Configure SSSD to Expire SSH Known Hosts

An XCCDF Rule

Description

SSSD should be configured to expire keys from known SSH hosts after seconds. To configure SSSD to known SSH hosts, set ssh_known_hosts_timeout to under the [ssh] section in /etc/sssd/sssd.conf. For example:

[ssh]
ssh_known_hosts_timeout =

Rationale

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

ID: xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
Severity: Medium
References: 1 12 15 16 5

DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10

CCI-002007

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1

A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3

CM-6(a) IA-5(13)

PR.AC-1 PR.AC-6 PR.AC-7

SRG-OS-000383-GPOS-00166

CCE-80366-8
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

var_sssd_ssh_known_hosts_timeout='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sssd_ssh_known_hosts_timeout" use="legacy"/>'

# sssd configuration files must be created with 600 permissions if they don't exist
# otherwise the sssd module fails to start
OLD_UMASK=$(umask)
umask u=rw,go=

found=false

# set value in all files if they contain section or key
for f in $(echo -n "/etc/sssd/sssd.conf"); do
    if [ ! -e "$f" ]; then
        continue
    fi

    # find key in section and change value
    if grep -qzosP "[[:space:]]*\[ssh\]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" "$f"; then
            sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" "$f"
            found=true

    # find section and add key = value to it
    elif grep -qs "[[:space:]]*\[ssh\]" "$f"; then
            sed -i "/[[:space:]]*\[ssh\]/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" "$f"
            found=true
    fi
done

# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
    file=$(echo "/etc/sssd/sssd.conf" | cut -f1 -d ' ')
    mkdir -p "$(dirname "$file")"
    echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> "$file"
fi

umask $OLD_UMASK

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-80366-8
  - NIST-800-53-CM-6(a)  - NIST-800-53-IA-5(13)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ssh_known_hosts_timeout
  - unknown_strategy
- name: XCCDF Value var_sssd_ssh_known_hosts_timeout # promote to variable
  set_fact:
    var_sssd_ssh_known_hosts_timeout: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sssd_ssh_known_hosts_timeout" use="legacy"/>
  tags:
    - always

- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  ignore_errors: true
  changed_when: false
  check_mode: false
  when:
  - '"sssd-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80366-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ssh_known_hosts_timeout
  - unknown_strategy

- name: Add default domain group (if no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    create: true
    mode: 384
  with_items:
  - section: sssd
    option: domains
    value: default
  - section: domain/default
    option: id_provider
    value: files
  when:
  - '"sssd-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length < 1
  tags:
  - CCE-80366-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ssh_known_hosts_timeout
  - unknown_strategy

- name: Configure SSSD to Expire SSH Known Hosts
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: ssh
    option: ssh_known_hosts_timeout
    value: '{{ var_sssd_ssh_known_hosts_timeout }}'
    create: true
    mode: 384
  when:
  - '"sssd-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80366-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(13)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ssh_known_hosts_timeout
  - unknown_strategy

Configure SSSD to Expire SSH Known Hosts

Description

Rationale

Remediation - Shell Script

Remediation - Ansible