From 0709b7c320974411d78b5c240b631cc6bf9acebf Mon Sep 17 00:00:00 2001
From: Matus Marhefka
Date: Thu, 19 Dec 2024 16:02:08 +0100
Subject: [PATCH] SSH host keys don't exist at bootable container build time
Add warnings to rules configuring SSH host keys permissions and ownership that remediation is not possible at bootable container build time because SSH host keys are generated post-deployment (only once bootable container is booted).
---
 .../ssh/file_groupownership_sshd_private_key/rule.yml | 5 +++++
 .../services/ssh/file_groupownership_sshd_pub_key/rule.yml | 5 +++++
 .../services/ssh/file_ownership_sshd_private_key/rule.yml | 5 +++++
 .../guide/services/ssh/file_ownership_sshd_pub_key/rule.yml | 5 +++++
 .../services/ssh/file_permissions_sshd_private_key/rule.yml | 5 +++++
 .../services/ssh/file_permissions_sshd_pub_key/rule.yml | 5 +++++
 6 files changed, 30 insertions(+)
diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml
index b04094c6148..51757172025 100644
--- a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml
@@ -31,3 +31,8 @@ template:
 file_regex:
 - ^.*_key$
 gid_or_name: '{{{ dedicated_ssh_groupname if dedicated_ssh_groupname else '0' }}}'
+
+warnings:
+ - general: |-
+ Remediation is not possible at bootable container build time because SSH host
+ keys are generated post-deployment.
diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml
index 5806b3e032d..7e7dfa574e3 100644
--- a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml
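Review bot: The warning added under `warnings:` explains why build-time remediation fails but gives the reader no follow-up action, and the identical text is repeated in the five sibling hunks (file_groupownership_sshd_pub_key, file_ownership_sshd_private_key, file_ownership_sshd_pub_key, file_permissions_sshd_private_key, file_permissions_sshd_pub_key). Because the keys only exist after first boot, a build-time scan cannot establish that the host keys end up with the ownership and permissions this rule requires, so the check has to be repeated on the deployed system. I would extend each `general:` block with one sentence such as `Verify ownership and permissions of the generated host keys on the deployed system after its first boot.`, so the warning states what to check and when. The `template:` mapping these context lines belong to, and the rest of the rule file, are outside the hunk.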
@@ -30,3 +30,8 @@ template:
 file_regex:
 - ^.*\.pub$
 gid_or_name: '0'
+
+warnings:
+ - general: |-
+ Remediation is not possible at bootable container build time because SSH host
+ keys are generated post-deployment.
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml
index c6118e0156c..dbe08971222 100644
--- a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml
@@ -29,3 +29,8 @@ template:
 file_regex:
 - ^.*_key$
 fileuid: '0'
+
+warnings:
+ - general: |-
+ Remediation is not possible at bootable container build time because SSH host
+ keys are generated post-deployment.
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml
index 3a91527fdaf..afb33a8d820 100644
--- a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml
@@ -30,3 +30,8 @@ template:
 file_regex:
 - ^.*\.pub$
 fileuid: '0'
+
+warnings:
+ - general: |-
+ Remediation is not possible at bootable container build time because SSH host
+ keys are generated post-deployment.
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index d14c74ee195..8e73eb2e5cb 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -66,3 +66,8 @@ ocil: |- fixtext: '{{{ srg_requirement_file_permission(file="/etc/ssh/*_key", mode=perms_num) }}}' srg_requirement: 'The {{{ full_namne }}} SSH private host key files must have mode {{{ perms_num }}} or less permissive.' + +warnings: + - general: |- + Remediation is not possible at bootable container build time because SSH host + keys are generated post-deployment.
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
index 95eeb2d4194..9e802982d2e 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -57,3 +57,8 @@ template:
 filepath: /etc/ssh/
 file_regex: ^.*\.pub$
 filemode: '0644'
+
+warnings:
+ - general: |-
+ Remediation is not possible at bootable container build time because SSH host
+ keys are generated post-deployment.
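Review bot: The context line `srg_requirement: 'The {{{ full_namne }}} SSH private host key files must have mode {{{ perms_num }}} or less permissive.'` in the file_permissions_sshd_private_key hunk references `full_namne`, which looks like a misspelling of the `full_name` product variable; if so, the rendered requirement text would carry a missing or broken product name. This is pre-existing rather than introduced here, but since the commit already edits the tail of this file it is a one-word fix: `srg_requirement: 'The {{{ full_name }}} SSH private host key files must have mode {{{ perms_num }}} or less permissive.'`. The `ocil: |-` block and the rest of the rule are outside the hunk.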