From a5cce64337e8b8617f3bf3ee1311e80d652754ea Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 14 Oct 2021 12:12:16 +0200
Subject: [PATCH] Set sshd priv keys permissions 600 for all products.

---
 .../file_permissions_sshd_private_key/rule.yml    | 15 +++------------
 .../tests/correct_value.pass.sh             |  8 +-------
 .../tests/multiple_keys.fail.sh                   |  2 +-
 4 files changed, 7 insertions(+), 21 deletions(-)

diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index bda7ae4d53b..ddda4075e21 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -3,11 +3,7 @@ documentation_complete: true
 title: 'Verify Permissions on SSH Server Private *_key Key Files'
 
 description: |-
-    {{% if product in ['ubuntu1804','opensuse', 'sle12', 'sle15'] %}}
     {{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0600") }}}
-    {{% else %}}
-    {{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0640") }}}
-    {{% endif %}}
 
 rationale: |-
     If an unauthorized user obtains the private SSH host key file, the host could be
@@ -45,10 +41,10 @@ references:
     stigid@sle12: SLES-12-030220
     stigid@sle15: SLES-15-040250
 
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}'
 
 ocil: |-
-    {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}
+    {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}
 
 template:
     name: file_permissions
@@ -56,9 +52,4 @@ template:
         filepath: /etc/ssh/
         missing_file_pass: 'true'
         file_regex: ^.*_key$
-        filemode: '0640'
-        filemode@sle12: '0600'
-        filemode@sle15: '0600'
-        filemode@ubuntu1604: '0600'
-        filemode@ubuntu1804: '0600'
-        filemode@ubuntu2004: '0600'
+        filemode: '0600'
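Review bot: The unconditional `filemode: '0600'` at the end of this hunk replaces per-product overrides that previously allowed 0640 on some products, so any product whose sshd ships host keys group-readable by a dedicated key group (so that a setgid helper can read them) will now fail the check and have its keys tightened by remediation; whether any currently targeted product still does this is not visible here and should be confirmed before merging. The commit subject records the decision but not the reasoning, and neither does the rule, so a maintainer who later sees a product-specific failure has nothing to go on. A one-line comment above the new value would capture it, e.g. `# 0600 on every product: host private keys must be readable by root only`. Note also that `missing_file_pass: 'true'` remains, so a host with no `*_key` files passes this rule; that is pre-existing behaviour but worth keeping in mind when reading the new tests.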
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
index 5790a48..f7cf8d9 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
@@ -2,4 +2,4 @@
 #
 
 FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
-chmod 0640 /etc/ssh/*_key
+chmod 0600 /etc/ssh/*_key
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
index 6df9d61b715..7c0d6019702 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
@@ -4,4 +4,4 @@
 FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
 chmod 0777 $FAKE_KEY
 FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX_key)
-chmod 0640 $FAKE_KEY2
+chmod 0600 $FAKE_KEY2
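Review bot: The new `chmod 0600 $FAKE_KEY2` line leaves the mktemp result unquoted, as the `chmod 0777 $FAKE_KEY` line above it already does; the value comes from a fixed template so it cannot currently contain whitespace, but quoting expansions is the usual shell convention and costs nothing: `chmod 0600 "$FAKE_KEY2"`. Since the commit only changes the mode in this line, it is a good moment to align it with that convention.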