From b951a896d3ef1e678e5d6b580521053e7a076ab0 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Thu, 29 Apr 2021 16:54:03 +0200

Subject: [PATCH 1/6] Updated checks and remediations of the sshd template.

Configuration of sshd moves from one config file to a config directory.

Therefore, checks should consider all those files, and the remediation should aim

to deliver fixes to one of those files in the config directory.

Tests that interact with this behavior have been added and are applicable for Fedora and RHEL9 products.

---

 .../tests/commented.fail.sh                   |  7 ++

 .../tests/conflict.fail.sh                    | 15 ++++

 .../tests/correct_value_directory.pass.sh     | 14 ++++

 shared/macros-bash.jinja                      |  9 +++

 shared/macros-oval.jinja                      | 61 +++++++++++------

 .../templates/sshd_lineinfile/bash.template   | 22 ++++++

 .../templates/sshd_lineinfile/oval.template   | 68 +++++++++++++++++--

 7 files changed, 168 insertions(+), 28 deletions(-)

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh

new file mode 100644

index 00000000000..484c2165532

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+

+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config; then

+	sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config

+else

+	echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config

+fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh

new file mode 100644

index 00000000000..177a99e0b82

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh

@@ -0,0 +1,15 @@

+#!/bin/bash

+

+# platform = Fedora,Red Hat Enterprise Linux 9

+

+mkdir -p /etc/ssh/sshd_config.d

+touch /etc/ssh/sshd_config.d/nothing

+

+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then

+	sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*

+else

+	echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config

+fi

+

+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config

+echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh

new file mode 100644

index 00000000000..0aa2e775dbe

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+

+# platform = Fedora,Red Hat Enterprise Linux 9

+

+mkdir -p /etc/ssh/sshd_config.d

+touch /etc/ssh/sshd_config.d/nothing

+

+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then

+	sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*

+else

+	echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config

+fi

+

+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct

diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja

index 1cd2c62b5e0..b4518d83c19 100644

--- a/shared/macros-bash.jinja

+++ b/shared/macros-bash.jinja

@@ -471,6 +471,15 @@ fi

 LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}"

 {{%- endmacro -%}}

+{{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true) -%}}

+    {{%- if insensitive -%}}

+        {{%- set modifier="Id" -%}}

+    {{%- else -%}}

+        {{%- set modifier="d" -%}}

+    {{%- endif -%}}

+LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/*

+{{%- endmacro -%}}

+

 {{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true) -%}}

     {{%- if insensitive -%}}

         {{%- set grep_args="-q -m 1 -i" -%}}

diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja

index be2ac268206..d38db96d9e3 100644

--- a/shared/macros-oval.jinja

+++ b/shared/macros-oval.jinja

@@ -92,15 +92,18 @@

     - parameter (String): The parameter to be checked in the configuration file.

     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

 #}}

-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false) -%}}

+{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}}

 {{%- set suffix_id = "" -%}}

 {{%- set prefix_text = "Check the" -%}}

 {{%- if missing_parameter_pass %}}

 {{%- set suffix_id = suffix_id_default_not_overriden -%}}

 {{%- set prefix_text = prefix_text + " absence of" -%}}

 {{%- endif %}}

-      

-      test_ref="test_{{{ rule_id }}}{{{ suffix_id }}}" />

+{{%- if not comment -%}}

+{{%- set comment = prefix_text ~ " " ~ parameter ~ " in " ~ path -%}}

+{{%- endif -%}}

+

+  test_ref="test_{{{ id_stem }}}{{{ suffix_id }}}" />

 {{%- endmacro %}}

 {{#

@@ -110,7 +113,7 @@

     - parameter (String): The parameter to be checked in the configuration file.

