From a5cce64337e8b8617f3bf3ee1311e80d652754ea Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 14 Oct 2021 12:12:16 +0200
Subject: [PATCH] Set sshd priv keys permissions 600 for all products.
---
.../file_permissions_sshd_private_key/rule.yml | 15 +++------------
.../tests/correct_value.pass.sh | 8 +-------
.../tests/multiple_keys.fail.sh | 2 +-
4 files changed, 7 insertions(+), 21 deletions(-)
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index bda7ae4d53b..ddda4075e21 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -3,11 +3,7 @@ documentation_complete: true
title: 'Verify Permissions on SSH Server Private *_key Key Files'
description: |-
- {{% if product in ['ubuntu1804','opensuse', 'sle12', 'sle15'] %}}
{{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0600") }}}
- {{% else %}}
- {{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0640") }}}
- {{% endif %}}
rationale: |-
If an unauthorized user obtains the private SSH host key file, the host could be
@@ -45,10 +41,10 @@ references:
stigid@sle12: SLES-12-030220
stigid@sle15: SLES-15-040250
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}'
ocil: |-
- {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}
+ {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}
template:
name: file_permissions
@@ -56,9 +52,4 @@ template:
filepath: /etc/ssh/
missing_file_pass: 'true'
file_regex: ^.*_key$
- filemode: '0640'
- filemode@sle12: '0600'
- filemode@sle15: '0600'
- filemode@ubuntu1604: '0600'
- filemode@ubuntu1804: '0600'
- filemode@ubuntu2004: '0600'
+ filemode: '0600'
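Review bot: The single `filemode: '0600'` now also covers products whose sshd packaging installs host keys as root:ssh_keys with mode 0640 so that the setgid `ssh-keysign` helper can read them (RHEL 7/8 are the usual examples); on such a system freshly generated keys fail this rule, and a remediation that forces 0600 can break host-based authentication. I cannot tell from the hunk which products in this build still ship that layout, so please confirm that each one either creates keys as 0600 root:root or knowingly accepts the ssh-keysign regression. If any product does not, keep a per-product override such as `filemode@rhel8: '0640'` instead of dropping every product line, or record the trade-off in the rule's `warnings` section so auditors understand why a stock installation is flagged.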
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
index 5790a48..f7cf8d9 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
@@ -2,4 +2,4 @@
#
FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
-chmod 0640 /etc/ssh/*_key
+chmod 0600 /etc/ssh/*_key
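Review bot: The new `chmod 0600 /etc/ssh/*_key` relies on the glob to pick up the file created into `FAKE_KEY` on the line above, so the variable is assigned but never referenced, which reads as a leftover rather than intent. A short comment would make the setup self-explanatory, presumably along the lines of `# create at least one *_key file so the check has something to evaluate, then make all keys compliant`. If the intent is instead to exercise only the fake key, `chmod 0600 "$FAKE_KEY"` is the more precise form.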
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
index 6df9d61b715..7c0d6019702 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
@@ -4,4 +4,4 @@
FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
chmod 0777 $FAKE_KEY
FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX_key)
-chmod 0640 $FAKE_KEY2
+chmod 0600 $FAKE_KEY2
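Review bot: `chmod 0600 $FAKE_KEY2` leaves the expansion unquoted; a mktemp name under `/etc/ssh/` will not contain whitespace, but `chmod 0600 "$FAKE_KEY2"` (and likewise `chmod 0777 "$FAKE_KEY"` two lines up) is the defensive form and avoids a shellcheck SC2086 finding. Note also that GNU mktemp already creates files with mode 0600, so after this change the line only restates the default; keeping it is fine, but a comment such as `# second key is compliant; only the 0777 one should trip the rule` would make the multiple-keys scenario explicit to the next reader.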