|
 |
38a2c0 |
From f7a2fb33ad1507ad4ce3f7ec6534c06d4f6a7e83 Mon Sep 17 00:00:00 2001
|
|
|
38a2c0 |
From: Watson Sato <wsato@redhat.com>
|
|
|
38a2c0 |
Date: Fri, 4 Feb 2022 12:02:36 +0100
|
|
|
38a2c0 |
Subject: [PATCH 1/3] Add tests for distributed SSHD RekeyLimit config
|
|
|
38a2c0 |
|
|
|
38a2c0 |
---
|
|
|
38a2c0 |
.../sshd_rekey_limit/tests/bad_size_directory.fail.sh | 10 ++++++++++
|
|
|
38a2c0 |
.../sshd_rekey_limit/tests/bad_time_directory.fail.sh | 10 ++++++++++
|
|
|
38a2c0 |
.../sshd_rekey_limit/tests/no_line_directory.fail.sh | 8 ++++++++
|
|
|
38a2c0 |
.../sshd_rekey_limit/tests/rhel8_ok.pass.sh | 2 +-
|
|
|
38a2c0 |
.../sshd_rekey_limit/tests/rhel9_ok.pass.sh | 11 +++++++++++
|
|
|
38a2c0 |
5 files changed, 40 insertions(+), 1 deletion(-)
|
|
|
38a2c0 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
|
|
|
38a2c0 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
|
|
|
38a2c0 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
|
|
|
38a2c0 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
|
|
|
38a2c0 |
|
|
|
38a2c0 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
|
|
|
38a2c0 |
new file mode 100644
|
|
|
38a2c0 |
index 00000000000..88c6420c5ca
|
|
|
38a2c0 |
--- /dev/null
|
|
|
38a2c0 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
|
|
|
38a2c0 |
@@ -0,0 +1,10 @@
|
|
|
38a2c0 |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+mkdir -p /etc/ssh/sshd_config.d
|
|
|
38a2c0 |
+touch /etc/ssh/sshd_config.d/nothing
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
|
38a2c0 |
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
|
38a2c0 |
+fi
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+echo "RekeyLimit 812M 1h" > /etc/ssh/sshd_config.d/bad_config.conf
|
|
|
38a2c0 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
|
|
|
38a2c0 |
new file mode 100644
|
|
|
38a2c0 |
index 00000000000..3bb0926017c
|
|
|
38a2c0 |
--- /dev/null
|
|
|
38a2c0 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
|
|
|
38a2c0 |
@@ -0,0 +1,10 @@
|
|
|
38a2c0 |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+mkdir -p /etc/ssh/sshd_config.d
|
|
|
38a2c0 |
+touch /etc/ssh/sshd_config.d/nothing
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
|
38a2c0 |
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
|
38a2c0 |
+fi
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+echo "RekeyLimit 512M 2h" > /etc/ssh/sshd_config.d/bad_config.conf
|
|
|
38a2c0 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
|
|
|
38a2c0 |
new file mode 100644
|
|
|
38a2c0 |
index 00000000000..00569de1b84
|
|
|
38a2c0 |
--- /dev/null
|
|
|
38a2c0 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
|
|
|
38a2c0 |
@@ -0,0 +1,8 @@
|
|
|
38a2c0 |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+mkdir -p /etc/ssh/sshd_config.d
|
|
|
38a2c0 |
+touch /etc/ssh/sshd_config.d/nothing
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
|
38a2c0 |
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
|
38a2c0 |
+fi
|
|
|
38a2c0 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
|
|
|
38a2c0 |
index b9834e6d0b2..894c0ae4ba8 100644
|
|
|
38a2c0 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
|
|
|
38a2c0 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
|
|
|
38a2c0 |
@@ -1,4 +1,4 @@
|
|
|
38a2c0 |
-# platform = Red Hat Enterprise Linux 8
|
|
|
38a2c0 |
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
|
|
|
38a2c0 |
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
38a2c0 |
|
|
|
38a2c0 |
sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
|
|
38a2c0 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
|
|
|
38a2c0 |
new file mode 100644
|
|
|
38a2c0 |
index 00000000000..e183e8986dc
|
|
|
38a2c0 |
--- /dev/null
|
|
|
38a2c0 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
|
|
|
38a2c0 |
@@ -0,0 +1,11 @@
|
|
|
38a2c0 |
+# platform = Red Hat Enterprise Linux 9
|
|
|
38a2c0 |
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+mkdir -p /etc/ssh/sshd_config.d
|
|
|
38a2c0 |
+touch /etc/ssh/sshd_config.d/nothing
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
|
38a2c0 |
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
|
38a2c0 |
+fi
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+echo "RekeyLimit 1G 1h" >> /etc/ssh/sshd_config.d/good_config.conf
|
|
|
38a2c0 |
|
|
|
38a2c0 |
From 782e3a6108ea377d526d0aed4e8c0cf019f3dcdd Mon Sep 17 00:00:00 2001
|
|
|
38a2c0 |
From: Watson Sato <wsato@redhat.com>
|
|
|
38a2c0 |
Date: Fri, 4 Feb 2022 12:06:45 +0100
|
|
|
38a2c0 |
Subject: [PATCH 2/3] Update rule to handle distributed config
|
|
|
38a2c0 |
|
|
|
38a2c0 |
Based on the template sshd_lineinfile, updated rule sshd_rekey_limit to
|
|
|
38a2c0 |
check and remediate SSHD configuration in products that support
|
|
|
38a2c0 |
/etc/sshd/sshd_config.d/
|
|
|
38a2c0 |
|
|
|
38a2c0 |
The rule cannot use the template as it relies on two external variables.