     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

 #}}

-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false) -%}}

+{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}}

 {{%- set suffix_id = "" -%}}

 {{%- if missing_parameter_pass %}}

 {{%- set check_existence = "none_exist" -%}}

@@ -120,14 +123,14 @@

 {{%- set check_existence = "all_exist" -%}}

 {{%- set prefix_text = "value" -%}}

 {{%- endif %}}

-  

+

   comment="tests the {{{ prefix_text }}} of {{{ parameter }}} setting in the {{{ path }}} file"

-  id="test_{{{ rule_id }}}{{{ suffix_id }}}" version="1">

-  <ind:object object_ref="obj_{{{ rule_id }}}{{{ suffix_id }}}" />

+  id="test_{{{ id_stem }}}{{{ suffix_id }}}" version="1">

+  <ind:object object_ref="obj_{{{ id_stem }}}{{{ suffix_id }}}" />

   {{%- if not missing_parameter_pass %}}

-  <ind:state state_ref="state_{{{ rule_id }}}{{{ suffix_id }}}" />

+  <ind:state state_ref="state_{{{ id_stem }}}{{{ suffix_id }}}" />

   {{%- endif %}}

-  </ind:textfilecontent54_test>

+</ind:textfilecontent54_test>

 {{%- endmacro %}}

 {{#

@@ -141,7 +144,7 @@

     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

 #}}

-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='') -%}}

+{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}}

 {{%- set suffix_id = "" -%}}

 {{%- if multi_value -%}}

 {{%- set group_regex = "([^#]*).*$" -%}}

@@ -173,16 +176,16 @@

 {{%- set regex = prefix_regex+parameter+separator_regex+group_regex -%}}

 {{%- endif %}}

 {{%- endif %}}

-  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}{{{ suffix_id }}}" version="1">

+<ind:textfilecontent54_object id="obj_{{{ id_stem }}}{{{ suffix_id }}}" version="1">

 {{%- if filepath_regex %}}

-    <ind:path>{{{ path }}}</ind:path>

-    <ind:filename operation="pattern match">{{{ filepath_regex }}}</ind:filename>

+  <ind:path>{{{ path }}}</ind:path>

+  <ind:filename operation="pattern match">{{{ filepath_regex }}}</ind:filename>

 {{%- else %}}

-    <ind:filepath>{{{ path }}}</ind:filepath>

+  <ind:filepath>{{{ path }}}</ind:filepath>

 {{%- endif %}}

-    <ind:pattern operation="pattern match">{{{ regex }}}</ind:pattern>

-    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

-  </ind:textfilecontent54_object>

+  <ind:pattern operation="pattern match">{{{ regex }}}</ind:pattern>

+  <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

+</ind:textfilecontent54_object>

 {{%- endmacro %}}

 {{#

@@ -193,7 +196,7 @@

     - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.

       For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.

 #}}

-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}}

+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}}

 {{%- set regex = value -%}}

 {{%- if quotes != "" %}}

 {{%- if "\\1" in value > 0 %}}

@@ -206,9 +209,25 @@

 {{%- else %}}

 {{%- set regex = "^"+regex+"$" -%}}

 {{%- endif %}}

-  <ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">

-    <ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>

-  </ind:textfilecontent54_state>

+<ind:textfilecontent54_state id="state_{{{ id_stem }}}" version="1">

+  <ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>

+</ind:textfilecontent54_state>

+{{%- endmacro %}}

+

+{{%- macro oval_line_in_directory_criterion(path='', parameter='', missing_parameter_pass=false) -%}}

+{{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") -}}}

+{{%- endmacro %}}

+

+{{%- macro oval_line_in_directory_test(path='', parameter='', missing_parameter_pass=false) -%}}

+{{{ oval_line_in_file_test(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") }}}

+{{%- endmacro %}}

+

+{{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}}

+{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}}

+{{%- endmacro %}}

+

+{{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}}

+{{{- oval_line_in_file_state(value, multi_value, quotes, id_stem=rule_id ~ "_config_dir") -}}}

 {{%- endmacro %}}

 {{#

diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template

index ca1b512bb3d..eac758e310b 100644

--- a/shared/templates/sshd_lineinfile/bash.template

+++ b/shared/templates/sshd_lineinfile/bash.template

@@ -3,4 +3,26 @@

 # strategy = restrict

 # complexity = low

 # disruption = low

+{{%- if product in ("fedora", "rhel9") %}}

+{{%- set prefix_regex = "^\s*" -%}}

+{{%- set separator_regex = "\s\+" -%}}

+{{%- set line_regex = prefix_regex ~ PARAMETER ~ separator_regex %}}

+mkdir -p /etc/ssh/sshd_config.d

+touch /etc/ssh/sshd_config.d/hardening

+{{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}}

+{{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}}

+{{{ set_config_file(

+        path="/etc/ssh/sshd_config.d/hardening",

+        parameter=PARAMETER,

+        value=VALUE,

+        create=true,

+        insert_after="",

+        insert_before="^Match",

+        insensitive=true,

+        separator=" ",

+        separator_regex=separator_regex,

+        prefix_regex=prefix_regex)

