Parameterize SSH-related file paths via product properties (preserve current defaults)

linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Group Who Owns SSH Server Configuration Files'
 
 description: |-
-    {{{ describe_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
+    {{{ describe_directory_group_owner(directory=sshd_config_dir, group="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -28,19 +28,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_directory_group_owner(directory=sshd_config_dir, group="root") }}}'
 
 ocil: |-
-    {{{ ocil_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
+    {{{ ocil_directory_group_owner(directory=sshd_config_dir, group="root") }}}
 
-fixtext: '{{{ fixtext_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+fixtext: '{{{ fixtext_directory_group_owner(file=sshd_config_dir, group="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+srg_requirement: '{{{ srg_requirement_directory_group_owner(file=sshd_config_dir, group="root") }}}'
 
 template:
     name: file_groupowner
     vars:
-        filepath: '/etc/ssh/sshd_config.d/'
+        filepath: '{{{ sshd_config_dir }}}/'
         gid_or_name: '0'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Owner on SSH Server Configuration Files'
 
 description: |-
-    {{{ describe_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
+    {{{ describe_directory_owner(directory=sshd_config_dir, owner="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -28,19 +28,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
+ocil_clause: '{{{ ocil_clause_directory_owner(directory=sshd_config_dir, owner="root") }}}'
 
 ocil: |-
-    {{{ ocil_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
+    {{{ ocil_directory_owner(directory=sshd_config_dir, owner="root") }}}
 
-fixtext: '{{{ fixtext_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+fixtext: '{{{ fixtext_directory_owner(file=sshd_config_dir, owner="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+srg_requirement: '{{{ srg_requirement_directory_owner(file=sshd_config_dir, owner="root") }}}'
 
 template:
     name: file_owner
     vars:
-        filepath: '/etc/ssh/sshd_config.d/'
+        filepath: '{{{ sshd_config_dir }}}/'
         uid_or_name: '0'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Permissions on SSH Server Config File'
 
 description: |-
-    {{{ describe_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0700") }}}
+    {{{ describe_directory_permissions(directory=sshd_config_dir, perms="0700") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -28,19 +28,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}}'
+ocil_clause: '{{{ ocil_clause_directory_permissions(directory=sshd_config_dir, perms="-rwx------") }}}'
 
 ocil: |-
-    {{{ ocil_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}}
+    {{{ ocil_directory_permissions(directory=sshd_config_dir, perms="-rwx------") }}}
 
-fixtext: '{{{ fixtext_directory_permissions(file="/etc/ssh/sshd_config.d", mode="0700") }}}'
+fixtext: '{{{ fixtext_directory_permissions(file=sshd_config_dir, mode="0700") }}}'
 
-srg_requirement: '{{{ srg_requirement_directory_permission(file="/etc/ssh/sshd_config.d", mode="0700") }}}'
+srg_requirement: '{{{ srg_requirement_directory_permission(file=sshd_config_dir, mode="0700") }}}'
 
 template:
     name: file_permissions
     vars:
-        filepath: /etc/ssh/sshd_config.d/
+        filepath: '{{{ sshd_config_dir }}}/'
         filemode: '0700'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml

@@ -4,7 +4,7 @@ documentation_complete: true
 title: 'Verify Group Who Owns SSH Server config file'
 
 description: |-
-    {{{ describe_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}
+    {{{ describe_file_group_owner(file=sshd_main_config_file, group="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -35,19 +35,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file=sshd_main_config_file, group="root") }}}'
 
 ocil: |-
-    {{{ ocil_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}
+    {{{ ocil_file_group_owner(file=sshd_main_config_file, group="root") }}}
 
-fixtext: '{{{ fixtext_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}'
+fixtext: '{{{ fixtext_file_group_owner(file=sshd_main_config_file, group="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}'
+srg_requirement: '{{{ srg_requirement_file_group_owner(file=sshd_main_config_file, group="root") }}}'
 
 template:
     name: file_groupowner
     vars:
-        filepath: /etc/ssh/sshd_config
+        filepath: '{{{ sshd_main_config_file }}}'
         gid_or_name: '0'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Group Who Owns SSH Server Configuration Files'
 
 description: |-
-    {{{ describe_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
+    {{{ describe_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -28,19 +28,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}'
 
 ocil: |-
-    {{{ ocil_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
+    {{{ ocil_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}
 
