|
 |
f6303c |
From e4bcce25933c474cb2358411e30917d30fdf6eb7 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Watson Sato <wsato@redhat.com>
|
|
|
f6303c |
Date: Thu, 10 Nov 2022 10:13:16 +0100
|
|
|
f6303c |
Subject: [PATCH 1/3] Add tests to check for RekeyLimit conflicts
|
|
|
f6303c |
|
|
|
f6303c |
---
|
|
|
f6303c |
.../sshd_rekey_limit/tests/param_conflict.fail.sh | 13 +++++++++++++
|
|
|
f6303c |
.../tests/param_conflict_directory.fail.sh | 15 +++++++++++++++
|
|
|
f6303c |
2 files changed, 28 insertions(+)
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..0eb6aab6804
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
|
|
|
f6303c |
@@ -0,0 +1,13 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+
|
|
|
f6303c |
+SSHD_PARAM="RekeyLimit"
|
|
|
f6303c |
+
|
|
|
f6303c |
+mkdir -p /etc/ssh/sshd_config.d
|
|
|
f6303c |
+touch /etc/ssh/sshd_config.d/nothing
|
|
|
f6303c |
+
|
|
|
f6303c |
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
|
f6303c |
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
|
f6303c |
+fi
|
|
|
f6303c |
+
|
|
|
f6303c |
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
|
|
|
f6303c |
+echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..bc254a3a57c
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
|
|
|
f6303c |
@@ -0,0 +1,15 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+
|
|
|
f6303c |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
|
|
f6303c |
+
|
|
|
f6303c |
+SSHD_PARAM="RekeyLimit"
|
|
|
f6303c |
+
|
|
|
f6303c |
+mkdir -p /etc/ssh/sshd_config.d
|
|
|
f6303c |
+touch /etc/ssh/sshd_config.d/nothing
|
|
|
f6303c |
+
|
|
|
f6303c |
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
|
f6303c |
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
|
f6303c |
+fi
|
|
|
f6303c |
+
|
|
|
f6303c |
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config.d/good_config.conf
|
|
|
f6303c |
+echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config.d/bad_config.conf
|
|
|
f6303c |
|
|
|
f6303c |
From 2654d659b4dbe7eed9794005153ea3f147b27320 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Watson Sato <wsato@redhat.com>
|
|
|
f6303c |
Date: Thu, 10 Nov 2022 10:32:35 +0100
|
|
|
f6303c |
Subject: [PATCH 2/3] Separate the SSHD parameter from the value
|
|
|
f6303c |
|
|
|
f6303c |
Separate the SSHD paramater RekeyLimit from the compliant values.
|
|
|
f6303c |
This makes it possible to collect all occurrences of RekeyLimit and
|
|
|
f6303c |
compare each of then with the compliant values.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 12 +++++++++---
|
|
|
f6303c |
1 file changed, 9 insertions(+), 3 deletions(-)
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
|
|
f6303c |
index b2dd9039200..38c8a84aa3f 100644
|
|
|
f6303c |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
|
|
f6303c |
@@ -24,30 +24,36 @@
|
|
|
f6303c |
|
|
|
f6303c |
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in the file" id="test_sshd_rekey_limit" version="1">
|
|
|
f6303c |
<ind:object object_ref="obj_sshd_rekey_limit"/>
|
|
|
f6303c |
+ <ind:state state_ref="state_sshd_rekey_limit"/>
|
|
|
f6303c |
</ind:textfilecontent54_test>
|
|
|
f6303c |
|
|
|
f6303c |
<ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
|
|
|
f6303c |
<ind:filepath>{{{ sshd_config_path }}}</ind:filepath>
|
|
|
f6303c |
