convert more rules to sshd_lineinfile template #12301
There is a set of rules which check that the value is between 0 and the XCCDF variable. Set the wrong value higher than the correct one.
The OVAL is kept for now, with a modification to support distributed sshd configuration.
The OVAL is kept untemplated because the rule has a special check which verifies that the value is less than or equal to the variable and greater than zero.
OVAL is kept because it has a special condition which is not handled by the template.
This datastream diff is auto generated by the check.
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- oval:ssg-sshd_set_idle_timeout:def:1
+++ oval:ssg-sshd_set_idle_timeout:def:1
@@ -5,5 +5,6 @@
criteria AND
extend_definition oval:ssg-sshd_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_installed:def:1
-criteria OR
+criteria AND
criterion oval:ssg-test_sshd_idle_timeout:tst:1
+criterion oval:ssg-test_clientaliveinterval_present:tst:1
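Review bot: the `-criteria OR` to `+criteria AND` switch tightens this rule: both `oval:ssg-test_sshd_idle_timeout:tst:1` and the new `oval:ssg-test_clientaliveinterval_present:tst:1` must now hold, whereas before the value test alone could satisfy the branch. Since the discussion says ClientAliveInterval is expected to be 0 in one scenario, confirm the present test still passes for an explicit `ClientAliveInterval 0`, including when that line lives in a drop-in under /etc/ssh/sshd_config.d, and add that case as a test scenario so the tightened logic is covered.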
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -2,6 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
sshd_idle_timeout_value=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2' differs.
--- oval:ssg-sshd_allow_only_protocol2:def:1
+++ oval:ssg-sshd_allow_only_protocol2:def:1
@@ -5,6 +5,7 @@
criteria AND
extend_definition oval:ssg-sshd_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_installed:def:1
-criteria OR
-extend_definition oval:ssg-sshd_version_equal_or_higher_than_74:def:1
+criteria AND
+criteria AND
criterion oval:ssg-test_sshd_allow_only_protocol2:tst:1
+criterion oval:ssg-test_Protocol_present_sshd_allow_only_protocol2:tst:1
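Review bot: dropping `extend_definition oval:ssg-sshd_version_equal_or_higher_than_74:def:1` from the OR branch changes which hosts pass. OpenSSH 7.4 removed server support for protocol 1, so such hosts previously passed on the version check alone; after this change they must carry an explicit `Protocol 2` line that sshd no longer acts on. Either keep the version branch next to the templated check or state in the rule description that the line is now required regardless of version. The two stacked `+criteria AND` wrappers around a single pair of criteria also look like a template artifact; one level is enough.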
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2' differs.
--- xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
+++ xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
@@ -1,27 +1,21 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Protocol")
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*Protocol\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
-# shellcheck disable=SC2059
-printf -v formatted_output "%s %s" "$stripped_key" "2"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^Protocol\\>" "/etc/ssh/sshd_config"; then
- escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- LC_ALL=C sed -i --follow-symlinks "s/^Protocol\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config"
-else
- if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then
- LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config"
- fi
- cce="CCE-80894-9"
- printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config"
- printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config"
-fi
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert at the beginning of the file
+printf '%s\n' "Protocol 2" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
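Review bot: the new `LC_ALL=C sed -i "/^\s*Protocol\s\+/Id"` drops the `--follow-symlinks` flag that the removed `sed -i --follow-symlinks` lines used, so on a host where /etc/ssh/sshd_config is a symlink GNU sed replaces the link with a regular file; restore the flag or document the limitation. Two smaller points in the same hunk: the delete pattern requires whitespace after the keyword, so a `Protocol=1` line (sshd_config accepts `=` as the separator) survives and is left behind after the prepended `Protocol 2`, and `printf '%s\n' "Protocol 2" > "/etc/ssh/sshd_config"` followed by `cat ... >>` is a non-atomic truncate-and-rebuild, so an interruption between the two leaves only the `.bak` copy; assembling the result in a temporary file and moving it into place avoids that window.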
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- oval:ssg-sshd_disable_compression:def:1
+++ oval:ssg-sshd_disable_compression:def:1
@@ -5,4 +5,7 @@
criteria AND
extend_definition oval:ssg-sshd_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_installed:def:1
+criteria AND
+criteria AND
criterion oval:ssg-test_sshd_disable_compression:tst:1
+criterion oval:ssg-test_Compression_present_sshd_disable_compression:tst:1
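Review bot: the two consecutive `+criteria AND` lines wrap a single pair of criteria (`oval:ssg-test_sshd_disable_compression:tst:1` and the new `oval:ssg-test_Compression_present_sshd_disable_compression:tst:1`); the extra nesting level adds nothing and makes the rendered definition harder to read. If the template emits it, flatten it in the template so every converted rule benefits rather than fixing it per rule.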
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- oval:ssg-sshd_disable_rhosts_rsa:def:1
+++ oval:ssg-sshd_disable_rhosts_rsa:def:1
@@ -5,6 +5,7 @@
criteria AND
extend_definition oval:ssg-sshd_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_installed:def:1
-criteria OR
-extend_definition oval:ssg-sshd_version_equal_or_higher_than_74:def:1
+criteria AND
+criteria AND
criterion oval:ssg-test_sshd_disable_rhosts_rsa:tst:1
+criterion oval:ssg-test_RhostsRSAAuthentication_present_sshd_disable_rhosts_rsa:tst:1
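Review bot: as with the protocol2 hunk, removing `extend_definition oval:ssg-sshd_version_equal_or_higher_than_74:def:1` means hosts on OpenSSH 7.4 or newer, where protocol 1 and with it RhostsRSAAuthentication were removed, no longer pass on version alone and must carry an explicit `RhostsRSAAuthentication no` line. If that stricter behaviour is intended, say so in the rule description and in the PR text; otherwise keep a version-gated branch in the template output.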
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
@@ -1,27 +1,21 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^RhostsRSAAuthentication")
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*RhostsRSAAuthentication\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
-# shellcheck disable=SC2059
-printf -v formatted_output "%s %s" "$stripped_key" "no"
-
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^RhostsRSAAuthentication\\>" "/etc/ssh/sshd_config"; then
- escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- LC_ALL=C sed -i --follow-symlinks "s/^RhostsRSAAuthentication\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config"
-else
- if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then
- LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config"
- fi
- cce="CCE-80900-4"
- printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config"
- printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config"
-fi
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert at the beginning of the file
+printf '%s\n' "RhostsRSAAuthentication no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
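Review bot: with the OVAL version branch gone, this remediation now unconditionally writes `RhostsRSAAuthentication no`, a keyword that OpenSSH 7.4 and later treat as deprecated (sshd logs a warning and ignores it), so the change will produce new warnings on every modern host. The rebuild also drops the `# Per CCE-80900-4: Set ...` provenance comment the old code wrote next to the directive; if that comment is relied on for auditing, the template should keep emitting it.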
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- oval:ssg-sshd_set_login_grace_time:def:1
+++ oval:ssg-sshd_set_login_grace_time:def:1
@@ -6,3 +6,4 @@
extend_definition oval:ssg-sshd_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_installed:def:1
criterion oval:ssg-test_sshd_login_grace_time:tst:1
+criterion oval:ssg-test_LoginGraceTime_present_sshd_set_login_grace_time:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -2,6 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
var_sshd_set_login_grace_time=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- oval:ssg-sshd_set_max_auth_tries:def:1
+++ oval:ssg-sshd_set_max_auth_tries:def:1
@@ -6,3 +6,4 @@
extend_definition oval:ssg-sshd_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_installed:def:1
criterion oval:ssg-test_sshd_max_auth_tries:tst:1
+criterion oval:ssg-test_MaxAuthTries_present_sshd_set_max_auth_tries:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -2,6 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
sshd_max_auth_tries_value=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- oval:ssg-sshd_set_max_sessions:def:1
+++ oval:ssg-sshd_set_max_sessions:def:1
@@ -6,3 +6,4 @@
extend_definition oval:ssg-sshd_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_installed:def:1
criterion oval:ssg-test_sshd_max_sessions:tst:1
+criterion oval:ssg-test_MaxSessions_present_sshd_set_max_sessions:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -2,6 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
var_sshd_max_sessions=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -38,9 +38,9 @@
tags:
- CCE-83357-4
- PCI-DSSv4-2.2.6
- - configure_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
+ - restrict_strategy
- sshd_set_max_sessions
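Review bot: `- - configure_strategy` to `+ - restrict_strategy` is the only remediation-strategy change in the whole diff, and none of the other converted rules show a tag change. Confirm that `sshd_set_max_sessions`'s rule.yml declares the strategy the template now emits and that the change is deliberate rather than a side effect of the template default; anything that selects remediations by strategy tag will see this rule move category.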
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- oval:ssg-sshd_use_priv_separation:def:1
+++ oval:ssg-sshd_use_priv_separation:def:1
@@ -2,4 +2,10 @@
criteria AND
extend_definition oval:ssg-sshd_not_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_removed:def:1
+criteria AND
+extend_definition oval:ssg-sshd_required_or_unset:def:1
+extend_definition oval:ssg-package_openssh-server_installed:def:1
+criteria AND
+criteria AND
criterion oval:ssg-test_sshd_use_priv_separation:tst:1
+criterion oval:ssg-test_UsePrivilegeSeparation_present_sshd_use_priv_separation:tst:1
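Review bot: the added branch (`extend_definition oval:ssg-sshd_required_or_unset:def:1` plus `oval:ssg-package_openssh-server_installed:def:1`) and the new `..._present` criterion carry no version gate, yet privilege separation became mandatory in OpenSSH 7.5 and `UsePrivilegeSeparation` is deprecated since then. On such hosts the rule now fails unless a line sshd ignores is present; either document that or add a version-based branch as the other sshd rules had. The same redundant double `+criteria AND` nesting appears here as in the other templated definitions.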
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -2,6 +2,7 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
var_sshd_priv_separation=''
+
if [ -e "/etc/ssh/sshd_config" ] ; then |
The OVAL is kept because there is a special condition where ClientAliveInterval is expected to be 0.
Code Climate has analyzed commit 7fc1dd6 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate.
Everything looks good. I will approve once the CI passes.
Description:
Rationale:
It decreases code duplication. It also unifies rules. The mentioned rules were not able to check sshd configuration within the /etc/ssh/sshd_config.d directory, and this created discrepancies.
Note that there is at least one more rule which should be converted so that it is aware of sshd drop-in configuration: sshd_set_maxstartups.
But the rule is very special and I think it should be tackled in a separate PR.
Review Hints:
Testing rules with Automatus should be enough.
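To make the check discussed in this PR concrete, here is an added example (not ComplianceAsCode code and not the sshd_lineinfile template): a minimal, drop-in-aware evaluation of a numeric sshd_config setting. It models sshd's first-occurrence-wins semantics, follows `Include` globs at the point where they appear, accepts the `Keyword=value` form, stops at the first `Match` block, and applies the "between 0 and the XCCDF variable" condition as 0 < value <= limit. The sample config tree it builds is constructed for the example; the function names and the limits passed to them are assumptions, not anything from the project.

```python
"""Drop-in-aware check of a bounded numeric sshd_config setting (illustrative, not project code)."""
import glob
import os
import re
import tempfile

# keyword, then argument, separated by whitespace or an optional '=' (sshd_config(5) syntax)
_LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def iter_directives(path, _seen=None):
    """Yield (keyword_lower, value, source_path) in the order sshd reads them,
    descending into Include'd files where the Include appears (sorted, like sshd)."""
    _seen = _seen if _seen is not None else set()
    real = os.path.realpath(path)
    if real in _seen:  # guard against Include loops
        return
    _seen.add(real)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = _LINE_RE.match(line)
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2)
            if key == "include":
                for pattern in value.split():
                    if not os.path.isabs(pattern):  # relative Include paths resolve under /etc/ssh
                        pattern = os.path.join("/etc/ssh", pattern)
                    for inc in sorted(glob.glob(pattern)):
                        yield from iter_directives(inc, _seen)
            elif key == "match":
                # Everything after the first Match block is conditional, not a global setting.
                return
            else:
                yield key, value, path


def effective_value(path, keyword):
    """First occurrence wins in sshd; return (value, source) or (None, None) if unset."""
    wanted = keyword.lower()
    for key, value, src in iter_directives(path):
        if key == wanted:
            return value, src
    return None, None


def check_bounded_setting(path, keyword, limit):
    """Pass only if the keyword is explicitly set and 0 < value <= limit.
    Returns (passed, reason) so a caller can report why a host failed."""
    value, src = effective_value(path, keyword)
    if value is None:
        return False, f"{keyword} is not set in {path} or its Include'd drop-ins"
    try:
        n = int(value)
    except ValueError:
        return False, f"{keyword}={value!r} in {src} is not an integer"
    if n <= 0:
        return False, f"{keyword}={n} in {src} is not greater than 0"
    if n > limit:
        return False, f"{keyword}={n} in {src} exceeds the allowed maximum {limit}"
    return True, f"{keyword}={n} from {src}"


def build_sample_tree(root):
    """Constructed sample: the main file Includes the drop-in directory *before* its own
    settings, so drop-in values take precedence (the layout that hid the discrepancies)."""
    dropin_dir = os.path.join(root, "sshd_config.d")
    os.makedirs(dropin_dir, exist_ok=True)
    main = os.path.join(root, "sshd_config")
    with open(os.path.join(dropin_dir, "50-site.conf"), "w") as fh:
        fh.write("# constructed drop-in\nClientAliveInterval 900\nMaxAuthTries=6\n")
    with open(main, "w") as fh:
        fh.write(f"Include {dropin_dir}/*.conf\nClientAliveInterval 0\nLoginGraceTime 60\n"
                 "Match User backup\n    MaxAuthTries 2\n")
    return main


def evaluate_sample():
    """Build the constructed tree in a temp dir; return {keyword: passed} for assumed limits."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = build_sample_tree(tmp)
        checks = (("ClientAliveInterval", 600), ("MaxAuthTries", 4),
                  ("LoginGraceTime", 60), ("MaxSessions", 10))
        return {kw: check_bounded_setting(cfg, kw, lim)[0] for kw, lim in checks}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cfg = build_sample_tree(tmp)
        for kw, lim in (("ClientAliveInterval", 600), ("MaxAuthTries", 4),
                        ("LoginGraceTime", 60), ("MaxSessions", 10)):
            ok, why = check_bounded_setting(cfg, kw, lim)
            print("PASS" if ok else "FAIL", why)
```

Run as a script it reports the drop-in's `ClientAliveInterval 900` and `MaxAuthTries=6` as the effective values (failing the assumed limits), ignores the `ClientAliveInterval 0` in the main file because it comes after the Include, and ignores the `MaxAuthTries 2` under `Match`. A checker that only reads /etc/ssh/sshd_config would report the opposite for the first two, which is exactly the discrepancy the PR description refers to.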