From d0ab72dd26f4f30d9dfe910a53468a6cba96531a Mon Sep 17 00:00:00 2001
From: Thibault Ayanides <thibault.ayanides@ovhcloud.com>
Date: Wed, 23 Dec 2020 11:41:53 +0100
Subject: [PATCH] ADD(5.2.20-23): add new sshd checks

---
 bin/hardening/5.2.20_enable_ssh_pam.sh        | 59 +++++++++++++++++-
 ...5.2.21_disable_ssh_allow_tcp_forwarding.sh | 59 +++++++++++++++++-
 .../5.2.22_configure_ssh_max_startups.sh      | 62 ++++++++++++++++++-
 .../5.2.23_limit_ssh_max_sessions.sh          | 59 +++++++++++++++++-
 tests/hardening/5.2.20_enable_ssh_pam.sh      | 13 +++-
 ...5.2.21_disable_ssh_allow_tcp_forwarding.sh | 13 +++-
 .../5.2.22_configure_ssh_max_startups.sh      | 13 +++-
 .../5.2.23_limit_ssh_max_sessions.sh          | 13 +++-
 8 files changed, 279 insertions(+), 12 deletions(-)

diff --git a/bin/hardening/5.2.20_enable_ssh_pam.sh b/bin/hardening/5.2.20_enable_ssh_pam.sh
index 2c97335..f4e5635 100755
--- a/bin/hardening/5.2.20_enable_ssh_pam.sh
+++ b/bin/hardening/5.2.20_enable_ssh_pam.sh
@@ -17,14 +17,59 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Enable SSH PAM."
 
+PACKAGE='openssh-server'
+OPTIONS=''
+FILE='/etc/ssh/sshd_config'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+        for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                crit "$PATTERN is not present in $FILE"
+            fi
+        done
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+    for SSH_OPTION in $OPTIONS; do
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PATTERN is present in $FILE"
+        else
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            if [ "$FNRET" != 0 ]; then
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+            fi
+            /etc/init.d/ssh reload
+        fi
+    done
 }
 
 # This function will check config parameters required
@@ -32,6 +77,16 @@ check_config() {
     :
 }
 
+# This function will check config parameters required
+create_config() {
+    cat <<EOF
+status=audit
+# Value of usepam
+# Settles sshd usepam
+OPTIONS='usepam=yes'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
diff --git a/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh b/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
index 04567e9..1158667 100755
--- a/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
+++ b/bin/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
@@ -17,14 +17,59 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Disable SSH AllowTCPForwarding."
 
+PACKAGE='openssh-server'
+OPTIONS=''
+FILE='/etc/ssh/sshd_config'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+        for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                crit "$PATTERN is not present in $FILE"
+            fi
+        done
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+    for SSH_OPTION in $OPTIONS; do
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PATTERN is present in $FILE"
+        else
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            if [ "$FNRET" != 0 ]; then
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+            fi
+            /etc/init.d/ssh reload
+        fi
+    done
 }
 
 # This function will check config parameters required
@@ -32,6 +77,16 @@ check_config() {
     :
 }
 
+# This function will check config parameters required
+create_config() {
+    cat <<EOF
+status=audit
+# Value of AllowTCPForwarding
+# Settles sshd allowtcpforwarding
+OPTIONS='AllowTCPForwarding=no'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
diff --git a/bin/hardening/5.2.22_configure_ssh_max_startups.sh b/bin/hardening/5.2.22_configure_ssh_max_startups.sh
index e361fd5..31550ff 100755
--- a/bin/hardening/5.2.22_configure_ssh_max_startups.sh
+++ b/bin/hardening/5.2.22_configure_ssh_max_startups.sh
@@ -17,14 +17,59 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Configure SSHMaxStartups."
 
+PACKAGE='openssh-server'
+OPTIONS=''
+FILE='/etc/ssh/sshd_config'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+        for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                crit "$PATTERN is not present in $FILE"
+            fi
+        done
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+    for SSH_OPTION in $OPTIONS; do
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PATTERN is present in $FILE"
+        else
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            if [ "$FNRET" != 0 ]; then
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+            fi
+            /etc/init.d/ssh reload
+        fi
+    done
 }
 
 # This function will check config parameters required
@@ -32,6 +77,19 @@ check_config() {
     :
 }
 
+# This function will check config parameters required
+create_config() {
+    cat <<EOF
+status=audit
+# Value of maxstartups 
+# 0: Number of unauthenticated connections before we start dropping
+# 30: Percentage chance of dropping once we reach 10 (increases linearly for more than 10)
+# 60: Maximum number of connections at which we start dropping everything
+# Settles sshd maxstartups
+OPTIONS='maxstartups=10:30:60'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
diff --git a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
index 4f756ac..730ca6a 100755
--- a/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
+++ b/bin/hardening/5.2.23_limit_ssh_max_sessions.sh
@@ -17,14 +17,59 @@ HARDENING_LEVEL=3
 # shellcheck disable=2034
 DESCRIPTION="Limit SSH MaxSessions."
 