- <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
|
|
|
f6303c |
+ <ind:pattern operation="pattern match">^[\s]*{{{ parameter }}}[\s]+(.*)$</ind:pattern>
|
|
|
f6303c |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
f6303c |
</ind:textfilecontent54_object>
|
|
|
f6303c |
|
|
|
f6303c |
{{%- if sshd_distributed_config == "true" %}}
|
|
|
f6303c |
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
|
|
|
f6303c |
<ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
|
|
|
f6303c |
+ <ind:state state_ref="state_sshd_rekey_limit"/>
|
|
|
f6303c |
</ind:textfilecontent54_test>
|
|
|
f6303c |
|
|
|
f6303c |
<ind:textfilecontent54_object id="obj_sshd_rekey_limit_config_dir" version="1">
|
|
|
f6303c |
<ind:path>{{{ sshd_config_dir}}}</ind:path>
|
|
|
f6303c |
<ind:filename operation="pattern match">.*\.conf$</ind:filename>
|
|
|
f6303c |
- <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
|
|
|
f6303c |
+ <ind:pattern operation="pattern match">^[\s]*{{{ parameter }}}[\s]+(.*)$</ind:pattern>
|
|
|
f6303c |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
f6303c |
</ind:textfilecontent54_object>
|
|
|
f6303c |
{{%- endif %}}
|
|
|
f6303c |
|
|
|
f6303c |
+ <ind:textfilecontent54_state id="state_sshd_rekey_limit" version="1">
|
|
|
f6303c |
+ <ind:subexpression operation="pattern match" var_ref="sshd_line_regex" />
|
|
|
f6303c |
+ </ind:textfilecontent54_state>
|
|
|
f6303c |
+
|
|
|
f6303c |
<local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
|
|
f6303c |
<concat>
|
|
|
f6303c |
- <literal_component>^[\s]*{{{ parameter }}}[\s]+</literal_component>
|
|
|
f6303c |
+ <literal_component>^</literal_component>
|
|
|
f6303c |
<variable_component var_ref="var_rekey_limit_size"/>
|
|
|
f6303c |
<literal_component>[\s]+</literal_component>
|
|
|
f6303c |
<variable_component var_ref="var_rekey_limit_time"/>
|
|
|
f6303c |
|
|
|
f6303c |
From f5847d8362e7331fde049f3c56f6bb4f44fb18f1 Mon Sep 17 00:00:00 2001
|
|
|
f6303c |
From: Watson Sato <wsato@redhat.com>
|
|
|
f6303c |
Date: Thu, 10 Nov 2022 10:39:45 +0100
|
|
|
f6303c |
Subject: [PATCH 3/3] Add test for duplicated SSHD parameter
|
|
|
f6303c |
|
|
|
f6303c |
Ensure the rule still passes when a parameter is defined multiple times
|
|
|
f6303c |
but have the same value.
|
|
|
f6303c |
---
|
|
|
f6303c |
.../tests/duplicated_param.pass.sh | 14 ++++++++++++++
|
|
|
f6303c |
1 file changed, 14 insertions(+)
|
|
|
f6303c |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
|
|
|
f6303c |
|
|
|
f6303c |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
|
|
|
f6303c |
new file mode 100644
|
|
|
f6303c |
index 00000000000..2e0d8145abd
|
|
|
f6303c |
--- /dev/null
|
|
|
f6303c |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
|
|
|
f6303c |
@@ -0,0 +1,14 @@
|
|
|
f6303c |
+#!/bin/bash
|
|
|
f6303c |
+
|
|
|
f6303c |
+SSHD_PARAM="RekeyLimit"
|
|
|
f6303c |
+
|
|
|
f6303c |
+mkdir -p /etc/ssh/sshd_config.d
|
|
|
f6303c |
+touch /etc/ssh/sshd_config.d/nothing
|
|
|
f6303c |
+
|
|
|
f6303c |
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
|
|
f6303c |
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
|
|
f6303c |
+fi
|
|
|
f6303c |
+
|
|
|
f6303c |
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
|
|
|
f6303c |
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
|
|
|
f6303c |
+
|