CIS Control 5.2.13 incorrect value #139

Closed
Zablove opened this issue Oct 8, 2021 · 2 comments · Fixed by #151
Zablove commented Oct 8, 2021

Issue
CIS Control 5.2.13 "Ensure SSH Idle Timeout Interval is configured" states that "The recommended ClientAliveCountMax setting is 0". However, after running the playbook, the interval is set to 3.

Expected Behavior
Value clientalivecountmax in /etc/ssh/sshd_config is set to 0

Actual Behavior
Value clientalivecountmax in /etc/ssh/sshd_config is set to 3

Control(s) Affected
5.2.13 Ensure SSH Idle Timeout Interval is configured

Environment:

  • Ansible Version: 2.10.8
  • Host Python Version: 3.9.2
  • Ansible Server Python Version: 3.9.2

Possible Solution
Change the file defaults/main.yml section rhel8cis_sshd parameter clientalivecountmax to 0.

@Zablove Zablove added the bug Something isn't working label Oct 8, 2021
@georgenalen georgenalen self-assigned this Oct 8, 2021
@georgenalen
Contributor

@Zablove,
Thanks for finding this one, that is indeed a mistake. I will add those in the next release, which should be soon. In the meantime, those variables are in defaults/main. You can override those settings by using extra vars, and there are two related to that control. Both need the values updated, so use the vars below instead. I will keep this open until it makes it into the release version.

rhel8cis_sshd:
  clientalivecountmax: 0
  clientaliveinterval: 900
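
An added example, not part of the thread or of the project's playbook: a small check that a rendered sshd_config carries the two values given in the comment above. It follows sshd's rule that the first occurrence of a keyword wins and ignores settings inside Match blocks; the function names and the sample files are constructed for illustration.

```python
import re

# Values from the maintainer's comment in this thread.
EXPECTED = {"clientalivecountmax": "0", "clientaliveinterval": "900"}

# Constructed sample reproducing the reported state (count left at 3).
BEFORE = """\
# constructed sample sshd_config
ClientAliveInterval 900
ClientAliveCountMax 3
clientalivecountmax 0
Match User backup
    ClientAliveInterval 0
"""

# Constructed sample of the state the issue expects after the fix.
AFTER = "ClientAliveInterval=900\nClientAliveCountMax 0\n"


def effective_global(config_text):
    """Global sshd_config settings; like sshd, the first value seen wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # lines after a Match are conditional, not global
        tokens = parts[1].split() if len(parts) > 1 else []
        seen.setdefault(keyword, tokens[0].strip('"') if tokens else "")
    return seen


def audit(config_text, expected=EXPECTED):
    """Return {keyword: (expected, actual)} for every deviating setting."""
    actual = effective_global(config_text)
    return {k: (want, actual.get(k))
            for k, want in expected.items() if actual.get(k) != want}


if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

An actual value of `None` means the keyword is not set explicitly in the global section. On a live host, `sshd -T` prints the effective configuration and can be compared against the same two keywords.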

uk-bolly added a commit that referenced this issue Dec 15, 2021
Signed-off-by: Mark Bolwell <[email protected]>
@uk-bolly uk-bolly mentioned this issue Dec 15, 2021
uk-bolly added a commit that referenced this issue Dec 21, 2021
Audit script
Overall Review of Changes:
Addition of audit script
Many issues resolved and added to the release

Issue Fixes:
#138
#139
#140
#141
#142
#143
#144
#146
#147

Enhancements:

Addition of audit updates
Now consistent metadata
Inline with other os agnostic variables for audit
if run manually or via ansible
removal of included goss module no longer required

uk-bolly commented Dec 27, 2021

Hi @Zablove

Thank you again for the feedback.
An update to the latest devel branch has now been released and this should address the issues you have seen here.
Please feel free to close the issue if all is working as expected or feedback accordingly.

Thanks again

uk-bolly

@uk-bolly uk-bolly linked a pull request Jan 5, 2022 that will close this issue
@uk-bolly uk-bolly closed this as completed Jan 6, 2022