Remove Host-Based Authentication Files

An XCCDF Rule

Description

The shosts.equiv file lists remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:

$ sudo rm /[path]/[to]/[file]/shosts.equiv

Rationale

The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

ID: xccdf_org.ssgproject.content_rule_no_host_based_files
Severity: High
References: CCI-000366

SRG-OS-000480-GPOS-00227

SLES-15-040030

SV-234985r622137_rule

CCE-85622-9
Updated: about 1 year ago


# Identify local mounts
MOUNT_LIST=$(df --local | awk '{ print $6 }')

# Find file on each listed mount point
for cur_mount in ${MOUNT_LIST}do
	find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm -f {} \;
done

- name: Remove Host-Based Authentication Files - Define Excluded (Non-Local) File
    Systems and Paths
  ansible.builtin.set_fact:
    excluded_fstypes:
    - afs
    - ceph    - cifs
    - smb3
    - smbfs
    - sshfs
    - ncpfs
    - ncp
    - nfs
    - nfs4
    - gfs
    - gfs2
    - glusterfs
    - gpfs
    - pvfs2
    - ocfs2
    - lustre
    - davfs
    - fuse.sshfs
    excluded_paths:
    - dev
    - proc
    - run
    - sys
    search_paths: []
  tags:
  - CCE-85622-9
  - DISA-STIG-SLES-15-040030
  - high_severity
  - low_complexity
  - low_disruption
  - no_host_based_files
  - no_reboot_needed
  - restrict_strategy

- name: Remove Host-Based Authentication Files - Find Relevant Root Directories Ignoring
    Pre-Defined Excluded Paths
  ansible.builtin.find:
    paths: /
    file_type: directory
    excludes: '{{ excluded_paths }}'
    hidden: true
    recurse: false
  register: result_relevant_root_dirs
  tags:
  - CCE-85622-9
  - DISA-STIG-SLES-15-040030
  - high_severity
  - low_complexity
  - low_disruption
  - no_host_based_files
  - no_reboot_needed
  - restrict_strategy

- name: Remove Host-Based Authentication Files - Include Relevant Root Directories
    in a List of Paths to be Searched
  ansible.builtin.set_fact:
    search_paths: '{{ search_paths | union([item.path]) }}'
  loop: '{{ result_relevant_root_dirs.files }}'
  tags:
  - CCE-85622-9
  - DISA-STIG-SLES-15-040030
  - high_severity
  - low_complexity
  - low_disruption
  - no_host_based_files
  - no_reboot_needed
  - restrict_strategy

- name: Remove Host-Based Authentication Files - Increment Search Paths List with
    Local Partitions Mount Points
  ansible.builtin.set_fact:
    search_paths: '{{ search_paths | union([item.mount]) }}'
  loop: '{{ ansible_mounts }}'
  when:
  - item.fstype not in excluded_fstypes
  - item.mount != '/'
  tags:
  - CCE-85622-9
  - DISA-STIG-SLES-15-040030
  - high_severity
  - low_complexity
  - low_disruption
  - no_host_based_files
  - no_reboot_needed
  - restrict_strategy

- name: Remove Host-Based Authentication Files - Increment Search Paths List with
    Local NFS File System Targets
  ansible.builtin.set_fact:
    search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
  loop: '{{ ansible_mounts }}'
  when: item.device is search("localhost:")
  tags:
  - CCE-85622-9
  - DISA-STIG-SLES-15-040030
  - high_severity
  - low_complexity
  - low_disruption
  - no_host_based_files
  - no_reboot_needed
  - restrict_strategy

- name: Remove Host-Based Authentication Files - Define Rule Specific Facts
  ansible.builtin.set_fact:
    shosts_equiv_files:
    - /shosts.equiv
  tags:
  - CCE-85622-9
  - DISA-STIG-SLES-15-040030
  - high_severity
  - low_complexity
  - low_disruption
  - no_host_based_files
  - no_reboot_needed
  - restrict_strategy

- name: Remove Host-Based Authentication Files - Find All shosts.equiv Files in Local
    File Systems
  ansible.builtin.command:
    cmd: find {{ item }} -xdev -type f -name "shosts.equiv"
  loop: '{{ search_paths }}'
  changed_when: false
  register: result_found_shosts_equiv_files
  tags:
  - CCE-85622-9
  - DISA-STIG-SLES-15-040030
  - high_severity
  - low_complexity
  - low_disruption
  - no_host_based_files
  - no_reboot_needed
  - restrict_strategy

- name: Remove Host-Based Authentication Files - Create List of shosts.equiv Files
    Present in Local File Systems
  ansible.builtin.set_fact:
    shosts_equiv_files: '{{ shosts_equiv_files | union(item.stdout_lines) | list }}'
  loop: '{{ result_found_shosts_equiv_files.results }}'
  tags:
  - CCE-85622-9
  - DISA-STIG-SLES-15-040030
  - high_severity
  - low_complexity
  - low_disruption
  - no_host_based_files
  - no_reboot_needed
  - restrict_strategy

- name: Remove Host-Based Authentication Files - Ensure No shosts.equiv Files Are
    Present in the System
  ansible.builtin.file:
    path: '{{ item }}'
    state: absent
  loop: '{{ shosts_equiv_files }}'
  tags:
  - CCE-85622-9
  - DISA-STIG-SLES-15-040030
  - high_severity
  - low_complexity
  - low_disruption
  - no_host_based_files
  - no_reboot_needed
  - restrict_strategy

Remove Host-Based Authentication Files

Description

Rationale

Remediation - Shell Script

Remediation - Ansible