From 1d9a85c7b4e2f168d48884db10c7c71a534588d2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 14 Apr 2020 16:38:09 +0200
Subject: [PATCH 1/2] sshd_allow_only_protocol2 revert from template to
 individual check and remediations

---
 .../ansible/shared.yml                        |  6 +++
 .../sshd_allow_only_protocol2/bash/shared.sh  |  6 +++
 .../sshd_allow_only_protocol2/oval/shared.xml | 45 +++++++++++++++++++
 .../sshd_allow_only_protocol2/rule.yml        |  8 ----
 4 files changed, 57 insertions(+), 8 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml
new file mode 100644
index 0000000000..39102e5d78
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/ansible/shared.yml
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_sshd_set(parameter="Protocol", value="2") }}}
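Review bot: The platform list on the first line does not agree with the other two new files in this patch: this Ansible fix covers rhel, fedora, ol and rhv, the bash fix at the next hunk covers rhel, ol and rhv (no fedora), and the OVAL definition additionally lists wrlinux, debian and ubuntu, for which no remediation is provided. If the differences are deliberate (e.g. the bash helper library is not shipped on Fedora), a one-line comment next to the platform line such as `# fedora omitted: remediation_functions is not available there — confirm` would stop the next maintainer from "fixing" it; otherwise the two remediation lists should be aligned with each other and the OVAL coverage documented in rule.yml.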
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
new file mode 100644
index 0000000000..590e96d150
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+replace_or_append '/etc/ssh/sshd_config' '^Protocol' '2' '@CCENUM@' '%s %s'
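Review bot: The match pattern `^Protocol` is case-sensitive and anchored at column 0, while the OVAL pattern this remediation has to satisfy (in the oval/shared.xml hunk of this patch) accepts leading whitespace and is case-insensitive, and sshd itself treats keywords case-insensitively. Assuming replace_or_append applies the regex as given, a pre-existing indented or differently cased `protocol 1` line would not be rewritten; a `Protocol 2` line would be appended after it, the check would pass on the appended line, and sshd would still honour the earlier directive because it uses the first obtained value. Widening the pattern to what the check accepts, e.g. `replace_or_append '/etc/ssh/sshd_config' '^[[:space:]]*[Pp]rotocol' '2' '@CCENUM@' '%s %s'`, closes most of that gap, subject to how replace_or_append interprets the pattern, which is not visible here.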
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
new file mode 100644
index 0000000000..948c40561c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
@@ -0,0 +1,45 @@
+<def-group>
+  <definition class="compliance" id="sshd_allow_only_protocol2" version="1">
+    <metadata>
+      <title>Ensure Only Protocol 2 Connections Allowed</title>
+      <affected family="unix">
+        <platform>multi_platform_wrlinux</platform>
+        <platform>multi_platform_rhel</platform>
+        <platform>multi_platform_rhv</platform>
+        <platform>multi_platform_debian</platform>
+        <platform>multi_platform_ubuntu</platform>
+        <platform>multi_platform_ol</platform>
+      </affected>
+      <description>The OpenSSH daemon should be running protocol 2.</description>
+    </metadata>
+    <criteria comment="SSH is configured correctly or is not installed"
+    operator="OR">
+      <criteria comment="sshd is not installed" operator="AND">
+        <extend_definition comment="sshd is not required or requirement is unset"
+        definition_ref="sshd_not_required_or_unset" />
+        <extend_definition comment="rpm package openssh-server removed"
+        definition_ref="package_openssh-server_removed" />
+      </criteria>
+      <criteria comment="sshd is installed and configured" operator="AND">
+        <extend_definition comment="sshd is required or requirement is unset"
+        definition_ref="sshd_required_or_unset" />
+        <extend_definition comment="rpm package openssh-server installed"
+        definition_ref="package_openssh-server_installed" />
+        <criteria comment="SSH version is equal or higher than 7.4 or it is configured with protocol 2" operator="OR">
+          <extend_definition comment="OpenSSH version 7.4 or higher supports only protocol 2" definition_ref="sshd_version_equal_or_higher_than_74" />
+          <criterion comment="Check Protocol in /etc/ssh/sshd_config"
+          test_ref="test_sshd_allow_only_protocol2" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="sshd uses protocol 2" id="test_sshd_allow_only_protocol2" version="1">
+    <ind:object object_ref="object_sshd_allow_only_protocol2" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_sshd_allow_only_protocol2" version="3">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
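Review bot: The test `test_sshd_allow_only_protocol2` only proves that some `Protocol 2` line exists (`check_existence="all_exist"`, instance 1 of the pattern); it does not assert the absence of another `Protocol` directive such as `Protocol 1` or `Protocol 2,1` earlier in the file, and sshd uses the first obtained value for a keyword, so the definition can report compliant on a host that still accepts protocol 1. A second object with `check_existence="none_exist"` for any Protocol directive whose value mentions version 1, ANDed with the existing criterion inside the version-7.4 OR block, would make the pass result match what sshd actually does (the `.*1` pattern below is a constructed sketch; tighten it to the project's regex conventions). The rest of the file, including the existing test and object, stays as added.
```xml
        <criteria comment="SSH version is equal or higher than 7.4 or it is configured with protocol 2" operator="OR">
          <extend_definition comment="OpenSSH version 7.4 or higher supports only protocol 2" definition_ref="sshd_version_equal_or_higher_than_74" />
          <criteria comment="Protocol 2 is set and no directive enables protocol 1" operator="AND">
            <criterion comment="Check Protocol in /etc/ssh/sshd_config"
            test_ref="test_sshd_allow_only_protocol2" />
            <criterion comment="No Protocol directive enabling version 1 in /etc/ssh/sshd_config"
            test_ref="test_sshd_no_protocol1" />
          </criteria>
        </criteria>
  <!-- … unchanged: closing criteria/definition, existing test and object … -->
  <ind:textfilecontent54_test check="all" check_existence="none_exist"
  comment="no Protocol directive enables version 1" id="test_sshd_no_protocol1" version="1">
    <ind:object object_ref="object_sshd_no_protocol1" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="object_sshd_no_protocol1" version="1">
    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
    <ind:pattern operation="pattern match">^[\s]*(?i)Protocol[\s]+.*1</ind:pattern>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>
```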
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
index c0cb97c9e8..2c91fd0c36 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
@@ -62,11 +62,3 @@ warnings:
         As of <tt>openssh-server</tt> version <tt>7.4</tt> and above, the only protocol
         supported is version 2, and line <pre>Protocol 2</pre> in
         <tt>/etc/ssh/sshd_config</tt> is not necessary.
-
-template:
-    name: sshd_lineinfile
-    vars:
-        missing_parameter_pass: 'false'
-        parameter: Protocol
-        rule_id: sshd_allow_only_protocol2
-        value: '2'

From 4993ccd288caa17aad8888b065cfbff605ff1c24 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 15 Apr 2020 09:56:35 +0200
Subject: [PATCH 2/2] add oval_affected jinja macro

---
 .../ssh_server/sshd_allow_only_protocol2/oval/shared.xml | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
index 948c40561c..e1a4ee4448 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
@@ -2,14 +2,7 @@
   <definition class="compliance" id="sshd_allow_only_protocol2" version="1">
     <metadata>
       <title>Ensure Only Protocol 2 Connections Allowed</title>
-      <affected family="unix">
-        <platform>multi_platform_wrlinux</platform>
-        <platform>multi_platform_rhel</platform>
-        <platform>multi_platform_rhv</platform>
-        <platform>multi_platform_debian</platform>
-        <platform>multi_platform_ubuntu</platform>
-        <platform>multi_platform_ol</platform>
-      </affected>
+      {{{- oval_affected(products) }}}
       <description>The OpenSSH daemon should be running protocol 2.</description>
     </metadata>
     <criteria comment="SSH is configured correctly or is not installed"
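Review bot: The `{{{-` left-strip on the macro call at the replaced line removes the newline and indentation before it, so whatever oval_affected renders is emitted directly after `</title>` on that line instead of where the `<affected>` block used to sit; if the macro's output begins with its own newline this is intended, otherwise the plain `{{{ oval_affected(products) }}}` form keeps the file's indentation. The macro is not defined in this patch despite the subject line, so this presumably relies on an already existing shared macro — worth a word in the commit message. The explicitly listed wrlinux, debian and ubuntu platforms are also gone; whether the definition still applies to them now depends on the contents of `products`, which cannot be judged from this hunk.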