From 0d3f9e328fa016bad1ca6c2715e4954af86666ad Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 9 Aug 2024 16:32:50 +0200 Subject: [PATCH 1/9] convert rule sshd_allow_only_protocol2 to template --- .../ansible/shared.yml | 6 ---- .../sshd_allow_only_protocol2/bash/shared.sh | 4 --- .../sshd_allow_only_protocol2/oval/shared.xml | 34 ------------------- .../sshd_allow_only_protocol2/rule.yml | 7 ++++ 4 files changed, 7 insertions(+), 44 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml deleted file mode 100644 index 39102e5d788..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml +++ /dev/null @@ -1,6 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low -{{{ ansible_sshd_set(parameter="Protocol", value="2") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh deleted file mode 100644 index ba59876210c..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh +++ /dev/null @@ -1,4 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv - - -{{{ bash_replace_or_append('/etc/ssh/sshd_config', '^Protocol', '2', '%s %s') }}} 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml deleted file mode 100644 index c1185817181..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml +++ /dev/null @@ -1,34 +0,0 @@ - - - {{{ oval_metadata("The OpenSSH daemon should be running protocol 2.") }}} - - - - - - - - - - - - - - - - - - - - /etc/ssh/sshd_config - ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$ - 1 - - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml index 6127a683b26..b7b90f0a237 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml @@ -60,3 +60,10 @@ warnings: As of openssh-server version 7.4 and above, the only protocol supported is version 2, and line
Protocol 2
in /etc/ssh/sshd_config is not necessary. + +template: + name: sshd_lineinfile + vars: + parameter: Protocol + value: "2" + datatype: int From fafe78fa8680f0ff3a1db220aaf912931d55f29a Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 9 Aug 2024 16:38:42 +0200 Subject: [PATCH 2/9] convert sshd_disable_compression to templated rule --- .../ansible/shared.yml | 8 ---- .../sshd_disable_compression/bash/shared.sh | 4 -- .../sshd_disable_compression/oval/shared.xml | 42 ------------------- .../sshd_disable_compression/rule.yml | 8 ++++ .../tests/comment.fail.sh | 10 ----- .../tests/correct_value.pass.sh | 7 ---- .../tests/line_not_there.fail.sh | 6 --- .../tests/param_conflict.fail.sh | 13 ------ .../tests/param_conflict_directory.fail.sh | 15 ------- 9 files changed, 8 insertions(+), 105 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/comment.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/correct_value.pass.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/line_not_there.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml deleted file mode 100644 index f8d422c6c4c..00000000000 
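Review bot: With `datatype: int` and `value: "2"` the only generated negative scenario is the value-plus-one case from template.py's else branch (`str(int(data["value"]) + 1)`, visible in the later template.py hunk), i.e. `Protocol 3`, which is not a setting sshd ever honours; the misconfiguration the deleted OVAL regex `^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$` was written to reject is `Protocol 2,1` or `1,2`, where protocol 1 stays enabled. Keep a rule-local fail scenario that writes `Protocol 2,1` so the templated check is shown to reject it. The deleted bash and ansible remediations were also limited by their `# platform` headers to RHEL/OL/RHV (plus Fedora for ansible), whereas the template presumably emits remediations for every platform the rule applies to; confirm that is intended, given the warning kept as context in this hunk says the line is unnecessary on openssh-server 7.4 and above.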
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml +++ /dev/null @@ -1,8 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low -- (xccdf-var var_sshd_disable_compression) - -{{{ ansible_sshd_set(parameter="Compression", value="{{ var_sshd_disable_compression }}") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh deleted file mode 100644 index c7212d5b859..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh +++ /dev/null @@ -1,4 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle - -{{{ bash_instantiate_variables("var_sshd_disable_compression") }}} -{{{ bash_sshd_remediation("Compression", "$var_sshd_disable_compression") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml deleted file mode 100644 index abcf3a5e1d6..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml +++ /dev/null @@ -1,42 +0,0 @@ - - - {{{ oval_metadata("SSH should either have compression disabled or set to delayed.") }}} - - - - {{% if product in ['sle12'] %}} - - {{% else %}} - - {{% endif %}} - - - - {{% if product in ['sle12'] %}} - - {{% else %}} - - {{% endif %}} - - - - - - {{{ oval_line_in_file_test(path='/etc/ssh/sshd_config', parameter='Compression') }}} - {{{ oval_line_in_file_object(path_or_filepath='/etc/ssh/sshd_config', prefix_regex="^[ \\t]*(?i)", parameter='Compression', separator_regex='(?-i)[ \\t]+') }}} - - - - - - - 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml index 2b4df7841ed..566e847cb03 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml @@ -57,3 +57,11 @@ platform: package[openssh]<7.4 fixtext: '{{{ fixtext_sshd_lineinfile("Compression", xccdf_value("var_sshd_disable_compression"), no) }}}' srg_requirement: 'The {{{ full_name }}} SSH daemon must not allow compression or must only allow compression after successful authentication.' + +template: + name: sshd_lineinfile + vars: + parameter: Compression + xccdf_variable: var_sshd_disable_compression + datatype: string + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/comment.fail.sh deleted file mode 100644 index e3b5b920674..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/comment.fail.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -mkdir -p /etc/ssh/sshd_config.d -touch /etc/ssh/sshd_config.d/nothing - -if grep -q "^\s*Compression" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "s/^Compression.*/# Compression no/g" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* - else - echo "# Compression no" >> /etc/ssh/sshd_config -fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/correct_value.pass.sh deleted file mode 100644 index b442c0ac9f4..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/correct_value.pass.sh +++ /dev/null 
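Review bot: The templated check compares the Compression line with the single selected value of `var_sshd_disable_compression` (`datatype: string`), while the deleted OVAL's metadata said the rule passes when compression is "either disabled or set to delayed"; if that OVAL really accepted both values, a host with the stricter `Compression no` will now fail whenever the variable selects `delayed`, which deserves either a scenario proving the template handles it or a sentence in the rule description. The deleted tests/param_conflict.fail.sh and param_conflict_directory.fail.sh covered a conflicting value in /etc/ssh/sshd_config.d; they are presumably replaced by template-generated scenarios, but template.py only shows test-value selection for `datatype == "int"`, so confirm equivalents exist for a string-typed XCCDF variable. This hunk also appends a blank line at end of file (the bare `+` after `datatype: string`), as does the sshd_disable_rhosts_rsa rule.yml hunk, while the sshd_allow_only_protocol2 hunk does not; drop it for consistency.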
@@ -1,7 +0,0 @@ -#!/bin/bash - -if grep -q "^Compression" /etc/ssh/sshd_config; then - sed -i "s/^Compression.*/Compression no/" /etc/ssh/sshd_config -else - echo "Compression no" >> /etc/ssh/sshd_config -fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/line_not_there.fail.sh deleted file mode 100644 index df40c0e037e..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/line_not_there.fail.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash - -mkdir -p /etc/ssh/sshd_config.d -touch /etc/ssh/sshd_config.d/nothing - -sed -i "/^\s*Compression.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh deleted file mode 100644 index a631b3207bd..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict.fail.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash - -SSHD_PARAM="Compression" - -mkdir -p /etc/ssh/sshd_config.d -touch /etc/ssh/sshd_config.d/nothing - -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -fi - -echo "${SSHD_PARAM} no" >> /etc/ssh/sshd_config -echo "${SSHD_PARAM} yes" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh deleted file mode 100644 index f1c15c139c7..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/param_conflict_directory.fail.sh +++ /dev/null 
@@ -1,15 +0,0 @@ -#!/bin/bash - -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 - -SSHD_PARAM="Compression" - -mkdir -p /etc/ssh/sshd_config.d -touch /etc/ssh/sshd_config.d/nothing - -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -fi - -echo "${SSHD_PARAM} no" > /etc/ssh/sshd_config.d/good_config.conf -echo "${SSHD_PARAM} yes" > /etc/ssh/sshd_config.d/bad_config.conf From 52c99fb4d98d4d067c0bdb4f5d17a24a589467a0 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 9 Aug 2024 16:42:42 +0200 Subject: [PATCH 3/9] convert sshd_disable_rhosts_rsa to templated rule --- .../ansible/shared.yml | 6 --- .../sshd_disable_rhosts_rsa/bash/shared.sh | 4 -- .../sshd_disable_rhosts_rsa/oval/shared.xml | 47 ------------------- .../sshd_disable_rhosts_rsa/rule.yml | 8 ++++ 4 files changed, 8 insertions(+), 57 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/ansible/shared.yml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/ansible/shared.yml deleted file mode 100644 index 228a1166a3e..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/ansible/shared.yml +++ /dev/null @@ -1,6 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low -{{{ ansible_sshd_set(parameter="RhostsRSAAuthentication", value="no") }}} 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh deleted file mode 100644 index 5a1ec5cf732..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/bash/shared.sh +++ /dev/null @@ -1,4 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv - - -{{{ bash_replace_or_append('/etc/ssh/sshd_config', '^RhostsRSAAuthentication', 'no', '%s %s') }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml deleted file mode 100644 index 06da51811c7..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml +++ /dev/null @@ -1,47 +0,0 @@ - - - {{{ oval_metadata("SSH can allow authentication through the obsolete rsh command - through the use of the authenticating user's SSH keys. This should be disabled.") }}} - - - - {{% if product in ['opensuse', 'sle12', 'sle15'] %}} - - {{% else %}} - - {{% endif %}} - - - - {{% if product in ['opensuse', 'sle12', 'sle15'] %}} - - {{% else %}} - - {{% endif %}} - - - - - - - - - - - - /etc/ssh/sshd_config - ^[\s]*(?i)RhostsRSAAuthentication(?-i)[\s]+no[\s]*(?:#.*)?$ - 1 - - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml index b1c9a5574d8..15475c0db0a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml @@ -53,3 +53,11 @@ warnings: the RhostsRSAAuthentication option has been deprecated, and the line
RhostsRSAAuthentication no
in /etc/ssh/sshd_config is not necessary.
+
+template:
+ name: sshd_lineinfile
+ vars:
+ parameter: RhostsRSAAuthentication
+ value: "no"
+ datatype: string
+
From 9f90dec5d85952ff10152a0f7dca3cad142b1359 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 13 Aug 2024 11:21:58 +0200
Subject: [PATCH 4/9] modify correct and incorrect value in test scenarios
There is set of rules which checks that the value is between 0 and the XCCDF variable. Set the wrong value higher than the correct one.
---
 shared/templates/sshd_lineinfile/template.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/templates/sshd_lineinfile/template.py b/shared/templates/sshd_lineinfile/template.py
index f553c9444a4..5d717efd8c0 100644
--- a/shared/templates/sshd_lineinfile/template.py
+++ b/shared/templates/sshd_lineinfile/template.py
@@ -5,8 +5,8 @@ def set_variables_for_test_scenarios(data):
 if data["datatype"] == "int":
 if not data.get("value"):
 # this implies XCCDF variable is used
- data["wrong_value"] = 123456
- data["correct_value"] = 0
+ data["wrong_value"] = 321
+ data["correct_value"] = 123
 else:
 data["wrong_value"] = str(int(data["value"]) + 1)
 data["correct_value"] = str(data["value"])
From 7ccc03fa5e320f5af228a1e769df3a399b7dc0c3 Mon Sep 17 00:00:00 2001
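Review bot: The new assignments store `wrong_value`/`correct_value` as ints (`321`, `123`) while the else branch two lines below stores both as strings via `str(...)`; make the branches agree, `data["wrong_value"] = "321"` and `data["correct_value"] = "123"`, so every consumer of these keys sees one type. The constants also encode an assumption the commit message states only indirectly: for rules that check "between 0 and the XCCDF variable", 123 is a passing value only when the selected variable is at least 123, yet the too_high.fail.sh added for sshd_set_max_sessions later in this series treats 61 as already too high, which suggests at least one variable selects well below that. If the template-generated scenarios still run for rules that set `backends: oval: "off"`, their correct_value scenario would fail on such a variable; a comment such as `# correct_value must not exceed any selected value of the XCCDF variable; wrong_value must exceed all of them` would at least make the coupling visible. set_variables_for_test_scenarios starts before this hunk.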
From: Vojtech Polasek Date: Tue, 13 Aug 2024 11:31:02 +0200 Subject: [PATCH 5/9] partially convert sshd_set_login_grace_timeout to templated rule The OVAL is kept for now with modification to support distributed sshd configuration. --- .../ansible/shared.yml | 8 ---- .../sshd_set_login_grace_time/bash/shared.sh | 9 ---- .../sshd_set_login_grace_time/oval/shared.xml | 41 ++++++++++++++++++- .../sshd_set_login_grace_time/rule.yml | 9 ++++ .../tests/correct_value.pass.sh | 11 ----- 5 files changed, 48 insertions(+), 30 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/ansible/shared.yml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/bash/shared.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value.pass.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/ansible/shared.yml deleted file mode 100644 index 1e2d817759b..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/ansible/shared.yml +++ /dev/null @@ -1,8 +0,0 @@ -# platform = multi_platform_all -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low -- (xccdf-var var_sshd_set_login_grace_time) - -{{{ ansible_sshd_set(parameter="LoginGraceTime", value="{{ var_sshd_set_login_grace_time }}") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/bash/shared.sh deleted file mode 100644 index 9316d8625c7..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/bash/shared.sh +++ /dev/null 
@@ -1,9 +0,0 @@ -# platform = multi_platform_all -# reboot = false -# strategy = configure -# complexity = low -# disruption = low - -{{{ bash_instantiate_variables("var_sshd_set_login_grace_time") }}} - -{{{ bash_sshd_config_set(parameter="LoginGraceTime", value="$var_sshd_set_login_grace_time") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml index d25444628df..5f61de7b3da 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/shared.xml @@ -27,11 +27,16 @@ {{% endif %}} + {{% if sshd_distributed_config == "true" %}} + + {{% endif %}} + - @@ -41,7 +46,39 @@ /etc/ssh/sshd_config ^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$ - 1 + 1 + + +{{% if sshd_distributed_config == "true" %}} + + + + + + + + /etc/ssh/sshd_config.d + .*\.conf$ + ^[ \t]*(?i)LoginGraceTime(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + +{{% endif %}} + + + + + + + + object_sshd_login_grace_time + {{% if sshd_distributed_config == "true" %}} + obj_sshd_set_login_grace_time_config_dir + {{% endif %}} + LoginGraceTime {{{ xccdf_value("var_sshd_set_login_grace_time") }}} If the option is set to a number greater than 0, then the unauthenticated session will be disconnected after the configured number seconds. + +template: + name: sshd_lineinfile + vars: + parameter: LoginGraceTime + xccdf_variable: var_sshd_set_login_grace_time + datatype: int + backends: + oval: "off" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value.pass.sh deleted file mode 100644 index 1c679fafdd3..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value.pass.sh +++ /dev/null 
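Review bot: The new /etc/ssh/sshd_config.d object captures the value with `(.+?)` while the /etc/ssh/sshd_config object kept in the same hunk uses `(\d+)`; both objects feed the one variable that is compared against var_sshd_set_login_grace_time, so a drop-in line such as `LoginGraceTime 2m` (sshd accepts time-format values here) would capture `2m` and most likely produce an error result rather than a clean fail, whereas the main-file pattern would simply not match it. Use the same capture in the drop-in pattern, `^[ \t]*(?i)LoginGraceTime(?-i)[ \t]+(\d+)[ \t]*(?:$|#)`, so both sources are parsed identically. The same mismatch appears in the sshd_set_max_auth_tries and sshd_set_max_sessions OVAL hunks of this series. The two object ids also mix prefixes (`object_sshd_login_grace_time` versus `obj_sshd_set_login_grace_time_config_dir`). In this rendering the tail of the OVAL hunk is fused with the start of the rule.yml hunk, so the closing elements are not visible.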
@@ -1,11 +0,0 @@ -#!/bin/bash -# profiles = xccdf_org.ssgproject.content_profile_cis -# platform = multi_platform_all - -SSHD_CONFIG="/etc/ssh/sshd_config" - -if grep -q "^LoginGraceTime" $SSHD_CONFIG; then - sed -i "s/^LoginGraceTime.*/LoginGraceTime 60/" $SSHD_CONFIG - else - echo "LoginGraceTime 60" >> $SSHD_CONFIG -fi From 64758a05bebf7599939fcc03589cbf8b218ae62f Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 13 Aug 2024 14:45:14 +0200 Subject: [PATCH 6/9] partially convert sshd_set_max_auth_tries to templated rule The OVAL is kept not templated because the rule has a special check which checks that the value is less than or equal the variable and greater than zero. --- .../ansible/shared.yml | 8 --- .../sshd_set_max_auth_tries/bash/shared.sh | 5 -- .../sshd_set_max_auth_tries/oval/shared.xml | 72 +++++++++++++++---- .../sshd_set_max_auth_tries/rule.yml | 9 +++ .../tests/comment.fail.sh | 8 --- .../tests/correct_value.pass.sh | 8 --- .../tests/line_not_there.fail.sh | 3 - .../tests/wrong_value.fail.sh | 8 --- 8 files changed, 69 insertions(+), 52 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml deleted file mode 100644 index a7a2ed3d6f8..00000000000 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml +++ /dev/null @@ -1,8 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low -{{{ ansible_instantiate_variables("sshd_max_auth_tries_value") }}} - -{{{ ansible_sshd_set(parameter="MaxAuthTries", value="{{ sshd_max_auth_tries_value }}") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh deleted file mode 100644 index 2920273f9b8..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh +++ /dev/null @@ -1,5 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu - -{{{ bash_instantiate_variables("sshd_max_auth_tries_value") }}} - -{{{ bash_sshd_config_set(parameter="MaxAuthTries", value="$sshd_max_auth_tries_value") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml index d2b3c11f56e..3e03ec87ffc 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml 
@@ -1,27 +1,43 @@ - + {{{ oval_metadata("The SSH MaxAuthTries should be set to an appropriate value.") }}} - + + definition_ref="sshd_not_required_or_unset" /> + {{% if product in ['opensuse', 'sle12', 'sle15'] %}} + + {{% else %}} + definition_ref="package_openssh-server_removed" /> + {{% endif %}} + definition_ref="sshd_required_or_unset" /> + {{% if product in ['opensuse', 'sle12', 'sle15'] %}} + + {{% else %}} + definition_ref="package_openssh-server_installed" /> + {{% endif %}} + {{% if sshd_distributed_config == "true" %}} + + {{% endif %}} + - + @@ -30,21 +46,53 @@ /etc/ssh/sshd_config ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$ - 1 + 1 - + + + + + + + /etc/ssh/sshd_config.d + .*\.conf$ + ^[ \t]*(?i)MaxAuthTries(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + +{{% endif %}} + + + + + + + + object_sshd_max_auth_tries + {{% if sshd_distributed_config == "true" %}} + obj_sshd_set_max_auth_tries_config_dir + {{% endif %}} + + + + - 0 - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml index e51ba5fe894..59395a6575f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml @@ -36,3 +36,12 @@ ocil: |-
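Review bot: The added sshd_config.d object block ends with `{{% endif %}}` but, unlike the matching blocks in the sshd_set_login_grace_time and sshd_set_max_sessions OVAL hunks, no `{{% if sshd_distributed_config == "true" %}}` opener is visible before the `/etc/ssh/sshd_config.d` object here; the jinja tags survive this rendering elsewhere, so this looks like a real omission rather than an extraction artifact, and an unmatched endif would break the template build. If it is indeed missing, add `{{% if sshd_distributed_config == "true" %}}` immediately before the drop-in object, as the other two rules do. The same `(.+?)` capture concern raised on the login_grace_time hunk applies to the MaxAuthTries drop-in pattern as well.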
$ sudo grep MaxAuthTries /etc/ssh/sshd_config
If properly configured, output should be:
MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}
+ +template: + name: sshd_lineinfile + vars: + parameter: MaxAuthTries + xccdf_variable: sshd_max_auth_tries_value + datatype: int + backends: + oval: "off" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh deleted file mode 100644 index caf18a73c61..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/comment.fail.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -SSHD_CONFIG="/etc/ssh/sshd_config" - -if grep -q "^MaxAuthTries" $SSHD_CONFIG; then - sed -i "s/^MaxAuthTries.*/# MaxAuthTries 4/" $SSHD_CONFIG -else - echo "# MaxAuthTries 4" >> $SSHD_CONFIG -fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh deleted file mode 100644 index 32233d3a825..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value.pass.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -SSHD_CONFIG="/etc/ssh/sshd_config" - -if grep -q "^MaxAuthTries" $SSHD_CONFIG; then - sed -i "s/^MaxAuthTries.*/MaxAuthTries 4/" $SSHD_CONFIG -else - echo "MaxAuthTries 4" >> $SSHD_CONFIG -fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh deleted file mode 100644 index f038aa9be00..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/line_not_there.fail.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash - -sed -i "/^MaxAuthTries.*/d" /etc/ssh/sshd_config 
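Review bot: The ocil text kept as context above the new template block (`$ sudo grep MaxAuthTries /etc/ssh/sshd_config`) inspects only the main file, while the OVAL hunk in this same commit now also evaluates /etc/ssh/sshd_config.d/*.conf when sshd_distributed_config is true, so a manual assessor following the OCIL and the automated check can disagree on a host that sets the value in a drop-in. Unless the template regenerates `ocil` for a rule that keeps its own OVAL (not visible here), extend the check to the drop-in directory, e.g. `$ sudo grep -r MaxAuthTries /etc/ssh/sshd_config /etc/ssh/sshd_config.d`. The sshd_set_login_grace_time and sshd_set_max_sessions rule.yml hunks in this series have the same gap.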
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh deleted file mode 100644 index 79940bded32..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value.fail.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -SSHD_CONFIG="/etc/ssh/sshd_config" - -if grep -q "^MaxAuthTries" $SSHD_CONFIG; then - sed -i "s/^MaxAuthTries.*/MaxAuthTries 50/" $SSHD_CONFIG -else - echo "MaxAuthTries 50" >> $SSHD_CONFIG -fi From f5930c3d7bea76c1d8e967bc5a9c674cc9fbe09e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 13 Aug 2024 15:41:08 +0200 Subject: [PATCH 7/9] partially convert sshd_set_max_sessions to templated rule OVAL is kept because it has a special condition which is not handled by the template. --- .../sshd_set_max_sessions/ansible/shared.yml | 8 ---- .../sshd_set_max_sessions/bash/shared.sh | 9 ---- .../sshd_set_max_sessions/oval/shared.xml | 45 +++++++++++++++++-- .../ssh_server/sshd_set_max_sessions/rule.yml | 9 ++++ ...rect_value.pass.sh => lower_bound.pass.sh} | 8 ++-- .../tests/too_high.fail.sh | 11 +++++ .../tests/wrong_value.fail.sh | 10 ----- 7 files changed, 65 insertions(+), 35 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh rename linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/{correct_value.pass.sh => lower_bound.pass.sh} (52%) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/too_high.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml deleted file mode 100644 index 3f8b6f6013f..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml +++ /dev/null @@ -1,8 +0,0 @@ -# platform = multi_platform_all -# reboot = false -# strategy = configure -# complexity = low -# disruption = low -{{{ ansible_instantiate_variables("var_sshd_max_sessions") }}} - -{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions }}") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh deleted file mode 100644 index 808977f8daa..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh +++ /dev/null @@ -1,9 +0,0 @@ -# platform = multi_platform_all -# reboot = false -# strategy = configure -# complexity = low -# disruption = low - -{{{ bash_instantiate_variables("var_sshd_max_sessions") }}} - -{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml index ac5e4785102..15eecca7bc7 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml @@ -1,5 +1,5 @@ - + {{{ oval_metadata("The SSH number of max sessions should be set to an appropriate value.") }}} + {{% if sshd_distributed_config == "true" %}} + + {{% endif %}} + - + 
@@ -41,7 +46,39 @@ /etc/ssh/sshd_config ^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$ - 1 + 1 + + +{{% if sshd_distributed_config == "true" %}} + + + + + + + + /etc/ssh/sshd_config.d + .*\.conf$ + ^[ \t]*(?i)MaxSessions(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + +{{% endif %}} + + + + + + + + object_sshd_max_sessions + {{% if sshd_distributed_config == "true" %}} + obj_sshd_set_max_sessions_config_dir + {{% endif %}} + $ sudo grep MaxSessions /etc/ssh/sshd_config If properly configured, the output should be:
MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}
+ +template: + name: sshd_lineinfile + vars: + parameter: MaxSessions + xccdf_variable: var_sshd_max_sessions + datatype: int + backends: + oval: "off" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/lower_bound.pass.sh similarity index 52% rename from linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh rename to linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/lower_bound.pass.sh index 4cc6d659888..3aef4b5886d 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/lower_bound.pass.sh @@ -1,11 +1,11 @@ +#!/bin/bash # profiles = xccdf_org.ssgproject.content_profile_cis -# platform = Red Hat Enterprise Linux 8 +# platform = multi_platform_all -#!/bin/bash SSHD_CONFIG="/etc/ssh/sshd_config" if grep -q "^MaxSessions" $SSHD_CONFIG; then - sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG + sed -i "s/^MaxSessions.*/MaxSessions 0/" $SSHD_CONFIG else - echo "MaxSessions 4" >> $SSHD_CONFIG + echo "MaxSessions 0" >> $SSHD_CONFIG fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/too_high.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/too_high.fail.sh new file mode 100644 index 00000000000..db46a202630 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/too_high.fail.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_cis +# platform = multi_platform_all + +SSHD_CONFIG="/etc/ssh/sshd_config" + +if grep -q "^MaxSessions" $SSHD_CONFIG; then + sed -i "s/^MaxSessions.*/MaxSessions 61/" $SSHD_CONFIG + else + echo "MaxSessions 61" >> $SSHD_CONFIG +fi 
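Review bot: lower_bound.pass.sh widens `# platform` from Red Hat Enterprise Linux 8 to multi_platform_all and too_high.fail.sh is created with the same platform, yet both scenarios only edit /etc/ssh/sshd_config; on products where the OVAL hunk above now reads /etc/ssh/sshd_config.d/*.conf, a MaxSessions line already present in a drop-in is left in place and decides the outcome instead of the value the scenario writes. The deleted sshd_disable_compression scenarios earlier in this series handled this by creating the directory and removing the keyword from every drop-in first; do the same in both scripts, as sketched below for too_high.fail.sh. While here, quote the expansions (`"$SSHD_CONFIG"`) and un-indent the `else` so it aligns with `if`/`fi`.
```shell
SSHD_CONFIG="/etc/ssh/sshd_config"

# Clear MaxSessions from drop-in files so only the value written below is effective
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/nothing
sed -i "/^\s*MaxSessions.*/Id" /etc/ssh/sshd_config.d/*

# … unchanged: grep/sed/echo of "MaxSessions 61" into "$SSHD_CONFIG" …
```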
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh deleted file mode 100644 index fcdb800c2bb..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh +++ /dev/null @@ -1,10 +0,0 @@ -# platform = multi_platform_rhel, multi_platform_fedora - -#!/bin/bash -SSHD_CONFIG="/etc/ssh/sshd_config" - -if grep -q "^MaxSessions" $SSHD_CONFIG; then - sed -i "s/^MaxSessions.*/MaxSessions 100/" $SSHD_CONFIG - else - echo "MaxSessions 100" >> $SSHD_CONFIG -fi From 24fbff33b22c57328d1cd354e97526a9e9035e26 Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Tue, 13 Aug 2024 17:34:53 +0200 Subject: [PATCH 8/9] convert sshd_use_priv_separation to templated rule --- .../ansible/shared.yml | 8 ----- .../sshd_use_priv_separation/bash/shared.sh | 9 ------ .../sshd_use_priv_separation/oval/shared.xml | 30 ------------------- .../sshd_use_priv_separation/rule.yml | 7 +++++ .../tests/comment.fail.sh | 10 ------- .../tests/correct_value.pass.sh | 9 ------ .../tests/line_not_there.fail.sh | 5 ---- .../tests/nothing.fail.sh | 5 ---- .../tests/wrong_value_no.fail.sh | 9 ------ .../tests/wrong_value_yes.fail.sh | 9 ------ 10 files changed, 7 insertions(+), 94 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/ansible/shared.yml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/oval/shared.xml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/comment.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/correct_value.pass.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/line_not_there.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/nothing.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/wrong_value_no.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/wrong_value_yes.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/ansible/shared.yml deleted file mode 100644 index daee33f8c8d..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/ansible/shared.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -# platform = multi_platform_all -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low -- (xccdf-var var_sshd_priv_separation) - -{{{ ansible_sshd_set(parameter="UsePrivilegeSeparation", value="{{ var_sshd_priv_separation }}") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh deleted file mode 100644 index 02b9e04a01b..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh +++ /dev/null @@ -1,9 +0,0 @@ -# platform = multi_platform_all -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low - -{{{ bash_instantiate_variables("var_sshd_priv_separation") }}} - -{{{ bash_sshd_config_set(parameter="UsePrivilegeSeparation", value="$var_sshd_priv_separation") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/oval/shared.xml deleted file mode 100644 index 6c9c7b1d17a..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/oval/shared.xml +++ /dev/null @@ -1,30 +0,0 @@ - - - {{{ oval_metadata("Ensure 'UsePrivilegeSeparation' is configured with value 'sandbox' in '/etc/ssh/sshd_config'") }}} - - - - {{% if product in ['opensuse', 'sle12', 'sle15'] %}} - - {{% else %}} - - {{% endif %}} - - - - - - {{{ oval_line_in_file_test(path='/etc/ssh/sshd_config', parameter='UsePrivilegeSeparation') }}} - {{{ oval_line_in_file_object(path_or_filepath='/etc/ssh/sshd_config', prefix_regex="^[ \\t]*(?i)", parameter='UsePrivilegeSeparation', separator_regex='(?-i)[ \\t]+') }}} - - - - - - - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml index a2a93d392ef..8f93519b179 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
@@ -46,3 +46,10 @@ ocil: |-
 following command:
$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config
If configured properly, output should be {{{ xccdf_value("var_sshd_priv_separation") }}}.
+
+template:
+ name: sshd_lineinfile
+ vars:
+ parameter: UsePrivilegeSeparation
+ xccdf_variable: var_sshd_priv_separation
+ datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/comment.fail.sh
deleted file mode 100644
index 5b04e822279..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/comment.fail.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-#
-# variables = var_sshd_priv_separation=sandbox
-
-if grep -q "^UsePrivilegeSeparation" /etc/ssh/sshd_config; then
- sed -i "s/^UsePrivilegeSeparation.*/# UsePrivilegeSeparation sandbox/" /etc/ssh/sshd_config
-else
- echo "# UsePrivilegeSeparation sandbox" >> /etc/ssh/sshd_config
-fi
-
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/correct_value.pass.sh
deleted file mode 100644
index 009bcae78d1..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/correct_value.pass.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-#
-# variables = var_sshd_priv_separation=sandbox
-
-if grep -q "^UsePrivilegeSeparation" /etc/ssh/sshd_config; then
- sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation sandbox/" /etc/ssh/sshd_config
-else
- echo "UsePrivilegeSeparation sandbox" >> /etc/ssh/sshd_config
-fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/line_not_there.fail.sh
deleted file mode 100644
index 41491c591d7..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/line_not_there.fail.sh
+++ /dev/null
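Review bot: The new `template:` block instantiates `sshd_lineinfile` with `datatype: string`, but the OVAL it replaces (the deleted oval/shared.xml in this commit) carried a product-conditional branch, `{{% if product in ['opensuse', 'sle12', 'sle15'] %}}`, and nothing in rule.yml records whether that per-product distinction still matters; the branch bodies are not readable in this rendering, so the conversion may well be equivalent, but the rule should say so. A one-line comment above `template:`, such as `# sshd_lineinfile supersedes the former handwritten OVAL, which had an opensuse/sle12/sle15-specific branch`, would stop the next reader from hunting for a lost product variant. The deleted scenarios all ran with `var_sshd_priv_separation=sandbox`, so confirm that the template's generated scenarios exercise the configured variable value and the commented-out-directive case rather than a default.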
@@ -1,5 +0,0 @@
-#!/bin/bash
-#
-# variables = var_sshd_priv_separation=sandbox
-
-sed -i "/^UsePrivilegeSeparation.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/nothing.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/nothing.fail.sh
deleted file mode 100644
index cfd7abb3e71..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/nothing.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-#
-# variables = var_sshd_priv_separation=sandbox
-
-true
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/wrong_value_no.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/wrong_value_no.fail.sh
deleted file mode 100644
index 3e0c6adb31f..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/wrong_value_no.fail.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-#
-# variables = var_sshd_priv_separation=sandbox
-
-if grep -q "^UsePrivilegeSeparation" /etc/ssh/sshd_config; then
- sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation no/" /etc/ssh/sshd_config
-else
- echo "UsePrivilegeSeparation no" >> /etc/ssh/sshd_config
-fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/wrong_value_yes.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/wrong_value_yes.fail.sh
deleted file mode 100644
index c9e982fc2c1..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/tests/wrong_value_yes.fail.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-#
-# variables = var_sshd_priv_separation=sandbox
-
-if grep -q "^UsePrivilegeSeparation" /etc/ssh/sshd_config; then
- sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation yes/" /etc/ssh/sshd_config
-else
- echo "UsePrivilegeSeparation yes" >> /etc/ssh/sshd_config
-fi
From 7fc1dd668b4f06edee022e27ee278d344862bdb0 Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Wed, 14 Aug 2024 11:30:17 +0200 Subject: [PATCH 9/9] convert sshd_set_idle_timeout partially to templated rule The OVAL is kept because there is a special condition where ClientAliveInterval is expected to be 0. --- .../sshd_set_idle_timeout/ansible/shared.yml | 8 ------ .../sshd_set_idle_timeout/bash/shared.sh | 5 ---- .../sshd_set_idle_timeout/oval/shared.xml | 25 ++++++++++++++++--- .../ssh_server/sshd_set_idle_timeout/rule.yml | 10 ++++++++ .../tests/comment.fail.sh | 12 --------- .../tests/correct_value.pass.sh | 7 ------ .../tests/correct_value_directory.pass.sh | 18 ------------- .../tests/line_not_there.fail.sh | 7 ------ .../tests/param_conflict.fail.sh | 15 ----------- .../tests/param_conflict_directory.fail.sh | 22 ---------------- .../tests/wrong_value.fail.sh | 8 ------ .../tests/wrong_value_directory.fail.sh | 18 ------------- 12 files changed, 31 insertions(+), 124 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/comment.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value.pass.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value_directory.pass.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/line_not_there.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict_directory.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value.fail.sh delete mode 100644 
linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value_directory.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml deleted file mode 100644 index 5b54ab89246..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml +++ /dev/null @@ -1,8 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low -{{{ ansible_instantiate_variables("sshd_idle_timeout_value") }}} - -{{{ ansible_sshd_set(parameter="ClientAliveInterval", value="{{ sshd_idle_timeout_value }}") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh deleted file mode 100644 index c516b5cd83d..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh +++ /dev/null @@ -1,5 +0,0 @@ -# platform = multi_platform_all - -{{{ bash_instantiate_variables("sshd_idle_timeout_value") }}} - -{{{ bash_sshd_config_set("ClientAliveInterval", "$sshd_idle_timeout_value") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml index 916d7ea9a9c..c001dfe9a6a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml @@ -25,13 +25,14 @@ {{% endif %}} - + {{%- if sshd_distributed_config == "true" %}} {{%- endif %}} + {{%- if product not in ["ol8", "ol9", "rhel8", "rhel9"] %}} @@ -40,7 +41,7 @@
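Review bot: The new `{{%- if product not in ["ol8", "ol9", "rhel8", "rhel9"] %}}` guard at the end of the first oval/shared.xml hunk has no comment saying why those four products are excluded, and the element it wraps is not readable in this rendering, so a reader of the generated OVAL cannot tell whether the exclusion is tied to the `sshd_distributed_config` drop-in handling that surrounds it or to the ClientAliveInterval 0 case named in the commit message. Add a one-line Jinja comment directly above the guard stating the reason, e.g. `{{# ol8/ol9/rhel8/rhel9 are excluded because <REASON-PLACEHOLDER> #}}`, filled in by the author. The enclosing criteria element starts before this hunk, so the guard's closing `endif` is presumably in one of the later hunks; confirm the pair is balanced on all four products.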
- @@ -50,11 +51,11 @@ /etc/ssh/sshd_config ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ - 1 + 1 {{%- if sshd_distributed_config == "true" %}} - @@ -80,6 +81,22 @@ 0
+ + + + + + + object_sshd_idle_timeout + {{% if sshd_distributed_config == "true" %}} + object_sshd_idle_timeout_config_dir + {{% endif %}} + + + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml index 35c431ad3be..b42ad4a6598 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml @@ -79,3 +79,13 @@ warnings:
  • Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.
  • Any scp or sftp activity by the same user to the host resets the timeout.
  •
+
+template:
+ name: sshd_lineinfile
+ vars:
+ parameter: ClientAliveInterval
+ xccdf_variable: sshd_idle_timeout_value
+ datatype: int
+ backends:
+ oval: "off"
+
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/comment.fail.sh
deleted file mode 100644
index 2a338e3bbe4..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/comment.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# remediation = none
-
-# The rule doesn't remediate the ClientAliveCountMax setting, we have another rule for that.
-
-SSHD_CONFIG="/etc/ssh/sshd_config"
-
-. "$SHARED/utilities.sh"
-
-sed -i "/ClientAliveInterval/d" "$SSHD_CONFIG"
-assert_directive_in_file "$SSHD_CONFIG" ClientAliveInterval "# ClientAliveInterval 10"
-assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 0"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value.pass.sh
deleted file mode 100644
index 3715c322626..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value.pass.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-SSHD_CONFIG="/etc/ssh/sshd_config"
-
-. "$SHARED/utilities.sh"
-
-assert_directive_in_file "$SSHD_CONFIG" ClientAliveInterval "ClientAliveInterval 200"
-assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 0"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value_directory.pass.sh
deleted file mode 100644
index 66b0d783afd..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value_directory.pass.sh
+++ /dev/null
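Review bot: `backends: oval: "off"` keeps the handwritten OVAL for this rule, yet the same commit deletes every rule-specific scenario (comment.fail.sh, param_conflict.fail.sh, param_conflict_directory.fail.sh, correct_value_directory.pass.sh, wrong_value_directory.fail.sh below), so the behaviour that justifies keeping that OVAL — duplicate `ClientAliveInterval` entries, drop-ins under `/etc/ssh/sshd_config.d` (the `sshd_distributed_config` branches in the oval hunks above), and the ClientAliveInterval 0 case from the commit message — is no longer exercised unless the `sshd_lineinfile` template's generated scenarios happen to cover it, which this diff does not show. Keeping at least the param_conflict and *_directory scenarios, and adding a pass scenario with the value 0, would pin the OVAL's behaviour. A comment above `backends:` would also help the next reader: `# OVAL stays handwritten: it must also accept ClientAliveInterval 0 and check sshd_config.d drop-ins`.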
@@ -1,18 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
-
-SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d"
-SSHD_CONFIG="${SSHD_CONFIG_DIR}/good_config.conf"
-
-mkdir -p $SSHD_CONFIG_DIR
-touch $SSHD_CONFIG
-
-if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
- sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
-fi
-if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
- sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
-fi
-
-echo "ClientAliveInterval 200" >> $SSHD_CONFIG
-echo "ClientAliveCountMax 0" >> $SSHD_CONFIG
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/line_not_there.fail.sh
deleted file mode 100644
index b4c4dc81aae..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/line_not_there.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# remediation = none
-
-# The rule doesn't remediate the ClientAliveCountMax setting, we have another rule for that.
-
-sed -i "/^ClientAliveInterval.*/d" /etc/ssh/sshd_config
-
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
deleted file mode 100644
index 1e14aa3da36..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict.fail.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-mkdir -p /etc/ssh/sshd_config.d
-touch /etc/ssh/sshd_config.d/nothing
-
-if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
- sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
-fi
-if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
- sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
-fi
-
-echo "ClientAliveInterval 6000" >> /etc/ssh/sshd_config
-echo "ClientAliveInterval 200" >> /etc/ssh/sshd_config
-echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict_directory.fail.sh
deleted file mode 100644
index ea5e8f16c0a..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/param_conflict_directory.fail.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
-
-SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d"
-SSHD_CONFIG_BAD="${SSHD_CONFIG_DIR}/bad_config.conf"
-SSHD_CONFIG_GOOD="${SSHD_CONFIG_DIR}/good_config.conf"
-
-mkdir -p $SSHD_CONFIG_DIR
-touch $SSHD_CONFIG
-
-. "$SHARED/utilities.sh"
-
-if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
- sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
-fi
-if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
- sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
-fi
-
-echo "ClientAliveInterval 6000" > $SSHD_CONFIG_BAD
-echo "ClientAliveInterval 200" > $SSHD_CONFIG_GOOD
-echo "ClientAliveCountMax 0" > $SSHD_CONFIG_GOOD
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value.fail.sh
deleted file mode 100644
index dbb6cfff6a8..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value.fail.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-SSHD_CONFIG="/etc/ssh/sshd_config"
-
-. "$SHARED/utilities.sh"
-
-assert_directive_in_file "$SSHD_CONFIG" ClientAliveInterval "ClientAliveInterval 6000"
-assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 0"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value_directory.fail.sh
deleted file mode 100644
index ead09cc2376..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value_directory.fail.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
-
-SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d"
-SSHD_CONFIG="${SSHD_CONFIG_DIR}/bad_config.conf"
-
-mkdir -p $SSHD_CONFIG_DIR
-touch $SSHD_CONFIG
-
-if grep -q "^\s*ClientAliveInterval" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
- sed -i "/^\s*ClientAliveInterval.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
-fi
-if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
- sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
-fi
-
-echo "ClientAliveInterval 6000" > $SSHD_CONFIG
-echo "ClientAliveCountMax 0" > $SSHD_CONFIG