|
|
|
38a2c0 |
---
|
|
|
38a2c0 |
.../sshd_rekey_limit/ansible/shared.yml | 8 +++-
|
|
|
38a2c0 |
.../sshd_rekey_limit/bash/shared.sh | 2 +-
|
|
|
38a2c0 |
.../sshd_rekey_limit/oval/shared.xml | 46 ++++++++++++++-----
|
|
|
38a2c0 |
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 10 +++-
|
|
|
38a2c0 |
4 files changed, 50 insertions(+), 16 deletions(-)
|
|
|
38a2c0 |
|
|
|
38a2c0 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
|
|
|
38a2c0 |
index 84a4f084d40..f30dcdb2ed3 100644
|
|
|
38a2c0 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
|
|
|
38a2c0 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
|
|
|
38a2c0 |
@@ -5,4 +5,10 @@
|
|
|
38a2c0 |
# disruption = low
|
|
|
38a2c0 |
{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
|
|
|
38a2c0 |
|
|
|
38a2c0 |
-{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}") }}}
|
|
|
38a2c0 |
+{{{
|
|
|
38a2c0 |
+ ansible_sshd_set(
|
|
|
38a2c0 |
+ parameter="RekeyLimit",
|
|
|
38a2c0 |
+ value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}",
|
|
|
38a2c0 |
+ config_is_distributed=sshd_distributed_config
|
|
|
38a2c0 |
+ )
|
|
|
38a2c0 |
+}}}
|
|
|
38a2c0 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
|
|
38a2c0 |
index 4422f63472c..789358472a1 100644
|
|
|
38a2c0 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
|
|
38a2c0 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
|
|
38a2c0 |
@@ -2,4 +2,4 @@
|
|
|
38a2c0 |
|
|
|
38a2c0 |
{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
|
|
|
38a2c0 |
|
|
|
38a2c0 |
-{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
|
|
|
38a2c0 |
+{{{ bash_sshd_remediation(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time", config_is_distributed=sshd_distributed_config) -}}}
|
|
|
38a2c0 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
|
|
38a2c0 |
index f49d9ab5275..e109cbd3124 100644
|
|
|
38a2c0 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
|
|
38a2c0 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
|
|
38a2c0 |
@@ -1,26 +1,49 @@
|
|
|
38a2c0 |
-{{% set filepath = "/etc/ssh/sshd_config" -%}}
|
|
|
38a2c0 |
-
|
|
|
38a2c0 |
+{{%- set parameter = "RekeyLimit" %}}
|
|
|
38a2c0 |
+{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
|
|
|
38a2c0 |
+{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
|
|
|
38a2c0 |
+{{%- set description = "Ensure RekeyLimit is configured with the appropriate value in " ~ sshd_config_path %}}
|
|
|
38a2c0 |
+{{%- if sshd_distributed_config == "true" %}}
|
|
|
38a2c0 |
+{{%- set description = description ~ " or in " ~ sshd_config_dir -%}}
|
|
|
38a2c0 |
+{{%- endif %}}
|
|
|
38a2c0 |
|
|
|
38a2c0 |
<def-group>
|
|
|
38a2c0 |
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
38a2c0 |
- {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in '" + filepath + "'") }}}
|
|
|
38a2c0 |
- <criteria comment="sshd is configured correctly or is not installed" operator="OR">
|
|
|
38a2c0 |
- {{{- application_not_required_or_requirement_unset() }}}
|
|
|
38a2c0 |
- {{{- application_required_or_requirement_unset() }}}
|
|
|
38a2c0 |
- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
|
|
|
38a2c0 |
- </criteria>
|
|
|
38a2c0 |
