#!/bin/bash
#
# kate: tab-indents off; tab-width 4; indent-width 4;
#
# This file implements the following CIS controls
# --------------------------------------------------------------------
#  5.2.4   Ensure SSH Protocol is set to 2
#  5.2.5   Ensure SSH LogLevel is appropriate
#  5.2.6   Ensure SSH X11 forwarding is disabled
#  5.2.7   Ensure SSH MaxAuthTries is set to 4 or less
#  5.2.8   Ensure SSH IgnoreRhosts is enabled
#  5.2.9   Ensure SSH HostbasedAuthentication is disabled
#  5.2.10  Ensure SSH root login is disabled
#  5.2.11  Ensure SSH PermitEmptyPasswords is disabled
#  5.2.12  Ensure SSH PermitUserEnvironment is disabled
#  5.2.13  Ensure only strong Ciphers are used
#  5.2.14  Ensure only strong MAC algorithms are used
#  5.2.15  Ensure that strong Key Exchange algorithms are used
#  5.2.16  Ensure SSH Idle Timeout Interval is configured
#  5.2.17  Ensure SSH LoginGraceTime is set to one minute or less
#  5.2.18  Ensure SSH access is limited
#  5.2.19  Ensure SSH warning banner is configured
#
# The following Australian Government ISM controls are also implemented for ssh
#----------------------------------------------------------------------
# 1506    The use of SSH version 1 is disabled
# 0484    Only listen on required interfaces (not possible/practical)
#         + have a suitable login banner
#         + have a login authentication timeout of no more than 60 seconds
#         + disable host-based authentication
#         + disable rhosts authentication
#         + disable the ability to login directly as root
#         + disable empty passwords
#         + disable connection forwarding
#         + disable gateway ports
#         + disable X11 forwarding
# Additionally Kex/MACs/Ciphers are all reviewed for Approved ciphers,
# key-exchange (Kex) and message authentication hashing (MACs)
#----------------------------------------------------------------------

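# Absolute, symlink-resolved path of this script.  Quoted so a script path containing
# whitespace or glob characters does not get word-split.  (Not referenced elsewhere in
# this file; kept for callers/sourcers that may rely on it.)
SELF=$(readlink -f "$0")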

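#
# Note that on RHEL9 / OEL9 systems /etc/ssh/sshd_config carries an
# "Include /etc/ssh/sshd_config.d/*.conf" line near the top, and sshd keeps the FIRST
# value it reads for any directive.  Anything this script sets must therefore appear
# BEFORE that Include line, otherwise the drop-in files (50-redhat.conf, the system-wide
# crypto policy it pulls in, etc.) win.  Augeas appends brand-new nodes at the END of the
# file, so every directive below is removed and re-inserted immediately before the
# Include instead of simply being "set".  This is what overrides the system-wide crypto
# policies (update-crypto-policies) for sshd, and what makes e.g. "X11Forwarding no"
# effective when a drop-in file sets it to yes.
#
# The script therefore assumes that Include line exists.  A non-zero augtool exit status
# (missing Include, or any other failed command) is treated as fatal rather than silently
# leaving a half-hardened sshd_config; --backup keeps the pre-change copy as
# /etc/ssh/sshd_config.augsave when a save happens.  The result is then checked with
# "sshd -t": an sshd_config that sshd rejects stops sshd from (re)starting and locks out
# remote access.
#
if [[ -f /etc/ssh/sshd_config ]]; then
    augtool --autosave --backup --noautoload >/dev/null <<'EOD'
        transform Sshd.lns incl /etc/ssh/sshd_config
        load

        # Anchor node: every directive below is inserted immediately before this Include
        # line (so the directives end up in the file in the order listed here).
        defvar inc /files/etc/ssh/sshd_config/Include["/etc/ssh/sshd_config.d/*.conf"]

        #  5.2.4   Ensure SSH Protocol is set to 2
        #          (Protocol is a deprecated, ignored option on current OpenSSH; kept for the CIS check)
        rm /files/etc/ssh/sshd_config/Protocol
        ins Protocol before $inc
        set /files/etc/ssh/sshd_config/Protocol 2

        #  5.2.5   Ensure SSH LogLevel is appropriate
        rm /files/etc/ssh/sshd_config/LogLevel
        ins LogLevel before $inc
        set /files/etc/ssh/sshd_config/LogLevel INFO

        #  5.2.6   Ensure SSH X11 forwarding is disabled
        rm /files/etc/ssh/sshd_config/X11Forwarding
        ins X11Forwarding before $inc
        set /files/etc/ssh/sshd_config/X11Forwarding no

        #  5.2.7   Ensure SSH MaxAuthTries is set to 4 or less
        rm /files/etc/ssh/sshd_config/MaxAuthTries
        ins MaxAuthTries before $inc
        set /files/etc/ssh/sshd_config/MaxAuthTries 4

        #  5.2.8   Ensure SSH IgnoreRhosts is enabled
        rm /files/etc/ssh/sshd_config/IgnoreRhosts
        ins IgnoreRhosts before $inc
        set /files/etc/ssh/sshd_config/IgnoreRhosts yes

        #  5.2.9   Ensure SSH HostbasedAuthentication is disabled
        rm /files/etc/ssh/sshd_config/HostbasedAuthentication
        ins HostbasedAuthentication before $inc
        set /files/etc/ssh/sshd_config/HostbasedAuthentication no

        #  5.2.10  Ensure SSH root login is disabled
        rm /files/etc/ssh/sshd_config/PermitRootLogin
        ins PermitRootLogin before $inc
        set /files/etc/ssh/sshd_config/PermitRootLogin no

        #  5.2.11  Ensure SSH PermitEmptyPasswords is disabled
        rm /files/etc/ssh/sshd_config/PermitEmptyPasswords
        ins PermitEmptyPasswords before $inc
        set /files/etc/ssh/sshd_config/PermitEmptyPasswords no

        #  5.2.12  Ensure SSH PermitUserEnvironment is disabled
        rm /files/etc/ssh/sshd_config/PermitUserEnvironment
        ins PermitUserEnvironment before $inc
        set /files/etc/ssh/sshd_config/PermitUserEnvironment no

        #  5.2.13  Ensure only strong ciphers used
        #          NOTE: This must be ISM compliant too!
        rm /files/etc/ssh/sshd_config/Ciphers
        ins Ciphers before $inc
        set /files/etc/ssh/sshd_config/Ciphers/1 aes256-gcm@openssh.com
        set /files/etc/ssh/sshd_config/Ciphers/2 aes128-gcm@openssh.com
        set /files/etc/ssh/sshd_config/Ciphers/3 aes256-ctr
        set /files/etc/ssh/sshd_config/Ciphers/4 aes192-ctr
        set /files/etc/ssh/sshd_config/Ciphers/5 aes128-ctr

        #  5.2.14  Ensure only strong MAC algorithms are used
        #          NOTE: This must be ISM compliant too!
        rm /files/etc/ssh/sshd_config/MACs
        ins MACs before $inc
        set /files/etc/ssh/sshd_config/MACs/1 hmac-sha2-512-etm@openssh.com
        set /files/etc/ssh/sshd_config/MACs/2 hmac-sha2-256-etm@openssh.com
        set /files/etc/ssh/sshd_config/MACs/3 hmac-sha2-512
        set /files/etc/ssh/sshd_config/MACs/4 hmac-sha2-256

        #  5.2.15  Ensure that strong Key Exchange algorithms are used
        #          NOTE: This must be ISM compliant too!
        rm /files/etc/ssh/sshd_config/KexAlgorithms
        ins KexAlgorithms before $inc
        defnode kexalg /files/etc/ssh/sshd_config/KexAlgorithms
        set $kexalg/1 ecdh-sha2-nistp521
        set $kexalg/2 ecdh-sha2-nistp384
        set $kexalg/3 ecdh-sha2-nistp256
        set $kexalg/4 diffie-hellman-group-exchange-sha256

        #  5.2.16  Ensure SSH Idle Timeout Interval is configured
        #          NOTE: ClientAliveCountMax 0 DISABLES connection termination on OpenSSH 8.2+
        #          (RHEL9 ships 8.7), so it must be >= 1.  300s x 3 probes: an unresponsive
        #          session is dropped after ~15 minutes, within the CIS 1-900s / 1-3 ranges.
        rm /files/etc/ssh/sshd_config/ClientAliveInterval
        ins ClientAliveInterval before $inc
        set /files/etc/ssh/sshd_config/ClientAliveInterval 300
        rm /files/etc/ssh/sshd_config/ClientAliveCountMax
        ins ClientAliveCountMax before $inc
        set /files/etc/ssh/sshd_config/ClientAliveCountMax 3

        #  5.2.17  Ensure SSH LoginGraceTime is set to one minute or less
        #          (also satisfies the ISM "authentication timeout of no more than 60 seconds")
        rm /files/etc/ssh/sshd_config/LoginGraceTime
        ins LoginGraceTime before $inc
        set /files/etc/ssh/sshd_config/LoginGraceTime 60

        #  5.2.18  Ensure SSH access is limited
        rm /files/etc/ssh/sshd_config/AllowUsers
        ins AllowUsers before $inc
        set /files/etc/ssh/sshd_config/AllowUsers/1 ec2-user

        #  5.2.19  Ensure SSH warning banner is configured
        rm /files/etc/ssh/sshd_config/Banner
        ins Banner before $inc
        set /files/etc/ssh/sshd_config/Banner /etc/issue.net

        # Additional items from ISM Control 0484
        # Note due to the dynamic nature of autoscaling / DHCP setting ListenAddress is not viable
        # "TCPForwarding" is not a recognised sshd directive (the real one is AllowTcpForwarding);
        # drop any such line rather than leave one that sshd would reject as a bad option.
        rm /files/etc/ssh/sshd_config/TCPForwarding
        rm /files/etc/ssh/sshd_config/AllowTCPForwarding
        ins AllowTCPForwarding before $inc
        set /files/etc/ssh/sshd_config/AllowTCPForwarding no
        rm /files/etc/ssh/sshd_config/GatewayPorts
        ins GatewayPorts before $inc
        set /files/etc/ssh/sshd_config/GatewayPorts no
EOD
    augtool_rc=$?
    if (( augtool_rc != 0 )); then
        printf 'sshd hardening: augtool exited with status %d; /etc/ssh/sshd_config may be partially updated (pre-change copy, if one was saved: /etc/ssh/sshd_config.augsave)\n' "$augtool_rc" >&2
        exit 1
    fi

    # Validate the rewritten file before anything restarts sshd: a rejected
    # sshd_config means no remote access after the next restart.
    if command -v sshd >/dev/null 2>&1; then
        if ! sshd -t; then
            printf 'sshd hardening: "sshd -t" rejected /etc/ssh/sshd_config; pre-change copy: /etc/ssh/sshd_config.augsave\n' >&2
            exit 1
        fi
    else
        printf 'sshd hardening: sshd not found in PATH, skipping "sshd -t" validation\n' >&2
    fi
fi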
