Parameterize SSH-related file paths via product properties (preserve current defaults) #14445
Smouhoune wants to merge 6 commits into ComplianceAsCode:master from
Conversation
Hi @Smouhoune. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with
Once the patch is verified, the new status will be reflected by the
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

This datastream diff is auto generated by the check

OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy' differs.
--- ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1
+++ ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1
@@ -6,5 +6,5 @@
Run the following command:
$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd
- Is it the case that the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd?
+ Is it the case that the CRYPTO_POLICY variable is set or is not commented out in /etc/sysconfig/sshd?
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0'.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -15,6 +15,8 @@
value of 0 in
+
+
/etc/ssh/sshd_config:
[reference]:
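Review bot: the two `+` lines in this hunk are empty, so the rendered description now reads "value of 0 in", two blank lines, then "/etc/ssh/sshd_config:". The parameterized path is being emitted with surrounding newlines instead of inline, which contradicts the "preserve current defaults" promise in the title; the same two-blank-line insertion appears in every rule-text hunk further down. Trim the whitespace where the path macro is expanded (Jinja's `-` whitespace control on the delimiters, or keep the macro body on a single line) so the rendered text differs from the old content only when a product actually overrides the path.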
New content has different text for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth'.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -15,6 +15,8 @@
following line in
+
+
/etc/ssh/sshd_config:
HostbasedAuthentication no
OCIL for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- ocil:ssg-disable_host_auth_ocil:questionnaire:1
+++ ocil:ssg-disable_host_auth_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command:
$ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config
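Review bot: this OCIL hunk adds three empty lines ahead of "To determine how the SSH daemon's HostbasedAuthentication option is set", so the questionnaire text now opens with blank lines; the added lines carry no content, so this is the same newline-emitting path expansion as in the description hunks, just via the OCIL template. It recurs in every OCIL hunk below, and in the sshd_disable_rhosts_rsa hunk the three blank lines land in the middle of the question, between "run the following command to check configuration:" and the "To determine how ..." sentence. Please fix it once at the macro rather than per rule.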
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -11,6 +11,8 @@
add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:
$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_forwarding'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_forwarding
@@ -8,6 +8,8 @@
options and may simplify restricted configurations.
To explicitly disable SSHD forwarding, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_forwarding' differs.
--- ocil:ssg-sshd_disable_forwarding_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_forwarding_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's DisableForwarding option is set, run the following command:
$ sudo grep -i DisableForwarding /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -10,6 +10,8 @@
configuration is used if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- ocil:ssg-sshd_disable_gssapi_auth_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_gssapi_auth_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:
$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -10,6 +10,8 @@
The appropriate configuration is used if no value is set for KerberosAuthentication.
To explicitly disable Kerberos authentication, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's KerberosAuthentication option is set, run the following command:
$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -6,6 +6,8 @@
Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms. To disable PubkeyAuthentication authentication, add or
correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- ocil:ssg-sshd_disable_pubkey_auth_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_pubkey_auth_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command:
$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -13,6 +13,8 @@
To explicitly disable support for .rhosts files, add or correct the following line in
+
+
/etc/ssh/sshd_config:
IgnoreRhosts yes
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's IgnoreRhosts option is set, run the following command:
$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1
@@ -3,6 +3,9 @@
$ rpm -qi openssh-server | grep Version
Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option.
If version is lower than 7.4, run the following command to check configuration:
+
+
+
To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command:
$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -6,6 +6,8 @@
The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's PermitRootLogin option is set, run the following command:
$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -4,6 +4,8 @@
[description]:
To disable password-based root logins over SSH, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- ocil:ssg-sshd_disable_root_password_login_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_root_password_login_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's PermitRootLogin option is set, run the following command:
$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -5,6 +5,8 @@
[description]:
The AllowTcpForwarding parameter specifies whether TCP forwarding is permitted.
To disable TCP forwarding, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's AllowTcpForwarding option is set, run the following command:
$ sudo grep -i AllowTcpForwarding /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -8,6 +8,8 @@
To ensure this behavior is disabled, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:
$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -12,6 +12,8 @@
configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- ocil:ssg-sshd_disable_x11_forwarding_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_x11_forwarding_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's X11Forwarding option is set, run the following command:
$ sudo grep -i X11Forwarding /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env'.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -9,6 +9,8 @@
configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1
+++ ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:
$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -6,6 +6,8 @@
Sites setup to use Kerberos or other GSSAPI Authentication require setting
sshd to accept this authentication.
To enable GSSAPI authentication, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- ocil:ssg-sshd_enable_gssapi_auth_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_gssapi_auth_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:
$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -9,6 +9,8 @@
authentication types.
To enable PAM authentication, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- ocil:ssg-sshd_enable_pam_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_pam_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's UsePAM option is set, run the following command:
$ sudo grep -i UsePAM /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -9,6 +9,8 @@
configuration is used if no value is set for PubkeyAuthentication.
To explicitly enable Public Key Authentication, add or correct the following
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command:
$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -13,6 +13,8 @@
To explicitly enable StrictModes in SSH, add or correct the following line in
+
+
/etc/ssh/sshd_config:
StrictModes yes
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's StrictModes option is set, run the following command:
$ sudo grep -i StrictModes /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -5,6 +5,8 @@
[description]:
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's Banner option is set, run the following command:
$ sudo grep -i Banner /etc/ssh/sshd_config
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's Banner option is set, run the following command:
$ sudo grep -i Banner /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -9,6 +9,8 @@
To enable X11 Forwarding, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's X11Forwarding option is set, run the following command:
$ sudo grep -i X11Forwarding /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log'.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -9,6 +9,8 @@
The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- ocil:ssg-sshd_print_last_log_ocil:questionnaire:1
+++ ocil:ssg-sshd_print_last_log_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's PrintLastLog option is set, run the following command:
$ sudo grep -i PrintLastLog /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit'.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -8,6 +8,8 @@
amount of data that may be transmitted and the time
elapsed.
To decrease the default limits, add or correct the following line in
+
+
/etc/ssh/sshd_config:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info'.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -9,6 +9,8 @@
configuration is used if no value is set for LogLevel.
To explicitly specify the log level in SSH, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1
+++ ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's LogLevel option is set, run the following command:
$ sudo grep -i LogLevel /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose'.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -6,6 +6,8 @@
The VERBOSE parameter configures the SSH daemon to record login and logout activity.
To specify the log level in
SSH, add or correct the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- ocil:ssg-sshd_set_loglevel_verbose_ocil:questionnaire:1
+++ ocil:ssg-sshd_set_loglevel_verbose_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's LogLevel option is set, run the following command:
$ sudo grep -i LogLevel /etc/ssh/sshd_config
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
+++ xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
@@ -4,27 +4,22 @@
sshd_approved_ciphers=''
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Ciphers")
-# shellcheck disable=SC2059
-printf -v formatted_output "%s %s" "$stripped_key" "$sshd_approved_ciphers"
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*Ciphers\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^Ciphers\\>" "/etc/ssh/sshd_config"; then
- escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- LC_ALL=C sed -i --follow-symlinks "s/^Ciphers\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config"
-else
- if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then
- LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config"
- fi
- cce="CCE-81032-5"
- printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config"
- printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config"
-fi
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert at the beginning of the file
+printf '%s\n' "Ciphers $sshd_approved_ciphers" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
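Review bot: the two new `sed -i` invocations (`LC_ALL=C sed -i "/^\s*Ciphers\s\+/Id" "/etc/ssh/sshd_config"` and `sed -i -e '$a\' "/etc/ssh/sshd_config"`) drop the `--follow-symlinks` that the removed code passed, so on a host where /etc/ssh/sshd_config is a symlink GNU sed will replace the link with a regular file; keep the flag. The rewrite also changes behaviour rather than only the path: the old block replaced an existing `Ciphers` line in place (or appended one under a `# Per CCE-81032-5` comment), while the new one deletes every `Ciphers` line and writes `Ciphers $sshd_approved_ciphers` as the first line of the file, and the CCE traceability comment is gone. Given sshd's first-obtained-value rule, placing the directive ahead of any `Include` line is what makes it win over drop-in files, so state that rationale in a comment and in the PR description, since the title says defaults are preserved. Two smaller points: the `cp`/`>`/`cat`/`rm` sequence leaves `/etc/ssh/sshd_config.bak` behind if the script is interrupted between the copy and the `rm`, and the `touch` in the else branch creates a missing sshd_config with whatever mode the umask yields; since this PR also touches the sshd_config ownership and permission rules, consider an explicit mode there.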
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost'.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -11,6 +11,8 @@
To explicitly prevent remote connections to the proxy display, add or correct
the following line in
+
+
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- ocil:ssg-sshd_x11_use_localhost_ocil:questionnaire:1
+++ ocil:ssg-sshd_x11_use_localhost_ocil:questionnaire:1
@@ -1,3 +1,6 @@
+
+
+
To determine how the SSH daemon's X11UseLocalhost option is set, run the following command:
$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config
65ff70e to cee6311
…ed macros
Introduce product properties for SSH path customization:
- sshd_main_config_file
- sshd_config_dir
- sshd_config_base_dir
- sshd_hardening_config_basename
- sshd_sysconfig_file

Wire these properties into shared SSH macros used by OVAL, Bash, Ansible, OCIL, and fixtext generation.
Defaults preserve existing behavior for all current products.

Migrate ssh_server rule implementations to the new product-overridable SSH path model.

This updates OVAL checks, Bash remediations, Ansible remediations, and rule text where needed so rules derive paths from product variables instead of hardcoded /etc/ssh locations.

Default behavior remains unchanged via default product values.

…paths
Update SSH ownership, permissions, and existence rules to consume product-overridable SSH path variables.

This keeps rule intent unchanged while allowing products with non-standard sshd config layouts to reuse the same rules without patching content.

Apply the new sshd_sysconfig_file product variable to rules that currently hardcode /etc/sysconfig/sshd.

This covers crypto-policy checks/remediations, strong-RNG guidance, and related file ownership/permission checks.
Default path stays /etc/sysconfig/sshd.
3e94e2b to 86a1b66
Hi @Mab879, I’ve implemented the requested changes you asked for. I’m not fully familiar with the process yet—are there any other steps needed for this PR, or is it now just waiting for review from the other reviewers?
Mab879 left a comment:
The changes look good now. I will leave this open for a few days to let the other distros review.
Description:
Product properties introduced: sshd_main_config_file, sshd_config_dir, sshd_config_base_dir, sshd_hardening_config_basename, sshd_sysconfig_file.
Rationale:
Some rules assume product-specific paths (/etc/ssh/..., /etc/sysconfig/sshd), which blocks reuse on products with different layouts. This change makes paths configurable per product without changing rule intent.
Backward compatibility is preserved through explicit defaults, so existing products keep current behavior with no override.
Review Hints:
./build_product --datastream-only rhel9
./build_product --datastream-only ubuntu2204
./build_product --datastream-only ol7
ctest -R python-unit-ssg-module --output-on-failure
ctest -R 'validate-ssg-rhel9-ds.xml|verify-references-ssg-rhel9-ds.xml' --output-on-failure
ctest -R 'validate-ssg-ol7-ds.xml|verify-references-ssg-ol7-ds.xml' --output-on-failure