- </criteria>
|
|
|
38a2c0 |
+ {{{ oval_metadata(description) }}}
|
|
|
38a2c0 |
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
|
|
|
38a2c0 |
+ {{{- application_not_required_or_requirement_unset() }}}
|
|
|
38a2c0 |
+ {{{- application_required_or_requirement_unset() }}}
|
|
|
38a2c0 |
+ <criteria comment="sshd is configured corectly" operator="OR">
|
|
|
38a2c0 |
+ {{{- oval_line_in_file_criterion(sshd_config_path, parameter) }}}
|
|
|
38a2c0 |
+ {{%- if sshd_distributed_config %}}
|
|
|
38a2c0 |
+ {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter) | indent(8) }}}
|
|
|
38a2c0 |
+ {{%- endif %}}
|
|
|
38a2c0 |
+ </criteria>
|
|
|
38a2c0 |
+ </criteria>
|
|
|
38a2c0 |
+ </criteria>
|
|
|
38a2c0 |
</definition>
|
|
|
38a2c0 |
|
|
|
38a2c0 |
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
|
|
|
38a2c0 |
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
|
|
|
38a2c0 |
<ind:object object_ref="obj_sshd_rekey_limit"/>
|
|
|
38a2c0 |
</ind:textfilecontent54_test>
|
|
|
38a2c0 |
|
|
|
38a2c0 |
<ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
|
|
|
38a2c0 |
- <ind:filepath>{{{ filepath }}}</ind:filepath>
|
|
|
38a2c0 |
+ <ind:filepath>{{{ sshd_config_path }}}</ind:filepath>
|
|
|
38a2c0 |
+ <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
|
|
|
38a2c0 |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
38a2c0 |
+ </ind:textfilecontent54_object>
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+ {{%- if sshd_distributed_config %}}
|
|
|
38a2c0 |
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
|
|
|
38a2c0 |
+ <ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
|
|
|
38a2c0 |
+ </ind:textfilecontent54_test>
|
|
|
38a2c0 |
+
|
|
|
38a2c0 |
+ <ind:textfilecontent54_object id="obj_sshd_rekey_limit_config_dir" version="1">
|
|
|
38a2c0 |
+ <ind:path>{{{ sshd_config_dir}}}</ind:path>
|
|
|
38a2c0 |
+ <ind:filename operation="pattern match">.*\.conf$</ind:filename>
|
|
|
38a2c0 |
<ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
|
|
|
38a2c0 |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
38a2c0 |
</ind:textfilecontent54_object>
|
|
|
38a2c0 |
+ {{%- endif %}}
|
|
|
38a2c0 |
|
|
|
38a2c0 |
<local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
|
|
38a2c0 |
<concat>
|
|
|
38a2c0 |
@@ -35,4 +58,3 @@
|
|
|
38a2c0 |
<external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
|
|
|
38a2c0 |
<external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
|
|
|
38a2c0 |
</def-group>
|
|
|
38a2c0 |
-
|
|
|
38a2c0 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
|
|
38a2c0 |
index 450f244de41..702cd0506d3 100644
|
|
|
38a2c0 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
|
|
38a2c0 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
|
|
38a2c0 |
@@ -6,8 +6,10 @@ description: |-
|
|
|
38a2c0 |
The <tt>RekeyLimit</tt> parameter specifies how often
|
|
|
38a2c0 |
the session key of the is renegotiated, both in terms of
|
|
|
38a2c0 |
amount of data that may be transmitted and the time
|
|
|
38a2c0 |
- elapsed. To decrease the default limits, put line
|
|
|
38a2c0 |
- <tt>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
|
|
|
38a2c0 |
+ elapsed.
