#!/bin/bash
#
# kate: tab-indents off; tab-width 4; indent-width 4;
#
# This file implements the following CIS controls
# --------------------------------------------------------------------
#  5.2.4   Ensure SSH Protocol is set to 2
#  5.2.5   Ensure SSH LogLevel is appropriate
#  5.2.6   Ensure SSH X11 forwarding is disabled
#  5.2.7   Ensure SSH MaxAuthTries is set to 4 or less
#  5.2.8   Ensure SSH IgnoreRhosts is enabled
#  5.2.9   Ensure SSH HostbasedAuthentication is disabled
#  5.2.10  Ensure SSH root login is disabled
#  5.2.11  Ensure SSH PermitEmptyPasswords is disabled
#  5.2.12  Ensure SSH PermitUserEnvironment is disabled
#  5.2.13  Ensure only strong ciphers are used
#  5.2.14  Ensure only strong MAC algorithms are used
#  5.2.15  Ensure that strong Key Exchange algorithms are used
#  5.2.16  Ensure SSH Idle Timeout Interval is configured
#  5.2.17  Ensure SSH LoginGraceTime is set to one minute or less
#  5.2.18  Ensure SSH access is limited
#  5.2.19  Ensure SSH warning banner is configured
#
# The following Australian Government ISM controls are also implemented for ssh
#----------------------------------------------------------------------
# 1506    The use of SSH version 1 is disabled
# 0484    Only listen on required interfaces (not possible/practical)
#         + have a suitable login banner
#         + have a login authentication timeout of no more than 60 seconds
#         + disable host-based authentication
#         + disable rhosts authentication
#         + disable the ability to login directly as root
#         + disable empty passwords
#         + disable connection forwarding
#         + disable gateway ports
#         + disable X11 forwarding
# Additionally Kex/MACs/Ciphers are all reviewed for Approved ciphers,
# key-exchange (Kex) and message authentication hashing (MACs)
#----------------------------------------------------------------------

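# Abort on the first failed command or unset variable so a partially applied
# hardening run is never reported as success.
set -eu

SELF=$(readlink -f -- "$0")
readonly SELF

# Account kept in AllowUsers (CIS 5.2.18). Overridable via SSH_ALLOW_USER so the
# script does not lock administrators out of hosts whose admin account is not
# 'ec2-user'; the default preserves the original behaviour.
allow_user=${SSH_ALLOW_USER:-ec2-user}

# The value is spliced into an augtool command below; accept only a plain
# account name so it cannot inject additional augtool commands or path syntax.
if [[ ! "$allow_user" =~ ^[A-Za-z0-9._-]+$ ]]; then
    printf 'SSH_ALLOW_USER must be a plain account name, got: %s\n' "$allow_user" >&2
    exit 1
fi

if ! command -v augtool >/dev/null 2>&1; then
    printf 'augtool is required but was not found in PATH\n' >&2
    exit 1
fi

#
# Note that 'Sshd.lns' (the default) treats MACs as a list, but Ciphers and KexAlgorithms as strings
#           'Sshd_140.lns' however treats all three keys as lists
#
# --backup keeps the original as /etc/ssh/sshd_config.augsave. The here-doc is
# unquoted only so ${allow_user} expands; it contains no other shell-special
# characters, so every other line reaches augtool verbatim.
#
if ! augtool --autosave --backup --noautoload >/dev/null <<EOD
    transform Sshd.lns incl /etc/ssh/sshd_config
    load

    #  5.2.4   Ensure SSH Protocol is set to 2
    #          NOTE(review): OpenSSH 7.4+ removed protocol 1; this keyword is
    #          ignored there and 'sshd -t' only warns about it.
    set /files/etc/ssh/sshd_config/Protocol 2

    #  5.2.5   Ensure SSH LogLevel is appropriate
    set /files/etc/ssh/sshd_config/LogLevel INFO

    #  5.2.6   Ensure SSH X11 forwarding is disabled
    set /files/etc/ssh/sshd_config/X11Forwarding no

    #  5.2.7   Ensure SSH MaxAuthTries is set to 4 or less
    set /files/etc/ssh/sshd_config/MaxAuthTries 4

    #  5.2.8   Ensure SSH IgnoreRhosts is enabled
    set /files/etc/ssh/sshd_config/IgnoreRhosts yes

    #  5.2.9   Ensure SSH HostbasedAuthentication is disabled
    set /files/etc/ssh/sshd_config/HostbasedAuthentication no

    #  5.2.10  Ensure SSH root login is disabled
    set /files/etc/ssh/sshd_config/PermitRootLogin no

    #  5.2.11  Ensure SSH PermitEmptyPasswords is disabled
    set /files/etc/ssh/sshd_config/PermitEmptyPasswords no

    #  5.2.12  Ensure SSH PermitUserEnvironment is disabled
    set /files/etc/ssh/sshd_config/PermitUserEnvironment no

    #  5.2.13  Ensure only strong ciphers used
    #          NOTE: This must be ISM compliant too!
    set /files/etc/ssh/sshd_config/Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

    #  5.2.14  Ensure only strong MAC algorithms are used
    #          NOTE: This must be ISM compliant too!
    #          MACs is a list under Sshd.lns, so the old entries are removed
    #          first and the approved set is written as numbered nodes.
    rm /files/etc/ssh/sshd_config/MACs/
    set /files/etc/ssh/sshd_config/MACs/1 hmac-sha2-512-etm@openssh.com
    set /files/etc/ssh/sshd_config/MACs/2 hmac-sha2-256-etm@openssh.com
    set /files/etc/ssh/sshd_config/MACs/3 hmac-sha2-512
    set /files/etc/ssh/sshd_config/MACs/4 hmac-sha2-256

    #  5.2.15  Ensure that strong Key Exchange algorithms are used
    #          NOTE: This must be ISM compliant too!
    set /files/etc/ssh/sshd_config/KexAlgorithms  ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

    #  5.2.16  Ensure SSH Idle Timeout Interval is configured
    #          NOTE(review): on OpenSSH 8.2 and later a ClientAliveCountMax of 0
    #          disables the idle disconnect entirely instead of enforcing it;
    #          later CIS revisions recommend a non-zero count. Confirm against
    #          the sshd version on the target image before relying on this.
    set /files/etc/ssh/sshd_config/ClientAliveInterval 300
    set /files/etc/ssh/sshd_config/ClientAliveCountMax 0

    # 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less
    set /files/etc/ssh/sshd_config/LoginGraceTime 60

    #  5.2.18  Ensure SSH access is limited
    #          Any account not listed here loses SSH access once sshd reloads.
    rm /files/etc/ssh/sshd_config/AllowUsers
    set /files/etc/ssh/sshd_config/AllowUsers/1 ${allow_user}

    #  5.2.19  Ensure SSH warning banner is configured
    #          Assumes /etc/issue.net is provisioned separately.
    set /files/etc/ssh/sshd_config/Banner /etc/issue.net

    # Additional items from ISM Control 0484
    # Note due to the dynamic nature of autoscaling / DHCP setting ListenAddress is not viable
    rm /files/etc/ssh/sshd_config/TCPForwarding
    set /files/etc/ssh/sshd_config/AllowTCPForwarding no
    set /files/etc/ssh/sshd_config/GatewayPorts no

EOD
then
    printf 'augtool reported an error while editing /etc/ssh/sshd_config\n' >&2
    exit 1
fi

# Validate the resulting file before sshd is reloaded: a malformed directive
# would otherwise only surface when the daemon next restarts and refuses to
# start, which on a remote host means losing SSH access entirely.
if command -v sshd >/dev/null 2>&1; then
    if ! sshd -t; then
        printf 'sshd -t rejected the new /etc/ssh/sshd_config; original kept as sshd_config.augsave\n' >&2
        exit 1
    fi
fi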