+    }}}

+{{%- else %}}

 {{{ bash_sshd_config_set(parameter=PARAMETER, value=VALUE) }}}

+{{%- endif %}}

diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template

index df63d542505..2cc38776eb2 100644

--- a/shared/templates/sshd_lineinfile/oval.template

+++ b/shared/templates/sshd_lineinfile/oval.template

@@ -1,7 +1,61 @@

-{{{

-oval_sshd_config(

-	parameter=PARAMETER,

-	value=VALUE,

-	missing_parameter_pass=MISSING_PARAMETER_PASS

-)

-}}}

+{{%- set config_path = "/etc/ssh/sshd_config" %}}

+{{%- set config_dir = "/etc/ssh/sshd_config.d" -%}}

+{{%- set products_with_distributed_configuration = ("rhel9", "fedora") -%}}

+{{%- set description = "Ensure '" ~ PARAMETER ~ "' is configured with value '" ~ VALUE ~ "' in " ~ config_path %}}

+{{%- if product in products_with_distributed_configuration %}}

+{{%- set description = description  ~ " and in " ~ config_dir -%}}

+{{%- endif %}}

+{{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}}

+

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+   {{{ oval_metadata(description) }}}

+   <criteria comment="sshd is configured correctly or is not installed" operator="OR">

+     <criteria comment="sshd is not installed" operator="AND">

+        

+          definition_ref="sshd_not_required_or_unset" />

+        

+          definition_ref="package_openssh-server_removed" />

+     </criteria>

+     <criteria comment="sshd is installed and configured" operator="AND">

+        

+          definition_ref="sshd_required_or_unset" />

+        

+          definition_ref="package_openssh-server_installed" />

+        <criteria comment="sshd is configured correctly" operator="OR">

+          {{{- oval_line_in_file_criterion(config_path, PARAMETER) | indent(8) }}}

+          {{%- if MISSING_PARAMETER_PASS %}}

+          <criteria comment="sshd is not configured incorrectly" operator="AND">

+          {{{- oval_line_in_file_criterion(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(10)}}}

+          {{%- if product in products_with_distributed_configuration %}}

+          {{{- oval_line_in_directory_criterion(config_dir, PARAMETER, MISSING_PARAMETER_PASS) | indent(10) }}}

+          {{%- endif %}}

+          </criteria>

+          {{%- endif %}}

+          {{%- if product in products_with_distributed_configuration %}}

+          {{{- oval_line_in_directory_criterion(config_dir, PARAMETER) | indent(8) }}}

+          {{%- endif %}}

+        </criteria>

+      </criteria>

+    </criteria> 

+  </definition>

+  {{{ oval_line_in_file_test(config_path, PARAMETER) | indent (2) }}}

+  {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, ** case_insensitivity_kwargs)| indent (2) }}}

+  {{{ oval_line_in_file_state(VALUE) | indent (2) }}}

+

+  {{%- if MISSING_PARAMETER_PASS %}}

+  {{{ oval_line_in_file_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}}

+  {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}}

+  {{%- endif %}}

+

+  {{%- if product in products_with_distributed_configuration %}}

+  {{{ oval_line_in_directory_test(config_dir, PARAMETER) | indent (2) }}}

+  {{{ oval_line_in_directory_object(config_dir, parameter=PARAMETER, ** case_insensitivity_kwargs) | indent (2) }}}

+  {{{ oval_line_in_directory_state(VALUE) | indent (2) }}}

+

+  {{%- if MISSING_PARAMETER_PASS %}}

+  {{{ oval_line_in_directory_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}}

+  {{{ oval_line_in_directory_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}}

+  {{%- endif %}}

+  {{%- endif %}}

+</def-group>

From b0f86c11fa0fb45b32b53833b5d3565c7eb73cfe Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Fri, 30 Apr 2021 11:52:22 +0200

Subject: [PATCH 2/6] Improved the lineinfile template.

It now escapes the text contents if parts of them could be incorrectly interpreted as regexes.