|
|
|
38a2c0 |
+ To decrease the default limits, add or correct the following line in
|
|
|
38a2c0 |
+ {{{ sshd_config_file() }}}
|
|
|
38a2c0 |
+ RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}
|
|
|
38a2c0 |
|
|
|
38a2c0 |
rationale: |-
|
|
|
38a2c0 |
By decreasing the limit based on the amount of data and enabling
|
|
|
38a2c0 |
@@ -32,6 +34,10 @@ ocil_clause: 'it is commented out or is not set'
|
|
|
38a2c0 |
ocil: |-
|
|
|
38a2c0 |
To check if RekeyLimit is set correctly, run the
|
|
|
38a2c0 |
following command:
|
|
|
38a2c0 |
+ {{% if sshd_distributed_config == "true" %}}
|
|
|
38a2c0 |
+ $ sudo grep RekeyLimit /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
|
38a2c0 |
+ {{% else %}}
|
|
|
38a2c0 |
$ sudo grep RekeyLimit /etc/ssh/sshd_config
|
|
|
38a2c0 |
+ {{% endif %}}
|
|
|
38a2c0 |
If configured properly, output should be
|
|
|
38a2c0 |
RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}
|
|
|
38a2c0 |
|
|
|
38a2c0 |
From 78d6d40f280b0e43e6c8fd7d60cfd81e7979fb8f Mon Sep 17 00:00:00 2001
|
|
|
38a2c0 |
From: Watson Sato <wsato@redhat.com>
|
|
|
38a2c0 |
Date: Wed, 9 Feb 2022 16:59:53 +0100
|
|
|
38a2c0 |
Subject: [PATCH 3/3] Use the Jinja variable 'parameter' where applicable
|
|
|
38a2c0 |
|
|
|
38a2c0 |
---
|
|
|
38a2c0 |
.../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 8 ++++----
|
|
|
38a2c0 |
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
|
38a2c0 |
|
|
|
38a2c0 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
|
|
38a2c0 |
index e109cbd3124..d79ac7f2047 100644
|
|
|
38a2c0 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
|
|
38a2c0 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
|
|
38a2c0 |
@@ -1,7 +1,7 @@
|
|
|
38a2c0 |
{{%- set parameter = "RekeyLimit" %}}
|
|
|
38a2c0 |
{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
|
|
|
38a2c0 |
{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
|
|
|
38a2c0 |
-{{%- set description = "Ensure RekeyLimit is configured with the appropriate value in " ~ sshd_config_path %}}
|
|
|
38a2c0 |
+{{%- set description = "Ensure {{{ parameter }}} is configured with the appropriate value in " ~ sshd_config_path %}}
|
|
|
38a2c0 |
{{%- if sshd_distributed_config == "true" %}}
|
|
|
38a2c0 |
{{%- set description = description ~ " or in " ~ sshd_config_dir -%}}
|
|
|
38a2c0 |
{{%- endif %}}
|
|
|
38a2c0 |
@@ -22,7 +22,7 @@
|
|
|
38a2c0 |
</criteria>
|
|
|
38a2c0 |
</definition>
|
|
|
38a2c0 |
|
|
|
38a2c0 |
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
|
|
|
38a2c0 |
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in the file" id="test_sshd_rekey_limit" version="1">
|
|
|
38a2c0 |
<ind:object object_ref="obj_sshd_rekey_limit"/>
|
|
|
38a2c0 |
</ind:textfilecontent54_test>
|
|
|
38a2c0 |
|
|
|
38a2c0 |
@@ -33,7 +33,7 @@
|
|
|
38a2c0 |
</ind:textfilecontent54_object>
|
|
|
38a2c0 |
|
|
|
38a2c0 |
{{%- if sshd_distributed_config %}}
|
|
|
38a2c0 |
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
|
|
|
38a2c0 |
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
|
|
|
38a2c0 |
<ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
|
|
|
38a2c0 |
</ind:textfilecontent54_test>
|
|
|
38a2c0 |
|
|
|
38a2c0 |
@@ -47,7 +47,7 @@
|
|
|
38a2c0 |
|
|
|
38a2c0 |
<local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
|
|
38a2c0 |
<concat>
|
|
|
38a2c0 |
- <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
|
|
|
38a2c0 |
+ <literal_component>^[\s]*{{{ parameter }}}[\s]+</literal_component>
|
|
|
38a2c0 |
<variable_component var_ref="var_rekey_limit_size"/>
|
|
|
38a2c0 |
<literal_component>[\s]+</literal_component>
|
|
|
38a2c0 |
<variable_component var_ref="var_rekey_limit_time"/>
|