From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 19 May 2020 15:49:34 +0200
Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized.
Introduce the rekey_limit_size and rekey_limit_time XCCDF values
to make the rule more flexible.
---
.../sshd_rekey_limit/bash/shared.sh | 9 ++++
.../sshd_rekey_limit/oval/shared.xml | 43 +++++++++++++++++++
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 12 +-----
.../sshd_rekey_limit/tests/bad_size.fail.sh | 4 ++
.../sshd_rekey_limit/tests/bad_time.fail.sh | 4 ++
.../sshd_rekey_limit/tests/no_line.fail.sh | 3 ++
.../sshd_rekey_limit/tests/ok.pass.sh | 4 ++
.../ssh/ssh_server/var_rekey_limit_size.var | 14 ++++++
.../ssh/ssh_server/var_rekey_limit_time.var | 14 ++++++
rhel8/profiles/ospp.profile | 2 +
10 files changed, 99 insertions(+), 10 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
new file mode 100644
index 0000000000..2620c2d49e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+populate var_rekey_limit_size
+populate var_rekey_limit_time
+
+{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
new file mode 100644
index 0000000000..57aa090948
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -0,0 +1,43 @@
+{{% set filepath = "/etc/ssh/sshd_config" %}}
+{{% set parameter = "RekeyLimit" %}}
+
+
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ <metadata>
+ <title>{{{ rule_title }}}</title>
+ {{{- oval_affected(products) }}}
+ <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
+ </metadata>
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+ {{{- application_not_required_or_requirement_unset() }}}
+ {{{- application_required_or_requirement_unset() }}}
+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
+ <ind:object object_ref="obj_sshd_rekey_limit"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
+ <ind:filepath>{{{ filepath }}}</ind:filepath>
+ <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
+ <concat>
+ <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
+ <variable_component var_ref="var_rekey_limit_size"/>
+ <literal_component>[\s]+</literal_component>
+ <variable_component var_ref="var_rekey_limit_time"/>
+ <literal_component>[\s]*$</literal_component>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
+ <external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
+</def-group>
+
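Review bot: The object using `var_ref="sshd_line_regex"` with `instance` "greater than or equal" 1 only requires that some line matching the expected `RekeyLimit <size> <time>` exists, so a file that also carries an earlier, different `RekeyLimit` line still passes, although sshd_config(5) documents that the first value obtained for a keyword is the one that takes effect. A check that reflects the effective setting would capture the first `RekeyLimit` line (pattern `^[\s]*RekeyLimit[\s]+(.*)$` with `instance` equal to 1) and compare its subexpression against a state built from the two external variables, instead of searching for the desired line anywhere in the file. sshd keywords are also case-insensitive, so the literal `RekeyLimit` in the pattern reports a false fail on a valid lower-case spelling; prefixing the first literal component with `(?i)` covers that. Finally, the variable values are spliced into the regex unescaped, which is harmless for the shipped options (`512M`, `1h`) but deserves a comment on `sshd_line_regex` so a future option containing regex metacharacters is not added blindly.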
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
index e11678faa0..4936a381f5 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
@@ -7,7 +7,7 @@ description: |-
the session key of the is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
- <tt>RekeyLimit 512M 1h</tt> to file <tt>/etc/ssh/sshd_config</tt>.
+ <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
@@ -30,12 +30,4 @@ ocil: |-
following command:
<pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
If configured properly, output should be
- <pre>RekeyLimit 512M 1h</pre>
-
-template:
- name: sshd_lineinfile
- vars:
- missing_parameter_pass: 'false'
- parameter: RekeyLimit
- rule_id: sshd_rekey_limit
- value: 512M 1h
+ <pre>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</pre>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
new file mode 100644
index 0000000000..2ac0bbf350
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
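Review bot: `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` has no `-i`, so it only prints the filtered file to stdout and leaves /etc/ssh/sshd_config unchanged; any pre-existing `RekeyLimit` line survives. In bad_size.fail.sh and bad_time.fail.sh a pre-existing compliant line would then make the rule pass and the scenario would not fail as its name requires, and no_line.fail.sh would not remove the line at all. Use `sed -i '/RekeyLimit/d' /etc/ssh/sshd_config` here and in bad_time.fail.sh, no_line.fail.sh and ok.pass.sh.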
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
new file mode 100644
index 0000000000..fec859fe05
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
new file mode 100644
index 0000000000..a6cd10163f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
new file mode 100644
index 0000000000..a6a2ba7adf
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
new file mode 100644
index 0000000000..16dc376508
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SSH RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ sshd_default: "default"
+ default: "512M"
+ "512M": "512M"
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
new file mode 100644
index 0000000000..8801fbbf6f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SSH RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ sshd_default: "none"
+ default: "1h"
+ "1hour": "1h"
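Review bot: The `title` and `description` of var_rekey_limit_time.var are copied from the size variable (`'SSH RekeyLimit - size'`, `'Specify the size component of the rekey limit.'`) although this file defines the time component. They should read `title: 'SSH RekeyLimit - time'` and `description: 'Specify the time component of the rekey limit.'`; otherwise the generated guide and any tailoring UI present two variables under the same name.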
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index c672066050..a5223a187f 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -58,6 +58,8 @@ selections:
- sshd_set_keepalive
- sshd_enable_warning_banner
- sshd_rekey_limit
+ - var_rekey_limit_size=512M
+ - var_rekey_limit_time=1hour
- sshd_use_strong_rng
- openssl_use_strong_entropy
From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 19 May 2020 17:57:12 +0200
Subject: [PATCH 2/5] Updated stable profile definitions.
---
tests/data/profile_stability/rhel8/ospp.profile | 2 ++
tests/data/profile_stability/rhel8/stig.profile | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 23039c82b4..bdda39a903 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -214,6 +214,8 @@ selections:
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
- var_sshd_set_keepalive=0
+- var_rekey_limit_size=512M
+- var_rekey_limit_time=1hour
- var_accounts_user_umask=027
- var_password_pam_difok=4
- var_password_pam_maxrepeat=3
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index cd31b73700..ebef541921 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the
- Red Hat Containers with a Red Hat Enterprise Linux 8 image'
documentation_complete: true
-extends: ospp
selections:
- account_disable_post_pw_expiration
- account_temp_expire_date
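Review bot: The removal of `extends: ospp` in this hunk is not covered by the commit message, which only speaks of updating the stable profile definitions for the new variables. If the generated STIG profile genuinely stopped extending OSPP, a sentence in the message (or a separate commit) would make that visible to whoever reads profile-stability diffs; if it did not, this fixture change would hide a regression in the build output rather than catch it.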
@@ -243,6 +242,8 @@ selections:
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
- var_sshd_set_keepalive=0
+- var_rekey_limit_size=512M
+- var_rekey_limit_time=1hour
- var_accounts_user_umask=027
- var_password_pam_difok=4
- var_password_pam_maxrepeat=3
From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:43:36 +0200
Subject: [PATCH 3/5] Improved how variables are handled in remediations.
---
shared/macros-ansible.jinja | 14 ++++++++++++++
shared/macros-bash.jinja | 15 +++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 56a3f5f3ec..6798a25d1f 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -1,3 +1,17 @@
+{{#
+Pass strings that correspond to XCCDF value names as arguments to this macro:
+ansible_instantiate_variables("varname1", "varname2")
+
+Then, assume that the task that follows can work with the variable by referencing it, e.g.
+value: "Setting={{ varname1 }}"
+
+#}}
+{{%- macro ansible_instantiate_variables() -%}}
+{{%- for name in varargs -%}}
+- (xccdf-var {{{ name }}})
+{{% endfor -%}}
+{{%- endmacro -%}}
+
{{#
A wrapper over the Ansible lineinfile module. This handles the most common
options for us. regex is optional and when blank, it won't be included in
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 01b9e62e7b..3a94fe5dd8 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -1,5 +1,20 @@
{{# ##### High level macros ##### #}}
+{{#
+Pass strings that correspond to XCCDF value names as arguments to this macro:
+bash_instantiate_variables("varname1", "varname2")
+
+Then, assume that variables of that names are defined and contain the correct value, e.g.
+echo "Setting=$varname1" >> config_file
+
+#}}
+{{%- macro bash_instantiate_variables() -%}}
+{{%- for name in varargs -%}}
+populate {{{ name }}}
+{{# this line is intentionally left blank #}}
+{{% endfor -%}}
+{{%- endmacro -%}}
+
{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
{{% if no_quotes -%}}
{{% if "$" in value %}}
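Review bot: The new `bash_instantiate_variables` macro emits `populate {{{ name }}}` for each argument, but its header comment does not say that `populate` comes from the remediation functions library that the calling remediation must source first (as `bash/shared.sh` does with `. /usr/share/scap-security-guide/remediation_functions`). A line in the comment such as `The calling remediation must source /usr/share/scap-security-guide/remediation_functions, which defines populate.` would spare the next author a confusing "command not found". The `{{# this line is intentionally left blank #}}` marker also deserves a word on why it is there (presumably to keep a newline after each `populate` despite the whitespace-stripping tags), since as written it reads like a leftover.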
From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:44:08 +0200
Subject: [PATCH 4/5] Fixed Bash and Ansible remediations.
---
.../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml | 8 ++++++++
.../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh | 3 +--
2 files changed, 9 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
new file mode 100644
index 0000000000..43a2d4521f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all [0/453]
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
+
+{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}}
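Review bot: The platform header on the first line of the new file carries a trailing `[0/453]`, which looks like a pasted terminal artifact and is not part of the `# platform =` header syntax used by the other new files in this series; it should read `# platform = multi_platform_all`. The Jinja spacing in the value argument on the last line is also inconsistent (`{{ var_rekey_limit_size}} {{var_rekey_limit_time}}`); `{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}` matches the usual style.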
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
index 2620c2d49e..0277f31392 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
@@ -3,7 +3,6 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_rekey_limit_size
-populate var_rekey_limit_time
+{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:49:04 +0200
Subject: [PATCH 5/5] Improved the OVAL according to the review feedback.
---
.../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
index 57aa090948..47796e5332 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -1,5 +1,4 @@
-{{% set filepath = "/etc/ssh/sshd_config" %}}
-{{% set parameter = "RekeyLimit" %}}
+{{% set filepath = "/etc/ssh/sshd_config" -%}}
<def-group>
@@ -7,7 +6,7 @@
<metadata>
<title>{{{ rule_title }}}</title>
{{{- oval_affected(products) }}}
- <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
+ <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
</metadata>
<criteria comment="sshd is configured correctly or is not installed" operator="OR">
{{{- application_not_required_or_requirement_unset() }}}