From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 27 May 2020 14:34:50 +0200

Subject: [PATCH 01/11] add rule, variables, check, remediations

---

 .../ssh_client_rekey_limit/ansible/shared.yml |  8 ++++

 .../ssh_client_rekey_limit/bash/shared.sh     |  8 ++++

 .../ssh_client_rekey_limit/oval/shared.xml    | 39 +++++++++++++++++++

 .../crypto/ssh_client_rekey_limit/rule.yml    | 34 ++++++++++++++++

 .../var_ssh_client_rekey_limit_size.var       | 15 +++++++

 .../var_ssh_client_rekey_limit_time.var       | 14 +++++++

 shared/references/cce-redhat-avail.txt        |  1 -

 7 files changed, 118 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var

 create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml

new file mode 100644

index 0000000000..6d2bcbbd44

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml

@@ -0,0 +1,8 @@

+# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]

+# reboot = false

+# strategy = configure

+# complexity = low

+# disruption = low

+{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}

+

+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh

new file mode 100644

index 0000000000..43d0971ffc

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh

@@ -0,0 +1,8 @@

+# platform = multi_platform_all

+

+# Include source function library.

+. /usr/share/scap-security-guide/remediation_functions

+

+{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}

+

+{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml

new file mode 100644

index 0000000000..2412763e3f

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml

@@ -0,0 +1,39 @@

+{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}

+

+

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+    <metadata>

+      <title>{{{ rule_title }}}</title>

+      {{{- oval_affected(products) }}}

+      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>

+    </metadata>

+    <criteria comment="RekeyLimit is correctly configured for ssh client">

+      {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}

+    </criteria>

+  </definition>

+

+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_ssh_client_rekey_limit" version="1">

+     <ind:object object_ref="obj_ssh_client_rekey_limit"/>

+  </ind:textfilecontent54_test>

+

+  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">

+     <ind:filepath>{{{ filepath }}}</ind:filepath>

+     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>

+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">

+    <concat>

+      <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>

+      <variable_component var_ref="var_ssh_client_rekey_limit_size"/>

+      <literal_component>[\s]+</literal_component>

+      <variable_component var_ref="var_ssh_client_rekey_limit_time"/>

+      <literal_component>[\s]*$</literal_component>

+    </concat>

+  </local_variable>

+

+  <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />

+  <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />

+</def-group>

+

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml

new file mode 100644

index 0000000000..a1b85b0ee5

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml

@@ -0,0 +1,34 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure session renegotiation for SSH client'

+

+description: |-

+    The <tt>RekeyLimit</tt> parameter specifies how often

+    the session key is renegotiated, both in terms of

+    amount of data that may be transmitted and the time

+    elapsed. To decrease the default limits, put line

+    <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.

+

+rationale: |-

+    By decreasing the limit based on the amount of data and enabling

+    time-based limit, effects of potential attacks against

+    encryption keys are limited.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82880-6

+

+references:

+    ospp: FCS_SSHS_EXT.1

+

+ocil_clause: 'it is commented out or is not set'

+

+ocil: |-

+    To check if RekeyLimit is set correctly, run the

+    following command:

+    
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf

+    If configured properly, output should be

+    
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}

diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var

new file mode 100644

index 0000000000..bcf051fd97

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var

@@ -0,0 +1,15 @@

+documentation_complete: true

+

+title: 'SSH client RekeyLimit - size'

+

+description: 'Specify the size component of the rekey limit.'

+

+type: string

+

+operator: equals

+

+options:

+    ssh_client_default: "default"

+    default: "512M"

+    "512M": "512M"

+    "1G": "1G"

diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var

new file mode 100644

index 0000000000..31c76f9ab5

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var

@@ -0,0 +1,14 @@

+documentation_complete: true

+

+title: 'SSH client RekeyLimit - size'

+

+description: 'Specify the size component of the rekey limit.'