-fixtext: '{{{ fixtext_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
+fixtext: '{{{ fixtext_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
+srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}'
 
 template:
     name: file_groupowner
     vars:
-        filepath: '/etc/ssh/sshd_config.d/'
+        filepath: '{{{ sshd_config_dir }}}/'
         file_regex: '^.*$'
         gid_or_name: '0'
 

linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml

@@ -4,7 +4,7 @@ documentation_complete: true
 title: 'Verify Owner on SSH Server config file'
 
 description: |-
-    {{{ describe_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}
+    {{{ describe_file_owner(file=sshd_main_config_file, owner="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -35,19 +35,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_owner(file=sshd_main_config_file, owner="root") }}}'
 
 ocil: |-
-    {{{ ocil_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}
+    {{{ ocil_file_owner(file=sshd_main_config_file, owner="root") }}}
 
-fixtext: '{{{ fixtext_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}'
+fixtext: '{{{ fixtext_file_owner(file=sshd_main_config_file, owner="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}'
+srg_requirement: '{{{ srg_requirement_file_owner(file=sshd_main_config_file, owner="root") }}}'
 
 template:
     name: file_owner
     vars:
-        filepath: /etc/ssh/sshd_config
+        filepath: '{{{ sshd_main_config_file }}}'
         uid_or_name: '0'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Owner on SSH Server Configuration Files'
 
 description: |-
-    {{{ describe_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
+    {{{ describe_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -29,19 +29,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
+ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}'
 
 ocil: |-
-    {{{ ocil_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
+    {{{ ocil_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}
 
-fixtext: '{{{ fixtext_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
+fixtext: '{{{ fixtext_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
+srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}'
 
 template:
     name: file_owner
     vars:
-        filepath: '/etc/ssh/sshd_config.d/'
+        filepath: '{{{ sshd_config_dir }}}/'
         file_regex: '^.*$'
         uid_or_name: '0'
 

linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml

@@ -4,7 +4,7 @@ documentation_complete: true
 title: 'Verify Permissions on SSH Server config file'
 
 description: |-
-    {{{ describe_file_permissions(file="/etc/ssh/sshd_config", perms="0600") }}}
+    {{{ describe_file_permissions(file=sshd_main_config_file, perms="0600") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -36,20 +36,20 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/sshd_config", perms="-rw-------") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file=sshd_main_config_file, perms="-rw-------") }}}'
 
 ocil: |-
-    {{{ ocil_file_permissions(file="/etc/ssh/sshd_config", perms="-rw-------") }}}
+    {{{ ocil_file_permissions(file=sshd_main_config_file, perms="-rw-------") }}}
 
-fixtext: '{{{ fixtext_file_permissions(file="/etc/ssh/sshd_config", mode="0600") }}}'
+fixtext: '{{{ fixtext_file_permissions(file=sshd_main_config_file, mode="0600") }}}'
 
-srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/ssh/sshd_config", mode="0600") }}}'
+srg_requirement: '{{{ srg_requirement_file_permission(file=sshd_main_config_file, mode="0600") }}}'
 
 template:
     name: file_permissions
     vars:
         filepath:
-            - /etc/ssh/sshd_config
+            - '{{{ sshd_main_config_file }}}'
         filemode: '0600'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Permissions on SSH Server Config File'
 
 description: |-
-    {{{ describe_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0600") }}}
+    {{{ describe_files_in_directory_permissions(directory=sshd_config_dir, perms="0600") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -28,19 +28,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}}'
+ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory=sshd_config_dir, perms="-rw-------") }}}'
 
 ocil: |-
-    {{{ ocil_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}}
+    {{{ ocil_files_in_directory_permissions(directory=sshd_config_dir, perms="-rw-------") }}}
 
-fixtext: '{{{ fixtext_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}'
+fixtext: '{{{ fixtext_files_in_directory_permissions(directory=sshd_config_dir, mode="0600") }}}'
 
-srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}'
+srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory=sshd_config_dir, mode="0600") }}}'
 
 template:
     name: file_permissions
     vars:
-        filepath: '/etc/ssh/sshd_config.d/'
+        filepath: '{{{ sshd_config_dir }}}/'
         file_regex: '^.*$'
         filemode: '0600'
 

linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml

@@ -1,9 +1,10 @@
+{{% set sshd_redhat_drop_in_file = sshd_config_dir ~ "/50-redhat.conf" %}}
 documentation_complete: true
 
-title: 'The File /etc/ssh/sshd_config.d/50-redhat.conf Must Exist'
+title: 'The File {{{ sshd_redhat_drop_in_file }}} Must Exist'
 
 description: |-
-    The <tt>/etc/ssh/sshd_config.d/50-redhat.conf</tt> file must exist as it contains important
+    The <tt>{{{ sshd_redhat_drop_in_file }}}</tt> file must exist as it contains important
     settings to secure SSH.
 
