diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml index b04094c6148..51757172025 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml @@ -31,3 +31,8 @@ template: file_regex: - ^.*_key$ gid_or_name: '{{{ dedicated_ssh_groupname if dedicated_ssh_groupname else '0' }}}' + +warnings: + - general: |- + Remediation is not possible at bootable container build time because SSH host + keys are generated post-deployment. diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml index 5806b3e032d..7e7dfa574e3 100644 --- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml @@ -30,3 +30,8 @@ template: file_regex: - ^.*\.pub$ gid_or_name: '0' + +warnings: + - general: |- + Remediation is not possible at bootable container build time because SSH host + keys are generated post-deployment. diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml index c6118e0156c..dbe08971222 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml @@ -29,3 +29,8 @@ template: file_regex: - ^.*_key$ fileuid: '0' + +warnings: + - general: |- + Remediation is not possible at bootable container build time because SSH host + keys are generated post-deployment. diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml index 3a91527fdaf..afb33a8d820 100644 --- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml @@ -30,3 +30,8 @@ template: file_regex: - ^.*\.pub$ fileuid: '0' + +warnings: + - general: |- + Remediation is not possible at bootable container build time because SSH host + keys are generated post-deployment. diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml index d14c74ee195..8e73eb2e5cb 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml @@ -66,3 +66,8 @@ ocil: |- fixtext: '{{{ srg_requirement_file_permission(file="/etc/ssh/*_key", mode=perms_num) }}}' srg_requirement: 'The {{{ full_namne }}} SSH private host key files must have mode {{{ perms_num }}} or less permissive.' + +warnings: + - general: |- + Remediation is not possible at bootable container build time because SSH host + keys are generated post-deployment. diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml index 95eeb2d4194..9e802982d2e 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml @@ -57,3 +57,8 @@ template: filepath: /etc/ssh/ file_regex: ^.*\.pub$ filemode: '0644' + +warnings: + - general: |- + Remediation is not possible at bootable container build time because SSH host + keys are generated post-deployment.