diff --git a/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml index 9dd2ecc766b5..7c990240df3e 100644 --- a/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml +++ b/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Group Who Owns SSH Server Configuration Files' description: |- - {{{ describe_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ describe_directory_group_owner(directory=sshd_config_dir, group="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +ocil_clause: '{{{ ocil_clause_directory_group_owner(directory=sshd_config_dir, group="root") }}}' ocil: |- - {{{ ocil_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ ocil_directory_group_owner(directory=sshd_config_dir, group="root") }}} -fixtext: '{{{ fixtext_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}' +fixtext: '{{{ fixtext_directory_group_owner(file=sshd_config_dir, group="root") }}}' -srg_requirement: '{{{ srg_requirement_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}' +srg_requirement: '{{{ srg_requirement_directory_group_owner(file=sshd_config_dir, group="root") }}}' template: name: file_groupowner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' gid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml index 73713872c946..0d4dcc611827 100644 
--- a/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml +++ b/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Owner on SSH Server Configuration Files' description: |- - {{{ describe_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ describe_directory_owner(directory=sshd_config_dir, owner="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_directory_owner(directory=sshd_config_dir, owner="root") }}}' ocil: |- - {{{ ocil_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ ocil_directory_owner(directory=sshd_config_dir, owner="root") }}} -fixtext: '{{{ fixtext_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}' +fixtext: '{{{ fixtext_directory_owner(file=sshd_config_dir, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_directory_owner(file=sshd_config_dir, owner="root") }}}' template: name: file_owner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' uid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml index 6a50abb97e99..9496c6c0efc3 100644 --- a/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml +++ b/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml 
@@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on SSH Server Config File' description: |- - {{{ describe_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0700") }}} + {{{ describe_directory_permissions(directory=sshd_config_dir, perms="0700") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}}' +ocil_clause: '{{{ ocil_clause_directory_permissions(directory=sshd_config_dir, perms="-rwx------") }}}' ocil: |- - {{{ ocil_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}} + {{{ ocil_directory_permissions(directory=sshd_config_dir, perms="-rwx------") }}} -fixtext: '{{{ fixtext_directory_permissions(file="/etc/ssh/sshd_config.d", mode="0700") }}}' +fixtext: '{{{ fixtext_directory_permissions(file=sshd_config_dir, mode="0700") }}}' -srg_requirement: '{{{ srg_requirement_directory_permission(file="/etc/ssh/sshd_config.d", mode="0700") }}}' +srg_requirement: '{{{ srg_requirement_directory_permission(file=sshd_config_dir, mode="0700") }}}' template: name: file_permissions vars: - filepath: /etc/ssh/sshd_config.d/ + filepath: '{{{ sshd_config_dir }}}/' filemode: '0700' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml index f0ea9c5cf13d..4958f6caca25 100644 --- a/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml 
@@ -4,7 +4,7 @@ documentation_complete: true title: 'Verify Group Who Owns SSH Server config file' description: |- - {{{ describe_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}} + {{{ describe_file_group_owner(file=sshd_main_config_file, group="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -35,19 +35,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}' +ocil_clause: '{{{ ocil_clause_file_group_owner(file=sshd_main_config_file, group="root") }}}' ocil: |- - {{{ ocil_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}} + {{{ ocil_file_group_owner(file=sshd_main_config_file, group="root") }}} -fixtext: '{{{ fixtext_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}' +fixtext: '{{{ fixtext_file_group_owner(file=sshd_main_config_file, group="root") }}}' -srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}' +srg_requirement: '{{{ srg_requirement_file_group_owner(file=sshd_main_config_file, group="root") }}}' template: name: file_groupowner vars: - filepath: /etc/ssh/sshd_config + filepath: '{{{ sshd_main_config_file }}}' gid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml index 5f1728ab2a8b..3fd050bca108 100644 --- a/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml +++ b/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml 
@@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Group Who Owns SSH Server Configuration Files' description: |- - {{{ describe_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ describe_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}' ocil: |- - {{{ ocil_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}} + {{{ ocil_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}} -fixtext: '{{{ fixtext_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +fixtext: '{{{ fixtext_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}' -srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}' +srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}' template: name: file_groupowner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' file_regex: '^.*$' gid_or_name: '0' diff --git a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml index 4fefa1a5a591..8eb4b1090351 100644 --- a/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml 
@@ -4,7 +4,7 @@ documentation_complete: true title: 'Verify Owner on SSH Server config file' description: |- - {{{ describe_file_owner(file="/etc/ssh/sshd_config", owner="root") }}} + {{{ describe_file_owner(file=sshd_main_config_file, owner="root") }}} rationale: |- Service configuration files enable or disable features of their respective @@ -35,19 +35,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_file_owner(file=sshd_main_config_file, owner="root") }}}' ocil: |- - {{{ ocil_file_owner(file="/etc/ssh/sshd_config", owner="root") }}} + {{{ ocil_file_owner(file=sshd_main_config_file, owner="root") }}} -fixtext: '{{{ fixtext_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}' +fixtext: '{{{ fixtext_file_owner(file=sshd_main_config_file, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_file_owner(file=sshd_main_config_file, owner="root") }}}' template: name: file_owner vars: - filepath: /etc/ssh/sshd_config + filepath: '{{{ sshd_main_config_file }}}' uid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml index f0832ad73e6b..bb0cf97aa84a 100644 --- a/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml +++ b/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Owner on SSH Server Configuration Files' description: |- - {{{ describe_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ describe_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -29,19 +29,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}' ocil: |- - {{{ ocil_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}} + {{{ ocil_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}} -fixtext: '{{{ fixtext_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +fixtext: '{{{ fixtext_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}' template: name: file_owner vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' file_regex: '^.*$' uid_or_name: '0' diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml index f36678bf6753..d9d311f83a97 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true title: 'Verify Permissions on SSH Server config file' description: |- - {{{ describe_file_permissions(file="/etc/ssh/sshd_config", perms="0600") }}} + {{{ describe_file_permissions(file=sshd_main_config_file, perms="0600") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -36,20 +36,20 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/sshd_config", perms="-rw-------") }}}' +ocil_clause: '{{{ ocil_clause_file_permissions(file=sshd_main_config_file, perms="-rw-------") }}}' ocil: |- - {{{ ocil_file_permissions(file="/etc/ssh/sshd_config", perms="-rw-------") }}} + {{{ ocil_file_permissions(file=sshd_main_config_file, perms="-rw-------") }}} -fixtext: '{{{ fixtext_file_permissions(file="/etc/ssh/sshd_config", mode="0600") }}}' +fixtext: '{{{ fixtext_file_permissions(file=sshd_main_config_file, mode="0600") }}}' -srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/ssh/sshd_config", mode="0600") }}}' +srg_requirement: '{{{ srg_requirement_file_permission(file=sshd_main_config_file, mode="0600") }}}' template: name: file_permissions vars: filepath: - - /etc/ssh/sshd_config + - '{{{ sshd_main_config_file }}}' filemode: '0600' platform: system_with_kernel diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml index 26a1815bce4d..0cfaa9f10f6b 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on SSH Server Config File' description: |- - {{{ describe_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0600") }}} + {{{ describe_files_in_directory_permissions(directory=sshd_config_dir, perms="0600") }}} rationale: |- Service configuration files enable or disable features of their respective 
@@ -28,19 +28,19 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 -ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}}' +ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory=sshd_config_dir, perms="-rw-------") }}}' ocil: |- - {{{ ocil_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}} + {{{ ocil_files_in_directory_permissions(directory=sshd_config_dir, perms="-rw-------") }}} -fixtext: '{{{ fixtext_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}' +fixtext: '{{{ fixtext_files_in_directory_permissions(directory=sshd_config_dir, mode="0600") }}}' -srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}' +srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory=sshd_config_dir, mode="0600") }}}' template: name: file_permissions vars: - filepath: '/etc/ssh/sshd_config.d/' + filepath: '{{{ sshd_config_dir }}}/' file_regex: '^.*$' filemode: '0600' diff --git a/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml b/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml index ffa34166c034..db813093f611 100644 --- a/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml +++ b/linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml @@ -1,9 +1,10 @@ +{{% set sshd_redhat_drop_in_file = sshd_config_dir ~ "/50-redhat.conf" %}} documentation_complete: true -title: 'The File /etc/ssh/sshd_config.d/50-redhat.conf Must Exist' +title: 'The File {{{ sshd_redhat_drop_in_file }}} Must Exist' description: |- - The /etc/ssh/sshd_config.d/50-redhat.conf file must exist as it contains important + The {{{ sshd_redhat_drop_in_file }}} file must exist as it contains important settings to secure SSH. 
@@ -29,7 +30,7 @@ warnings: template: name: 'file_existence' vars: - filepath: '/etc/ssh/sshd_config.d/50-redhat.conf' + filepath: '{{{ sshd_redhat_drop_in_file }}}' exists: true backends: ansible: off diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml index 0370a61865c4..4f652f5c1c22 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml @@ -1,3 +1,9 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_drop_in_include_regex = (sshd_drop_in_dir | replace(".", "\\.")) ~ "/\\*\\.conf" -%}} +{{%- set sshd_main_config_regex = sshd_main_config | replace(".", "\\.") -%}} +{{%- set sshd_drop_in_dir_regex = sshd_drop_in_dir | replace(".", "\\.") -%}} +{{%- set sshd_config_locations_regex = "^(" ~ sshd_main_config_regex ~ "|" ~ sshd_drop_in_dir_regex ~ "/.*\\.conf)$" -%}} {{{ oval_metadata("Ensure SSHD to include the system crypto policy", rule_title=rule_title) }}} @@ -13,8 +19,8 @@ - /etc/ssh/sshd_config - ^[ \t]*(?i)Include(?-i)[ \t]+/etc/ssh/sshd_config\.d/\*.conf$ + {{{ sshd_main_config }}} + ^[ \t]*(?i)Include(?-i)[ \t]+{{{ sshd_drop_in_include_regex }}}$ 1 @@ -25,7 +31,7 @@ - /etc/ssh/(sshd_config|sshd_config\.d/.*\.conf) + {{{ sshd_config_locations_regex }}} ^[ \t]*(?i)Include(?-i)[ \t]+/etc/crypto-policies/back-ends/opensshserver\.config$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml index aff4c3172b75..64801d0bb571 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml 
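Review bot: The new `set` lines in sshd_include_crypto_policy's OVAL turn `sshd_config_dir` and `sshd_main_config_file` into regexes with `replace(".", "\\.")`, which escapes only dots; any other metacharacter a vendor path might carry (`+`, parentheses) would still be interpreted by the OVAL pattern matcher. If the build exposes a regex-escape filter, `sshd_drop_in_dir | regex_escape` (or its equivalent) is the safer form; otherwise a one-line comment above the `set` block stating that the path variables are assumed to contain only `/`, `.`, `-`, `_` and alphanumerics documents the constraint. Note also that the rewritten Include pattern `/\*\.conf` escapes the dot before `conf`, which is tighter than the original `\*.conf`, so an `Include` line such as `sshd_config.d/*xconf` that previously matched no longer does; that looks intended but is a behavioural change rather than a pure parameterization.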
@@ -1,3 +1,8 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_main_config_regex = sshd_main_config | replace(".", "\\.") -%}} +{{%- set sshd_drop_in_dir_regex = sshd_drop_in_dir | replace(".", "\\.") -%}} +{{%- set sshd_any_config_regex = "^(" ~ sshd_main_config_regex ~ "|" ~ sshd_drop_in_dir_regex ~ "/.*\\.conf)$" -%}} {{{ oval_metadata("One of the following parameters of the sshd configuration file is set: AllowUsers, DenyUsers, AllowGroups, DenyGroups.", rule_title=rule_title) }}} @@ -27,22 +32,22 @@ - ^\/etc\/ssh\/sshd_config.*$ + {{{ sshd_any_config_regex }}} (?i)^[ ]*AllowUsers[ ]+((?:[^ \n]+[ ]*)+)$ 1 - ^/etc/ssh/sshd_config.*$ + {{{ sshd_any_config_regex }}} (?i)^[ ]*AllowGroups[ ]+((?:[^ \n]+[ ]*)+)$ 1 - ^/etc/ssh/sshd_config.*$ + {{{ sshd_any_config_regex }}} (?i)^[ ]*DenyUsers[ ]+((?:[^ \n]+[ ]*)+)$ 1 - ^/etc/ssh/sshd_config.*$ + {{{ sshd_any_config_regex }}} (?i)^[ ]*DenyGroups[ ]+((?:[^ \n]+[ ]*)+)$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml index 918c6c789006..f8056fa2f5fc 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml 
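Review bot: The five `set` lines that build `sshd_any_config_regex` in sshd_limit_user_access are a near-verbatim copy of the block added to sshd_include_crypto_policy's OVAL in this same change, so any future fix to the escaping has to be applied twice. A shared macro in the ssh macro file, say `sshd_config_files_regex()` returning `^(<main>|<drop-in dir>/.*\.conf)$`, would keep the two checks in lock-step and shrink both headers to one line. The move from `^/etc/ssh/sshd_config.*$` to a pattern that only accepts `*.conf` under the drop-in directory is also a tightening, not a rename: a file such as `sshd_config.d/allow-users` without the suffix no longer satisfies the check, which matches what an `Include *.conf` directive actually reads but is worth a sentence in the commit description.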
@@ -1,9 +1,9 @@ {{%- set parameter = "RekeyLimit" %}} -{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} -{{%- set description = "Ensure " ~ parameter ~ " is configured with the appropriate value in " ~ sshd_config_path %}} +{{%- set sshd_main_config = sshd_main_config_file %}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set description = "Ensure " ~ parameter ~ " is configured with the appropriate value in " ~ sshd_main_config %}} {{%- if sshd_distributed_config == "true" %}} -{{%- set description = description ~ " or in " ~ sshd_config_dir -%}} +{{%- set description = description ~ " or in " ~ sshd_drop_in_dir -%}} {{%- endif %}} @@ -14,15 +14,15 @@ {{{- application_required_or_requirement_unset() }}} {{%- if sshd_distributed_config == "true" %}} - {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, rule_id=rule_id) | indent(8) }}} + {{{- oval_line_in_directory_criterion(sshd_drop_in_dir, parameter, rule_id=rule_id) | indent(8) }}} - {{{- oval_line_in_file_criterion(sshd_config_path, parameter, rule_id=rule_id) }}} + {{{- oval_line_in_file_criterion(sshd_main_config, parameter, rule_id=rule_id) }}} {{%- else %}} - {{{- oval_line_in_file_criterion(sshd_config_path, parameter, rule_id=rule_id) }}} + {{{- oval_line_in_file_criterion(sshd_main_config, parameter, rule_id=rule_id) }}} {{%- endif %}} @@ -35,7 +35,7 @@ - {{{ sshd_config_path }}} + {{{ sshd_main_config }}} ^[\s]*{{{ parameter }}}[\s]+(.*)$ 1 @@ -54,7 +54,7 @@ - {{{ sshd_config_dir}}} + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[\s]*{{{ parameter }}}[\s]+(.*)$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml index d9d64b684db5..70d69a882e6c 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml 
@@ -1,3 +1,5 @@ +{{% set sshd_main_config = sshd_main_config_file %}} +{{% set sshd_drop_in_glob = sshd_config_dir ~ "/*" %}} documentation_complete: true title: 'Force frequent session key renegotiation' @@ -34,24 +36,17 @@ ocil: |- To check if RekeyLimit is set correctly, run the following command: {{% if sshd_distributed_config == "true" %}} -
$ sudo grep RekeyLimit /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+
$ sudo grep RekeyLimit {{{ sshd_main_config }}} {{{ sshd_drop_in_glob }}}
{{% else %}} -
$ sudo grep RekeyLimit /etc/ssh/sshd_config
+
$ sudo grep RekeyLimit {{{ sshd_main_config }}}
{{% endif %}} If configured properly, output should be
RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}
fixtext: |- - {{% if sshd_distributed_config == "true" %}} - Configure {{{ full_name }}} to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" file: - {{% else %}} - Configure {{{ full_name }}} to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config" file: - {{% endif %}} - - RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}} - - Restart the SSH daemon for the settings to take effect. - - $ sudo systemctl restart sshd.service + {{{ fixtext_sshd_lineinfile( + parameter="RekeyLimit", + value=xccdf_value("var_rekey_limit_size") ~ " " ~ xccdf_value("var_rekey_limit_time"), + config_is_distributed=(sshd_distributed_config == "true")) }}} srg_requirement: '{{{ full_name }}} must force a frequent session key renegotiation for SSH connections to the server.' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml index c4f7f309a530..d5a4b06fe916 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml @@ -1,3 +1,6 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{{ oval_metadata("The SSH idle timeout interval should be set to an @@ -53,7 +56,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ 1 @@ -67,7 +70,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ 1 
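Review bot: `sshd_drop_in_glob` is built as `sshd_config_dir ~ "/*"`, so the OCIL grep inspects every file in the drop-in directory, while this rule's OVAL in the same change only reads files matching `.*\.conf$`; an operator could find a `RekeyLimit` line in a non-`.conf` file that sshd never loads and conclude the rule passes. Using `{{% set sshd_drop_in_glob = sshd_config_dir ~ "/*.conf" %}}` keeps the manual check aligned with the automated one. Separately, `fixtext_sshd_lineinfile` is handed a boolean via `(sshd_distributed_config == "true")` whereas the bash remediations in this change pass the raw `sshd_distributed_config` string to `bash_sshd_remediation`; if both macros tolerate either form this is harmless, but one convention should be picked and documented at the macro definitions.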
@@ -76,7 +79,7 @@ {{%- if product in ["ol8", "ol9"] %}} - /etc/ssh/sshd_config + {{{ sshd_main_config }}} (?i)^\s*Include\s+(.*)$ 1 @@ -84,7 +87,7 @@ - ^(/etc/ssh/(?!/))? + ^({{{ sshd_base_dir }}}/(?!/))? diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml index f1c5911ebcc0..53d51f2abb17 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("The SSH number seconds for login grace time should be set to an @@ -44,7 +46,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$ 1 @@ -59,7 +61,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)LoginGraceTime(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml index 117054f7f9eb..ce045e925251 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("The SSH MaxAuthTries should be set to an @@ -44,7 +46,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$ 1 @@ -59,7 +61,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)MaxAuthTries(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 
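Review bot: In sshd_set_idle_timeout's OVAL, `^({{{ sshd_base_dir }}}/(?!/))?` splices `sshd_config_base_dir` into a regular expression unescaped, unlike the `replace(".", "\\.")` treatment the same change applies to the path variables in sshd_include_crypto_policy and sshd_limit_user_access. With the default `/etc/ssh` there is nothing to escape, so this works today, but the whole point of the variable is that the path may change per product; `^({{{ sshd_base_dir | replace(".", "\\.") }}}/(?!/))?` keeps the three OVALs consistent. This object appears to sit inside the `product in ["ol8", "ol9"]` branch whose surrounding criteria are outside the hunk, so the same review should be applied to any other pattern in that branch.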
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml index 0eff641eb037..207e84401ee0 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("The SSH number of max sessions should be set to an @@ -44,7 +46,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$ 1 @@ -59,7 +61,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)MaxSessions(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh index 5163c19d87f8..0c9d1b452478 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh @@ -2,4 +2,8 @@ {{{ bash_instantiate_variables("sshd_approved_ciphers") }}} -{{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Ciphers', "$sshd_approved_ciphers", '%s %s', cce_identifiers=cce_identifiers) }}} +{{{ bash_sshd_remediation( + parameter="Ciphers", + value="$sshd_approved_ciphers", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml index ec798161c368..52ca8097c258 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml 
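Review bot: `bash_sshd_remediation(parameter="Ciphers", ..., config_is_distributed=sshd_distributed_config)` will place the `Ciphers` line in a drop-in file whenever the product declares distributed sshd configuration, yet this rule's OVAL in the next file section defines only `sshd_main_config` and reads `Ciphers` from that single file; if no drop-in object exists further down in that OVAL, the remediation would configure sshd correctly but the scan would still report a failure. Either the OVAL should gain a drop-in directory object like the one sshd_set_max_sessions uses (`{{{ sshd_drop_in_dir }}}` with `.*\.conf$` and a criterion joined by `OR`), or the bash should be limited to the main file for products where the check only looks there. The same question applies to the `_ordered_stig` variant's `bash/shared.sh` further down, whose shared OVAL likewise only references `sshd_main_config`.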
@@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -36,7 +37,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml index f6dc16cfe0cf..c642d4c55fb4 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml @@ -8,11 +8,5 @@ {{{ ansible_instantiate_variables('sshd_approved_ciphers') }}} {{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- else %}} -- name: "Configure sshd to use approved ciphers" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' - state: present - regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$' - create: True +{{{ ansible_sshd_set(parameter="Ciphers", value="aes256-ctr,aes192-ctr,aes128-ctr", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh index 680c9db7adac..cedc3c42510b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh 
@@ -1,7 +1,7 @@ # platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro -if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then - sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config -else - echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config -fi +{{{ bash_sshd_remediation( + parameter="Ciphers", + value="aes256-ctr,aes192-ctr,aes128-ctr", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml index b32003ca96ae..452e2c8e1d0f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -27,7 +28,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml index 384c5f6589fa..9301044fa185 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/ubuntu.xml 
@@ -5,6 +5,8 @@ {{%- else %}} {{%- set sshd_approved_ciphers = "aes256-ctr,aes192-ctr,aes128-ctr" %}} {{%- endif %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -43,7 +45,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 @@ -56,7 +58,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml index 24f56f81dea1..2ad614753576 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml @@ -4,13 +4,7 @@ # complexity = low # disruption = low -{{% set prefix_conf="^\s*KexAlgorithms\s*" %}} {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256"] %}} -- name: "Configure sshd to use FIPS 140-2 approved key exchange algorithms" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - line: 'KexAlgorithms {{{ kex_algos|join(",") }}}' - state: present - regexp: '{{{ prefix_conf }}}' - create: True +{{% set approved_kex_algos = kex_algos|join(",") %}} +{{{ ansible_sshd_set(parameter="KexAlgorithms", value=approved_kex_algos, config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh index 155d76cd8a52..eda467ef544e 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh @@ -9,10 +9,5 @@ KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellm {{%- if 'ubuntu' in product %}} {{{ bash_sshd_remediation(parameter="KexAlgorithms", value="$KEX_ALGOS", config_is_distributed=sshd_distributed_config, rule_id=rule_id) }}} {{%- else %}} - -if grep -q -P '^\s*KexAlgorithms\s+' /etc/ssh/sshd_config; then - sed -i "s/^\s*KexAlgorithms.*/KexAlgorithms ${KEX_ALGOS}/" /etc/ssh/sshd_config -else - echo "KexAlgorithms ${KEX_ALGOS}" >> /etc/ssh/sshd_config -fi +{{{ bash_sshd_remediation(parameter="KexAlgorithms", value="$KEX_ALGOS", config_is_distributed=sshd_distributed_config, rule_id=rule_id) }}} {{%- endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml index 59e39247137d..57adf654f1ca 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml @@ -7,7 +7,7 @@ "diffie-hellman-group18-sha512"] %}} {{% set sufix_conf="(\s.*)?'" %}} {{% elif product in ['ol7', 'sle12', 'sle15', 'slmicro5', 'slmicro6'] %}} -{{% set path='/etc/ssh/sshd_config' %}} +{{% set path=sshd_main_config_file %}} {{% set prefix_conf="^\s*KexAlgorithms\s*" %}} {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256"] %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml index ea32cfadeb56..52fbf0d0bbb3 100644 
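Review bot: After this change both branches of `{{%- if 'ubuntu' in product %}}` expand to the identical `bash_sshd_remediation(parameter="KexAlgorithms", value="$KEX_ALGOS", config_is_distributed=sshd_distributed_config, rule_id=rule_id)` call, so the conditional no longer selects anything. Collapsing it to a single unconditional macro call would make it clear that the main-config versus drop-in decision is now taken inside the macro via `sshd_distributed_config`, rather than per product here. The `KEX_ALGOS` assignment shown in the hunk header sits above the hunk.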
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/ubuntu.xml @@ -3,6 +3,8 @@ {{%- else %}} {{%- set sshd_approved_kexalgorithms = "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" %}} {{%- endif %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("Limit the KexAlgorithms to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -41,7 +43,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[ \t]*(?i)KexAlgorithms(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 @@ -54,7 +56,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)KexAlgorithms(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml index 90e59a76e962..54265ea53bc9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml @@ -5,11 +5,11 @@ ",diffie-hellman-group14-sha256,diffie-hellman-group16-sha512" ~ ",diffie-hellman-group18-sha512'" %}} {{% elif product in ['ol7'] %}} -{{% set path='/etc/ssh/sshd_config' %}} +{{% set path=sshd_main_config_file %}} {{% set conf="KexAlgorithms ecdh-sha1-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~ ",diffie-hellman-group-exchange-sha256" %}} {{% elif product in ['sle12', 'sle15', 'slmicro5', 'slmicro6', 'ubuntu2204', 'ubuntu2404'] %}} -{{% set path='/etc/ssh/sshd_config' %}} +{{% set path=sshd_main_config_file %}} {{% set conf="KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~ ",diffie-hellman-group-exchange-sha256" %}} {{% endif %}} 
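Review bot: The `conf` string in the `ol7` branch names `ecdh-sha1-nistp256`, which appears to be a typo for `ecdh-sha2-nistp256` — the `sle`/`ubuntu` branch directly below and the `sshd_use_approved_kex_ordered_stig` OVAL elsewhere in this diff both use the `sha2` name, and a KexAlgorithms entry sshd does not recognise would make the rendered guidance unusable as written. This line is context rather than part of the change, but the path refactor touches the line right above it, so fixing it here is cheap: `{{% set conf="KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~`. The enclosing Jinja `if`/`elif` chain begins above the hunk.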
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh index 34025970a52f..6eee376dbf96 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh @@ -2,4 +2,8 @@ {{{ bash_instantiate_variables("sshd_approved_macs") }}} -{{{ bash_replace_or_append('/etc/ssh/sshd_config', '^MACs', "$sshd_approved_macs", '%s %s', cce_identifiers=cce_identifiers) }}} +{{{ bash_sshd_remediation( + parameter="MACs", + value="$sshd_approved_macs", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml index c87db511d054..ce8530423105 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -46,7 +47,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml index 0acefd7516c1..c3e236f2fcf6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml 
@@ -8,11 +8,5 @@ {{{ ansible_instantiate_variables('sshd_approved_macs') }}} {{{ ansible_sshd_set(parameter="Macs", value="{{ sshd_approved_macs }}", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- else %}} -- name: "Configure sshd to use approved MACs" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - line: 'MACs hmac-sha2-512,hmac-sha2-256' - state: present - regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$' - create: True +{{{ ansible_sshd_set(parameter="MACs", value="hmac-sha2-512,hmac-sha2-256", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}} {{%- endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh index 0e0205a98818..83cb8cb6e1c9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh @@ -1,7 +1,7 @@ # platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro -if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then - sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config -else - echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config -fi +{{{ bash_sshd_remediation( + parameter="MACs", + value="hmac-sha2-512,hmac-sha2-256", + config_is_distributed=sshd_distributed_config, + rule_id=rule_id) }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml index 1b4781ef43d1..158d94d30e2b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml 
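Review bot: The new `ansible_sshd_set` call spells the directive `MACs` while the `sshd_approved_macs` branch two lines above passes `Macs`; sshd keywords are case-insensitive and the macro removes existing lines with an `(?i)` prefix, so behaviour is the same, but the two branches of one file should write the keyword identically. Using `parameter="MACs"` in the first branch as well (`{{{ ansible_sshd_set(parameter="MACs", value="{{ sshd_approved_macs }}", config_is_distributed=sshd_distributed_config, rule_title=rule_title) }}}`) also keeps the rendered config consistent with the `MACs` spelling used by the bash and OVAL content for this rule. The `if` that opens the first branch is outside the hunk.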
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -27,7 +28,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml index cdef6cc539a6..25c618e5ae26 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/ubuntu.xml @@ -5,6 +5,8 @@ {{%- else %}} {{%- set sshd_approved_macs = "hmac-sha2-512,hmac-sha2-256" %}} {{%- endif %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -43,7 +45,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 @@ -56,7 +58,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh index 9317b23992dc..91548a10db65 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh 
@@ -1,18 +1,21 @@ # platform = multi_platform_all -{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}} -{{% set base_config = "/etc/ssh/sshd_config" -%}} +{{% set base_config = sshd_main_config_file -%}} +{{% set config_dir = sshd_config_dir -%}} +{{% set target_file = config_dir ~ "/sshd_config_original.conf" -%}} +{{% set include_directive = "Include " ~ config_dir ~ "/*.conf" -%}} +{{% set include_regex = "^\\s*Include\\s+" ~ (config_dir | replace(".", "\\.")) ~ "/\\*\\.conf" -%}} if test -f {{{ target_file}}}; then {{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}} -elif grep -Eq '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then +elif grep -Eq '{{{ include_regex }}}' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then {{{ die("Remediation probably already happened, '" ~ base_config ~ "' already contains the include directive.", action="false") }}} else - mkdir -p /etc/ssh/sshd_config.d + mkdir -p {{{ config_dir }}} mv {{{ base_config }}} {{{ target_file }}} cat > {{{ base_config }}} << EOF # To modify the system-wide sshd configuration, create a *.conf file under -# /etc/ssh/sshd_config.d/ which will be automatically included below +# {{{ config_dir }}}/ which will be automatically included below -Include /etc/ssh/sshd_config.d/*.conf +{{{ include_directive }}} EOF fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml index a0bf190007d0..055f63c20fd2 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml 
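Review bot: `mkdir -p {{{ config_dir }}}` and the `cat > {{{ base_config }}}` heredoc below it create the drop-in directory and the replacement main config with whatever mode the caller's umask yields, while the original file keeps its mode on the `mv` to `target_file`; on products that ship `sshd_config` as 0600 the rewritten file therefore comes out more permissive than the one it replaced, and the new directory is likewise left to the umask. This predates the change, but the remediation now targets a templated path, so it is a good moment to make the result deterministic: record `orig_mode=$(stat -c %a {{{ base_config }}})` before the `mv` and apply `chmod "$orig_mode" {{{ base_config }}}` after `EOF`, and give the directory an explicit mode in the same spirit as the `chmod 0600` that `bash_sshd_remediation` applies to its drop-in file. Whether the expected directory mode differs per product is not visible here and should be confirmed against the directory permission rules for `sshd_config_dir`.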
@@ -1,4 +1,4 @@ -{{%- set config_path = "/etc/ssh/sshd_config" %}} +{{%- set config_path = sshd_main_config_file %}} @@ -26,4 +26,3 @@ {{{ oval_line_in_file_test(config_path, "match", missing_parameter_pass=true, rule_id=rule_id) | indent (2) }}} {{{ oval_line_in_file_object(config_path, parameter="match", missing_parameter_pass=true, prefix_regex="^[ \\t]*(?i)", separator_regex="(?-i)\s+\S+", rule_id=rule_id) | indent (2) }}} - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml index 9e097ca403a8..b47bab42117f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml @@ -1,3 +1,5 @@ +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{{ oval_metadata("Limit the Key Exchange Algorithms to those which are FIPS-approved.", rule_title=rule_title) }}} @@ -52,7 +54,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 @@ -80,7 +82,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml index cefbd207730f..c50826514438 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml @@ -1,4 +1,5 @@ -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} {{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}} 
@@ -56,7 +57,7 @@ - /etc/ssh/sshd_config + {{{ sshd_main_config }}} ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 @@ -78,7 +79,7 @@ - /etc/ssh/sshd_config.d + {{{ sshd_drop_in_dir }}} .*\.conf$ ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml index b8240ae667a3..0b43a2b32b1a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml @@ -1,4 +1,5 @@ documentation_complete: true +{{% set sshd_sysconfig = sshd_sysconfig_file %}} # TODO: The plan is not to need this for RHEL>=8.4 # TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more @@ -6,7 +7,7 @@ documentation_complete: true title: 'SSH server uses strong entropy to seed' description: |- - To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. + To set up SSH server to use entropy from a high-quality source, edit the {{{ sshd_sysconfig }}} file. The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so make sure that the file contains line
SSH_USE_STRONG_RNG=32
@@ -31,17 +32,17 @@ references: ocil: |- To determine whether the SSH service is configured to use strong entropy seed, - run
$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd
+ run
$ sudo grep SSH_USE_STRONG_RNG {{{ sshd_sysconfig }}}
If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned, then the option is set correctly. ocil_clause: |- - the SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd + the SSH_USE_STRONG_RNG is not set to 32 in {{{ sshd_sysconfig }}} fixtext: |- Configure the {{{ full_name }}} SSH server to use strong entropy. - Add or modify the following line in the "/etc/sysconfig/sshd" file. + Add or modify the following line in the "{{{ sshd_sysconfig }}}" file. SSH_USE_STRONG_RNG=32 @@ -55,7 +56,7 @@ warnings: template: name: shell_lineinfile vars: - path: '/etc/sysconfig/sshd' + path: '{{{ sshd_sysconfig }}}' parameter: 'SSH_USE_STRONG_RNG' value: '32' datatype: int diff --git a/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml b/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml index 6a57207cc9b5..09a5d5beac04 100644 --- a/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml +++ b/linux_os/guide/system/permissions/files/file_groupowner_etc_sysconfig_sshd/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Verify Group Who Owns /etc/sysconfig/sshd File' -description: '{{{ describe_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +description: '{{{ describe_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' rationale: |- The /etc/sysconfig/sshd file contains configuration options for the SSH daemon. 
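Review bot: `title` (`Verify Group Who Owns /etc/sysconfig/sshd File`) and the first line of `rationale` (`The /etc/sysconfig/sshd file contains ...`) still hardcode the path that `description` now takes from `sshd_sysconfig_file`, so on any product where that variable resolves to a different path the rendered rule would name two different files. The same split appears in the `file_owner_etc_sysconfig_sshd` and `file_permissions_etc_sysconfig_sshd` hunks that follow; either template those strings too, e.g. `The {{{ sshd_sysconfig_file }}} file contains configuration options for the SSH daemon.`, or note in the rule that the variable is expected to be constant for the products these rules apply to. The remainder of `rationale` continues below the hunk.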
@@ -14,19 +14,19 @@ severity: medium identifiers: cce@rhel8: CCE-89268-7 -ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +ocil_clause: '{{{ ocil_clause_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' ocil: |- - {{{ ocil_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}} + {{{ ocil_file_group_owner(file=sshd_sysconfig_file, group="root") }}} -fixtext: '{{{ fixtext_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +fixtext: '{{{ fixtext_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' -srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/sysconfig/sshd", group="root") }}}' +srg_requirement: '{{{ srg_requirement_file_group_owner(file=sshd_sysconfig_file, group="root") }}}' template: name: file_groupowner vars: - filepath: /etc/sysconfig/sshd + filepath: '{{{ sshd_sysconfig_file }}}' gid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml b/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml index 64785d24ce67..758f6cc3dc7e 100644 --- a/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml +++ b/linux_os/guide/system/permissions/files/file_owner_etc_sysconfig_sshd/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Verify User Who Owns /etc/sysconfig/sshd File' -description: '{{{ describe_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +description: '{{{ describe_file_owner(file=sshd_sysconfig_file, owner="root") }}}' rationale: |- The /etc/sysconfig/sshd file contains configuration options for the SSH daemon. 
@@ -14,19 +14,19 @@ severity: medium identifiers: cce@rhel8: CCE-89269-5 -ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_file_owner(file=sshd_sysconfig_file, owner="root") }}}' ocil: |- - {{{ ocil_file_owner(file="/etc/sysconfig/sshd", owner="root") }}} + {{{ ocil_file_owner(file=sshd_sysconfig_file, owner="root") }}} -fixtext: '{{{ fixtext_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +fixtext: '{{{ fixtext_file_owner(file=sshd_sysconfig_file, owner="root") }}}' -srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/sysconfig/sshd", owner="root") }}}' +srg_requirement: '{{{ srg_requirement_file_owner(file=sshd_sysconfig_file, owner="root") }}}' template: name: file_owner vars: - filepath: /etc/sysconfig/sshd + filepath: '{{{ sshd_sysconfig_file }}}' uid_or_name: '0' platform: system_with_kernel diff --git a/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml index 156efad15e09..fab349e834b8 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_etc_sysconfig_sshd/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on /etc/sysconfig/sshd File' description: |- - {{{ describe_file_permissions(file="/etc/sysconfig/sshd", perms="0640") }}} + {{{ describe_file_permissions(file=sshd_sysconfig_file, perms="0640") }}} rationale: |- The /etc/sysconfig/sshd file contains configuration options for the SSH daemon. 
@@ -15,19 +15,19 @@ severity: medium identifiers: cce@rhel8: CCE-89270-3 -ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/sysconfig/sshd", perms="-rw-r-----") }}}' +ocil_clause: '{{{ ocil_clause_file_permissions(file=sshd_sysconfig_file, perms="-rw-r-----") }}}' ocil: |- - {{{ ocil_file_permissions(file="/etc/sysconfig/sshd", perms="-rw-r-----") }}} + {{{ ocil_file_permissions(file=sshd_sysconfig_file, perms="-rw-r-----") }}} -fixtext: '{{{ fixtext_file_permissions(file="/etc/sysconfig/sshd", mode="0640") }}}' +fixtext: '{{{ fixtext_file_permissions(file=sshd_sysconfig_file, mode="0640") }}}' -srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/sysconfig/sshd", mode="0640") }}}' +srg_requirement: '{{{ srg_requirement_file_permission(file=sshd_sysconfig_file, mode="0640") }}}' template: name: file_permissions vars: - filepath: /etc/sysconfig/sshd + filepath: '{{{ sshd_sysconfig_file }}}' filemode: '0640' allow_stricter_permissions: "true" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml index cfbff70b845c..65dccf57d6e7 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml @@ -6,6 +6,6 @@ - name: "{{{ rule_title }}}" ansible.builtin.lineinfile: - dest: /etc/sysconfig/sshd + dest: '{{{ sshd_sysconfig_file }}}' state: absent regexp: (?i)^\s*CRYPTO_POLICY.*$ diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh index 2a04f5ea6bc0..8066e15c264a 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh 
+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/bash/shared.sh @@ -1,5 +1,5 @@ # platform = multi_platform_all -SSH_CONF="/etc/sysconfig/sshd" +SSH_CONF="{{{ sshd_sysconfig_file }}}" sed -i "/^\s*CRYPTO_POLICY.*$/Id" $SSH_CONF diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml index e51181528eb3..0265d746b9ab 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set sshd_sysconfig = sshd_sysconfig_file -%}} {{{ oval_metadata("SSH should be configured to use the system-wide crypto policy setting.", rule_title=rule_title) }}} @@ -14,7 +15,7 @@ - /etc/sysconfig/sshd + {{{ sshd_sysconfig }}} ^\s*(?i)CRYPTO_POLICY\s*=.*$ 1 diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml index 7e722ab1170f..ccd2d2b2b5e5 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/rule.yml @@ -1,4 +1,5 @@ documentation_complete: true +{{% set sshd_sysconfig = sshd_sysconfig_file %}} title: 'Configure SSH to use System Crypto Policy' @@ -9,7 +10,7 @@ description: |- set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented or not set at all - in the /etc/sysconfig/sshd. + in the {{{ sshd_sysconfig }}}. rationale: |- Overriding the system crypto policy makes the behavior of the SSH service violate expectations, 
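Review bot: `$SSH_CONF` is expanded unquoted in the `sed -i` line, and now that its value comes from the `sshd_sysconfig_file` template variable rather than a fixed literal, a per-product path containing whitespace or glob characters would be word-split or expanded by the shell before `sed` sees it. Quoting it as `sed -i "/^\s*CRYPTO_POLICY.*$/Id" "$SSH_CONF"` keeps the remediation shell-safe regardless of how the variable is set.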
@@ -34,23 +35,23 @@ references: srg: SRG-OS-000250-GPOS-00093 stigid@ol8: OL08-00-010287 -ocil_clause: 'the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd' +ocil_clause: 'the CRYPTO_POLICY variable is set or is not commented out in {{{ sshd_sysconfig }}}' ocil: |- Verify that sshd isn't configured to ignore the system wide cryptographic policy. Check that the CRYPTO_POLICY variable is not set or is commented out in the - /etc/sysconfig/sshd. + {{{ sshd_sysconfig }}}. Run the following command: - $ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd + $ sudo grep CRYPTO_POLICY {{{ sshd_sysconfig }}} fixtext: |- Configure OpenSSH to not ignore the system wide cryptographic policy. Run the following command: - $ sudo sed -i "/^\s*CRYPTO_POLICY.*$/Id" /etc/sysconfig/sshd + $ sudo sed -i "/^\s*CRYPTO_POLICY.*$/Id" {{{ sshd_sysconfig }}} srg_requirement: |- {{{ full_name }}} must implement approved encryption in the OpenSSH package. diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index fe432b975fc5..b69baf93226e 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -198,7 +198,7 @@ value: :code:`Setting={{ varname1 }}` (but case-sensitive values). We also specify the validation program here; -t specifies test and -f allows Ansible to pass a file at a different path. - Set set a parameter in /etc/sshd_config or /etc/ssh/sshd_config.d/ + Set a parameter in ``sshd_main_config_file`` or ``sshd_config_dir``. :parameter msg: Message to be set as Task Title, if not set the rule's title will be used instead :type msg: str 
@@ -206,17 +206,20 @@ value: :code:`Setting={{ varname1 }}` :type parameter: str :parameter value: The value to set :type value: str -:parameter config_is_distributed: If true, will ok look in /etc/ssh/sshd_config.d +:parameter config_is_distributed: If true, use ``sshd_config_dir`` for configuration :type config_is_distributed: str :parameter config_basename: Filename of configuration file when using distributed configuration :type config_basename: str #}} -{{%- macro ansible_sshd_set(msg='', parameter='', value='', config_is_distributed="false", config_basename="00-complianceascode-hardening.conf", rule_title=None) %}} +{{%- macro ansible_sshd_set(msg='', parameter='', value='', config_is_distributed="false", config_basename="", rule_title=None) %}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{% if product in ["ol8", "ol9"] %}} - name: "Find sshd_config included files" ansible.builtin.shell: |- - included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|') + included_files=$(grep -oP "^\s*(?i)include.*" {{{ sshd_main_config }}} | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|{{{ sshd_base_dir }}}/&|') [[ -n $included_files ]] && ls $included_files || true register: sshd_config_included_files 
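Review bot: The `:parameter config_basename:` description is unchanged although the signature's default moves from a fixed filename to `""`, and the following hunk makes an empty value fall back to `sshd_hardening_config_basename`; the docstring should state that, e.g. `:parameter config_basename: Filename of configuration file when using distributed configuration; empty (the default) selects sshd_hardening_config_basename`. The same gap applies to `bash_sshd_remediation` in 10-bash.jinja, whose docstring above the signature is also unchanged while its default becomes `""`. The macro body continues in the following hunks.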
@@ -229,9 +232,10 @@ value: :code:`Setting={{ varname1 }}` {{% endif %}} {{%- if config_is_distributed == "true" %}} -{{% set config_dir = "/etc/ssh/sshd_config.d" %}} -{{% set config_file = "/etc/ssh/sshd_config.d" ~ "/" ~ config_basename %}} -{{{ ansible_set_config_file_dir(msg, config_file="/etc/ssh/sshd_config", config_dir=config_dir, set_file=config_file, parameter=parameter, separator_regex="\s+", value=value, prefix_regex="(?i)^\s*", create='yes', validate='/usr/sbin/sshd -t -f %s', insert_after='', insert_before="BOF", rule_title=rule_title) }}} +{{% set hardening_config_basename = config_basename or sshd_hardening_config_basename %}} +{{% set config_dir = sshd_drop_in_dir %}} +{{% set config_file = sshd_drop_in_dir ~ "/" ~ hardening_config_basename %}} +{{{ ansible_set_config_file_dir(msg, config_file=sshd_main_config, config_dir=config_dir, set_file=config_file, parameter=parameter, separator_regex="\s+", value=value, prefix_regex="(?i)^\s*", create='yes', validate='/usr/sbin/sshd -t -f %s', insert_after='', insert_before="BOF", rule_title=rule_title) }}} - name: {{{ rule_title }}} - set file mode for {{{ config_file }}} ansible.builtin.file: path: {{{ config_file }}} @@ -240,7 +244,7 @@ value: :code:`Setting={{ varname1 }}` modification_time: preserve access_time: preserve {{%- else %}} -{{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="BOF", rule_title=rule_title) }}} +{{{ ansible_set_config_file(msg, sshd_main_config, parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="BOF", rule_title=rule_title) }}} {{%- endif %}} {{%- endmacro %}} diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 7ad8a71c0246..2ffdd0ee9785 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -173,8 +173,9 @@ test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" #}} {{%- macro bash_sshd_config_set(parameter, value, rule_id=None) -%}} +{{%- set sshd_config_path = sshd_main_config_file -%}} {{{ set_config_file( - path="/etc/ssh/sshd_config", + path=sshd_config_path, parameter=parameter, value=value, create=true, @@ -201,14 +202,15 @@ test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" :type config_basename: str #}} -{{% macro bash_sshd_remediation(parameter, value, config_is_distributed="false", config_basename="00-complianceascode-hardening.conf", rule_id=None) -%}} -{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{% macro bash_sshd_remediation(parameter, value, config_is_distributed="false", config_basename="", rule_id=None) -%}} +{{%- set sshd_config_path = sshd_main_config_file %}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{% if product in ["ol8", "ol9"] %}} # Find the include keyword, extract from the line the glob expression representing included files. -# And if it is a relative path prepend '/etc/ssh/' -included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|/etc/ssh/&|') +# And if it is a relative path prepend '{{{ sshd_base_dir }}}/' +included_files=$(grep -oP "^\s*(?i)include.*" {{{ sshd_config_path }}} | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|{{{ sshd_base_dir }}}/&|') for included_file in ${included_files} ; do {{{ lineinfile_absent("$included_file", "^\s*" ~ parameter, insensitive=true, rule_id=rule_id) | indent(4) }}} done 
@@ -216,15 +218,15 @@ done {{%- if config_is_distributed == "true" %}} {{%- set prefix_regex = "^\s*" -%}} {{%- set separator_regex = "\s\+" -%}} -{{%- set hardening_config_basename = config_basename %}} +{{%- set hardening_config_basename = config_basename or sshd_hardening_config_basename %}} {{%- set line_regex = prefix_regex ~ parameter ~ separator_regex %}} -mkdir -p {{{ sshd_config_dir }}} -touch {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}} -chmod 0600 {{{ sshd_config_dir }}}/{{{ hardening_config_basename }}} +mkdir -p {{{ sshd_drop_in_dir }}} +touch {{{ sshd_drop_in_dir }}}/{{{ hardening_config_basename }}} +chmod 0600 {{{ sshd_drop_in_dir }}}/{{{ hardening_config_basename }}} {{{ lineinfile_absent(sshd_config_path, line_regex, insensitive=true, rule_id=rule_id) }}} -{{{ lineinfile_absent_in_directory(sshd_config_dir, line_regex, insensitive=true, filename_glob="*.conf") }}} +{{{ lineinfile_absent_in_directory(sshd_drop_in_dir, line_regex, insensitive=true, filename_glob="*.conf") }}} {{{ set_config_file( - path=sshd_config_dir ~ "/" ~ hardening_config_basename, + path=sshd_drop_in_dir ~ "/" ~ hardening_config_basename, parameter=parameter, value=value, create=true, diff --git a/shared/macros/10-fixtext.jinja b/shared/macros/10-fixtext.jinja index 1ecca316fe66..ebba0ef3a26b 100644 --- a/shared/macros/10-fixtext.jinja +++ b/shared/macros/10-fixtext.jinja 
@@ -233,10 +233,12 @@ The audit daemon must be restarted for the changes to take effect. #}} {{%- macro fixtext_sshd_lineinfile(parameter, value, config_is_distributed) -%}} +{{%- set sshd_main_config = sshd_main_config_file -%}} +{{%- set sshd_hardening_config = sshd_config_dir ~ "/" ~ sshd_hardening_config_basename -%}} {{%- if config_is_distributed -%}} -{{%- set path = "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" -%}} +{{%- set path = sshd_hardening_config -%}} {{%- else -%}} -{{%- set path = "/etc/ssh/sshd_config" -%}} +{{%- set path = sshd_main_config -%}} {{%- endif -%}} To configure the system add or modify the following line in "{{{ path }}}". diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index ab94d0956921..76759bdde775 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -26,10 +26,12 @@ $ oc get {{% if all_namespaces %}}--all-namespaces{{% elif namespace %}}-n {{{ n {{% macro sshd_config_file() %}} + {{% set sshd_main_config = sshd_main_config_file %}} + {{% set sshd_hardening_config = sshd_config_dir ~ "/" ~ sshd_hardening_config_basename %}} {{% if sshd_distributed_config == "true" %}} - /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf: + {{{ sshd_hardening_config }}}: {{% else %}} - /etc/ssh/sshd_config: + {{{ sshd_main_config }}}: {{% endif %}} {{%- endmacro %}} @@ -509,14 +511,17 @@ ocil_clause: "the required value is not set" #}} {{% macro ocil_sshd_option(default, option, value) -%}} + {{% set sshd_main_config = sshd_main_config_file %}} + {{% set sshd_hardening_config = sshd_config_dir ~ "/" ~ sshd_hardening_config_basename %}} + {{% set sshd_reinforce_defaults_config = sshd_config_dir ~ "/01-complianceascode-reinforce-os-defaults.conf" %}} To determine how the SSH daemon's {{{ option }}} option is set, run the following command: {{% if sshd_distributed_config == "true" %}} -
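Review bot: fixtext_sshd_lineinfile chooses `sshd_hardening_config` on the bare truthiness of `config_is_distributed` (`{{%- if config_is_distributed -%}}`), whereas every other macro touched by this commit tests `== "true"`; a caller passing the string "false" would be told to edit the drop-in file while the bash and Ansible remediation write the main file. The condition is a context line, but since both branches were rewritten here it is the natural moment to either align it to `{{%- if config_is_distributed == "true" -%}}` or state in the macro docstring that this parameter is a real boolean rather than the "true"/"false" strings used elsewhere. The macro's remaining lines lie outside the hunk.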
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+
$ sudo grep -i {{{ option }}} {{{ sshd_hardening_config }}}
{{% if default == "yes" -%}} -
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+
$ sudo grep -i {{{ option }}} {{{ sshd_reinforce_defaults_config }}}
{{%- endif %}} {{% else %}} -
$ sudo grep -i {{{ option }}} /etc/ssh/sshd_config
+
$ sudo grep -i {{{ option }}} {{{ sshd_main_config }}}
{{% endif %}} If a line indicating {{{ value }}} is returned, then the required value is set. {{%- endmacro %}} diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 6466728189db..48c0cd829fd9 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1034,16 +1034,17 @@ Generates the :code:`` tag for OVAL check using correct product platfo #}} {{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, runtime_check="false", xccdf_variable="", datatype="", rule_id=None, rule_title=None) -%}} -{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} -{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- set sshd_main_config = sshd_main_config_file %}} +{{%- set sshd_drop_in_dir = sshd_config_dir -%}} +{{%- set sshd_base_dir = sshd_config_base_dir -%}} {{%- set sshd_runtime_path = "/tmp/runtime/sshd_effective_config" -%}} {{%- if xccdf_variable -%}} -{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}} +{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_main_config %}} {{%- else -%}} -{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value '" ~ value ~ "' in " ~ sshd_config_path %}} +{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value '" ~ value ~ "' in " ~ sshd_main_config %}} {{%- endif -%}} {{%- if config_is_distributed == "true" %}} -{{%- set description = description ~ " or in " ~ sshd_config_dir -%}} +{{%- set description = description ~ " or in " ~ sshd_drop_in_dir -%}} {{%- endif %}} {{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}} 
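Review bot: The file name in `{{% set sshd_reinforce_defaults_config = sshd_config_dir ~ "/01-complianceascode-reinforce-os-defaults.conf" %}}` stays hard-coded while its sibling `00-…` file was promoted to the product property `sshd_hardening_config_basename`, so a product that renames its drop-ins gets an OCIL procedure pointing operators at the wrong file for `default == "yes"` options. If the reinforce-defaults name is intended to be fixed across products, a comment on that line saying so would stop the next reader from treating it as an oversight; otherwise it deserves a property alongside the other sshd ones in ssg/constants.py and ssg/products.py.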
@@ -1081,10 +1082,10 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endif %}} {{%- if runtime_check != "true" %}} - - {{{- oval_line_in_file_criterion(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} + + {{{- oval_line_in_file_criterion(sshd_main_config, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} {{%- if config_is_distributed == "true" %}} - {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}} + {{{- oval_line_in_directory_criterion(sshd_drop_in_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent(12) }}} {{%- endif %}} {{% if product in ["ol8", "ol9"] %}} {{{- oval_line_in_file_criterion("sshd_config included", parameter, id_stem=rule_id ~ "_sshd_included_files", avoid_conflicting=true, rule_id=rule_id) | indent(12)}}} @@ -1105,11 +1106,11 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} {{% if product in ["ol8", "ol9"] %}} - {{{ oval_line_in_file_object(sshd_config_path, parameter="include", id_stem="sshd_include_value_" ~ rule_id, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} + {{{ oval_line_in_file_object(sshd_main_config, parameter="include", id_stem="sshd_include_value_" ~ rule_id, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} - ^(/etc/ssh/(?!/))? + ^({{{ sshd_base_dir }}}/(?!/))? 
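Review bot: `^({{{ sshd_base_dir }}}/(?!/))?` inserts the product's base directory into an OVAL regex pattern without escaping, so any regex metacharacter in the path (a `.` in a name like `ssh.d`, a `+`, a parenthesis) changes what the pattern matches instead of being matched literally; with the default `/etc/ssh` the result equals the old literal, but the value is now product data. Jinja has no regex-escape filter of its own, so either escape it on the Python side where the property is derived, or add a comment on that line, e.g. `{{# sshd_base_dir is embedded in a regex unescaped: product values must not contain regex metacharacters #}}`, so the constraint is visible where the property is set. sshd_oval_check starts before and ends after this hunk.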
@@ -1136,8 +1137,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} - {{{ oval_line_in_file_test(sshd_config_path, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} - {{{ oval_line_in_file_object(sshd_config_path, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} + {{{ oval_line_in_file_test(sshd_main_config, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_file_object(sshd_main_config, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs)| indent (2) }}} {{%- if xccdf_variable -%}} {{{ oval_line_in_file_state_xccdf_variable(xccdf_variable, datatype=datatype, rule_id=rule_id) }}} {{%- else -%}} @@ -1145,8 +1146,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endif -%}} {{%- if config_is_distributed == "true" %}} - {{{ oval_line_in_directory_test(sshd_config_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} - {{{ oval_line_in_directory_object(sshd_config_dir, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs) | indent (2) }}} + {{{ oval_line_in_directory_test(sshd_drop_in_dir, parameter, avoid_conflicting=true, rule_id=rule_id) | indent (2) }}} + {{{ oval_line_in_directory_object(sshd_drop_in_dir, parameter=parameter, rule_id=rule_id, ** case_insensitivity_kwargs) | indent (2) }}} {{%- if xccdf_variable -%}} {{{ oval_line_in_directory_state_xccdf_variable(xccdf_variable, datatype, rule_id=rule_id) | indent (2) }}} {{%- else -%}} diff --git a/ssg/constants.py b/ssg/constants.py index f104ecec2c34..1f4ae4a5631c 100644 --- a/ssg/constants.py +++ b/ssg/constants.py 
@@ -459,6 +459,10 @@ DEFAULT_FAILLOCK_PATH = '/var/run/faillock' DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false' DEFAULT_SSH_RUNTIME_CHECK = 'false' +DEFAULT_SSHD_MAIN_CONFIG_FILE = '/etc/ssh/sshd_config' +DEFAULT_SSHD_CONFIG_DIR = '/etc/ssh/sshd_config.d' +DEFAULT_SSHD_HARDENING_CONFIG_BASENAME = '00-complianceascode-hardening.conf' +DEFAULT_SSHD_SYSCONFIG_FILE = '/etc/sysconfig/sshd' DEFAULT_PRODUCT = 'example' DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf' DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/' diff --git a/ssg/products.py b/ssg/products.py index 4c1e0c65367d..93eaa1857708 100644 --- a/ssg/products.py +++ b/ssg/products.py @@ -17,6 +17,10 @@ DEFAULT_RSYSLOG_CAFILE, DEFAULT_SSH_DISTRIBUTED_CONFIG, DEFAULT_SSH_RUNTIME_CHECK, + DEFAULT_SSHD_MAIN_CONFIG_FILE, + DEFAULT_SSHD_CONFIG_DIR, + DEFAULT_SSHD_HARDENING_CONFIG_BASENAME, + DEFAULT_SSHD_SYSCONFIG_FILE, DEFAULT_CHRONY_CONF_PATH, DEFAULT_CHRONY_D_PATH, DEFAULT_AUDISP_CONF_PATH, @@ -111,6 +115,21 @@ def _get_implied_properties(existing_properties): if "sshd_runtime_check" not in existing_properties: result["sshd_runtime_check"] = DEFAULT_SSH_RUNTIME_CHECK + if "sshd_main_config_file" not in existing_properties: + result["sshd_main_config_file"] = DEFAULT_SSHD_MAIN_CONFIG_FILE + + if "sshd_config_dir" not in existing_properties: + result["sshd_config_dir"] = DEFAULT_SSHD_CONFIG_DIR + + if "sshd_config_base_dir" not in existing_properties: + result["sshd_config_base_dir"] = os.path.dirname(result["sshd_main_config_file"]) + + if "sshd_hardening_config_basename" not in existing_properties: + result["sshd_hardening_config_basename"] = DEFAULT_SSHD_HARDENING_CONFIG_BASENAME + + if "sshd_sysconfig_file" not in existing_properties: + result["sshd_sysconfig_file"] = DEFAULT_SSHD_SYSCONFIG_FILE + if "product" not in existing_properties: result["product"] = DEFAULT_PRODUCT diff --git a/tests/data/product_stability/alinux2.yml b/tests/data/product_stability/alinux2.yml index 5c49951cfdfc..0722865b0d46 100644 
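Review bot: `result["sshd_config_base_dir"] = os.path.dirname(result["sshd_main_config_file"])` raises KeyError for any product that sets `sshd_main_config_file` in its product.yml without also setting `sshd_config_base_dir`, because the block above only writes `result["sshd_main_config_file"]` when the key is absent from existing_properties; this holds if `result` starts out empty, which the visible code suggests but does not show. Resolve the main config once from existing_properties with the default as fallback and derive the base dir from that, as below. Deriving the base dir from the main config's directory is also only correct when the product keeps its main config in sshd's compiled-in configuration directory, because sshd resolves relative `Include` paths against that directory and not against the file it was started with, so a product that moves the main file needs to set `sshd_config_base_dir` explicitly and a comment should say so. Finally, `DEFAULT_SSHD_SYSCONFIG_FILE = '/etc/sysconfig/sshd'` is inherited unchanged by the debian and ubuntu fixtures in this commit although those families do not ship that file; confirm that rules consuming `sshd_sysconfig_file` are platform-gated or give those products an override.
```python
    # … unchanged: sshd_distributed_config / sshd_runtime_check defaults …
    sshd_main_config_file = existing_properties.get(
        "sshd_main_config_file", DEFAULT_SSHD_MAIN_CONFIG_FILE)
    if "sshd_main_config_file" not in existing_properties:
        result["sshd_main_config_file"] = sshd_main_config_file

    if "sshd_config_dir" not in existing_properties:
        result["sshd_config_dir"] = DEFAULT_SSHD_CONFIG_DIR

    # sshd resolves relative Include paths against its compiled-in config
    # directory; products whose main config lives elsewhere must set
    # sshd_config_base_dir explicitly instead of relying on this derivation.
    if "sshd_config_base_dir" not in existing_properties:
        result["sshd_config_base_dir"] = os.path.dirname(sshd_main_config_file)

    # … unchanged: sshd_hardening_config_basename / sshd_sysconfig_file defaults …
```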
--- a/tests/data/product_stability/alinux2.yml
+++ b/tests/data/product_stability/alinux2.yml
@@ -87,7 +87,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/alinux3.yml b/tests/data/product_stability/alinux3.yml
index 6a3f6906a444..cba2bf2f34e7 100644
--- a/tests/data/product_stability/alinux3.yml
+++ b/tests/data/product_stability/alinux3.yml
@@ -87,7 +87,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/anolis23.yml b/tests/data/product_stability/anolis23.yml
index a75b269f7a1d..f9689aaf8237 100644
--- a/tests/data/product_stability/anolis23.yml
+++ b/tests/data/product_stability/anolis23.yml
@@ -86,7 +86,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/anolis8.yml b/tests/data/product_stability/anolis8.yml
index 3718ddc46c3e..e643aa9311c8 100644
--- a/tests/data/product_stability/anolis8.yml
+++ b/tests/data/product_stability/anolis8.yml
@@ -86,7 +86,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/debian11.yml b/tests/data/product_stability/debian11.yml
index e158e949bf47..e05dfb4aedce 100644
--- a/tests/data/product_stability/debian11.yml
+++ b/tests/data/product_stability/debian11.yml
@@ -96,7 +96,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml
index 4433efbfa427..8306137e9b8a 100644
--- a/tests/data/product_stability/debian12.yml
+++ b/tests/data/product_stability/debian12.yml
@@ -98,7 +98,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml
index f396cebdb375..04738e3a3f61 100644
--- a/tests/data/product_stability/debian13.yml
+++ b/tests/data/product_stability/debian13.yml
@@ -98,7 +98,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/eks.yml b/tests/data/product_stability/eks.yml
index 749fc432b180..6ef528ecaf95 100644
--- a/tests/data/product_stability/eks.yml
+++ b/tests/data/product_stability/eks.yml
@@ -94,7 +94,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/example.yml b/tests/data/product_stability/example.yml
index 14d69b7c198f..53324adda77d 100644
--- a/tests/data/product_stability/example.yml
+++ b/tests/data/product_stability/example.yml
@@ -88,7 +88,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/fedora.yml b/tests/data/product_stability/fedora.yml
index d0885a22d8ad..a88dae3b8f08 100644
--- a/tests/data/product_stability/fedora.yml
+++ b/tests/data/product_stability/fedora.yml
@@ -132,7 +132,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'true'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/firefox.yml b/tests/data/product_stability/firefox.yml
index 23f9456dbaf5..80ae32c4a49f 100644
--- a/tests/data/product_stability/firefox.yml
+++ b/tests/data/product_stability/firefox.yml
@@ -83,7 +83,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/ocp4.yml b/tests/data/product_stability/ocp4.yml
index b0f8c5866d48..a2d25472d7fe 100644
--- a/tests/data/product_stability/ocp4.yml
+++ b/tests/data/product_stability/ocp4.yml
@@ -194,7 +194,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml
index 4d692ffb7ca5..db78aa4b6942 100644
--- a/tests/data/product_stability/ol7.yml
+++ b/tests/data/product_stability/ol7.yml
@@ -98,7 +98,12 @@ reference_uris:
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 42144123FECFC55B9086313D72F97B74EC551F03
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml
index f3ac4181da82..150eeb532ad7 100644
--- a/tests/data/product_stability/ol8.yml
+++ b/tests/data/product_stability/ol8.yml
@@ -67,7 +67,12 @@ reference_uris: {anssi: 'https://cyber.gouv.fr/sites/default/files/document/linu
 stigref: 'https://www.cyber.mil/stigs/srg-stig-tools/'}
 release_key_fingerprint: 76FD3DB13AB67410B89DB10E82562EA9AD986DA3
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'true'
 target_oval_version: [5, 11]
diff --git a/tests/data/product_stability/ol9.yml b/tests/data/product_stability/ol9.yml
index 1bf88e99cfd9..d3422a65d70b 100644
--- a/tests/data/product_stability/ol9.yml
+++ b/tests/data/product_stability/ol9.yml
@@ -70,7 +70,12 @@ reference_uris: {anssi: 'https://cyber.gouv.fr/sites/default/files/document/linu
 stigref: 'https://www.cyber.mil/stigs/srg-stig-tools/'}
 release_key_fingerprint: 3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'true'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'true'
 target_oval_version: [5, 11]
diff --git a/tests/data/product_stability/openembedded.yml b/tests/data/product_stability/openembedded.yml
index 344874dfc136..602e443be6c3 100644
--- a/tests/data/product_stability/openembedded.yml
+++ b/tests/data/product_stability/openembedded.yml
@@ -99,7 +99,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/opensuse.yml b/tests/data/product_stability/opensuse.yml
index 9174e81bd4df..e1ce92ccdae1 100644
--- a/tests/data/product_stability/opensuse.yml
+++ b/tests/data/product_stability/opensuse.yml
@@ -95,7 +95,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/rhcos4.yml b/tests/data/product_stability/rhcos4.yml
index ccb1445bee05..612a90c8ea9e 100644
--- a/tests/data/product_stability/rhcos4.yml
+++ b/tests/data/product_stability/rhcos4.yml
@@ -92,7 +92,12 @@ reference_uris:
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'true'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'true'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/rhel10.yml b/tests/data/product_stability/rhel10.yml
index 1e96007149d5..56f541493d9d 100644
--- a/tests/data/product_stability/rhel10.yml
+++ b/tests/data/product_stability/rhel10.yml
@@ -102,7 +102,12 @@ reference_uris:
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'true'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'true'
 target_oval_version:
diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml
index 519c9ece1ffb..869f366f3c5f 100644
--- a/tests/data/product_stability/rhel8.yml
+++ b/tests/data/product_stability/rhel8.yml
@@ -149,7 +149,12 @@ reference_uris:
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'true'
 target_oval_version:
diff --git a/tests/data/product_stability/rhel9.yml b/tests/data/product_stability/rhel9.yml
index 6e23814da258..acaaf0e4a45e 100644
--- a/tests/data/product_stability/rhel9.yml
+++ b/tests/data/product_stability/rhel9.yml
@@ -106,7 +106,12 @@ reference_uris:
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'true'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'true'
 target_oval_version:
diff --git a/tests/data/product_stability/rhv4.yml b/tests/data/product_stability/rhv4.yml
index 18a495e60dde..4ad5097c8256 100644
--- a/tests/data/product_stability/rhv4.yml
+++ b/tests/data/product_stability/rhv4.yml
@@ -97,7 +97,12 @@ reference_uris:
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/sle12.yml b/tests/data/product_stability/sle12.yml
index fd1c6c58f621..5a49e2cb5449 100644
--- a/tests/data/product_stability/sle12.yml
+++ b/tests/data/product_stability/sle12.yml
@@ -97,7 +97,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'true'
 target_oval_version:
diff --git a/tests/data/product_stability/sle15.yml b/tests/data/product_stability/sle15.yml
index df80c5c692d4..d98d61efdce0 100644
--- a/tests/data/product_stability/sle15.yml
+++ b/tests/data/product_stability/sle15.yml
@@ -103,7 +103,12 @@ reference_uris:
 suse-general: not_publicly_available
 release_key_fingerprint: FEAB502539D846DB2C0961CA70AF9E8139DB7C82
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'false'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'true'
 target_oval_version:
diff --git a/tests/data/product_stability/ubuntu2204.yml b/tests/data/product_stability/ubuntu2204.yml
index 7010b1dae93a..7278eeec5f5a 100644
--- a/tests/data/product_stability/ubuntu2204.yml
+++ b/tests/data/product_stability/ubuntu2204.yml
@@ -106,7 +106,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'true'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version:
diff --git a/tests/data/product_stability/ubuntu2404.yml b/tests/data/product_stability/ubuntu2404.yml
index 9918311b1913..26934d9dbdf0 100644
--- a/tests/data/product_stability/ubuntu2404.yml
+++ b/tests/data/product_stability/ubuntu2404.yml
@@ -107,7 +107,12 @@ reference_uris:
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
+sshd_config_base_dir: /etc/ssh
+sshd_config_dir: /etc/ssh/sshd_config.d
 sshd_distributed_config: 'true'
+sshd_hardening_config_basename: 00-complianceascode-hardening.conf
+sshd_main_config_file: /etc/ssh/sshd_config
+sshd_sysconfig_file: /etc/sysconfig/sshd
 sshd_runtime_check: 'false'
 sysctl_remediate_drop_in_file: 'false'
 target_oval_version: