Blame SOURCES/scap-security-guide-0.1.51-parametrize-ssh-PR5772.patch

From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 19 May 2020 15:49:34 +0200
Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized.
Introduce the rekey_limit_size and rekey_limit_time XCCDF values
to make the rule more flexible.
---
 .../sshd_rekey_limit/bash/shared.sh           |  9 ++++
 .../sshd_rekey_limit/oval/shared.xml          | 43 +++++++++++++++++++
 .../ssh/ssh_server/sshd_rekey_limit/rule.yml  | 12 +-----
 .../sshd_rekey_limit/tests/bad_size.fail.sh   |  4 ++
 .../sshd_rekey_limit/tests/bad_time.fail.sh   |  4 ++
 .../sshd_rekey_limit/tests/no_line.fail.sh    |  3 ++
 .../sshd_rekey_limit/tests/ok.pass.sh         |  4 ++
 .../ssh/ssh_server/var_rekey_limit_size.var   | 14 ++++++
 .../ssh/ssh_server/var_rekey_limit_time.var   | 14 ++++++
 rhel8/profiles/ospp.profile                   |  2 +
 10 files changed, 99 insertions(+), 10 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
 create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
475544
new file mode 100644
475544
index 0000000000..2620c2d49e
475544
--- /dev/null
475544
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
475544
@@ -0,0 +1,9 @@
475544
+# platform = multi_platform_all
475544
+
475544
+# Include source function library.
475544
+. /usr/share/scap-security-guide/remediation_functions
475544
+
475544
+populate var_rekey_limit_size
475544
+populate var_rekey_limit_time
475544
+
475544
+{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
475544
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
475544
new file mode 100644
475544
index 0000000000..57aa090948
475544
--- /dev/null
475544
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
475544
@@ -0,0 +1,43 @@
475544
+{{% set filepath = "/etc/ssh/sshd_config" %}}
475544
+{{% set parameter = "RekeyLimit" %}}
475544
+
475544
+
475544
+<def-group>
475544
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
475544
+    <metadata>
475544
+      <title>{{{ rule_title }}}</title>
475544
+      {{{- oval_affected(products) }}}
475544
+      <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
475544
+    </metadata>
475544
+    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
475544
+        {{{- application_not_required_or_requirement_unset() }}}
475544
+        {{{- application_required_or_requirement_unset() }}}
475544
+        {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
475544
+    </criteria>
475544
+    </criteria>
475544
+  </definition>
475544
+
475544
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_sshd_rekey_limit" version="1">
475544
+     <ind:object object_ref="obj_sshd_rekey_limit"/>
475544
+  </ind:textfilecontent54_test>
475544
+
475544
+  <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
475544
+     <ind:filepath>{{{ filepath }}}</ind:filepath>
475544
+     <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
475544
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
475544
+  </ind:textfilecontent54_object>
475544
+
475544
+  <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
475544
+    <concat>
475544
+      <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
475544
+      <variable_component var_ref="var_rekey_limit_size"/>
475544
+      <literal_component>[\s]+</literal_component>
475544
+      <variable_component var_ref="var_rekey_limit_time"/>
475544
+      <literal_component>[\s]*$</literal_component>
475544
+    </concat>
475544
+  </local_variable>
475544
+
475544
+  <external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
475544
+  <external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
475544
+</def-group>
475544
+
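Review bot: The textfilecontent54 object only requires that at least one line matching the expected `RekeyLimit` value exists, so a config with an earlier `RekeyLimit` line holding a different value still passes even though sshd applies the first occurrence of a keyword; a second object matching `^[\s]*RekeyLimit[\s]+(.*)$` whose every instance is compared through a state on the captured subexpression against the concatenated size/time value would close that gap. The variable values are spliced into the regex at `<variable_component var_ref="var_rekey_limit_size"/>` unescaped, which is harmless for `512M`/`1h` but should be remembered when new options are added to the .var files. Keyword matching is case-sensitive here while sshd accepts `rekeylimit` as well, so a lower-case line would be reported as a failure; that mirrors other SSG sshd checks, so at most it deserves a comment. The two closing `</criteria>` tags are correct only if `application_required_or_requirement_unset()` opens a criteria element itself — worth confirming against the macro before merging.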
475544
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
475544
index e11678faa0..4936a381f5 100644
475544
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
475544
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
475544
@@ -7,7 +7,7 @@ description: |-
475544
     the session key of the is renegotiated, both in terms of
475544
     amount of data that may be transmitted and the time
475544
     elapsed. To decrease the default limits, put line
475544
-    <tt>RekeyLimit 512M 1h</tt> to file <tt>/etc/ssh/sshd_config</tt>.
475544
+    <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
475544
 
475544
 rationale: |-
475544
     By decreasing the limit based on the amount of data and enabling
475544
@@ -30,12 +30,4 @@ ocil: |-
475544
     following command:
475544
     
$ sudo grep RekeyLimit /etc/ssh/sshd_config
475544
     If configured properly, output should be
475544
-    
RekeyLimit 512M 1h
475544
-
475544
-template:
475544
-    name: sshd_lineinfile
475544
-    vars:
475544
-        missing_parameter_pass: 'false'
475544
-        parameter: RekeyLimit
475544
-        rule_id: sshd_rekey_limit
475544
-        value: 512M 1h
475544
+    
RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}
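Review bot: The expected output on the new `RekeyLimit {{{ sub_var_value(...) }}}` line assumes `grep RekeyLimit /etc/ssh/sshd_config` prints exactly one line, but that grep also returns commented-out entries (a stock sshd_config typically ships `#RekeyLimit default none`) and any further occurrences, and sshd honours only the first uncommented one. Since the grep line itself is unchanged context, this is a follow-up: narrow it to `$ sudo grep -i '^\s*RekeyLimit' /etc/ssh/sshd_config` and state that the first line printed is the one in effect.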
475544
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
475544
new file mode 100644
475544
index 0000000000..2ac0bbf350
475544
--- /dev/null
475544
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
475544
@@ -0,0 +1,4 @@
475544
+# platform = multi_platform_all
475544
+
475544
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
475544
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
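Review bot: `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` on the third line has no `-i`, so the deletion is only printed to stdout and the file is left untouched; on an image that already carries `RekeyLimit 512M 1h`, the appended `812M` line sits behind a matching one, the OVAL check still passes, and this `.fail.sh` scenario does not fail. Change it to `sed -i '/RekeyLimit/d' /etc/ssh/sshd_config`; the same slip is in the sibling test scripts.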
475544
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
475544
new file mode 100644
475544
index 0000000000..fec859fe05
475544
--- /dev/null
475544
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
475544
@@ -0,0 +1,4 @@
475544
+# platform = multi_platform_all
475544
+
475544
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
475544
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
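Review bot: The `sed -e '/RekeyLimit/d'` call does not edit the file in place (no `-i`), so any pre-existing `RekeyLimit` line survives and the `2h` line is merely appended; because the check only needs one matching line somewhere, a host that already has the correct value would make this failure scenario pass. Use `sed -i '/RekeyLimit/d' /etc/ssh/sshd_config` so the scenario actually contains a single wrong line.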
475544
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
475544
new file mode 100644
475544
index 0000000000..a6cd10163f
475544
--- /dev/null
475544
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
475544
@@ -0,0 +1,3 @@
475544
+# platform = multi_platform_all
475544
+
475544
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
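Review bot: Without `-i`, `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` leaves the file unchanged, so this "no line" scenario only holds on images whose sshd_config has no `RekeyLimit` line to begin with; on a host that already has `RekeyLimit 512M 1h` the test would pass instead of fail. Replace it with `sed -i '/RekeyLimit/d' /etc/ssh/sshd_config`.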
475544
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
475544
new file mode 100644
475544
index 0000000000..a6a2ba7adf
475544
--- /dev/null
475544
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
475544
@@ -0,0 +1,4 @@
475544
+# platform = multi_platform_all
475544
+
475544
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
475544
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
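Review bot: The `sed -e '/RekeyLimit/d'` line is missing `-i`, so an existing `RekeyLimit` line with a different value is not removed and stays ahead of the appended good line; the OVAL check still passes, but sshd would actually use the earlier line, so the scenario does not model a correctly configured host. Use `sed -i '/RekeyLimit/d' /etc/ssh/sshd_config` here as well.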
475544
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
475544
new file mode 100644
475544
index 0000000000..16dc376508
475544
--- /dev/null
475544
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
475544
@@ -0,0 +1,14 @@
475544
+documentation_complete: true
475544
+
475544
+title: 'SSH RekeyLimit - size'
475544
+
475544
+description: 'Specify the size component of the rekey limit.'
475544
+
475544
+type: string
475544
+
475544
+operator: equals
475544
+
475544
+options:
475544
+    sshd_default: "default"
475544
+    default: "512M"
475544
+    "512M": "512M"
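Review bot: The description should explain the `sshd_default` option: it maps to the literal sshd token `default`, which lets sshd pick the size limit itself rather than enforcing a fixed one, so a profile selecting it no longer pins the size. Because the chosen value is spliced verbatim into both the OVAL regex and the `RekeyLimit` line, add a comment in this file that new options must be plain sshd size tokens (digits plus K/M/G) with no regex metacharacters; suggested description: `Specify the size component of the rekey limit; "default" defers to sshd's built-in choice.`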
475544
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
475544
new file mode 100644
475544
index 0000000000..8801fbbf6f
475544
--- /dev/null
475544
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
475544
@@ -0,0 +1,14 @@
475544
+documentation_complete: true
475544
+
475544
+title: 'SSH RekeyLimit - size'
475544
+
475544
+description: 'Specify the size component of the rekey limit.'
475544
+
475544
+type: string
475544
+
475544
+operator: equals
475544
+
475544
+options:
475544
+    sshd_default: "none"
475544
+    default: "1h"
475544
+    "1hour": "1h"
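Review bot: `title: 'SSH RekeyLimit - size'` and `description: 'Specify the size component of the rekey limit.'` were copied from the size variable; they should read `title: 'SSH RekeyLimit - time'` and `description: 'Specify the time component of the rekey limit.'`. The description should also note that the `sshd_default` option maps to `none`, which turns off time-based rekeying entirely, so selecting it makes this half of the rule a no-op rather than a weaker limit.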
475544
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
475544
index c672066050..a5223a187f 100644
475544
--- a/rhel8/profiles/ospp.profile
475544
+++ b/rhel8/profiles/ospp.profile
475544
@@ -58,6 +58,8 @@ selections:
475544
     - sshd_set_keepalive
475544
     - sshd_enable_warning_banner
475544
     - sshd_rekey_limit
475544
+    - var_rekey_limit_size=512M
475544
+    - var_rekey_limit_time=1hour
475544
     - sshd_use_strong_rng
475544
     - openssl_use_strong_entropy
475544
 
475544
From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 19 May 2020 17:57:12 +0200
Subject: [PATCH 2/5] Updated stable profile definitions.
---
 tests/data/profile_stability/rhel8/ospp.profile | 2 ++
 tests/data/profile_stability/rhel8/stig.profile | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
475544
index 23039c82b4..bdda39a903 100644
475544
--- a/tests/data/profile_stability/rhel8/ospp.profile
475544
+++ b/tests/data/profile_stability/rhel8/ospp.profile
475544
@@ -214,6 +214,8 @@ selections:
475544
 - timer_dnf-automatic_enabled
475544
 - usbguard_allow_hid_and_hub
475544
 - var_sshd_set_keepalive=0
475544
+- var_rekey_limit_size=512M
475544
+- var_rekey_limit_time=1hour
475544
 - var_accounts_user_umask=027
475544
 - var_password_pam_difok=4
475544
 - var_password_pam_maxrepeat=3
475544
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
475544
index cd31b73700..ebef541921 100644
475544
--- a/tests/data/profile_stability/rhel8/stig.profile
475544
+++ b/tests/data/profile_stability/rhel8/stig.profile
475544
@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the
475544
 
475544
     - Red Hat Containers with a Red Hat Enterprise Linux 8 image'
475544
 documentation_complete: true
475544
-extends: ospp
475544
 selections:
475544
 - account_disable_post_pw_expiration
475544
 - account_temp_expire_date
475544
@@ -243,6 +242,8 @@ selections:
475544
 - timer_dnf-automatic_enabled
475544
 - usbguard_allow_hid_and_hub
475544
 - var_sshd_set_keepalive=0
475544
+- var_rekey_limit_size=512M
475544
+- var_rekey_limit_time=1hour
475544
 - var_accounts_user_umask=027
475544
 - var_password_pam_difok=4
475544
 - var_password_pam_maxrepeat=3
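Review bot: Dropping `extends: ospp` from the STIG stability fixture is unrelated to the rekey-limit parametrization in the subject and is not explained in the commit message; if it mirrors an upstream change to rhel8/profiles/stig.profile that is not part of this series, say so in the message, otherwise the fixture now diverges from the profile it is supposed to pin. Consider keeping that line and limiting this hunk to the two `var_rekey_limit_*` additions.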
475544
From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:43:36 +0200
Subject: [PATCH 3/5] Improved how variables are handled in remediations.
---
 shared/macros-ansible.jinja | 14 ++++++++++++++
 shared/macros-bash.jinja    | 15 +++++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
475544
index 56a3f5f3ec..6798a25d1f 100644
475544
--- a/shared/macros-ansible.jinja
475544
+++ b/shared/macros-ansible.jinja
475544
@@ -1,3 +1,17 @@
475544
+{{#
475544
+Pass strings that correspond to XCCDF value names as arguments to this macro:
475544
+ansible_instantiate_variables("varname1", "varname2")
475544
+
475544
+Then, assume that the task that follows can work with the variable by referencing it, e.g.
475544
+value: "Setting={{ varname1 }}"
475544
+
475544
+#}}
475544
+{{%- macro ansible_instantiate_variables() -%}}
475544
+{{%- for name in varargs -%}}
475544
+- (xccdf-var {{{ name }}})
475544
+{{% endfor -%}}
475544
+{{%- endmacro -%}}
475544
+
475544
 {{#
475544
   A wrapper over the Ansible lineinfile module. This handles the most common
475544
   options for us. regex is optional and when blank, it won't be included in
475544
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
475544
index 01b9e62e7b..3a94fe5dd8 100644
475544
--- a/shared/macros-bash.jinja
475544
+++ b/shared/macros-bash.jinja
475544
@@ -1,5 +1,20 @@
475544
 {{# ##### High level macros ##### #}}
475544
 
475544
+{{#
475544
+Pass strings that correspond to XCCDF value names as arguments to this macro:
475544
+bash_instantiate_variables("varname1", "varname2")
475544
+
475544
+Then, assume that variables of that names are defined and contain the correct value, e.g.
475544
+echo "Setting=$varname1" >> config_file
475544
+
475544
+#}}
475544
+{{%- macro bash_instantiate_variables() -%}}
475544
+{{%- for name in varargs -%}}
475544
+populate {{{ name }}}
475544
+{{# this line is intentionally left blank #}}
475544
+{{% endfor -%}}
475544
+{{%- endmacro -%}}
475544
+
475544
 {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
475544
 {{% if no_quotes -%}}
475544
   {{% if "$" in value %}}
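Review bot: The doc comment on `bash_instantiate_variables` should state that the generated `populate NAME` calls come from `/usr/share/scap-security-guide/remediation_functions`, so the remediation must source that file before using the macro (as `sshd_rekey_limit/bash/shared.sh` does), and that the value arrives in the shell unvalidated, so callers must still quote `$NAME` when writing it into a config line. Suggested line: `Requires remediation_functions to be sourced first; each NAME becomes a shell variable holding the XCCDF value as-is.` The `{{# this line is intentionally left blank #}}` comment would be clearer as `{{# keeps one populate per line: the for-tag strips the newline after it #}}`, assuming that is indeed why the blank line is needed.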
475544
From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:44:08 +0200
Subject: [PATCH 4/5] Fixed Bash and Ansible remediations.
---
 .../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml    | 8 ++++++++
 .../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh        | 3 +--
 2 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
475544
new file mode 100644
475544
index 0000000000..43a2d4521f
475544
--- /dev/null
475544
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
475544
@@ -0,0 +1,8 @@
475544
+# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]
475544
+# reboot = false
475544
+# strategy = configure
475544
+# complexity = low
475544
+# disruption = low
475544
+{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
475544
+
475544
+{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}}
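Review bot: The first line `# platform = multi_platform_all … [0/453]` carries a stray `[0/453]` tail that looks like a pasted terminal status; SSG reads that header line to decide which products receive the remediation, so the extra token may leave the platform string unmatched and silently drop this Ansible fix — trim it to `# platform = multi_platform_all`. The last line also mixes `{{ var_rekey_limit_size}}` and `{{var_rekey_limit_time}}` spacing; `value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}"` is the conventional form and easier to grep for.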
475544
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
475544
index 2620c2d49e..0277f31392 100644
475544
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
475544
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
475544
@@ -3,7 +3,6 @@
475544
 # Include source function library.
475544
 . /usr/share/scap-security-guide/remediation_functions
475544
 
475544
-populate var_rekey_limit_size
475544
-populate var_rekey_limit_time
475544
+{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
475544
 
475544
 {{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
475544
From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:49:04 +0200
Subject: [PATCH 5/5] Improved the OVAL according to the review feedback.
---
 .../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
475544
index 57aa090948..47796e5332 100644
475544
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
475544
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
475544
@@ -1,5 +1,4 @@
475544
-{{% set filepath = "/etc/ssh/sshd_config" %}}
475544
-{{% set parameter = "RekeyLimit" %}}
475544
+{{% set filepath = "/etc/ssh/sshd_config" -%}}
475544
 
475544
 
475544
 <def-group>
475544
@@ -7,7 +6,7 @@
475544
     <metadata>
475544
       <title>{{{ rule_title }}}</title>
475544
       {{{- oval_affected(products) }}}
475544
-      <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
475544
+      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
475544
     </metadata>
475544
     <criteria comment="sshd is configured correctly or is not installed" operator="OR">
475544
         {{{- application_not_required_or_requirement_unset() }}}