From 1d9a85c7b4e2f168d48884db10c7c71a534588d2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 14 Apr 2020 16:38:09 +0200
Subject: [PATCH 1/2] sshd_allow_only_protocol2 revert from template to
individual check and remediations
---
.../ansible/shared.yml | 6 +++
.../sshd_allow_only_protocol2/bash/shared.sh | 6 +++
.../sshd_allow_only_protocol2/oval/shared.xml | 45 +++++++++++++++++++
.../sshd_allow_only_protocol2/rule.yml | 8 ----
4 files changed, 57 insertions(+), 8 deletions(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml
new file mode 100644
index 0000000000..39102e5d78
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_sshd_set(parameter="Protocol", value="2") }}}
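Review bot: The platform header on the first line lists multi_platform_fedora, but the bash remediation added by the same patch (`# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv`) does not, so the two remediation forms for one rule cover different products. Given the OVAL in this patch passes unconditionally on OpenSSH 7.4 and later, and Fedora has shipped newer than that for years, the Ansible task would only ever touch an already-compliant host there; unless Fedora is deliberately Ansible-only, either drop `multi_platform_fedora` here or add it to the bash header so the two stay symmetric. It is also worth a one-line comment noting that `Protocol` is a deprecated, ignored keyword on 7.4+ (the rule.yml warning already says this), so readers do not expect the task to change sshd behaviour on current releases.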
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
new file mode 100644
index 0000000000..590e96d150
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+replace_or_append '/etc/ssh/sshd_config' '^Protocol' '2' '@CCENUM@' '%s %s'
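Review bot: The key passed to replace_or_append on the last line, `'^Protocol'`, is anchored at column 0 and case-sensitive, whereas the OVAL check in this same patch accepts leading whitespace and any case (`^[\s]*(?i)Protocol`). If replace_or_append matches the key literally (its implementation is not in this patch, so this is inferred), an existing `  protocol 1,2` or `protocol 1` line would survive and a fresh `Protocol 2` line be appended after it; sshd uses the first occurrence of a keyword, so the appended line would be ineffective, while the OVAL would still pass on it. Unless the helper already normalises case and whitespace, widen the key to something like `'^[[:space:]]*[Pp]rotocol'`, and confirm the helper replaces every match rather than only the first.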
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
new file mode 100644
index 0000000000..948c40561c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
@@ -0,0 +1,45 @@
+<def-group>
+ <definition class="compliance" id="sshd_allow_only_protocol2" version="1">
+ <metadata>
+ <title>Ensure Only Protocol 2 Connections Allowed</title>
+ <affected family="unix">
+ <platform>multi_platform_wrlinux</platform>
+ <platform>multi_platform_rhel</platform>
+ <platform>multi_platform_rhv</platform>
+ <platform>multi_platform_debian</platform>
+ <platform>multi_platform_ubuntu</platform>
+ <platform>multi_platform_ol</platform>
+ </affected>
+ <description>The OpenSSH daemon should be running protocol 2.</description>
+ </metadata>
+ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+ <criteria comment="sshd is not installed" operator="AND">
+ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server removed"
+ definition_ref="package_openssh-server_removed" />
+ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+ <extend_definition comment="rpm package openssh-server installed"
+ definition_ref="package_openssh-server_installed" />
+ <criteria comment="SSH version is equal or higher than 7.4 or it is configured with protocol 2" operator="OR">
+ <extend_definition comment="OpenSSH version 7.4 or higher supports only protocol 2" definition_ref="sshd_version_equal_or_higher_than_74" />
+ <criterion comment="Check Protocol in /etc/ssh/sshd_config"
+ test_ref="test_sshd_allow_only_protocol2" />
+ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="sshd uses protocol 2" id="test_sshd_allow_only_protocol2" version="1">
+ <ind:object object_ref="object_sshd_allow_only_protocol2" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sshd_allow_only_protocol2" version="3">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
index c0cb97c9e8..2c91fd0c36 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
@@ -62,11 +62,3 @@ warnings:
As of <tt>openssh-server</tt> version <tt>7.4</tt> and above, the only protocol
supported is version 2, and line <pre>Protocol 2</pre> in
<tt>/etc/ssh/sshd_config</tt> is not necessary.
-
-template:
- name: sshd_lineinfile
- vars:
- missing_parameter_pass: 'false'
- parameter: Protocol
- rule_id: sshd_allow_only_protocol2
- value: '2'
From 4993ccd288caa17aad8888b065cfbff605ff1c24 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 15 Apr 2020 09:56:35 +0200
Subject: [PATCH 2/2] add oval_affected jinja macro
---
.../ssh_server/sshd_allow_only_protocol2/oval/shared.xml | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
index 948c40561c..e1a4ee4448 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
@@ -2,14 +2,7 @@
<definition class="compliance" id="sshd_allow_only_protocol2" version="1">
<metadata>
<title>Ensure Only Protocol 2 Connections Allowed</title>
- <affected family="unix">
- <platform>multi_platform_wrlinux</platform>
- <platform>multi_platform_rhel</platform>
- <platform>multi_platform_rhv</platform>
- <platform>multi_platform_debian</platform>
- <platform>multi_platform_ubuntu</platform>
- <platform>multi_platform_ol</platform>
- </affected>
+ {{{- oval_affected(products) }}}
<description>The OpenSSH daemon should be running protocol 2.</description>
</metadata>
<criteria comment="SSH is configured correctly or is not installed"
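Review bot: Replacing the hand-written affected list with `{{{- oval_affected(products) }}}` means the platform set is now whatever the build's products resolve to, which can differ from the list being removed (that list named wrlinux, debian and ubuntu, which neither the bash nor the Ansible remediation in patch 1 claims). The definition still extends `package_openssh-server_installed` and `sshd_version_equal_or_higher_than_74`, which live outside this patch; it is worth confirming those resolve on every product the macro can emit, since an rpm-based version probe would not be meaningful on a dpkg platform. The leading `-` in `{{{-` strips the preceding newline, so the rendered `<affected>` lands on the `<title>` line; harmless XML, but if the other OVAL files in the tree use plain `{{{` the indentation here should match. The enclosing `<criteria>` element continues past the end of this hunk.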