_required_or_unset" />
+        {{% if product in ['opensuse', 'sle11', 'sle12', 'sle15'] %}}
+        <extend_definition comment="rpm package openssh removed"
+        definition_ref="package_openssh_removed" />
+        {{% else %}}
+        <extend_definition comment="rpm package openssh-server removed"
+        definition_ref="package_openssh-server_removed" />
+        {{% endif %}}
+      </criteria>
+      <criteria comment="sshd is installed and configured" operator="AND">
+        <extend_definition comment="sshd is required or requirement is unset"
+        definition_ref="sshd_required_or_unset" />
+        {{% if product in ['opensuse', 'sle11', 'sle12', 'sle15'] %}}
+        <extend_definition comment="rpm package openssh installed"
+        definition_ref="package_openssh_installed" />
+        {{% else %}}
+        <extend_definition comment="rpm package openssh-server installed"
+        definition_ref="package_openssh-server_installed" />
+        {{% endif %}}
+        <criterion comment="Check MaxSessions in /etc/ssh/sshd_config"
+        test_ref="test_sshd_max_sessions" />
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="maxsessions is configured" id="test_sshd_max_sessions" version="1">
+    <ind:object object_ref="object_sshd_max_sessions" />
+    <ind:state state_ref="state_maxsessions_value_upper_bound" />
+    <ind:state state_ref="state_maxsessions_value_lower_bound" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_sshd_max_sessions" version="2">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state comment="upper bound of MaxSessions in number of sessions"
+  id="state_maxsessions_value_upper_bound" version="1">
+    <ind:subexpression datatype="int" operation="less than or equal" var_check="all"
+    var_ref="sshd_max_sessions" />
+  </ind:textfilecontent54_state>
+
+  <ind:textfilecontent54_state comment="lower bound of MaxSessions in number of sessions"
+  id="state_maxsessions_value_lower_bound" version="1">
+    <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  <external_variable comment="maxsessions value" datatype="int"
+  id="sshd_max_sessions" version="1" />
+
+</def-group>

linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml

@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Set SSH MaxSessions limit'
+
+description: |-
+    The <tt>MaxSessions</tt> parameter specifies the maximum number of open sessions permitted
+    from a given connection. To set MaxSessions edit
+    <tt>/etc/ssh/sshd_config</tt> as follows: <pre>MaxSessions <b>sessions</b></pre>
+
+rationale: |-
+    To protect a system from denial of service due to a large number of concurrent
+    sessions, use the rate limiting function of MaxSessions to protect availability
+    of sshd logins and prevent overwhelming the daemon.
+
+severity: medium
+
+references:
+  cis@rhel8: 5.2.19
+  cis@sle15: 5.2.23
+
+ocil_clause: "MaxSessions is configured to the default of 10"
+
+ocil: |-
+    Run the following command to see what the max sessions number is:
+    <pre>$ sudo grep MaxSessions /etc/ssh/sshd_config</pre>
+    If properly configured, the output should be:
+    <pre>MaxSessions <sub idref="sshd_max_sessions" /></pre>

linux_os/guide/services/ssh/sshd_max_sessions.var

@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'SSH Max Sessions Count'
+
+description: 'Specify the maximum number of open sessions permitted.'
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+    10: 10
+    4: 4
+    3: 3
+    2: 2
+    1: 1
+    0: 0
+    default: 10

rhel8/profiles/cis.profile

@@ -804,7 +804,7 @@ selections:
 
 
     ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
-
+    - sshd_set_max_sessions=4
 
     ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
     - configure_ssh_crypto_policy

sle15/profiles/standard.profile

@@ -110,6 +110,7 @@ selections:
     - sshd_disable_root_login
     - sshd_disable_empty_passwords
     - sshd_set_keepalive
+    - sshd_set_max_sessions=4
     - audit_rules_time_adjtimex
     - audit_rules_time_settimeofday
     - audit_rules_time_stime