+

+type: string

+

+operator: equals

+

+options:

+    ssh_client_default: "none"

+    default: "1h"

+    "1hour": "1h"

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 45d03a2c1d..e060d2fb1c 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -1,4 +1,3 @@

-CCE-82880-6

 CCE-82882-2

 CCE-82883-0

 CCE-82888-9

From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 27 May 2020 14:35:24 +0200

Subject: [PATCH 02/11] add tests

---

 .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh      | 4 ++++

 .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh      | 4 ++++

 .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh       | 3 +++

 .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh  | 4 ++++

 4 files changed, 15 insertions(+)

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh

new file mode 100644

index 0000000000..2ac0bbf350

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh

@@ -0,0 +1,4 @@

+# platform = multi_platform_all

+

+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config

+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh

new file mode 100644

index 0000000000..fec859fe05

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh

@@ -0,0 +1,4 @@

+# platform = multi_platform_all

+

+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config

+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh

new file mode 100644

index 0000000000..a6cd10163f

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh

@@ -0,0 +1,3 @@

+# platform = multi_platform_all

+

+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh

new file mode 100644

index 0000000000..a6a2ba7adf

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh

@@ -0,0 +1,4 @@

+# platform = multi_platform_all

+

+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config

+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config

From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 27 May 2020 14:35:43 +0200

Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles

---

 rhel8/profiles/ospp.profile                     | 5 +++++

 tests/data/profile_stability/rhel8/ospp.profile | 3 +++

 tests/data/profile_stability/rhel8/stig.profile | 3 +++

 3 files changed, 11 insertions(+)

diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile

index 0dca8350f9..07d32b814d 100644

--- a/rhel8/profiles/ospp.profile

+++ b/rhel8/profiles/ospp.profile

@@ -410,3 +410,8 @@ selections:

     # Prevent Kerberos use by system daemons

     - kerberos_disable_no_keytab

+

+    # set ssh client rekey limit

+    - ssh_client_rekey_limit

+    - var_ssh_client_rekey_limit_size=1G

+    - var_ssh_client_rekey_limit_time=1hour

diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile

index 25f7922bf3..b0d7672c36 100644

--- a/tests/data/profile_stability/rhel8/ospp.profile

+++ b/tests/data/profile_stability/rhel8/ospp.profile

@@ -240,4 +240,7 @@ selections:

 - grub2_vsyscall_argument.severity=info

 - sysctl_user_max_user_namespaces.role=unscored

 - sysctl_user_max_user_namespaces.severity=info

+- ssh_client_rekey_limit

+- var_ssh_client_rekey_limit_size=1G

+- var_ssh_client_rekey_limit_time=1hour

 title: Protection Profile for General Purpose Operating Systems

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 6c4270925f..330ecc7e1e 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -269,4 +269,7 @@ selections:

 - grub2_vsyscall_argument.severity=info

 - sysctl_user_max_user_namespaces.role=unscored

 - sysctl_user_max_user_namespaces.severity=info

+- ssh_client_rekey_limit

+- var_ssh_client_rekey_limit_size=1G

+- var_ssh_client_rekey_limit_time=1hour

 title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'

From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 28 May 2020 14:25:41 +0200

Subject: [PATCH 04/11] improve description of variables

---

 .../crypto/var_ssh_client_rekey_limit_size.var       | 10 ++++++++--

 .../crypto/var_ssh_client_rekey_limit_time.var       | 12 +++++++++---

 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var

index bcf051fd97..4e20104cba 100644

--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var

+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var

@@ -2,14 +2,20 @@ documentation_complete: true

 title: 'SSH client RekeyLimit - size'

-description: 'Specify the size component of the rekey limit.'

+description: |-

+    Specify the size component of the rekey limit. This limit signifies amount

+    of data. After this amount of data is transferred through the connection,

+    the session key is renegotiated. The number is followed by K, M or G for

+    kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also

+    configured according to ellabsed time.

+

+interactive: true

 type: string

 operator: equals

 options:

-    ssh_client_default: "default"

     default: "512M"

     "512M": "512M"

     "1G": "1G"

diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var

index 31c76f9ab5..6143a5448c 100644

--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var

+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var

@@ -1,14 +1,20 @@

 documentation_complete: true

-title: 'SSH client RekeyLimit - size'

+title: 'SSH client RekeyLimit - time'

-description: 'Specify the size component of the rekey limit.'

+description: |-

+    Specify the time component of the rekey limit. This limit signifies amount

+    of data. The session key is renegotiated after the defined amount of time

+    passes. The number is followed by units such as H or M for hours or minutes.

+    Note that the RekeyLimit can be also configured according to amount of

+    transfered data.