 
@@ -29,7 +30,7 @@ warnings:
 template:
     name: 'file_existence'
     vars:
-        filepath: '/etc/ssh/sshd_config.d/50-redhat.conf'
+        filepath: '{{{ sshd_redhat_drop_in_file }}}'
         exists: true
     backends:
         ansible: off

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml

@@ -1,3 +1,9 @@
+{{%- set sshd_main_config = sshd_main_config_file -%}}
+{{%- set sshd_drop_in_dir = sshd_config_dir -%}}
+{{%- set sshd_drop_in_include_regex = (sshd_drop_in_dir | replace(".", "\\.")) ~ "/\\*\\.conf" -%}}
+{{%- set sshd_main_config_regex = sshd_main_config | replace(".", "\\.") -%}}
+{{%- set sshd_drop_in_dir_regex = sshd_drop_in_dir | replace(".", "\\.") -%}}
+{{%- set sshd_config_locations_regex = "^(" ~ sshd_main_config_regex ~ "|" ~ sshd_drop_in_dir_regex ~ "/.*\\.conf)$" -%}}
 <def-group>
     <definition class="compliance" id="{{{ rule_id }}}" version="1">
         {{{ oval_metadata("Ensure SSHD to include the system crypto policy", rule_title=rule_title) }}}
@@ -13,8 +19,8 @@
     </ind:textfilecontent54_test>
 
     <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_include_sshd_drop_in" version="1">
-        <ind:filepath operation="pattern match">/etc/ssh/sshd_config</ind:filepath>
-        <ind:pattern operation="pattern match">^[ \t]*(?i)Include(?-i)[ \t]+/etc/ssh/sshd_config\.d/\*.conf$</ind:pattern>
+        <ind:filepath>{{{ sshd_main_config }}}</ind:filepath>
+        <ind:pattern operation="pattern match">^[ \t]*(?i)Include(?-i)[ \t]+{{{ sshd_drop_in_include_regex }}}$</ind:pattern>
         <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
     </ind:textfilecontent54_object>
 
@@ -25,7 +31,7 @@
     </ind:textfilecontent54_test>
 
     <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_include_sshd_include_system_crypto" version="1">
-        <ind:filepath operation="pattern match">/etc/ssh/(sshd_config|sshd_config\.d/.*\.conf)</ind:filepath>
+        <ind:filepath operation="pattern match">{{{ sshd_config_locations_regex }}}</ind:filepath>
         <ind:pattern operation="pattern match">^[ \t]*(?i)Include(?-i)[ \t]+/etc/crypto-policies/back-ends/opensshserver\.config$</ind:pattern>
         <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
     </ind:textfilecontent54_object>

linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/shared.xml

@@ -1,3 +1,8 @@
+{{%- set sshd_main_config = sshd_main_config_file -%}}
+{{%- set sshd_drop_in_dir = sshd_config_dir -%}}
+{{%- set sshd_main_config_regex = sshd_main_config | replace(".", "\\.") -%}}
+{{%- set sshd_drop_in_dir_regex = sshd_drop_in_dir | replace(".", "\\.") -%}}
+{{%- set sshd_any_config_regex = "^(" ~ sshd_main_config_regex ~ "|" ~ sshd_drop_in_dir_regex ~ "/.*\\.conf)$" -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("One of the following parameters of the sshd configuration file is set:  AllowUsers, DenyUsers, AllowGroups, DenyGroups.", rule_title=rule_title) }}}
@@ -27,22 +32,22 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_allow_user" version="1">
-    <ind:filepath operation="pattern match">^\/etc\/ssh\/sshd_config.*$</ind:filepath>
+    <ind:filepath operation="pattern match">{{{ sshd_any_config_regex }}}</ind:filepath>
     <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*AllowUsers[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
   <ind:textfilecontent54_object id="obj_allow_group" version="1">
-    <ind:filepath operation="pattern match">^/etc/ssh/sshd_config.*$</ind:filepath>
+    <ind:filepath operation="pattern match">{{{ sshd_any_config_regex }}}</ind:filepath>
     <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*AllowGroups[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
   <ind:textfilecontent54_object id="obj_deny_user" version="1">
-    <ind:filepath operation="pattern match">^/etc/ssh/sshd_config.*$</ind:filepath>
+    <ind:filepath operation="pattern match">{{{ sshd_any_config_regex }}}</ind:filepath>
     <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*DenyUsers[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
   <ind:textfilecontent54_object id="obj_deny_group" version="1">
-    <ind:filepath operation="pattern match">^/etc/ssh/sshd_config.*$</ind:filepath>
+    <ind:filepath operation="pattern match">{{{ sshd_any_config_regex }}}</ind:filepath>
     <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*DenyGroups[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>