+PACKAGE='openssh-server'
+OPTIONS=''
+FILE='/etc/ssh/sshd_config'
+
 # This function will be called if the script status is on enabled / audit mode
 audit() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" != 0 ]; then
+        crit "$PACKAGE is not installed!"
+    else
+        ok "$PACKAGE is installed"
+        for SSH_OPTION in $OPTIONS; do
+            SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+            SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+            PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+            does_pattern_exist_in_file $FILE "$PATTERN"
+            if [ "$FNRET" = 0 ]; then
+                ok "$PATTERN is present in $FILE"
+            else
+                crit "$PATTERN is not present in $FILE"
+            fi
+        done
+    fi
 }
 
 # This function will be called if the script status is on enabled mode
 apply() {
-    :
+    is_pkg_installed "$PACKAGE"
+    if [ "$FNRET" = 0 ]; then
+        ok "$PACKAGE is installed"
+    else
+        crit "$PACKAGE is absent, installing it"
+        apt_install "$PACKAGE"
+    fi
+    for SSH_OPTION in $OPTIONS; do
+        SSH_PARAM=$(echo "$SSH_OPTION" | cut -d= -f 1)
+        SSH_VALUE=$(echo "$SSH_OPTION" | cut -d= -f 2)
+        PATTERN="^${SSH_PARAM}[[:space:]]*$SSH_VALUE"
+        does_pattern_exist_in_file "$FILE" "$PATTERN"
+        if [ "$FNRET" = 0 ]; then
+            ok "$PATTERN is present in $FILE"
+        else
+            warn "$PATTERN is not present in $FILE, adding it"
+            does_pattern_exist_in_file "$FILE" "^${SSH_PARAM}"
+            if [ "$FNRET" != 0 ]; then
+                add_end_of_file "$FILE" "$SSH_PARAM $SSH_VALUE"
+            else
+                info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing"
+                replace_in_file "$FILE" "^${SSH_PARAM}[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE"
+            fi
+            /etc/init.d/ssh reload
+        fi
+    done
 }
 
 # This function will check config parameters required
@@ -32,6 +77,16 @@ check_config() {
     :
 }
 
+# This function will check config parameters required
+create_config() {
+    cat <<EOF
+status=audit
+# Value of maxsessions
+# Settles sshd maxsessions
+OPTIONS='maxsessions=10'
+EOF
+}
+
 # Source Root Dir Parameter
 if [ -r /etc/default/cis-hardening ]; then
     # shellcheck source=../../debian/default
diff --git a/tests/hardening/5.2.20_enable_ssh_pam.sh b/tests/hardening/5.2.20_enable_ssh_pam.sh
index f85b20d..ae7e949 100644
--- a/tests/hardening/5.2.20_enable_ssh_pam.sh
+++ b/tests/hardening/5.2.20_enable_ssh_pam.sh
@@ -7,5 +7,16 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^usepam[[:space:]]*yes is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh b/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
index f85b20d..7214c2a 100644
--- a/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
+++ b/tests/hardening/5.2.21_disable_ssh_allow_tcp_forwarding.sh
@@ -7,5 +7,16 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^AllowTCPForwarding[[:space:]]*no is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/5.2.22_configure_ssh_max_startups.sh b/tests/hardening/5.2.22_configure_ssh_max_startups.sh
index f85b20d..0ac4f2f 100644
--- a/tests/hardening/5.2.22_configure_ssh_max_startups.sh
+++ b/tests/hardening/5.2.22_configure_ssh_max_startups.sh
@@ -7,5 +7,16 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^maxstartups[[:space:]]*10:30:60 is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }
diff --git a/tests/hardening/5.2.23_limit_ssh_max_sessions.sh b/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
index f85b20d..e2aebe0 100644
--- a/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
+++ b/tests/hardening/5.2.23_limit_ssh_max_sessions.sh
@@ -7,5 +7,16 @@ test_audit() {
     # shellcheck disable=2154
     run blank /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
-    # TODO fill comprehensive tests
+    describe Correcting situation
+    # `apply` performs a service reload after each change in the config file
+    # the service needs to be started for the reload to succeed
+    service ssh start
+    # if the audit script provides "apply" option, enable and run it
+    sed -i 's/audit/enabled/' /opt/debian-cis/etc/conf.d/"${script}".cfg
+    /opt/debian-cis/bin/hardening/"${script}".sh || true
+
+    describe Checking resolved state
+    register_test retvalshouldbe 0
+    register_test contain "[ OK ] ^maxsessions[[:space:]]*10 is present in /etc/ssh/sshd_config"
+    run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }