From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Tue, 9 Aug 2022 17:28:33 +0200

Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG

 profile.

---

 .../ssh/ssh_server/sshd_set_idle_timeout/rule.yml  |  1 +

 .../ssh/ssh_server/sshd_set_keepalive_0/rule.yml   |  1 +

 products/rhel8/profiles/stig.profile               | 14 +++++++-------

 tests/data/profile_stability/rhel8/stig.profile    |  2 ++

 .../data/profile_stability/rhel8/stig_gui.profile  |  2 ++

 5 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

index 46ea0558a42..1e9c6172758 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

@@ -57,6 +57,7 @@ references:

     stigid@ol7: OL07-00-040320

     stigid@ol8: OL08-00-010201

     stigid@rhel7: RHEL-07-040320

+    stigid@rhel8: RHEL-08-010201

     stigid@sle12: SLES-12-030190

     stigid@sle15: SLES-15-010280

     stigid@ubuntu2004: UBTU-20-010037

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml

index 0f0693ddc6c..f6e98a61d9a 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml

@@ -53,6 +53,7 @@ references:

     stigid@ol7: OL07-00-040340

     stigid@ol8: OL08-00-010200

     stigid@rhel7: RHEL-07-040340

+    stigid@rhel8: RHEL-08-010200

     stigid@sle12: SLES-12-030191

     stigid@sle15: SLES-15-010320

     vmmsrg: SRG-OS-000480-VMM-002000

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 6b44436a2b1..124b7520d3a 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -170,13 +170,13 @@ selections:

     # RHEL-08-010190

     - dir_perms_world_writable_sticky_bits

-    # These two items don't behave as they used to in RHEL8.6 and RHEL9

-    # anymore. They will be disabled for now until an alternative

-    # solution is found.

-    # # RHEL-08-010200

-    # - sshd_set_keepalive_0

-    # # RHEL-08-010201

-    # - sshd_set_idle_timeout

+    # Although these rules have a different behavior in RHEL>=8.6

+    # they still need to be selected so it follows exactly what STIG

+    # states.

+    # RHEL-08-010200

+    - sshd_set_keepalive_0

+    # RHEL-08-010201

+    - sshd_set_idle_timeout

     # RHEL-08-010210

     - file_permissions_var_log_messages

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 47f53a9d023..6c75d0ae1b1 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -369,6 +369,8 @@ selections:

 - sshd_enable_warning_banner

 - sshd_print_last_log

 - sshd_rekey_limit

+- sshd_set_idle_timeout

+- sshd_set_keepalive_0

 - sshd_use_strong_rng

 - sshd_x11_use_localhost

 - sssd_certificate_verification

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index c4e60ddcde5..8a7a469b940 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -379,6 +379,8 @@ selections:

 - sshd_enable_warning_banner

 - sshd_print_last_log

 - sshd_rekey_limit

+- sshd_set_idle_timeout

+- sshd_set_keepalive_0

 - sshd_use_strong_rng

 - sshd_x11_use_localhost

 - sssd_certificate_verification