
From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 19 May 2020 15:49:34 +0200
Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized.
Introduce the var_rekey_limit_size and var_rekey_limit_time XCCDF values
to make the rule more flexible.
---
 .../sshd_rekey_limit/bash/shared.sh           |  9 ++++
 .../sshd_rekey_limit/oval/shared.xml          | 43 +++++++++++++++++++
 .../ssh/ssh_server/sshd_rekey_limit/rule.yml  | 12 +-----
 .../sshd_rekey_limit/tests/bad_size.fail.sh   |  4 ++
 .../sshd_rekey_limit/tests/bad_time.fail.sh   |  4 ++
 .../sshd_rekey_limit/tests/no_line.fail.sh    |  3 ++
 .../sshd_rekey_limit/tests/ok.pass.sh         |  4 ++
 .../ssh/ssh_server/var_rekey_limit_size.var   | 14 ++++++
 .../ssh/ssh_server/var_rekey_limit_time.var   | 14 ++++++
 rhel8/profiles/ospp.profile                   |  2 +
 10 files changed, 99 insertions(+), 10 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
 create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
540324
new file mode 100644
540324
index 0000000000..2620c2d49e
540324
--- /dev/null
540324
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
540324
@@ -0,0 +1,9 @@
540324
+# platform = multi_platform_all
540324
+
540324
+# Include source function library.
540324
+. /usr/share/scap-security-guide/remediation_functions
540324
+
540324
+populate var_rekey_limit_size
540324
+populate var_rekey_limit_time
540324
+
540324
+{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
540324
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
540324
new file mode 100644
540324
index 0000000000..57aa090948
540324
--- /dev/null
540324
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
540324
@@ -0,0 +1,43 @@
540324
+{{% set filepath = "/etc/ssh/sshd_config" %}}
540324
+{{% set parameter = "RekeyLimit" %}}
540324
+
540324
+
540324
+<def-group>
540324
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
540324
+    <metadata>
540324
+      <title>{{{ rule_title }}}</title>
540324
+      {{{- oval_affected(products) }}}
540324
+      <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
540324
+    </metadata>
540324
+    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
540324
+        {{{- application_not_required_or_requirement_unset() }}}
540324
+        {{{- application_required_or_requirement_unset() }}}
540324
+        {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
540324
+    </criteria>
540324
+    </criteria>
540324
+  </definition>
540324
+
540324
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_sshd_rekey_limit" version="1">
540324
+     <ind:object object_ref="obj_sshd_rekey_limit"/>
540324
+  </ind:textfilecontent54_test>
540324
+
540324
+  <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
540324
+     <ind:filepath>{{{ filepath }}}</ind:filepath>
540324
+     <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
540324
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
540324
+  </ind:textfilecontent54_object>
540324
+
540324
+  <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
540324
+    <concat>
540324
+      <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
540324
+      <variable_component var_ref="var_rekey_limit_size"/>
540324
+      <literal_component>[\s]+</literal_component>
540324
+      <variable_component var_ref="var_rekey_limit_time"/>
540324
+      <literal_component>[\s]*$</literal_component>
540324
+    </concat>
540324
+  </local_variable>
540324
+
540324
+  <external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
540324
+  <external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
540324
+</def-group>
540324
+
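Review bot: The `<criteria ... operator="OR">` opened before the two application_* macro calls is closed twice (`</criteria>` on two consecutive lines for a single opener), so the rendered OVAL is not well-formed unless one of those macros itself opens an element; and with the not-installed branch, the installed branch and `oval_line_in_file_criterion(filepath, "RekeyLimit")` all ORed at one level, the definition would evaluate true on any host where sshd is installed, whether or not the line is present. The usual shape is an inner `<criteria operator="AND">` holding `application_required_or_requirement_unset()` together with the line criterion, ORed with the not-installed branch. Separately, `check_existence="all_exist"` with `instance >= 1` passes when any matching line exists, while sshd honours the first `RekeyLimit` it parses, so a weaker first occurrence followed by a compliant one would pass the check without being enforced. The external variable values are also concatenated into the pattern unescaped; a tailored value containing regex metacharacters would be misread, which is worth a comment on the `sshd_line_regex` variable or a constraint on accepted values.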
540324
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
540324
index e11678faa0..4936a381f5 100644
540324
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
540324
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
540324
@@ -7,7 +7,7 @@ description: |-
540324
     the session key of the is renegotiated, both in terms of
540324
     amount of data that may be transmitted and the time
540324
     elapsed. To decrease the default limits, put line
540324
-    <tt>RekeyLimit 512M 1h</tt> to file <tt>/etc/ssh/sshd_config</tt>.
540324
+    <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
540324
 
540324
 rationale: |-
540324
     By decreasing the limit based on the amount of data and enabling
540324
@@ -30,12 +30,4 @@ ocil: |-
540324
     following command:
540324
     
$ sudo grep RekeyLimit /etc/ssh/sshd_config
540324
     If configured properly, output should be
540324
-    
RekeyLimit 512M 1h
540324
-
540324
-template:
540324
-    name: sshd_lineinfile
540324
-    vars:
540324
-        missing_parameter_pass: 'false'
540324
-        parameter: RekeyLimit
540324
-        rule_id: sshd_rekey_limit
540324
-        value: 512M 1h
540324
+    
RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}
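Review bot: The OCIL command `$ sudo grep RekeyLimit /etc/ssh/sshd_config` also prints commented-out lines (the stock sshd_config typically ships a commented `#RekeyLimit default none`) and misses the keyword when written in a different case, which sshd accepts, so an auditor can read a match that sshd never applies. Suggest `$ sudo grep -i '^\s*RekeyLimit' /etc/ssh/sshd_config`. The expected-output sentence should also say that if several uncommented lines are present, the first one is the one sshd enforces.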
540324
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
540324
new file mode 100644
540324
index 0000000000..2ac0bbf350
540324
--- /dev/null
540324
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
540324
@@ -0,0 +1,4 @@
540324
+# platform = multi_platform_all
540324
+
540324
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
540324
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
540324
new file mode 100644
540324
index 0000000000..fec859fe05
540324
--- /dev/null
540324
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
540324
@@ -0,0 +1,4 @@
540324
+# platform = multi_platform_all
540324
+
540324
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
540324
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
540324
new file mode 100644
540324
index 0000000000..a6cd10163f
540324
--- /dev/null
540324
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
540324
@@ -0,0 +1,3 @@
540324
+# platform = multi_platform_all
540324
+
540324
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
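Review bot: This script is meant to produce a config with no `RekeyLimit` line, but `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` without `-i` prints to stdout and never changes the file, so the "no line" state is not actually created and the test only passes by accident on a machine that had no such line to begin with. Use `sed -i '/RekeyLimit/d' /etc/ssh/sshd_config`.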
540324
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
540324
new file mode 100644
540324
index 0000000000..a6a2ba7adf
540324
--- /dev/null
540324
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
540324
@@ -0,0 +1,4 @@
540324
+# platform = multi_platform_all
540324
+
540324
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
540324
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
540324
new file mode 100644
540324
index 0000000000..16dc376508
540324
--- /dev/null
540324
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
540324
@@ -0,0 +1,14 @@
540324
+documentation_complete: true
540324
+
540324
+title: 'SSH RekeyLimit - size'
540324
+
540324
+description: 'Specify the size component of the rekey limit.'
540324
+
540324
+type: string
540324
+
540324
+operator: equals
540324
+
540324
+options:
540324
+    sshd_default: "default"
540324
+    default: "512M"
540324
+    "512M": "512M"
540324
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
540324
new file mode 100644
540324
index 0000000000..8801fbbf6f
540324
--- /dev/null
540324
+++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var
540324
@@ -0,0 +1,14 @@
540324
+documentation_complete: true
540324
+
540324
+title: 'SSH RekeyLimit - size'
540324
+
540324
+description: 'Specify the size component of the rekey limit.'
540324
+
540324
+type: string
540324
+
540324
+operator: equals
540324
+
540324
+options:
540324
+    sshd_default: "none"
540324
+    default: "1h"
540324
+    "1hour": "1h"
540324
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
540324
index c672066050..a5223a187f 100644
540324
--- a/rhel8/profiles/ospp.profile
540324
+++ b/rhel8/profiles/ospp.profile
540324
@@ -58,6 +58,8 @@ selections:
540324
     - sshd_set_keepalive
540324
     - sshd_enable_warning_banner
540324
     - sshd_rekey_limit
540324
+    - var_rekey_limit_size=512M
540324
+    - var_rekey_limit_time=1hour
540324
     - sshd_use_strong_rng
540324
     - openssl_use_strong_entropy
540324
 
From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 19 May 2020 17:57:12 +0200
Subject: [PATCH 2/5] Updated stable profile definitions.
---
 tests/data/profile_stability/rhel8/ospp.profile | 2 ++
 tests/data/profile_stability/rhel8/stig.profile | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
540324
index 23039c82b4..bdda39a903 100644
540324
--- a/tests/data/profile_stability/rhel8/ospp.profile
540324
+++ b/tests/data/profile_stability/rhel8/ospp.profile
540324
@@ -214,6 +214,8 @@ selections:
540324
 - timer_dnf-automatic_enabled
540324
 - usbguard_allow_hid_and_hub
540324
 - var_sshd_set_keepalive=0
540324
+- var_rekey_limit_size=512M
540324
+- var_rekey_limit_time=1hour
540324
 - var_accounts_user_umask=027
540324
 - var_password_pam_difok=4
540324
 - var_password_pam_maxrepeat=3
540324
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
540324
index cd31b73700..ebef541921 100644
540324
--- a/tests/data/profile_stability/rhel8/stig.profile
540324
+++ b/tests/data/profile_stability/rhel8/stig.profile
540324
@@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the
540324
 
540324
     - Red Hat Containers with a Red Hat Enterprise Linux 8 image'
540324
 documentation_complete: true
540324
-extends: ospp
540324
 selections:
540324
 - account_disable_post_pw_expiration
540324
 - account_temp_expire_date
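Review bot: This hunk removes `extends: ospp` from the STIG profile stability snapshot, which changes what the STIG profile is expected to inherit, while the commit message only speaks of updating the definitions for the two new variables. If this snapshot is compared against the built profile, dropping the line asserts that the built STIG profile no longer extends OSPP — worth confirming that is intentional and stating it in the message; if the snapshot is simply being regenerated from a changed source profile, saying so avoids the question.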
540324
@@ -243,6 +242,8 @@ selections:
540324
 - timer_dnf-automatic_enabled
540324
 - usbguard_allow_hid_and_hub
540324
 - var_sshd_set_keepalive=0
540324
+- var_rekey_limit_size=512M
540324
+- var_rekey_limit_time=1hour
540324
 - var_accounts_user_umask=027
540324
 - var_password_pam_difok=4
540324
 - var_password_pam_maxrepeat=3
From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:43:36 +0200
Subject: [PATCH 3/5] Improved how variables are handled in remediations.
---
 shared/macros-ansible.jinja | 14 ++++++++++++++
 shared/macros-bash.jinja    | 15 +++++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
540324
index 56a3f5f3ec..6798a25d1f 100644
540324
--- a/shared/macros-ansible.jinja
540324
+++ b/shared/macros-ansible.jinja
540324
@@ -1,3 +1,17 @@
540324
+{{#
540324
+Pass strings that correspond to XCCDF value names as arguments to this macro:
540324
+ansible_instantiate_variables("varname1", "varname2")
540324
+
540324
+Then, assume that the task that follows can work with the variable by referencing it, e.g.
540324
+value: "Setting={{ varname1 }}"
540324
+
540324
+#}}
540324
+{{%- macro ansible_instantiate_variables() -%}}
540324
+{{%- for name in varargs -%}}
540324
+- (xccdf-var {{{ name }}})
540324
+{{% endfor -%}}
540324
+{{%- endmacro -%}}
540324
+
540324
 {{#
540324
   A wrapper over the Ansible lineinfile module. This handles the most common
540324
   options for us. regex is optional and when blank, it won't be included in
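Review bot: The new macro comment tells callers to assume the variable is usable in the next task but does not explain what the emitted `- (xccdf-var {{{ name }}})` item is — presumably a placeholder the build later expands into the task that defines the variable — nor that arguments must be XCCDF value ids rather than arbitrary strings. Suggest adding to the comment: `Each argument is emitted as an (xccdf-var NAME) placeholder that the build replaces with the task defining NAME; pass only existing XCCDF value ids, as no validation happens here.` A call with no arguments silently emits nothing, which is acceptable but worth one sentence.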
540324
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
540324
index 01b9e62e7b..3a94fe5dd8 100644
540324
--- a/shared/macros-bash.jinja
540324
+++ b/shared/macros-bash.jinja
540324
@@ -1,5 +1,20 @@
540324
 {{# ##### High level macros ##### #}}
540324
 
540324
+{{#
540324
+Pass strings that correspond to XCCDF value names as arguments to this macro:
540324
+bash_instantiate_variables("varname1", "varname2")
540324
+
540324
+Then, assume that variables of that names are defined and contain the correct value, e.g.
540324
+echo "Setting=$varname1" >> config_file
540324
+
540324
+#}}
540324
+{{%- macro bash_instantiate_variables() -%}}
540324
+{{%- for name in varargs -%}}
540324
+populate {{{ name }}}
540324
+{{# this line is intentionally left blank #}}
540324
+{{% endfor -%}}
540324
+{{%- endmacro -%}}
540324
+
540324
 {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
540324
 {{% if no_quotes -%}}
540324
   {{% if "$" in value %}}
From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:44:08 +0200
Subject: [PATCH 4/5] Fixed Bash and Ansible remediations.
---
 .../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml    | 8 ++++++++
 .../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh        | 3 +--
 2 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
540324
new file mode 100644
540324
index 0000000000..43a2d4521f
540324
--- /dev/null
540324
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
540324
@@ -0,0 +1,8 @@
540324
+# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]
540324
+# reboot = false
540324
+# strategy = configure
540324
+# complexity = low
540324
+# disruption = low
540324
+{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
540324
+
540324
+{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}}
540324
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
540324
index 2620c2d49e..0277f31392 100644
540324
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
540324
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
540324
@@ -3,7 +3,6 @@
540324
 # Include source function library.
540324
 . /usr/share/scap-security-guide/remediation_functions
540324
 
540324
-populate var_rekey_limit_size
540324
-populate var_rekey_limit_time
540324
+{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
540324
 
540324
 {{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
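Review bot: The remediation writes `RekeyLimit $var_rekey_limit_size $var_rekey_limit_time` without checking that both variables are non-empty; `populate` presumably defines each shell variable from the XCCDF value, so a tailoring that leaves one unset would yield a one-token line such as `RekeyLimit 1h`, which sshd would likely reject at config parse time and then refuse to start, cutting off remote administration. Add a guard before the set call, e.g. `if [ -z "$var_rekey_limit_size" ] || [ -z "$var_rekey_limit_time" ]; then echo "sshd_rekey_limit: both size and time values are required" >&2; exit 1; fi`. A comment noting that `bash_sshd_config_set` is expected to replace any existing `RekeyLimit` line (rather than append a second one) would also help, since sshd honours the first occurrence.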
From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 22 May 2020 11:49:04 +0200
Subject: [PATCH 5/5] Improved the OVAL according to the review feedback.
---
 .../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
540324
index 57aa090948..47796e5332 100644
540324
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
540324
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
540324
@@ -1,5 +1,4 @@
540324
-{{% set filepath = "/etc/ssh/sshd_config" %}}
540324
-{{% set parameter = "RekeyLimit" %}}
540324
+{{% set filepath = "/etc/ssh/sshd_config" -%}}
540324
 
540324
 
540324
 <def-group>
540324
@@ -7,7 +6,7 @@
540324
     <metadata>
540324
       <title>{{{ rule_title }}}</title>
540324
       {{{- oval_affected(products) }}}
540324
-      <description>Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}'</description>
540324
+      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
540324
     </metadata>
540324
     <criteria comment="sshd is configured correctly or is not installed" operator="OR">
540324
         {{{- application_not_required_or_requirement_unset() }}}