+

+interactive: true

 type: string

 operator: equals

 options:

-    ssh_client_default: "none"

     default: "1h"

     "1hour": "1h"

From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 28 May 2020 14:26:12 +0200

Subject: [PATCH 05/11] fix tests and ansible

---

 .../crypto/ssh_client_rekey_limit/ansible/shared.yml         | 2 +-

 .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh     | 4 ++--

 .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh     | 4 ++--

 .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh      | 2 +-

 .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++--

 5 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml

index 6d2bcbbd44..bb6544a0a0 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml

@@ -1,4 +1,4 @@

-# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]

+# platform = multi_platform_all

 # reboot = false

 # strategy = configure

 # complexity = low

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh

index 2ac0bbf350..22c465b08f 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh

@@ -1,4 +1,4 @@

 # platform = multi_platform_all

-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config

-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config

+

+echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh

index fec859fe05..0dc621b1da 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh

@@ -1,4 +1,4 @@

 # platform = multi_platform_all

-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config

-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config

+

+echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh

index a6cd10163f..f6abf711da 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh

@@ -1,3 +1,3 @@

 # platform = multi_platform_all

-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config

+echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh

index a6a2ba7adf..e64e4191bc 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh

@@ -1,4 +1,5 @@

 # platform = multi_platform_all

-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config

-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config

+

+rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf

+echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf

From 9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 1 Jun 2020 14:29:47 +0200

Subject: [PATCH 06/11] fix test to use default value, remove rule from stig

---

 .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh    | 2 +-

 rhel8/profiles/stig.profile                                     | 1 +

 tests/data/profile_stability/rhel8/stig.profile                 | 1 -

 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh

index e64e4191bc..89d7069687 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh

@@ -2,4 +2,4 @@

 rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf

-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf

+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf

diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile

index 2bb81cf9dc..8f12852e26 100644

--- a/rhel8/profiles/stig.profile

+++ b/rhel8/profiles/stig.profile

@@ -44,3 +44,4 @@ selections:

     - package_rsyslog-gnutls_installed

     - rsyslog_remote_tls

     - rsyslog_remote_tls_cacert

+    - "!ssh_client_rekey_limit"

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 330ecc7e1e..9b164eb5c2 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -269,7 +269,6 @@ selections:

 - grub2_vsyscall_argument.severity=info

 - sysctl_user_max_user_namespaces.role=unscored

 - sysctl_user_max_user_namespaces.severity=info

-- ssh_client_rekey_limit

 - var_ssh_client_rekey_limit_size=1G

 - var_ssh_client_rekey_limit_time=1hour

 title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'

From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 3 Jun 2020 12:38:19 +0200

Subject: [PATCH 07/11] rewrite oval to check for multiple locations

---

 .../ssh_client_rekey_limit/oval/shared.xml    | 42 ++++++++++++-------

 1 file changed, 26 insertions(+), 16 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml

index 2412763e3f..41fa0497ae 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml

@@ -1,28 +1,17 @@

-{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}

-

 <def-group>

   <definition class="compliance" id="{{{ rule_id }}}" version="1">

     <metadata>

       <title>{{{ rule_title }}}</title>

       {{{- oval_affected(products) }}}

-      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>

+      <description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</description>

     </metadata>

-    <criteria comment="RekeyLimit is correctly configured for ssh client">

-      {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}

+    <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">

+      <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />

+      <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />

     </criteria>

   </definition>

-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_ssh_client_rekey_limit" version="1">

-     <ind:object object_ref="obj_ssh_client_rekey_limit"/>

-  </ind:textfilecontent54_test>

-

-  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">

-     <ind:filepath>{{{ filepath }}}</ind:filepath>

-     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>

-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-  </ind:textfilecontent54_object>

-

   <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">

     <concat>

       <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>

@@ -35,5 +24,26 @@

   <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />

   <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />

-</def-group>

+

+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">

+     <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>

+  </ind:textfilecontent54_test>

+

+  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">

+     <ind:filepath>/etc/ssh/ssh_config</ind:filepath>

+     <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>

+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">

+     <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>

+  </ind:textfilecontent54_test>

+

+  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">

+     <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>

+     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>

+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+</def-group>

From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 4 Jun 2020 08:24:54 +0200

Subject: [PATCH 08/11] reqrite remediations

---

 .../ssh_client_rekey_limit/ansible/shared.yml    | 16 ++++++++++++++++

 .../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++

 2 files changed, 29 insertions(+)

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml

index bb6544a0a0..36de503806 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml

@@ -5,4 +5,20 @@

 # disruption = low

 {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}

+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}}

+

+- name: Collect all include config files for ssh client which configure RekeyLimit

+  find:

+    paths: "/etc/ssh/ssh_config.d/"

+    contains: '^[\s]*RekeyLimit.*$'

+    patterns: "*.config"

+  register: ssh_config_include_files

+

+- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client

+  lineinfile:

+    path: "{{ item }}"

+    regexp: '^[\s]*RekeyLimit.*$'

+    state: "absent"

+  loop: "{{ ssh_config_include_files.files }}"

+

 {{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh

index 43d0971ffc..99f6f63c92 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh

@@ -5,4 +5,17 @@

 {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}

+main_config="/etc/ssh/ssh_config"

+include_directory="/etc/ssh/ssh_config.d"

+

+if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then

+  sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"

+fi

+

+for file in "$include_directory"/*.conf; do

+  if grep -q '^[\s]*RekeyLimit.*$' "$file"; then

+    sed -i '/^[\s]*RekeyLimit.*/d' "$file"

+  fi

+done

+

 {{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}

From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 4 Jun 2020 08:25:14 +0200

Subject: [PATCH 09/11] add more tests

---

 .../tests/bad_main_config_good_include_config.fail.sh         | 4 ++++

 .../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh  | 4 ++++

 .../tests/ok_different_config_file.pass.sh                    | 3 +++

 3 files changed, 11 insertions(+)

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh

new file mode 100644

index 0000000000..90314712af

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh

@@ -0,0 +1,4 @@

+#!/bin/basdh

+

+echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config

+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh

new file mode 100644

index 0000000000..9ba20b0290

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+

+rm -rf /etc/ssh/ssh_config.d/*

+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh

new file mode 100644

index 0000000000..f725f6936f

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh

@@ -0,0 +1,3 @@

+#!/bin/bash

+

+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf

From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 4 Jun 2020 08:25:29 +0200

Subject: [PATCH 10/11] extend description and ocil

---

 .../crypto/ssh_client_rekey_limit/rule.yml    | 19 ++++++++++++++-----

 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml

index a1b85b0ee5..76f5f84090 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml

@@ -10,6 +10,12 @@ description: |-

     amount of data that may be transmitted and the time

     elapsed. To decrease the default limits, put line

     <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.

+    Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding

+    the <tt>include</tt> directive in the main config file

+    <tt>/etc/ssh/ssh_config</tt>. Check also other files in

+    <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to

+    their names. Make sure that there is no file processed before

+    <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.

 rationale: |-

     By decreasing the limit based on the amount of data and enabling

@@ -27,8 +33,11 @@ references:

 ocil_clause: 'it is commented out or is not set'

 ocil: |-

-    To check if RekeyLimit is set correctly, run the

-    following command:

-    
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf

-    If configured properly, output should be

-    
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}

+    To check if RekeyLimit is set correctly, run the following command: 
$

+    sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf If configured

+    properly, output should be 
/etc/ssh/ssh_config.d/02-rekey-limit.conf:

+    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{

+    sub_var_value("var_ssh_client_rekey_limit_time") }}} Check also the

+    main configuration file with the following command: 
sudo grep

+    RekeyLimit /etc/ssh/ssh_config The command should not return any

+    output.

From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 8 Jun 2020 11:44:44 +0200

Subject: [PATCH 11/11] fix typos and wording

---

 .../integrity/crypto/ssh_client_rekey_limit/rule.yml     | 5 +++--

 .../tests/bad_main_config_good_include_config.fail.sh    | 2 +-

 .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 +

 .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 +

 .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh  | 1 +

 .../crypto/ssh_client_rekey_limit/tests/ok.pass.sh       | 1 +

 .../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +-

 .../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++-----

 8 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml

index 76f5f84090..b054d9d221 100644

--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml

+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml

@@ -14,8 +14,9 @@ description: |-

     the <tt>include</tt> directive in the main config file

     <tt>/etc/ssh/ssh_config</tt>. Check also other files in

     <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to

-    their names. Make sure that there is no file processed before

-    <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.

+    lexicographical order of file names. Make sure that there is no file

+    processed before <tt>02-rekey-limit.conf</tt> containing definition of

+    <tt>RekeyLimit</tt>.

 rationale: |-

     By decreasing the limit based on the amount of data and enabling