---

 shared/macros-bash.jinja                  | 2 +-

 shared/templates/lineinfile/oval.template | 2 +-

 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja

index b4518d83c19..d654a0e0e89 100644

--- a/shared/macros-bash.jinja

+++ b/shared/macros-bash.jinja

@@ -445,7 +445,7 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2

 # prefix_regex: regular expression describing allowed leading characters at each line

 #}}

 {{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") -%}}

-    {{%- set line_regex = prefix_regex+parameter+separator_regex -%}}

+    {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}}

     {{%- set new_line = parameter+separator+value -%}}

 if [ -e "{{{ path }}}" ] ; then

     {{{ lineinfile_absent(path, line_regex, insensitive) | indent(4) }}}

diff --git a/shared/templates/lineinfile/oval.template b/shared/templates/lineinfile/oval.template

index a38856d9177..644327b7d6e 100644

--- a/shared/templates/lineinfile/oval.template

+++ b/shared/templates/lineinfile/oval.template

@@ -1,4 +1,4 @@

-{{%- set regex = "^[\s]*" + TEXT + "[\s]*$" -%}}

+{{%- set regex = "^[\s]*" ~ (TEXT | escape_regex) ~ "[\s]*$" -%}}

 <def-group>

   <definition class="compliance" id="{{{ rule_id }}}" version="1">

     {{{ oval_metadata("Check presence of " + TEXT + " in " + PATH) }}}

From 6953f74d1ab168e7ccc3f28877621edff317fef2 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Fri, 30 Apr 2021 11:54:12 +0200

Subject: [PATCH 3/6] Introduced the sshd_use_directory_configuration rule.

The rule makes sure that the sshd configuration is distributed in the

/etc/ssh/sshd_config.d/ directory, and therefore it makes sense to scan that directory

in another rules.

---

 .../bash/shared.sh                            | 15 ++++++++++

 .../oval/shared.xml                           | 29 +++++++++++++++++++

 .../sshd_use_directory_configuration/rule.yml | 26 +++++++++++++++++

 .../tests/match.fail.sh                       |  4 +++

 .../tests/simple.fail.sh                      |  3 ++

 .../tests/simple.pass.sh                      |  4 +++

 shared/references/cce-redhat-avail.txt        |  1 -

 shared/templates/extra_ovals.yml              |  6 ++++

 8 files changed, 87 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh

new file mode 100644

index 00000000000..2ff58ec373c

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh

@@ -0,0 +1,15 @@

+# platform = multi_platform_all

+

+{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}}

+if test -f {{{ target_file}}}; then

+	{{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}}

+else

+	mkdir -p /etc/ssh/sshd_config.d

+	mv /etc/ssh/sshd_config {{{ target_file }}}

+cat > /etc/ssh/sshd_config << EOF

+# To modify the system-wide sshd configuration, create a  *.conf  file under

+#  /etc/ssh/sshd_config.d/  which will be automatically included below

+

+Include /etc/ssh/sshd_config.d/*.conf

+EOF

+fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml

new file mode 100644

index 00000000000..0ffb429adff

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml

@@ -0,0 +1,29 @@

+{{%- set config_path = "/etc/ssh/sshd_config" %}}

+

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+   {{{ oval_metadata("foo") }}}

+   <criteria comment="sshd is configured correctly or is not installed" operator="OR">

+     <criteria comment="sshd is not installed" operator="AND">

+        

+          definition_ref="sshd_not_required_or_unset" />

+        

+          definition_ref="package_openssh-server_removed" />

+     </criteria>

+     <criteria comment="sshd is installed and configured" operator="AND">

+        

+          definition_ref="sshd_required_or_unset" />

+        

+          definition_ref="package_openssh-server_installed" />

+        <criteria comment="sshd is configured correctly" operator="AND">

+          

+            definition_ref="sshd_includes_config_files" />

+          {{{- oval_line_in_file_criterion(config_path, "match", missing_parameter_pass=true) | indent(8) }}}

+        </criteria>

+      </criteria>

+    </criteria> 

+  </definition>

+  {{{ oval_line_in_file_test(config_path, "match", missing_parameter_pass=true) | indent (2) }}}

+  {{{ oval_line_in_file_object(config_path, parameter="match", missing_parameter_pass=true, prefix_regex="^[ \\t]*(?i)", separator_regex="(?-i)\s+\S+") | indent (2) }}}

+</def-group>

+

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml

new file mode 100644

index 00000000000..8c370036e61

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml

@@ -0,0 +1,26 @@

+documentation_complete: true

+

+prodtype: fedora,rhel9

+

+title: 'Distribute the SSH Server configuration to multiple files in a config directory.'

