Puppet Class: cis_security_hardening::rules::sshd_compression

Defined in:
manifests/rules/sshd_compression.pp

Summary

Ensure the SSH Compression setting is disabled or delayed until after authentication

Overview

The operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.

Rationale: If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.

Examples:

class { 'cis_security_hardening::rules::sshd_compression':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.

  • compression (Enum['no','delayed']) (defaults to: 'no')

    Compression type.


# File 'manifests/rules/sshd_compression.pp', line 22

class cis_security_hardening::rules::sshd_compression (
  Boolean $enforce                  = false,
  Enum['no','delayed'] $compression = 'no',
) {
  if $enforce {
    $path = ($facts['os']['name'] == 'SLES' and $facts['os']['release']['major'] == '12') ? {
      true    => '/usr/etc/ssh/sshd_config',
      default => '/etc/ssh/sshd_config',
    }
    file_line { 'sshd-compression':
      ensure             => present,
      path               => $path,
      line               => "Compression ${compression}",
      match              => '^#?Compression.*',
      append_on_no_match => true,
      notify             => Exec['reload-sshd'],
    }
  }
}
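The file_line resource above works by regex: the first line matching `^#?Compression.*` (commented out or not) is rewritten to `Compression <value>`, and the line is appended when nothing matches. The following Python helper is an added illustration, not part of the module: it reproduces that replace-or-append step and adds an audit that reads the setting the way sshd does (case-insensitive keyword, first occurrence wins, `yes` when absent). The sample sshd_config is constructed.

```python
import re

# Same match expression the Puppet file_line resource uses.
MATCH_RE = re.compile(r'^#?Compression.*')
# Values the class accepts for its $compression parameter.
ALLOWED = {'no', 'delayed'}


def enforce_compression(config: str, compression: str = 'no') -> str:
    """Mirror the file_line resource: rewrite the first matching line
    (commented or not) to 'Compression <value>', or append it when no
    line matches (append_on_no_match => true)."""
    if compression not in ALLOWED:
        raise ValueError(f'unsupported Compression value: {compression}')
    wanted = f'Compression {compression}'
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if MATCH_RE.match(line):
            lines[i] = wanted
            break
    else:
        lines.append(wanted)
    return '\n'.join(lines) + '\n'


def effective_compression(config: str) -> str:
    """Return the value sshd would use: keywords are case-insensitive,
    '=' may separate keyword and value, the first occurrence wins, and
    'yes' is the default. Lines after the first Match block are
    conditional and ignored here."""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.replace('=', ' ').split(None, 1)
        key = parts[0].lower()
        if key == 'match':
            break
        if key == 'compression' and len(parts) == 2:
            return parts[1].strip().lower()
    return 'yes'


def is_compliant(config: str) -> bool:
    """True when the effective setting is one the rule permits."""
    return effective_compression(config) in ALLOWED


# Constructed sample: the stock commented-out line leaves sshd at 'yes'.
SAMPLE_CONFIG = "# constructed sample sshd_config\nPort 22\n#Compression delayed\nPermitRootLogin no\n"
```

Note that since OpenSSH 7.4 `delayed` is only a legacy synonym for `yes` (pre-authentication compression was removed), so on current releases `no` is the setting that actually disables compression.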