Disable Compression Or Set Compression to delayed

An XCCDF Rule

Description

Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:

Compression

Rationale

If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.

ID: xccdf_org.ssgproject.content_rule_sshd_disable_compression
Severity: Medium
References: 11 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05

3.1.12

CCI-000366

164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

4.3.4.3.2 4.3.4.3.3

SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4

AC-17(a) CM-6(a) CM-7(a) CM-7(b)

PR.IP-1

SRG-OS-000480-GPOS-00227

SLES-12-030250

CCE-83062-0

SV-217279r880925_rule
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83062-0
  - DISA-STIG-SLES-12-030250  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_compression
- name: XCCDF Value var_sshd_disable_compression # promote to variable
  set_fact:
    var_sshd_disable_compression: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sshd_disable_compression" use="legacy"/>
  tags:
    - always

- name: Disable Compression Or Set Compression to delayed
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*Compression\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*Compression\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*Compression\s+
      line: Compression {{ var_sshd_disable_compression }}
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - '"openssh" in ansible_facts.packages and (((((ansible_facts.packages["openssh"]
    | last)["epoch"]) != None) | ternary((ansible_facts.packages["openssh"] | last)["epoch"]
    ~ ":", "0:")) + ((ansible_facts.packages["openssh"] | last)["version"] | split("-")
    | first)) is version("0:7.4", "<")'
  tags:
  - CCE-83062-0
  - DISA-STIG-SLES-12-030250
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_compression

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q openssh && { real="$(epoch=$(rpm -q --queryformat '%{EPOCH}' openssh); version=$(rpm -q --queryformat '%{VERSION}' openssh); [ "$epoch" = "(none)" ] && echo "0:$version" || echo "$epoch:$version")"; expected="0:7.4"; [[ "$real" != "$expected" ]] && printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then

var_sshd_disable_compression='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sshd_disable_compression" use="legacy"/>'


if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "Compression $var_sshd_disable_compression" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Compression Or Set Compression to delayed

Description

Rationale

Remediation - Ansible

Remediation - Shell Script