+

+description: |-

+    Make sure to have the <tt>Include /etc/ssh/sshd_config.d/*.conf</tt> line in the <tt>/etc/ssh/sshd_config</tt> file.

+    Ideally, don't have any active configuration directives in that file, and distribute the service configuration

+    to several files in the <tt>/etc/ssh/sshd_config.d</tt> directory.

+

+rationale: |-

+    This form of distributed configuration is considered as a good practice, and as other sshd rules assume that directives in files in the <tt>/etc/ssh/sshd_config.d</tt> config directory are effective, there has to be a rule that ensures this.

+    Aside from that, having multiple configuration files makes the SSH Server configuration changes easier to partition according to the reason that they were introduced, and therefore it should help to perform merges of hardening updates.

+

+severity: medium

+

+identifiers:

+    cce@rhel9: CCE-87681-3

+

+ocil_clause: "you don't include other configuration files from the main configuration file"

+

+ocil: |-

+    To determine whether the SSH server includes configuration files from the right directory, run the following command:

+    
$ sudo grep -i '^Include' /etc/ssh/sshd_config

+    If a line <tt>Include /etc/ssh/sshd_config.d/*.conf</tt> is returned, then the configuration file inclusion is set correctly.

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh

new file mode 100644

index 00000000000..fa2ee0654f2

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh

@@ -0,0 +1,4 @@

+# platform = multi_platform_all

+

+echo "Match something" >> /etc/ssh/sshd_config

+echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh

new file mode 100644

index 00000000000..a6013ad7cfa

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh

@@ -0,0 +1,3 @@

+# platform = multi_platform_all

+

+echo "include /etc/ssh/sshd_config.d/.*" > /etc/ssh/sshd_config

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh

new file mode 100644

index 00000000000..7a26f521415

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh

@@ -0,0 +1,4 @@

+# platform = multi_platform_all

+

+# Handling of case-insensitivity of include is tricky

+echo "Include /etc/ssh/sshd_config.d/*.conf" > /etc/ssh/sshd_config

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 73d025484e6..40a2b9b5868 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -1780,7 +1780,6 @@ CCE-87677-1

 CCE-87678-9

 CCE-87679-7

 CCE-87680-5

-CCE-87681-3

 CCE-87682-1

 CCE-87683-9

 CCE-87684-7

diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml

index 095d911ee1c..69062ebe541 100644

--- a/shared/templates/extra_ovals.yml

+++ b/shared/templates/extra_ovals.yml

@@ -57,3 +57,9 @@ service_syslog_disabled:

   vars:

     servicename: syslog

     packagename: rsyslog

+

+sshd_includes_config_files:

+  name: lineinfile

+  vars:

+    path: /etc/ssh/sshd_config

+    text: "Include /etc/ssh/sshd_config.d/*.conf"

From d7fcab7ad66e77bb7ccba507e3f024bc892c3864 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Tue, 11 May 2021 16:06:29 +0200

Subject: [PATCH 4/6] Improved error reporting related to macros.

---

 ssg/jinja.py | 22 +++++++++++++---------

 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/ssg/jinja.py b/ssg/jinja.py

index a46246ad0fb..28edd9a6dcd 100644

--- a/ssg/jinja.py

+++ b/ssg/jinja.py

@@ -153,16 +153,20 @@ def load_macros(substitutions_dict=None):

     add_python_functions(substitutions_dict)

     try:

-        update_substitutions_dict(JINJA_MACROS_BASE_DEFINITIONS, substitutions_dict)

-        update_substitutions_dict(JINJA_MACROS_HIGHLEVEL_DEFINITIONS, substitutions_dict)

-        update_substitutions_dict(JINJA_MACROS_ANSIBLE_DEFINITIONS, substitutions_dict)

-        update_substitutions_dict(JINJA_MACROS_BASH_DEFINITIONS, substitutions_dict)

-        update_substitutions_dict(JINJA_MACROS_OVAL_DEFINITIONS, substitutions_dict)

