From 96d1784001913cc8075f94bf65c8bff51402bfc8 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 8 Oct 2015 16:42:13 +0000
Subject: [PATCH] Adjust rkhunter and sshd config for releng so they stop alerting.

---
 roles/base/files/ssh/sshd_config.releng | 96 ++++++++--------------
 roles/rkhunter/templates/rkhunter.conf.j2 | 4 +-
 2 files changed, 34 insertions(+), 66 deletions(-)

diff --git a/roles/base/files/ssh/sshd_config.releng b/roles/base/files/ssh/sshd_config.releng
index 080de0d1ca..996c262579 100644
--- a/roles/base/files/ssh/sshd_config.releng
+++ b/roles/base/files/ssh/sshd_config.releng
@@ -1,65 +1,48 @@
-# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
+# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
+# possible, but leave them commented. Uncommented options change a
 # default value.
-# If you want to change the port on a SELinux system, you have to tell
-# SELinux about this change.
-# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
-#
 #Port 22
+#Protocol 2,1
+Protocol 2
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
-# The default requires explicit activation of protocol 1
-#Protocol 2
-
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
-#ServerKeyBits 1024
+#ServerKeyBits 768
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 SyslogFacility AUTHPRIV
-#LogLevel INFO
+LogLevel VERBOSE
 # Authentication:
 #LoginGraceTime 2m
 PermitRootLogin without-password
 StrictModes yes
-PasswordAuthentication no
-
 #MaxAuthTries 6
-#MaxSessions 10
 #RSAAuthentication yes
 #PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
+#AuthorizedKeysFile .ssh/authorized_keys
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
@@ -71,6 +54,11 @@ AuthorizedKeysFile .ssh/authorized_keys
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication no
+
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 ChallengeResponseAuthentication no
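Review bot: The `+#AuthorizedKeysFile .ssh/authorized_keys` line at the top of this hunk's tail hands key lookup back to sshd's compiled-in default, and the comment this hunk deletes states that default also reads `.ssh/authorized_keys2`, so a second, rarely audited per-user key file becomes a valid credential again on a host that permits key-based root login. If the goal is only to reconcile with the older template, keep the directive active: `AuthorizedKeysFile .ssh/authorized_keys`. Whether the compiled default really includes authorized_keys2 depends on the sshd build the releng hosts run, which this diff does not show; `sshd -T | grep -i authorizedkeysfile` on a target host settles it before relying on the default.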
@@ -80,32 +68,32 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
-#KerberosUseKuserok yes
 # GSSAPI options
 #GSSAPIAuthentication no
-GSSAPIAuthentication yes
+GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
-GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
+GSSAPICleanupCredentials no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
-# problems.
+# be allowed through the ChallengeResponseAuthentication mechanism.
+# Depending on your PAM configuration, this may bypass the setting of
+# PasswordAuthentication, PermitEmptyPasswords, and
+# "PermitRootLogin without-password". If you just want the PAM account and
+# session checks to run without PAM authentication, then enable this but set
+# ChallengeResponseAuthentication=no
 #UsePAM no
 UsePAM yes
-#AllowAgentForwarding yes
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
 #AllowTcpForwarding yes
+AllowTcpForwarding yes
+
+
 #GatewayPorts no
 #X11Forwarding no
 X11Forwarding yes
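Review bot: `+AllowTcpForwarding yes` turns an inherited default into an explicit policy on a host that also carries `PermitRootLogin without-password` and `X11Forwarding yes`, with no comment saying why releng needs port forwarding; every key holder can then use the box as a TCP pivot into whatever it can reach. If forwarding is required, state the reason above the line, e.g. `# TCP forwarding is required by releng tooling (state which); review when that tooling changes`, or confine it to the users that need it with a `Match` block; otherwise `AllowTcpForwarding no` is the safer explicit value. Note also that `+GSSAPICleanupCredentials no` is inert while `+GSSAPIAuthentication no` is set a few lines above it, so it reads as template residue rather than an intentional choice and could be left commented.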
@@ -115,7 +103,7 @@ X11Forwarding yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-UsePrivilegeSeparation sandbox # Default for new installations.
+#UsePrivilegeSeparation yes
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
@@ -123,29 +111,11 @@ UsePrivilegeSeparation sandbox # Default for new installations.
 #ShowPatchLevel no
 #UseDNS yes
 #PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
+#MaxStartups 10
+PermitTunnel no
 # no default banner path
-#Banner none
-
-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-AcceptEnv XMODIFIERS
+#Banner /some/path
 # override default of no subsystems
 Subsystem sftp /usr/libexec/openssh/sftp-server
-
-# Uncomment this if you want to use .local domain
-#Host *.local
-# CheckHostIP no
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# ForceCommand cvs server
diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2
index 9a4c480fba..5f99d14a8a 100644
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@@ -329,10 +329,8 @@ ALLOWHIDDENFILE=/usr/share/man/man5/.k5identity.5.gz
 ALLOWHIDDENFILE=/sbin/.cryptsetup.hmac
 ALLOWHIDDENFILE=/dev/.udev/queue.bin
 ALLOWHIDDENFILE=/dev/.udev/uevent_seqnum
-{% if ansible_distribution == 'Fedora' and ansible_distribution_major_version > 20 %}
-# Fedora 21 and higher systems has a /dev/.updated file
+# Fedora 21+ and RHEL 7.2+ have a /etc/.updated file
 ALLOWHIDDENFILE=/etc/.updated
-{% endif %}
 {% if ansible_hostname.startswith('fed-cloud') %}
 ALLOWHIDDENFILE=/etc/.etckeeper
 ALLOWHIDDENFILE=/etc/.gitignore
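Review bot: Replacing `UsePrivilegeSeparation sandbox` with the commented-out `+#UsePrivilegeSeparation yes` in the first hunk gives up the pre-authentication sandbox on any sshd that supports it; the removed line's own trailing comment (`# Default for new installations.`) indicates the sandbox was enabled through the config file rather than compiled in, so dropping the line falls back to plain privilege separation for the unauthenticated, network-facing process. If the releng hosts' sshd accepts the keyword, keep `UsePrivilegeSeparation sandbox`; if it is being removed because an older sshd rejects that value, record it above the line, e.g. `# 'sandbox' is not accepted by the sshd on these hosts; restore it after upgrade`, so the hardening comes back when they are upgraded. The sshd version on the releng hosts is not visible in this diff.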
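Review bot: Removing the `{% if ... %}`/`{% endif %}` guard around `ALLOWHIDDENFILE=/etc/.updated` in the rkhunter hunk makes the whitelist unconditional, so on any managed host that is neither Fedora 21+ nor RHEL 7.2+ (the only cases the new comment names) a hidden `/etc/.updated` dropped by someone else would be silently accepted instead of reported. Keep the entry guarded by the platforms that legitimately create the file, e.g. `{% if ansible_distribution == 'Fedora' or ansible_distribution_version | version_compare('7.2', '>=') %}` with the closing `{% endif %}` after the ALLOWHIDDENFILE line, adjusting the distribution test to whatever names the inventory reports; if every host in the inventory is already in that set, say so in the comment so the next reader knows the guard was dropped deliberately. Whether older hosts remain in the inventory is not visible from this diff.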