Blame SOURCES/scap-security-guide-0.1.50-sshd_allow_p2.patch

From 1d9a85c7b4e2f168d48884db10c7c71a534588d2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 14 Apr 2020 16:38:09 +0200
Subject: [PATCH 1/2] sshd_allow_only_protocol2 revert from template to
 individual check and remediations
---
 .../ansible/shared.yml                        |  6 +++
 .../sshd_allow_only_protocol2/bash/shared.sh  |  6 +++
 .../sshd_allow_only_protocol2/oval/shared.xml | 45 +++++++++++++++++++
 .../sshd_allow_only_protocol2/rule.yml        |  8 ----
 4 files changed, 57 insertions(+), 8 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml
new file mode 100644
index 0000000000..39102e5d78
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_sshd_set(parameter="Protocol", value="2") }}}
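Review bot: The `# platform` header on the first line of this hunk lists multi_platform_fedora, while the bash remediation added for the same rule omits Fedora and the OVAL definition additionally claims debian, ubuntu and wrlinux, so the three artefacts of one rule now advertise three different platform sets. If Fedora is meant to be ansible-only, a short comment next to the platform line (for example `# Fedora: no bash remediation is shipped for this rule`) would keep the next maintainer from "aligning" the lists in the wrong direction; otherwise the lists should be brought into agreement.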
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
new file mode 100644
index 0000000000..590e96d150
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+replace_or_append '/etc/ssh/sshd_config' '^Protocol' '2' '@CCENUM@' '%s %s'
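Review bot: The key `^Protocol` handed to replace_or_append on the last line of this hunk is anchored at column 0, so an indented directive such as `  Protocol 1` is left untouched; if the helper then appends `Protocol 2` at the end of the file, sshd's first-occurrence-wins rule for keywords means the old line still takes effect and the host is reported remediated while still offering protocol 1. The helper's key handling (case sensitivity, and which characters it strips from the key before writing the new line) is not visible here, so confirm it before simply widening the regex — a `\s*` prefix that survives the stripping would be written into sshd_config verbatim. A safer shape is a pre-pass that removes every existing directive, `sed -i '/^\s*[Pp]rotocol\s/d' /etc/ssh/sshd_config`, followed by the existing replace_or_append call, so exactly one `Protocol 2` line remains.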
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
new file mode 100644
index 0000000000..948c40561c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
@@ -0,0 +1,45 @@
+<def-group>
+  <definition class="compliance" id="sshd_allow_only_protocol2" version="1">
+    <metadata>
+      <title>Ensure Only Protocol 2 Connections Allowed</title>
+      <affected family="unix">
+        <platform>multi_platform_wrlinux</platform>
+        <platform>multi_platform_rhel</platform>
+        <platform>multi_platform_rhv</platform>
+        <platform>multi_platform_debian</platform>
+        <platform>multi_platform_ubuntu</platform>
+        <platform>multi_platform_ol</platform>
+      </affected>
+      <description>The OpenSSH daemon should be running protocol 2.</description>
+    </metadata>
+    
+    operator="OR">
+      <criteria comment="sshd is not installed" operator="AND">
+        
+        definition_ref="sshd_not_required_or_unset" />
+        
+        definition_ref="package_openssh-server_removed" />
+      </criteria>
+      <criteria comment="sshd is installed and configured" operator="AND">
+        
+        definition_ref="sshd_required_or_unset" />
+        
+        definition_ref="package_openssh-server_installed" />
+        <criteria comment="SSH version is equal or higher than 7.4 or it is configured with protocol 2" operator="OR">
+          <extend_definition comment="OpenSSH version 7.4 or higher supports only protocol 2" definition_ref="sshd_version_equal_or_higher_than_74" />
+          
+          test_ref="test_sshd_allow_only_protocol2" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+  
+  comment="sshd uses protocol 2" id="test_sshd_allow_only_protocol2" version="1">
+    <ind:object object_ref="object_sshd_allow_only_protocol2" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_sshd_allow_only_protocol2" version="3">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
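Review bot: The object's pattern (the `ind:pattern` line near the end of the hunk) selects the first line that reads `Protocol 2`, but sshd honours the first `Protocol` directive in the file whatever value it carries, so a config containing `Protocol 1` followed by `Protocol 2` passes this check while the daemon still offers protocol 1 — the opposite failure mode from the `missing_parameter_pass: 'false'` template setting this commit removes. Capture the argument of the first Protocol directive instead and compare it in a state, as sketched below; the 7.4+ fallback via sshd_version_equal_or_higher_than_74 is unaffected. The opening tags of the criteria, criterion and extend_definition elements and of the textfilecontent54_test are not visible in this rendering, so the check/check_existence attributes in the sketch are assumed rather than read from the patch.
```xml
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="first Protocol directive is 2" id="test_sshd_allow_only_protocol2" version="1">
  <ind:object object_ref="object_sshd_allow_only_protocol2" />
  <ind:state state_ref="state_sshd_allow_only_protocol2" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_sshd_allow_only_protocol2" version="3">
  <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
  <!-- sshd uses the first Protocol directive it sees, so capture its argument rather than searching for a "2" line anywhere in the file -->
  <ind:pattern operation="pattern match">^[\s]*(?i)Protocol[\s]+([^\s#]+)[\s]*(?:#.*)?$</ind:pattern>
  <ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_sshd_allow_only_protocol2" version="1">
  <ind:subexpression operation="pattern match">^2$</ind:subexpression>
</ind:textfilecontent54_state>
```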
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
index c0cb97c9e8..2c91fd0c36 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
@@ -62,11 +62,3 @@ warnings:
         As of <tt>openssh-server</tt> version <tt>7.4</tt> and above, the only protocol
         supported is version 2, and line 
Protocol 2
in
         <tt>/etc/ssh/sshd_config</tt> is not necessary.
-
-template:
-    name: sshd_lineinfile
-    vars:
-        missing_parameter_pass: 'false'
-        parameter: Protocol
-        rule_id: sshd_allow_only_protocol2
-        value: '2'
From 4993ccd288caa17aad8888b065cfbff605ff1c24 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 15 Apr 2020 09:56:35 +0200
Subject: [PATCH 2/2] add oval_affected jinja macro
---
 .../ssh_server/sshd_allow_only_protocol2/oval/shared.xml | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
index 948c40561c..e1a4ee4448 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
@@ -2,14 +2,7 @@
   <definition class="compliance" id="sshd_allow_only_protocol2" version="1">
     <metadata>
       <title>Ensure Only Protocol 2 Connections Allowed</title>
-      <affected family="unix">
-        <platform>multi_platform_wrlinux</platform>
-        <platform>multi_platform_rhel</platform>
-        <platform>multi_platform_rhv</platform>
-        <platform>multi_platform_debian</platform>
-        <platform>multi_platform_ubuntu</platform>
-        <platform>multi_platform_ol</platform>
-      </affected>
+      {{{- oval_affected(products) }}}
       <description>The OpenSSH daemon should be running protocol 2.</description>
     </metadata>
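Review bot: The added `{{{- oval_affected(products) }}}` line replaces an explicit list that named multi_platform_debian, multi_platform_ubuntu and multi_platform_wrlinux alongside the RHEL-family platforms, so those platforms now appear in the OVAL `affected` block only if the macro emits them for the product being built; if it renders just the current product, the definition's declared applicability narrows relative to the first patch without that being visible in the XML. That is likely the intended effect of moving to the macro, but nothing in the hunk says so; a one-line XML comment above the macro call, `<!-- affected platforms are generated per product; see oval_affected macro -->`, would make the narrowing deliberate for anyone diffing the generated OVAL against the old hand-written list.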