From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:34:50 +0200
Subject: [PATCH 01/11] add rule, variables, check, remediations
---
.../ssh_client_rekey_limit/ansible/shared.yml | 8 ++++
.../ssh_client_rekey_limit/bash/shared.sh | 8 ++++
.../ssh_client_rekey_limit/oval/shared.xml | 39 +++++++++++++++++++
.../crypto/ssh_client_rekey_limit/rule.yml | 34 ++++++++++++++++
.../var_ssh_client_rekey_limit_size.var | 15 +++++++
.../var_ssh_client_rekey_limit_time.var | 14 +++++++
shared/references/cce-redhat-avail.txt | 1 -
7 files changed, 118 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
new file mode 100644
index 0000000000..6d2bcbbd44
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all [0/453]
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+
+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
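Review bot: The task writes the directive into /etc/ssh/ssh_config.d/02-rekey-limit.conf but nothing verifies that /etc/ssh/ssh_config actually contains an `Include /etc/ssh/ssh_config.d/*.conf` line, so on a platform whose main client config lacks it the remediation reports success while the setting is never read. The header declares `multi_platform_all` although rule.yml at L101 limits the rule to rhel8; either narrow the platform or add a task that asserts the Include directive is present before creating the drop-in. The same gap applies to the bash remediation in the hunk ending at L47.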
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
new file mode 100644
index 0000000000..43d0971ffc
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+
+{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
new file mode 100644
index 0000000000..2412763e3f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
@@ -0,0 +1,39 @@
+{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
+
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ <metadata>
+ <title>{{{ rule_title }}}</title>
+ {{{- oval_affected(products) }}}
+ <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
+ </metadata>
+ <criteria comment="RekeyLimit is correctly configured for ssh client">
+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_ssh_client_rekey_limit" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
+ <ind:filepath>{{{ filepath }}}</ind:filepath>
+ <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
+ <concat>
+ <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
+ <variable_component var_ref="var_ssh_client_rekey_limit_size"/>
+ <literal_component>[\s]+</literal_component>
+ <variable_component var_ref="var_ssh_client_rekey_limit_time"/>
+ <literal_component>[\s]*$</literal_component>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
+ <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
+</def-group>
+
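Review bot: The `test_ssh_client_rekey_limit` test and its object (L69–L77) appear to be referenced by nothing in the definition: the criteria at L64–L66 is produced by `oval_line_in_file_criterion(filepath, "RekeyLimit")`, and unless that macro happens to emit a criterion with exactly this test_ref, the variable-aware regex built at L79–L87 is dead and the definition only checks that some `RekeyLimit` line exists regardless of its value. An explicit `<criterion comment="RekeyLimit has the expected value" test_ref="test_ssh_client_rekey_limit" />` inside the criteria would tie the check to the value test. Separately, the variable values are concatenated into the regex unescaped (L82, L84), which is fine for the `512M`/`1h`-style option values defined in the .var files but would misbehave for a value containing regex metacharacters.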
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
new file mode 100644
index 0000000000..a1b85b0ee5
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure session renegotiation for SSH client'
+
+description: |-
+ The <tt>RekeyLimit</tt> parameter specifies how often
+ the session key is renegotiated, both in terms of
+ amount of data that may be transmitted and the time
+ elapsed. To decrease the default limits, put line
+ <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
+
+rationale: |-
+ By decreasing the limit based on the amount of data and enabling
+ time-based limit, effects of potential attacks against
+ encryption keys are limited.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82880-6
+
+references:
+ ospp: FCS_SSHS_EXT.1
+
+ocil_clause: 'it is commented out or is not set'
+
+ocil: |-
+ To check if RekeyLimit is set correctly, run the
+ following command:
+ <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
+ If configured properly, output should be
+ <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
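Review bot: `ospp: FCS_SSHS_EXT.1` at L123 references the SSH server component of the OSPP SSH extended package while this rule configures the SSH client; the client-side requirement is FCS_SSHC_EXT.1, so unless the server mapping is deliberate the line should read `ospp: FCS_SSHC_EXT.1`. The ocil_clause at L125 says "commented out or is not set", but the OVAL in this patch also fails when the value differs from the selected variables, so `'it is commented out, not set, or set to a different value'` would match what the check does.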
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
new file mode 100644
index 0000000000..bcf051fd97
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'SSH client RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ ssh_client_default: "default"
+ default: "512M"
+ "512M": "512M"
+ "1G": "1G"
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
new file mode 100644
index 0000000000..31c76f9ab5
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SSH client RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ ssh_client_default: "none"
+ default: "1h"
+ "1hour": "1h"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 45d03a2c1d..e060d2fb1c 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-82880-6
CCE-82882-2
CCE-82883-0
CCE-82888-9
From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:35:24 +0200
Subject: [PATCH 02/11] add tests
---
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++++
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++++
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 3 +++
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 4 ++++
4 files changed, 15 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
new file mode 100644
index 0000000000..2ac0bbf350
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
new file mode 100644
index 0000000000..fec859fe05
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
new file mode 100644
index 0000000000..a6cd10163f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
new file mode 100644
index 0000000000..a6a2ba7adf
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:35:43 +0200
Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles
---
rhel8/profiles/ospp.profile | 5 +++++
tests/data/profile_stability/rhel8/ospp.profile | 3 +++
tests/data/profile_stability/rhel8/stig.profile | 3 +++
3 files changed, 11 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 0dca8350f9..07d32b814d 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -410,3 +410,8 @@ selections:
# Prevent Kerberos use by system daemons
- kerberos_disable_no_keytab
+
+ # set ssh client rekey limit
+ - ssh_client_rekey_limit
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 25f7922bf3..b0d7672c36 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -240,4 +240,7 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
title: Protection Profile for General Purpose Operating Systems
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 6c4270925f..330ecc7e1e 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -269,4 +269,7 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 28 May 2020 14:25:41 +0200
Subject: [PATCH 04/11] improve description of variables
---
.../crypto/var_ssh_client_rekey_limit_size.var | 10 ++++++++--
.../crypto/var_ssh_client_rekey_limit_time.var | 12 +++++++++---
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
index bcf051fd97..4e20104cba 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -2,14 +2,20 @@ documentation_complete: true
title: 'SSH client RekeyLimit - size'
-description: 'Specify the size component of the rekey limit.'
+description: |-
+ Specify the size component of the rekey limit. This limit signifies amount
+ of data. After this amount of data is transferred through the connection,
+ the session key is renegotiated. The number is followed by K, M or G for
+ kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
+ configured according to ellabsed time.
+
+interactive: true
type: string
operator: equals
options:
- ssh_client_default: "default"
default: "512M"
"512M": "512M"
"1G": "1G"
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
index 31c76f9ab5..6143a5448c 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -1,14 +1,20 @@
documentation_complete: true
-title: 'SSH client RekeyLimit - size'
+title: 'SSH client RekeyLimit - time'
-description: 'Specify the size component of the rekey limit.'
+description: |-
+ Specify the time component of the rekey limit. This limit signifies amount
+ of data. The session key is renegotiated after the defined amount of time
+ passes. The number is followed by units such as H or M for hours or minutes.
+ Note that the RekeyLimit can be also configured according to amount of
+ transfered data.
+
+interactive: true
type: string
operator: equals
options:
- ssh_client_default: "none"
default: "1h"
"1hour": "1h"
From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 28 May 2020 14:26:12 +0200
Subject: [PATCH 05/11] fix tests and ansible
---
.../crypto/ssh_client_rekey_limit/ansible/shared.yml | 2 +-
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++--
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++--
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 2 +-
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++--
5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
index 6d2bcbbd44..bb6544a0a0 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_all [0/453]
+# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
index 2ac0bbf350..22c465b08f 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -1,4 +1,4 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
+
+echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
index fec859fe05..0dc621b1da 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -1,4 +1,4 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
+
+echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
index a6cd10163f..f6abf711da 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -1,3 +1,3 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index a6a2ba7adf..e64e4191bc 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -1,4 +1,5 @@
# platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
+
+rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
+echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
From 9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 1 Jun 2020 14:29:47 +0200
Subject: [PATCH 06/11] fix test to use default value, remove rule from stig
---
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 2 +-
rhel8/profiles/stig.profile | 1 +
tests/data/profile_stability/rhel8/stig.profile | 1 -
3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index e64e4191bc..89d7069687 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -2,4 +2,4 @@
rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 2bb81cf9dc..8f12852e26 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -44,3 +44,4 @@ selections:
- package_rsyslog-gnutls_installed
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
+ - "!ssh_client_rekey_limit"
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 330ecc7e1e..9b164eb5c2 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -269,7 +269,6 @@ selections:
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
-- ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Jun 2020 12:38:19 +0200
Subject: [PATCH 07/11] rewrite oval to check for multiple locations
---
.../ssh_client_rekey_limit/oval/shared.xml | 42 ++++++++++++-------
1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
index 2412763e3f..41fa0497ae 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
@@ -1,28 +1,17 @@
-{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
-
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
<metadata>
<title>{{{ rule_title }}}</title>
{{{- oval_affected(products) }}}
- <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
+ <description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</description>
</metadata>
- <criteria comment="RekeyLimit is correctly configured for ssh client">
- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
+ <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
+ <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
+ <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_ssh_client_rekey_limit" version="1">
- <ind:object object_ref="obj_ssh_client_rekey_limit"/>
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
- <ind:filepath>{{{ filepath }}}</ind:filepath>
- <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
<local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
<concat>
<literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
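Review bot: The negated criterion at L457 relies on the main-config pattern matching every effective `RekeyLimit` directive, but OpenSSH matches configuration keywords case-insensitively while the OVAL patterns (the one kept at L473 and the literal `^[\s]*RekeyLimit.*$` in the second hunk) are case-sensitive, so a `rekeylimit` line in /etc/ssh/ssh_config overrides the drop-in yet makes the negated test pass. Prefixing the patterns with a case-insensitive flag, if the evaluator's regex dialect supports it, or spelling the keyword as `[Rr]ekey[Ll]imit` closes that gap. The negated test also rejects a `RekeyLimit` placed after the `Include` line, which ssh would ignore in favour of the included value; that is stricter than necessary but safe, and worth stating in the criterion comment at L457.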
@@ -35,5 +24,26 @@
<external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
<external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
-</def-group>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">
+ <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
+ <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
+ <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
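Review bot: The include-directory object at L493–L497 collects only lines that already match the expected value, so a different `RekeyLimit` in a file sorted before 02-rekey-limit.conf (say 01-foo.conf) is never seen by the check even though ssh takes the first value it reads; the definition passes as long as any *.conf file holds the correct line. The check/check_existence pair on L489 cannot express ordering, so detecting the override needs a second, negated test over the same filepath pattern that matches `RekeyLimit` lines whose value differs from the variables (a negative lookahead on the expected value, if the evaluator supports it). The bash and ansible remediations in the following patch do delete such stray lines, so at present the check is weaker than the fix.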
From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:24:54 +0200
Subject: [PATCH 08/11] reqrite remediations
---
.../ssh_client_rekey_limit/ansible/shared.yml | 16 ++++++++++++++++
.../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++
2 files changed, 29 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
index bb6544a0a0..36de503806 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -5,4 +5,20 @@
# disruption = low
{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}}
+
+- name: Collect all include config files for ssh client which configure RekeyLimit
+ find:
+ paths: "/etc/ssh/ssh_config.d/"
+ contains: '^[\s]*RekeyLimit.*$'
+ patterns: "*.config"
+ register: ssh_config_include_files
+
+- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^[\s]*RekeyLimit.*$'
+ state: "absent"
+ loop: "{{ ssh_config_include_files.files }}"
+
{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
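Review bot: The cleanup loop added at L517–L529 never touches any file: the `find` task searches with `patterns: "*.config"` while the include files are `*.conf` (as the OVAL filepath pattern and the bash loop use), and the registered `find` result is a list of dicts, so `path: "{{ item }}"` passes a mapping where `lineinfile` expects a path. Change L521 to `patterns: "*.conf"` and L526 to `path: "{{ item.path }}"`. Since the loop may strip the directive from 02-rekey-limit.conf itself, the final task at L531 is what puts it back; a comment above the loop saying so would make the three-step order readable.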
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
index 43d0971ffc..99f6f63c92 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
@@ -5,4 +5,17 @@
{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+main_config="/etc/ssh/ssh_config"
+include_directory="/etc/ssh/ssh_config.d"
+
+if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
+ sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
+fi
+
+for file in "$include_directory"/*.conf; do
+ if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
+ sed -i '/^[\s]*RekeyLimit.*/d' "$file"
+ fi
+done
+
{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:25:14 +0200
Subject: [PATCH 09/11] add more tests
---
.../tests/bad_main_config_good_include_config.fail.sh | 4 ++++
.../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh | 4 ++++
.../tests/ok_different_config_file.pass.sh | 3 +++
3 files changed, 11 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
new file mode 100644
index 0000000000..90314712af
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/basdh
+
+echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
new file mode 100644
index 0000000000..9ba20b0290
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -rf /etc/ssh/ssh_config.d/*
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
new file mode 100644
index 0000000000..f725f6936f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf
From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:25:29 +0200
Subject: [PATCH 10/11] extend description and ocil
---
.../crypto/ssh_client_rekey_limit/rule.yml | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index a1b85b0ee5..76f5f84090 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -10,6 +10,12 @@ description: |-
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
<tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
+ Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
+ the <tt>include</tt> directive in the main config file
+ <tt>/etc/ssh/ssh_config</tt>. Check also other files in
+ <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
+ their names. Make sure that there is no file processed before
+ <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
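Review bot: The added paragraph tells the reader to look for earlier `RekeyLimit` entries but not why they matter; ssh_config(5) uses the first obtained value for each parameter, so an entry that precedes the `Include` line or sits in an earlier file silently overrides the one in `02-rekey-limit.conf`. A sentence such as `The ssh client uses the first value it reads for each option, so any earlier <tt>RekeyLimit</tt> takes precedence over this file.` would make the ordering requirement understandable. `<tt>include</tt>` should also be spelled `<tt>Include</tt>` to match the keyword as documented in ssh_config(5). The description block starts before this hunk.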
@@ -27,8 +33,11 @@ references:
ocil_clause: 'it is commented out or is not set'
ocil: |-
- To check if RekeyLimit is set correctly, run the
- following command:
- <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf</pre>
- If configured properly, output should be
- <pre>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre>
+ To check if RekeyLimit is set correctly, run the following command: <pre>$
+ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre> If configured
+ properly, output should be <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:
+ RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
+ sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the
+ main configuration file with the following command: <pre>sudo grep
+ RekeyLimit /etc/ssh/ssh_config</pre> The command should not return any
+ output.
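Review bot: The `<pre>` blocks are now wrapped across source lines inside a `|-` literal block scalar, so the line breaks are preserved in the value and end up inside `<pre>`; the rendered guide will show `$` and `sudo grep ...` on separate lines, and the expected output line split after `{{{`. Keep each `<pre>...</pre>` on a single source line as the removed version did, and wrap only the prose around them. The main-config command `sudo grep RekeyLimit /etc/ssh/ssh_config` would also report a commented-out example line if one is present, contradicting "should not return any output"; `sudo grep '^\s*RekeyLimit' /etc/ssh/ssh_config` matches only active directives. The `ocil_clause` above ('it is commented out or is not set') no longer describes the second failure mode, an earlier entry in the main config, and should mention it.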
From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Jun 2020 11:44:44 +0200
Subject: [PATCH 11/11] fix typos and wording
---
.../integrity/crypto/ssh_client_rekey_limit/rule.yml | 5 +++--
.../tests/bad_main_config_good_include_config.fail.sh | 2 +-
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 1 +
.../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +-
.../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++-----
8 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index 76f5f84090..b054d9d221 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -14,8 +14,9 @@ description: |-
the <tt>include</tt> directive in the main config file
<tt>/etc/ssh/ssh_config</tt>. Check also other files in
<tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
- their names. Make sure that there is no file processed before
- <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
+ lexicographical order of file names. Make sure that there is no file
+ processed before <tt>02-rekey-limit.conf</tt> containing definition of
+ <tt>RekeyLimit</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
index 90314712af..58befb0107 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
@@ -1,4 +1,4 @@
-#!/bin/basdh
+#!/bin/bash
echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
index 22c465b08f..1803c26629 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
index 0dc621b1da..2c9e839255 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
index f6abf711da..7de108eafd 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index 89d7069687..4c047ed179 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
index 4e20104cba..c8dd8ef10e 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -7,7 +7,7 @@ description: |-
of data. After this amount of data is transferred through the connection,
the session key is renegotiated. The number is followed by K, M or G for
kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
- configured according to ellabsed time.
+ configured according to elapsed time.
interactive: true
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
index 6143a5448c..6223e8e38f 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -3,11 +3,10 @@ documentation_complete: true
title: 'SSH client RekeyLimit - time'
description: |-
- Specify the time component of the rekey limit. This limit signifies amount
- of data. The session key is renegotiated after the defined amount of time
- passes. The number is followed by units such as H or M for hours or minutes.
- Note that the RekeyLimit can be also configured according to amount of
- transfered data.
+ Specify the time component of the rekey limit. The session key is
+ renegotiated after the defined amount of time passes. The number is followed
+ by units such as H or M for hours or minutes. Note that the RekeyLimit can
+ be also configured according to amount of transfered data.
interactive: true
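Review bot: The rewritten description still carries the typo `transfered` on the last added line, which a commit titled "fix typos and wording" should catch; the line should read `be also configured according to the amount of transferred data.`. The corresponding size variable's description in the hunk above uses the phrase "elapsed time", so aligning this one to "the amount of transferred data" keeps the two variables' wording parallel.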