From f7a2fb33ad1507ad4ce3f7ec6534c06d4f6a7e83 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Feb 2022 12:02:36 +0100
Subject: [PATCH 1/3] Add tests for distributed SSHD RekeyLimit config

---
 .../sshd_rekey_limit/tests/bad_size_directory.fail.sh | 10 ++++++++++
 .../sshd_rekey_limit/tests/bad_time_directory.fail.sh | 10 ++++++++++
 .../sshd_rekey_limit/tests/no_line_directory.fail.sh  |  8 ++++++++
 .../sshd_rekey_limit/tests/rhel8_ok.pass.sh           |  2 +-
 .../sshd_rekey_limit/tests/rhel9_ok.pass.sh           | 11 +++++++++++
 5 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
new file mode 100644
index 00000000000..88c6420c5ca
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+	sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "RekeyLimit 812M 1h" > /etc/ssh/sshd_config.d/bad_config.conf
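Review bot: The cleanup guard on the `if grep -q "^\s*RekeyLimit"` line is case-sensitive while the `sed` it gates uses the `I` flag, so a pre-existing lowercase `rekeylimit` line (sshd keywords are case-insensitive) would not trigger the cleanup and the test outcome would then depend on the host's prior state; `grep -qi "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*` makes the two commands agree. The same guard is repeated in bad_time_directory.fail.sh, no_line_directory.fail.sh and rhel9_ok.pass.sh. The `touch /etc/ssh/sshd_config.d/nothing` line deserves a comment, presumably something like `# make sure the glob below expands even when the directory is otherwise empty`, since its purpose is not obvious from the code. None of the new fail tests places a compliant line in sshd_config next to a non-compliant one under sshd_config.d; since sshd uses the first value it reads, that is the case most likely to slip past a check that accepts either location.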
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
new file mode 100644
index 00000000000..3bb0926017c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+	sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "RekeyLimit 512M 2h" > /etc/ssh/sshd_config.d/bad_config.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
new file mode 100644
index 00000000000..00569de1b84
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+	sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
index b9834e6d0b2..894c0ae4ba8 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 8
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 
 sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
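Review bot: Enabling this test on Red Hat Enterprise Linux 9 through the new `# platform` line does not add the sshd_config.d cleanup that rhel9_ok.pass.sh performs, so a leftover `.conf` file from an earlier scenario could carry a conflicting RekeyLimit into a run that is expected to pass; either add the same `mkdir -p`/`grep`/`sed -i` block here or keep the test RHEL 8 only. Note also that the context line `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` has no `-i`, so it prints to stdout and leaves the file untouched — that predates this commit, but it matters more once a second platform relies on it. The rest of the script is outside the hunk.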
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
new file mode 100644
index 00000000000..e183e8986dc
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
@@ -0,0 +1,11 @@
+# platform = Red Hat Enterprise Linux 9
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+	sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "RekeyLimit 1G 1h" >> /etc/ssh/sshd_config.d/good_config.conf

From 782e3a6108ea377d526d0aed4e8c0cf019f3dcdd Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Feb 2022 12:06:45 +0100
Subject: [PATCH 2/3] Update rule to handle distributed config

Based on the template sshd_lineinfile, updated rule sshd_rekey_limit to
check and remediate SSHD configuration in products that support
/etc/ssh/sshd_config.d/

The rule cannot use the template as it relies on two external variables.
---
 .../sshd_rekey_limit/ansible/shared.yml       |  8 +++-
 .../sshd_rekey_limit/bash/shared.sh           |  2 +-
 .../sshd_rekey_limit/oval/shared.xml          | 46 ++++++++++++++-----
 .../ssh/ssh_server/sshd_rekey_limit/rule.yml  | 10 +++-
 4 files changed, 50 insertions(+), 16 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
index 84a4f084d40..f30dcdb2ed3 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
@@ -5,4 +5,10 @@
 # disruption = low
 {{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
 
-{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}") }}}
+{{{
+    ansible_sshd_set(
+        parameter="RekeyLimit",
+        value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}",
+        config_is_distributed=sshd_distributed_config
+    )
+}}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
index 4422f63472c..789358472a1 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
@@ -2,4 +2,4 @@
 
 {{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
 
-{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
+{{{ bash_sshd_remediation(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time", config_is_distributed=sshd_distributed_config) -}}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
index f49d9ab5275..e109cbd3124 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -1,26 +1,49 @@
-{{% set filepath = "/etc/ssh/sshd_config" -%}}
-
+{{%- set parameter = "RekeyLimit" %}}
+{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
+{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
+{{%- set description = "Ensure RekeyLimit is configured with the appropriate value in " ~ sshd_config_path %}}
+{{%- if sshd_distributed_config == "true" %}}
+{{%- set description = description  ~ " or in " ~ sshd_config_dir -%}}
+{{%- endif %}}
 
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-    {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in '" + filepath + "'") }}}
-    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
-        {{{- application_not_required_or_requirement_unset() }}}
-        {{{- application_required_or_requirement_unset() }}}
-        {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
-    </criteria>
-    </criteria>
+  {{{ oval_metadata(description) }}}
+  <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+    {{{- application_not_required_or_requirement_unset() }}}
+    {{{- application_required_or_requirement_unset() }}}
+      <criteria comment="sshd is configured corectly" operator="OR">
+        {{{- oval_line_in_file_criterion(sshd_config_path, parameter) }}}
+        {{%- if sshd_distributed_config %}}
+        {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter) | indent(8) }}}
+        {{%- endif %}}
+      </criteria>
+    </criteria><!-- macro application_required_or_requirement_unset() leaves an open criteria element-->
+  </criteria>
   </definition>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_sshd_rekey_limit" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
      <ind:object object_ref="obj_sshd_rekey_limit"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
-     <ind:filepath>{{{ filepath }}}</ind:filepath>
+     <ind:filepath>{{{ sshd_config_path }}}</ind:filepath>
+     <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  {{%- if sshd_distributed_config %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
+     <ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_sshd_rekey_limit_config_dir" version="1">
+     <ind:path>{{{ sshd_config_dir}}}</ind:path>
+     <ind:filename operation="pattern match">.*\.conf$</ind:filename>
      <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
+  {{%- endif %}}
 
   <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
     <concat>
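Review bot: The three Jinja conditions on `sshd_distributed_config` in this hunk disagree: the description at the top tests `== "true"`, while the criterion and the config-dir test/object use the bare `{{%- if sshd_distributed_config %}}`, which is truthy for any non-empty string, including a literal "false"; use `{{%- if sshd_distributed_config == "true" %}}` in all three places (rule.yml's ocil already uses that form). With the inner `<criteria ... operator="OR">`, a compliant RekeyLimit line in either location satisfies the rule even when a different value appears earlier in sshd's read order, which is the one sshd honors — unless the two line-in-* macros also reject conflicting lines, a comment on that criteria stating this accepted limitation would help the next reader. Two small text fixes in the same hunk: the criteria comment reads `corectly`, and `{{{ sshd_config_dir}}}` is missing a space before the closing delimiter.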
@@ -35,4 +58,3 @@
   <external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
   <external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
 </def-group>
-
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
index 450f244de41..702cd0506d3 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
@@ -6,8 +6,10 @@ description: |-
     The <tt>RekeyLimit</tt> parameter specifies how often
     the session key of the is renegotiated, both in terms of
     amount of data that may be transmitted and the time
-    elapsed. To decrease the default limits, put line
-    <tt>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
+    elapsed.<br/>
+    To decrease the default limits, add or correct the following line in
+    {{{ sshd_config_file() }}}
+    <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>
 
 rationale: |-
     By decreasing the limit based on the amount of data and enabling
@@ -32,6 +34,10 @@ ocil_clause: 'it is commented out or is not set'
 ocil: |-
     To check if RekeyLimit is set correctly, run the
     following command:
+    {{% if sshd_distributed_config == "true" %}}
+    <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*</pre>
+    {{% else %}}
     <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
+    {{% endif %}}
     If configured properly, output should be
     <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>

From 78d6d40f280b0e43e6c8fd7d60cfd81e7979fb8f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 9 Feb 2022 16:59:53 +0100
Subject: [PATCH 3/3] Use the Jinja variable 'parameter' where applicable

---
 .../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml       | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
index e109cbd3124..d79ac7f2047 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -1,7 +1,7 @@
 {{%- set parameter = "RekeyLimit" %}}
 {{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
 {{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
-{{%- set description = "Ensure RekeyLimit is configured with the appropriate value in " ~ sshd_config_path %}}
+{{%- set description = "Ensure {{{ parameter }}} is configured with the appropriate value in " ~ sshd_config_path %}}
 {{%- if sshd_distributed_config == "true" %}}
 {{%- set description = description  ~ " or in " ~ sshd_config_dir -%}}
 {{%- endif %}}
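Review bot: The `{{{ parameter }}}` on the new `set description` line sits inside a Jinja string literal within a `{{% set %}}` statement, where expression delimiters are not interpolated, so the rendered OVAL metadata would most likely contain the literal text `{{{ parameter }}}` rather than `RekeyLimit` (unless the build renders this file a second time, which I cannot see from here). Concatenate instead, as the same line already does for `sshd_config_path`: `{{%- set description = "Ensure " ~ parameter ~ " is configured with the appropriate value in " ~ sshd_config_path %}}`. The other three substitutions in this commit are in XML attribute and element text and render correctly.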
@@ -22,7 +22,7 @@
   </criteria>
   </definition>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in the file" id="test_sshd_rekey_limit" version="1">
      <ind:object object_ref="obj_sshd_rekey_limit"/>
   </ind:textfilecontent54_test>
 
@@ -33,7 +33,7 @@
   </ind:textfilecontent54_object>
 
   {{%- if sshd_distributed_config %}}
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
      <ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
   </ind:textfilecontent54_test>
 
@@ -47,7 +47,7 @@
 
   <local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
     <concat>
-      <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
+      <literal_component>^[\s]*{{{ parameter }}}[\s]+</literal_component>
       <variable_component var_ref="var_rekey_limit_size"/>
       <literal_component>[\s]+</literal_component>
       <variable_component var_ref="var_rekey_limit_time"/>