-        update_substitutions_dict(JINJA_MACROS_IGNITION_DEFINITIONS, substitutions_dict)

-        update_substitutions_dict(JINJA_MACROS_KUBERNETES_DEFINITIONS, substitutions_dict)

+        filenames = [

+            JINJA_MACROS_BASE_DEFINITIONS,

+            JINJA_MACROS_HIGHLEVEL_DEFINITIONS,

+            JINJA_MACROS_ANSIBLE_DEFINITIONS,

+            JINJA_MACROS_BASH_DEFINITIONS,

+            JINJA_MACROS_OVAL_DEFINITIONS,

+            JINJA_MACROS_IGNITION_DEFINITIONS,

+            JINJA_MACROS_KUBERNETES_DEFINITIONS,

+        ]

+        for filename in filenames:

+            update_substitutions_dict(filename, substitutions_dict)

     except Exception as exc:

-        msg = ("Error extracting macro definitions: {0}"

-               .format(str(exc)))

+        msg = ("Error extracting macro definitions from '{1}': {0}"

+               .format(str(exc), filename))

         raise RuntimeError(msg)

     return substitutions_dict

From df45c3fa295a2dc5a23cc347657964df6453cbae Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Tue, 11 May 2021 16:44:50 +0200

Subject: [PATCH 5/6] Removed devault values that are variables from Jinja

Support in older jinja2 packages is not in a good shape.

---

 shared/macros-oval.jinja | 12 ++++++++----

 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja

index d38db96d9e3..87e0fd7d87d 100644

--- a/shared/macros-oval.jinja

+++ b/shared/macros-oval.jinja

@@ -92,7 +92,8 @@

     - parameter (String): The parameter to be checked in the configuration file.

     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

 #}}

-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}}

+{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem='') -%}}

+{{%- set id_stem = id_stem or rule_id -%}}

 {{%- set suffix_id = "" -%}}

 {{%- set prefix_text = "Check the" -%}}

 {{%- if missing_parameter_pass %}}

@@ -113,7 +114,8 @@

     - parameter (String): The parameter to be checked in the configuration file.

     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

 #}}

-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}}

+{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem='') -%}}

+{{%- set id_stem = id_stem or rule_id -%}}

 {{%- set suffix_id = "" -%}}

 {{%- if missing_parameter_pass %}}

 {{%- set check_existence = "none_exist" -%}}

@@ -144,7 +146,8 @@

     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).

     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.

 #}}

-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}}

+{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem='') -%}}

+{{%- set id_stem = id_stem or rule_id -%}}

 {{%- set suffix_id = "" -%}}

 {{%- if multi_value -%}}

 {{%- set group_regex = "([^#]*).*$" -%}}

@@ -196,7 +199,8 @@

     - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.

       For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.

 #}}

-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}}

+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem='') -%}}

+{{%- set id_stem = id_stem or rule_id -%}}

 {{%- set regex = value -%}}

 {{%- if quotes != "" %}}

 {{%- if "\\1" in value > 0 %}}

From a3ec49f75ac3059d7096985e08e10005db96330a Mon Sep 17 00:00:00 2001

From: Matej Tyc <matyc@redhat.com>

Date: Fri, 30 Jul 2021 17:25:25 +0200

Subject: [PATCH 6/6] Don't remediate when it is inappropriate

Don't remediate when the config file already contains the include

directive.

---

 .../sshd_use_directory_configuration/bash/shared.sh        | 7 +++++--

 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh

index 2ff58ec373c..9317b23992d 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh

@@ -1,12 +1,15 @@

 # platform = multi_platform_all

 {{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}}

+{{% set base_config = "/etc/ssh/sshd_config" -%}}

 if test -f {{{ target_file}}}; then

 	{{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}}

+elif grep -Eq '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then

+	{{{ die("Remediation probably already happened, '" ~ base_config ~ "' already contains the include directive.", action="false") }}}

 else

 	mkdir -p /etc/ssh/sshd_config.d

-	mv /etc/ssh/sshd_config {{{ target_file }}}

-cat > /etc/ssh/sshd_config << EOF

+	mv {{{ base_config }}} {{{ target_file }}}

+cat > {{{ base_config }}} << EOF

 # To modify the system-wide sshd configuration, create a  *.conf  file under

 #  /etc/ssh/sshd_config.d/  which will be automatically included below