From 91c7ff65572b51b52eaf14f3b147b118dc85cc9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Tue, 19 May 2020 15:49:34 +0200 Subject: [PATCH 1/5] Made the rule sshd_rekey_limit parametrized. Introduce the rekey_limit_size and rekey_limit_time XCCDF values to make the rule more flexible. --- .../sshd_rekey_limit/bash/shared.sh | 9 ++++ .../sshd_rekey_limit/oval/shared.xml | 43 +++++++++++++++++++ .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 12 +----- .../sshd_rekey_limit/tests/bad_size.fail.sh | 4 ++ .../sshd_rekey_limit/tests/bad_time.fail.sh | 4 ++ .../sshd_rekey_limit/tests/no_line.fail.sh | 3 ++ .../sshd_rekey_limit/tests/ok.pass.sh | 4 ++ .../ssh/ssh_server/var_rekey_limit_size.var | 14 ++++++ .../ssh/ssh_server/var_rekey_limit_time.var | 14 ++++++ rhel8/profiles/ospp.profile | 2 + 10 files changed, 99 insertions(+), 10 deletions(-) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var create mode 100644 linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh new file mode 100644 index 0000000000..2620c2d49e --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh 
@@ -0,0 +1,9 @@ +# platform = multi_platform_all + +# Include source function library. +. /usr/share/scap-security-guide/remediation_functions + +populate var_rekey_limit_size +populate var_rekey_limit_time + +{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml new file mode 100644 index 0000000000..57aa090948 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml @@ -0,0 +1,43 @@ +{{% set filepath = "/etc/ssh/sshd_config" %}} +{{% set parameter = "RekeyLimit" %}} + + + + + + {{{ rule_title }}} + {{{- oval_affected(products) }}} + Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}' + + + {{{- application_not_required_or_requirement_unset() }}} + {{{- application_required_or_requirement_unset() }}} + {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} + + + + + + + + + + {{{ filepath }}} + + 1 + + + + + ^[\s]*RekeyLimit[\s]+ + + [\s]+ + + [\s]*$ + + + + + + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml index e11678faa0..4936a381f5 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml @@ -7,7 +7,7 @@ description: |- the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line - RekeyLimit 512M 1h to file /etc/ssh/sshd_config. + RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}} to file /etc/ssh/sshd_config. rationale: |- By decreasing the limit based on the amount of data and enabling @@ -30,12 +30,4 @@ ocil: |- following command:
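Review bot: The OVAL state pattern `^[\s]*RekeyLimit[\s]+` (together with the `[\s]+` and `[\s]*$` fragments that appear to wrap the two variable values) matches the keyword case-sensitively and the values as literal strings, while sshd reads keywords case-insensitively, so an effective `rekeylimit 512M 1h` line is reported as a finding and only the exact spelling of the selected option passes. If the literal comparison is intended, say so next to the state, e.g. `<!-- keyword and values are compared literally; only the canonical spelling passes -->`; otherwise prefix the pattern with `(?i)`. Most of this hunk's XML markup is missing from the rendering, so the object/state structure is inferred from the surviving text.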
$ sudo grep RekeyLimit /etc/ssh/sshd_config
If configured properly, output should be -
RekeyLimit 512M 1h
- -template: - name: sshd_lineinfile - vars: - missing_parameter_pass: 'false' - parameter: RekeyLimit - rule_id: sshd_rekey_limit - value: 512M 1h +
RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
new file mode 100644
index 0000000000..2ac0bbf350
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
new file mode 100644
index 0000000000..fec859fe05
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
new file mode 100644
index 0000000000..a6cd10163f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
new file mode 100644
index 0000000000..a6a2ba7adf
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/ok.pass.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var
new file mode 100644
index 0000000000..16dc376508
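Review bot: `sed -e '/RekeyLimit/d' /etc/ssh/sshd_config` only prints the filtered file to stdout; without `-i` any existing RekeyLimit line stays in sshd_config, so the state the following `echo ... >> /etc/ssh/sshd_config` builds on is not the one the test name promises, and no_line.fail.sh in particular leaves a pre-existing line untouched. The same line appears in bad_time.fail.sh, no_line.fail.sh and ok.pass.sh. Change it to `sed -i -e '/RekeyLimit/d' /etc/ssh/sshd_config` in all four scripts.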
--- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_size.var @@ -0,0 +1,14 @@ +documentation_complete: true + +title: 'SSH RekeyLimit - size' + +description: 'Specify the size component of the rekey limit.' + +type: string + +operator: equals + +options: + sshd_default: "default" + default: "512M" + "512M": "512M" diff --git a/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var new file mode 100644 index 0000000000..8801fbbf6f --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/var_rekey_limit_time.var @@ -0,0 +1,14 @@ +documentation_complete: true + +title: 'SSH RekeyLimit - size' + +description: 'Specify the size component of the rekey limit.' + +type: string + +operator: equals + +options: + sshd_default: "none" + default: "1h" + "1hour": "1h" diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index c672066050..a5223a187f 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -58,6 +58,8 @@ selections: - sshd_set_keepalive - sshd_enable_warning_banner - sshd_rekey_limit + - var_rekey_limit_size=512M + - var_rekey_limit_time=1hour - sshd_use_strong_rng - openssl_use_strong_entropy From 85efae481db88792de138916c242fbbf0a7adeb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Tue, 19 May 2020 17:57:12 +0200 Subject: [PATCH 2/5] Updated stable profile definitions. --- tests/data/profile_stability/rhel8/ospp.profile | 2 ++ tests/data/profile_stability/rhel8/stig.profile | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile index 23039c82b4..bdda39a903 100644 --- a/tests/data/profile_stability/rhel8/ospp.profile +++ b/tests/data/profile_stability/rhel8/ospp.profile 
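Review bot: var_rekey_limit_time.var carries `title: 'SSH RekeyLimit - size'` and `description: 'Specify the size component of the rekey limit.'`, copied from the size variable, so the generated guide describes the wrong component for it. Change them to `title: 'SSH RekeyLimit - time'` and `description: 'Specify the time component of the rekey limit.'`. The option key `1hour` resolving to `1h` is consistent with the `var_rekey_limit_time=1hour` selection added to ospp.profile in the same patch.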
@@ -214,6 +214,8 @@ selections: - timer_dnf-automatic_enabled - usbguard_allow_hid_and_hub - var_sshd_set_keepalive=0 +- var_rekey_limit_size=512M +- var_rekey_limit_time=1hour - var_accounts_user_umask=027 - var_password_pam_difok=4 - var_password_pam_maxrepeat=3 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index cd31b73700..ebef541921 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -21,7 +21,6 @@ description: 'This profile contains configuration checks that align to the - Red Hat Containers with a Red Hat Enterprise Linux 8 image' documentation_complete: true -extends: ospp selections: - account_disable_post_pw_expiration - account_temp_expire_date @@ -243,6 +242,8 @@ selections: - timer_dnf-automatic_enabled - usbguard_allow_hid_and_hub - var_sshd_set_keepalive=0 +- var_rekey_limit_size=512M +- var_rekey_limit_time=1hour - var_accounts_user_umask=027 - var_password_pam_difok=4 - var_password_pam_maxrepeat=3 From d75161c4f7232380a1b46aa8d99fa5d562503c80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Fri, 22 May 2020 11:43:36 +0200 Subject: [PATCH 3/5] Improved how variables are handled in remediations. --- shared/macros-ansible.jinja | 14 ++++++++++++++ shared/macros-bash.jinja | 15 +++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index 56a3f5f3ec..6798a25d1f 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja 
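Review bot: The stig.profile hunk also drops `extends: ospp` from the stable profile definition, which the commit message ("Updated stable profile definitions") does not explain and which is unrelated to the two rekey variables added next to it. If the generated STIG profile really no longer extends OSPP, that deserves its own commit or at least a sentence in this one; if it is a leftover, the stability test will now record a change nobody intended. The generator's output is not visible here, so which of the two applies is inferred.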
@@ -1,3 +1,17 @@ +{{# +Pass strings that correspond to XCCDF value names as arguments to this macro: +ansible_instantiate_variables("varname1", "varname2") + +Then, assume that the task that follows can work with the variable by referencing it, e.g. +value: "Setting={{ varname1 }}" + +#}} +{{%- macro ansible_instantiate_variables() -%}} +{{%- for name in varargs -%}} +- (xccdf-var {{{ name }}}) +{{% endfor -%}} +{{%- endmacro -%}} + {{# A wrapper over the Ansible lineinfile module. This handles the most common options for us. regex is optional and when blank, it won't be included in diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja index 01b9e62e7b..3a94fe5dd8 100644 --- a/shared/macros-bash.jinja +++ b/shared/macros-bash.jinja @@ -1,5 +1,20 @@ {{# ##### High level macros ##### #}} +{{# +Pass strings that correspond to XCCDF value names as arguments to this macro: +bash_instantiate_variables("varname1", "varname2") + +Then, assume that variables of that names are defined and contain the correct value, e.g. +echo "Setting=$varname1" >> config_file + +#}} +{{%- macro bash_instantiate_variables() -%}} +{{%- for name in varargs -%}} +populate {{{ name }}} +{{# this line is intentionally left blank #}} +{{% endfor -%}} +{{%- endmacro -%}} + {{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}} {{% if no_quotes -%}} {{% if "$" in value %}} From 912ce0a4ade9aa335c044314a6cc018f1ead1abe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Fri, 22 May 2020 11:44:08 +0200 Subject: [PATCH 4/5] Fixed Bash and Ansible remediations. --- .../ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml | 8 ++++++++ .../ssh/ssh_server/sshd_rekey_limit/bash/shared.sh | 3 +-- 2 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml 
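Review bot: The comment on bash_instantiate_variables does not say where `populate` comes from, so a remediation that forgets the `. /usr/share/scap-security-guide/remediation_functions` line (sshd_rekey_limit/bash/shared.sh has it) gets an unknown command at run time; add `Requires the remediation function library (which defines populate) to be sourced before this macro's output runs.` to the comment, presumably that library is where populate is defined. The sentence `Then, assume that variables of that names are defined` reads better as `Then, assume that variables of those names are defined`. The ansible macro's comment could likewise name the `- (xccdf-var NAME)` placeholder it emits, which I take to be resolved later by the build.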
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
new file mode 100644
index 0000000000..43a2d4521f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all [0/453]
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
+
+{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size}} {{var_rekey_limit_time}}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
index 2620c2d49e..0277f31392 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
@@ -3,7 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
 
-populate var_rekey_limit_size
-populate var_rekey_limit_time
+{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
 
 {{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
From d0ac47945e14017e522d523267d3a4bfb5ecdf71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
Date: Fri, 22 May 2020 11:49:04 +0200
Subject: [PATCH 5/5] Improved the OVAL according to the review feedback.

---
 .../services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
index 57aa090948..47796e5332 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
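Review bot: The first line of ansible/shared.yml is `# platform = multi_platform_all [0/453]`; the trailing `[0/453]` looks like a pasted terminal fragment, and it sits on the header line the build reads for the platform, so at best it is ignored and at worst the platform string is not recognized. Change it to `# platform = multi_platform_all`. On the last line, `{{ var_rekey_limit_size}} {{var_rekey_limit_time}}` has uneven spacing; `{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}` mirrors the `$var_rekey_limit_size $var_rekey_limit_time` form used in the bash remediation below.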
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml @@ -1,5 +1,4 @@ -{{% set filepath = "/etc/ssh/sshd_config" %}} -{{% set parameter = "RekeyLimit" %}} +{{% set filepath = "/etc/ssh/sshd_config" -%}} @@ -7,7 +6,7 @@ {{{ rule_title }}} {{{- oval_affected(products) }}} - Ensure '{{{ RekeyLimit }}}' is configured with the correct value in '{{{ filepath }}}' + Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' {{{- application_not_required_or_requirement_unset() }}}