From f5ac7523b54055a14e4c2bf4c640e13cfbf9645c Mon Sep 17 00:00:00 2001
From: Tom Henderson
Date: Tue, 26 Mar 2024 11:09:34 +1300
Subject: [PATCH] 4.2.16: Add variable for SSH MaxAuthTries

Signed-off-by: Tom Henderson
---
 defaults/main.yml | 5 +++++
 tasks/section_4/cis_4.2.x.yml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index a320856..0d82cb6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -858,6 +858,11 @@ amzn2023cis_sshd:
 # in legacy environments;
 amzn2023cis_ssh_loglevel: INFO
 
+## Control 4.2.16 - Ensure SSH MaxAuthTries is set to 4 or less
+# This variable contains the maximum number of authentication attempts permitted
+# per connection. This number should be 10 or less.
+amzn2023cis_ssh_maxsauthtries: 4
+
 ## Control 4.2.18 - Ensure SSH MaxSessions is set to 10 or less
 # This variable contains the maximum number of open sessions permitted
 # from a given connection. This number should be 10 or less.
diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml
index 345a2ca..6ba0983 100644
--- a/tasks/section_4/cis_4.2.x.yml
+++ b/tasks/section_4/cis_4.2.x.yml
@@ -353,7 +353,7 @@
       ansible.builtin.lineinfile:
         path: "{{ item.path }}"
         regexp: '^(#)?MaxAuthTries \d'
-        line: 'MaxAuthTries 4'
+        line: 'MaxAuthTries {{ amzn2023cis_ssh_maxsauthtries }}'
         validate: sshd -t -f %s
       with_items:
         - "{{ sshd_d_conf_files.files }}"
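Review bot: The comment on the new variable contradicts the control it documents: the heading says "set to 4 or less" while the next line, evidently copied from the MaxSessions block below it, says "This number should be 10 or less". An operator reading the comment would believe 10 is compliant, which it is not for CIS 4.2.16, so the line should read `# per connection. CIS control 4.2.16 requires this to be 4 or less.`. The variable name `amzn2023cis_ssh_maxsauthtries` also carries a stray "s" ("maxs") that does not match the sshd option `MaxAuthTries` or the sibling `amzn2023cis_ssh_loglevel` naming; since this commit introduces the name, renaming it to `amzn2023cis_ssh_maxauthtries` now is cheap, whereas after release it becomes a breaking change for users' var files.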
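Review bot: Nothing bounds the value that is now templated into `line: 'MaxAuthTries {{ amzn2023cis_ssh_maxsauthtries }}'`; `validate: sshd -t -f %s` only proves the file parses, so a user who overrides the variable to 20 gets a task that reports success while the host silently fails control 4.2.16 (and a non-numeric value only surfaces as a late sshd syntax error). I would add an assert before the lineinfile task that pins the CIS bound, and I would document that bound in the default's comment rather than only in the task. The enclosing task's `name`, `when` and any `notify` are outside this hunk, so the assert should be placed and gated to match them.

```yaml
- name: "4.2.16 | Ensure SSH MaxAuthTries value is within the CIS bound"
  ansible.builtin.assert:
    that:
      - amzn2023cis_ssh_maxsauthtries | int(0) >= 1
      - amzn2023cis_ssh_maxsauthtries | int(0) <= 4
    fail_msg: "amzn2023cis_ssh_maxsauthtries must be an integer from 1 to 4 (CIS 4.2.16)"
# … unchanged: existing lineinfile task using the variable …
```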