From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 27 May 2020 14:34:50 +0200
Subject: [PATCH 01/11] add rule, variables, check, remediations
---
 .../ssh_client_rekey_limit/ansible/shared.yml | 8 ++++
 .../ssh_client_rekey_limit/bash/shared.sh | 8 ++++
 .../ssh_client_rekey_limit/oval/shared.xml | 39 +++++++++++++++++++
 .../crypto/ssh_client_rekey_limit/rule.yml | 34 ++++++++++++++++
 .../var_ssh_client_rekey_limit_size.var | 15 +++++++
 .../var_ssh_client_rekey_limit_time.var | 14 +++++++
 shared/references/cce-redhat-avail.txt | 1 -
 7 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
 create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
new file mode 100644
index 0000000000..6d2bcbbd44
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_all [0/453]
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+
+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
new file mode 100644
index 0000000000..43d0971ffc
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+
+{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
new file mode 100644
index 0000000000..2412763e3f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
@@ -0,0 +1,39 @@ +{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}} + + + + + + {{{ rule_title }}} + {{{- oval_affected(products) }}} + Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' + + + {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} + + + + + + + + + {{{ filepath }}} + + 1 + + + + + ^[\s]*RekeyLimit[\s]+ + + [\s]+ + + [\s]*$ + + + + + + + diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml new file mode 100644 index 0000000000..a1b85b0ee5 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml @@ -0,0 +1,34 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Configure session renegotiation for SSH client' + +description: |- + The RekeyLimit parameter specifies how often + the session key is renegotiated, both in terms of + amount of data that may be transmitted and the time + elapsed. To decrease the default limits, put line + RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. + +rationale: |- + By decreasing the limit based on the amount of data and enabling + time-based limit, effects of potential attacks against + encryption keys are limited. + +severity: medium + +identifiers: + cce@rhel8: 82880-6 + +references: + ospp: FCS_SSHS_EXT.1 + +ocil_clause: 'it is commented out or is not set' + +ocil: |- + To check if RekeyLimit is set correctly, run the + following command: +
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
+ If configured properly, output should be +
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
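Review bot: The `ospp: FCS_SSHS_EXT.1` reference in the new rule.yml names the SSH server protocol component, while everything else in this rule (the title, the `/etc/ssh/ssh_config.d` path, the `ssh_client_` variable names) targets the SSH client; the client-side rekey requirement is expressed under the client component, so the reference should presumably read `ospp: FCS_SSHC_EXT.1`. Worth confirming against the OSPP SSH package before merging, since this reference is what ties the rule to the profile's control mapping and a wrong one is hard to spot later.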
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
new file mode 100644
index 0000000000..bcf051fd97
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -0,0 +1,15 @@
+documentation_complete: true
+
+title: 'SSH client RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ ssh_client_default: "default"
+ default: "512M"
+ "512M": "512M"
+ "1G": "1G"
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
new file mode 100644
index 0000000000..31c76f9ab5
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'SSH client RekeyLimit - size'
+
+description: 'Specify the size component of the rekey limit.'
+
+type: string
+
+operator: equals
+
+options:
+ ssh_client_default: "none"
+ default: "1h"
+ "1hour": "1h"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 45d03a2c1d..e060d2fb1c 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-82880-6
 CCE-82882-2
 CCE-82883-0
 CCE-82888-9
From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 27 May 2020 14:35:24 +0200
Subject: [PATCH 02/11] add tests
---
 .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++++
 .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++++
 .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 3 +++
 .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 4 ++++
 4 files changed, 15 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
new file mode 100644
index 0000000000..2ac0bbf350
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
new file mode 100644
index 0000000000..fec859fe05
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
new file mode 100644
index 0000000000..a6cd10163f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
new file mode 100644
index 0000000000..a6a2ba7adf
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 27 May 2020 14:35:43 +0200
Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles
---
 rhel8/profiles/ospp.profile | 5 +++++
 tests/data/profile_stability/rhel8/ospp.profile | 3 +++
 tests/data/profile_stability/rhel8/stig.profile | 3 +++
 3 files changed, 11 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 0dca8350f9..07d32b814d 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -410,3 +410,8 @@ selections:
 # Prevent Kerberos use by system daemons
 - kerberos_disable_no_keytab
+
+ # set ssh client rekey limit
+ - ssh_client_rekey_limit
+ - var_ssh_client_rekey_limit_size=1G
+ - var_ssh_client_rekey_limit_time=1hour
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 25f7922bf3..b0d7672c36 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -240,4 +240,7 @@ selections:
 - grub2_vsyscall_argument.severity=info
 - sysctl_user_max_user_namespaces.role=unscored
 - sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
 title: Protection Profile for General Purpose Operating Systems
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 6c4270925f..330ecc7e1e 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -269,4 +269,7 @@ selections:
 - grub2_vsyscall_argument.severity=info
 - sysctl_user_max_user_namespaces.role=unscored
 - sysctl_user_max_user_namespaces.severity=info
+- ssh_client_rekey_limit
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
 title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 28 May 2020 14:25:41 +0200
Subject: [PATCH 04/11] improve description of variables
---
 .../crypto/var_ssh_client_rekey_limit_size.var | 10 ++++++++--
 .../crypto/var_ssh_client_rekey_limit_time.var | 12 +++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
index bcf051fd97..4e20104cba 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -2,14 +2,20 @@ documentation_complete: true
 title: 'SSH client RekeyLimit - size'
-description: 'Specify the size component of the rekey limit.'
+description: |-
+ Specify the size component of the rekey limit. This limit signifies amount
+ of data. After this amount of data is transferred through the connection,
+ the session key is renegotiated. The number is followed by K, M or G for
+ kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
+ configured according to ellabsed time.
+
+interactive: true
 type: string
 operator: equals
 options:
- ssh_client_default: "default"
 default: "512M"
 "512M": "512M"
 "1G": "1G"
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
index 31c76f9ab5..6143a5448c 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -1,14 +1,20 @@
 documentation_complete: true
-title: 'SSH client RekeyLimit - size'
+title: 'SSH client RekeyLimit - time'
-description: 'Specify the size component of the rekey limit.'
+description: |-
+ Specify the time component of the rekey limit. This limit signifies amount
+ of data. The session key is renegotiated after the defined amount of time
+ passes. The number is followed by units such as H or M for hours or minutes.
+ Note that the RekeyLimit can be also configured according to amount of
+ transfered data.
+
+interactive: true
 type: string
 operator: equals
 options:
- ssh_client_default: "none"
 default: "1h"
 "1hour": "1h"
From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 28 May 2020 14:26:12 +0200
Subject: [PATCH 05/11] fix tests and ansible
---
 .../crypto/ssh_client_rekey_limit/ansible/shared.yml | 2 +-
 .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++--
 .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++--
 .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 2 +-
 .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++--
 5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
index 6d2bcbbd44..bb6544a0a0 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_all [0/453]
+# platform = multi_platform_all
 # reboot = false
 # strategy = configure
 # complexity = low
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
index 2ac0bbf350..22c465b08f 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -1,4 +1,4 @@
 # platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
+
+echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
index fec859fe05..0dc621b1da 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -1,4 +1,4 @@
 # platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
+
+echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
index a6cd10163f..f6abf711da 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -1,3 +1,3 @@
 # platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
+echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index a6a2ba7adf..e64e4191bc 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -1,4 +1,5 @@
 # platform = multi_platform_all
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
+
+rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
+echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
From 9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001
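Review bot: `bad_time.fail.sh` (and `bad_size.fail.sh` in the previous hunk) now append to `/etc/ssh/ssh_config.d/02-rekey-limit.conf` with `>>` but, unlike `ok.pass.sh`, never remove a pre-existing file, so on an image that already carries a correct `RekeyLimit` line the file ends up holding two conflicting lines and the verdict depends on how the OVAL treats multiple matches. Adding `rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf` before the `echo` in both fail scenarios makes them deterministic. `no_line.fail.sh` writes `some line`, which is not a valid ssh_config keyword and leaves a client configuration ssh will refuse to parse; an inert line such as `# no RekeyLimit here` exercises the same "keyword absent" path without that side effect.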
From: Vojtech Polasek
Date: Mon, 1 Jun 2020 14:29:47 +0200
Subject: [PATCH 06/11] fix test to use default value, remove rule from stig
---
 .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 2 +-
 rhel8/profiles/stig.profile | 1 +
 tests/data/profile_stability/rhel8/stig.profile | 1 -
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index e64e4191bc..89d7069687 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -2,4 +2,4 @@
 rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 2bb81cf9dc..8f12852e26 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -44,3 +44,4 @@ selections:
 - package_rsyslog-gnutls_installed
 - rsyslog_remote_tls
 - rsyslog_remote_tls_cacert
+ - "!ssh_client_rekey_limit"
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 330ecc7e1e..9b164eb5c2 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -269,7 +269,6 @@ selections:
 - grub2_vsyscall_argument.severity=info
 - sysctl_user_max_user_namespaces.role=unscored
 - sysctl_user_max_user_namespaces.severity=info
-- ssh_client_rekey_limit
 - var_ssh_client_rekey_limit_size=1G
 - var_ssh_client_rekey_limit_time=1hour
 title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001
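Review bot: `ok.pass.sh` now pins `RekeyLimit 512M 1h`, which passes only because those happen to be the `default:` options of the two variables; if a default changes, or the scenario is evaluated with the OSPP selections this series adds (`1G`/`1hour`), the pass test silently becomes a failure with no hint why. If the test suite's `# variables =` scenario header is available in this tree, adding `# variables = var_ssh_client_rekey_limit_size=512M,var_ssh_client_rekey_limit_time=1h` next to the `# platform` line makes the coupling explicit and decouples the scenario from the defaults. The same applies to the values hard-coded in `bad_size.fail.sh` and `bad_time.fail.sh`.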
From: Vojtech Polasek Date: Wed, 3 Jun 2020 12:38:19 +0200 Subject: [PATCH 07/11] rewrite oval to check for multiple locations --- .../ssh_client_rekey_limit/oval/shared.xml | 42 ++++++++++++------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml index 2412763e3f..41fa0497ae 100644 --- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml @@ -1,28 +1,17 @@ -{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}} - {{{ rule_title }}} {{{- oval_affected(products) }}} - Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}' + Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf - - {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}} + + + - - - - - - {{{ filepath }}} - - 1 - - ^[\s]*RekeyLimit[\s]+ @@ -35,5 +24,26 @@ - + + + + + + + /etc/ssh/ssh_config + ^[\s]*RekeyLimit.*$ + 1 + + + + + + + + ^/etc/ssh/ssh_config\.d/.*\.conf$ + + 1 + + + From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 4 Jun 2020 08:24:54 +0200 Subject: [PATCH 08/11] reqrite remediations --- .../ssh_client_rekey_limit/ansible/shared.yml | 16 ++++++++++++++++ .../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++ 2 files changed, 29 insertions(+) diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml index bb6544a0a0..36de503806 100644 --- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml 
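Review bot: The rewritten OVAL matches the keyword case-sensitively (`^[\s]*RekeyLimit[\s]+` for the drop-in check and `^[\s]*RekeyLimit.*$` for the `/etc/ssh/ssh_config` absence check), but ssh_config(5) keywords are case-insensitive, so a line such as `rekeylimit 4G 24h` in the main config or an earlier-sorted drop-in is honoured by ssh yet invisible to this check, which would then report a pass; prefixing both patterns with `(?i)` closes that gap, and the removal regexes added to the bash and ansible remediations later in this series need the same treatment. A second gap is that the check assumes `/etc/ssh/ssh_config` still contains the `Include /etc/ssh/ssh_config.d/*.conf` directive; if that line is missing or commented out the drop-in is never read and the rule passes while the setting is ineffective, so a criterion that the `Include` line is present is worth adding. The XML element names were stripped in this rendering, so whether the drop-in criterion requires every matching `*.conf` line to carry the expected value or only one of them cannot be confirmed from here; the description added in a later commit suggests "every", and the OVAL should be read with that in mind.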
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -5,4 +5,20 @@
 # disruption = low
 {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}}
+
+- name: Collect all include config files for ssh client which configure RekeyLimit
+ find:
+ paths: "/etc/ssh/ssh_config.d/"
+ contains: '^[\s]*RekeyLimit.*$'
+ patterns: "*.config"
+ register: ssh_config_include_files
+
+- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^[\s]*RekeyLimit.*$'
+ state: "absent"
+ loop: "{{ ssh_config_include_files.files }}"
+
 {{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
index 43d0971ffc..99f6f63c92 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
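Review bot: The new `find` task can never return anything because `patterns: "*.config"` does not match the `*.conf` drop-ins the rest of the rule operates on, so the removal loop is a no-op and a stale `RekeyLimit` in, say, `01-foo.conf` keeps precedence over the line the final task writes; the remediation then reports success while the check still fails. Even with the pattern fixed, `loop` iterates over the result dicts, so `path: "{{ item }}"` hands `lineinfile` the whole object rather than a filename; the two corrections are `patterns: "*.conf"` and `path: "{{ item.path }}"`. The task name also misspells `occurrences`.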
@@ -5,4 +5,17 @@
 {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+main_config="/etc/ssh/ssh_config"
+include_directory="/etc/ssh/ssh_config.d"
+
+if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
+ sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
+fi
+
+for file in "$include_directory"/*.conf; do
+ if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
+ sed -i '/^[\s]*RekeyLimit.*/d' "$file"
+ fi
+done
+
 {{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 4 Jun 2020 08:25:14 +0200
Subject: [PATCH 09/11] add more tests
---
 .../tests/bad_main_config_good_include_config.fail.sh | 4 ++++
 .../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh | 4 ++++
 .../tests/ok_different_config_file.pass.sh | 3 +++
 3 files changed, 11 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
new file mode 100644
index 0000000000..90314712af
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
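Review bot: Inside a POSIX bracket expression `[\s]` is the two-character set backslash-or-`s`, not whitespace (`\s` is only a whitespace shorthand outside brackets in GNU grep and sed), so the new `grep -q '^[\s]*RekeyLimit.*$'` and `sed -i '/^[\s]*RekeyLimit.*/d'` calls, both for `$main_config` and inside the `for` loop, only match a `RekeyLimit` that starts at column 0; an indented `    RekeyLimit 4G 24h` survives the cleanup and, where it precedes the `Include` directive, keeps overriding the value `set_config_file` writes. Use `[[:space:]]` in all four patterns, e.g. `if grep -q '^[[:space:]]*RekeyLimit' "$main_config"; then` and `sed -i '/^[[:space:]]*RekeyLimit/d' "$main_config"`. The loop also needs a guard for an empty `ssh_config.d`, where the unmatched glob is passed to grep literally: `[ -f "$file" ] || continue` as the first statement of the loop body.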
@@ -0,0 +1,4 @@
+#!/bin/basdh
+
+echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
new file mode 100644
index 0000000000..9ba20b0290
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -rf /etc/ssh/ssh_config.d/*
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
new file mode 100644
index 0000000000..f725f6936f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf
From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 4 Jun 2020 08:25:29 +0200
Subject: [PATCH 10/11] extend description and ocil
---
 .../crypto/ssh_client_rekey_limit/rule.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index a1b85b0ee5..76f5f84090 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
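Review bot: None of the three new scenarios covers the case the rule description itself warns about, a drop-in sorted before `02-rekey-limit.conf` that sets a weaker limit; a `bad_earlier_include_file.fail.sh` with `echo "RekeyLimit 4G 24h" >> /etc/ssh/ssh_config.d/01-weak.conf` followed by `echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf` would show whether the OVAL rejects that layout or passes on the first file that matches. The new scripts also omit the `# platform = multi_platform_all` header the earlier scenarios carry; if the harness treats a missing header as all platforms this is harmless, otherwise they are skipped, so it is worth adding for consistency either way. `line_in_main_config.fail.sh` runs `rm -rf /etc/ssh/ssh_config.d/*`, which also wipes the distribution's own drop-ins on the test VM; deleting only the `RekeyLimit` lines keeps the scenario closer to a real system.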
@@ -10,6 +10,12 @@ description: |- amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}} to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. + Make sure that there is no other RekeyLimit configuration preceding + the include directive in the main config file + /etc/ssh/ssh_config. Check also other files in + /etc/ssh/ssh_config.d directory. Files are processed according to + their names. Make sure that there is no file processed before + 02-rekey-limit.conf containing definition of RekeyLimit. rationale: |- By decreasing the limit based on the amount of data and enabling @@ -27,8 +33,11 @@ references: ocil_clause: 'it is commented out or is not set' ocil: |- - To check if RekeyLimit is set correctly, run the - following command: -
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
- If configured properly, output should be -
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
+ To check if RekeyLimit is set correctly, run the following command:
$
+    sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf
If configured + properly, output should be
/etc/ssh/ssh_config.d/02-rekey-limit.conf:
+    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
+    sub_var_value("var_ssh_client_rekey_limit_time") }}}
Check also the + main configuration file with the following command:
sudo grep
+    RekeyLimit /etc/ssh/ssh_config
The command should not return any + output. From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 8 Jun 2020 11:44:44 +0200 Subject: [PATCH 11/11] fix typos and wording --- .../integrity/crypto/ssh_client_rekey_limit/rule.yml | 5 +++-- .../tests/bad_main_config_good_include_config.fail.sh | 2 +- .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 + .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 + .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 1 + .../crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 1 + .../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +- .../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++----- 8 files changed, 13 insertions(+), 9 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml index 76f5f84090..b054d9d221 100644 --- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml @@ -14,8 +14,9 @@ description: |- the include directive in the main config file /etc/ssh/ssh_config. Check also other files in /etc/ssh/ssh_config.d directory. Files are processed according to - their names. Make sure that there is no file processed before - 02-rekey-limit.conf containing definition of RekeyLimit. + lexicographical order of file names. Make sure that there is no file + processed before 02-rekey-limit.conf containing definition of + RekeyLimit. rationale: |- By decreasing the limit based on the amount of data and enabling diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh index 90314712af..58befb0107 100644 
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
@@ -1,4 +1,4 @@
-#!/bin/basdh
+#!/bin/bash
 echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
 echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
index 22c465b08f..1803c26629 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 # platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
index 0dc621b1da..2c9e839255 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 # platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
index f6abf711da..7de108eafd 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 # platform = multi_platform_all
 echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index 89d7069687..4c047ed179 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 # platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
index 4e20104cba..c8dd8ef10e 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -7,7 +7,7 @@ description: |-
 of data. After this amount of data is transferred through the connection,
 the session key is renegotiated. The number is followed by K, M or G for
 kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
- configured according to ellabsed time.
+ configured according to elapsed time.
 interactive: true
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
index 6143a5448c..6223e8e38f 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -3,11 +3,10 @@ documentation_complete: true
 title: 'SSH client RekeyLimit - time'
 description: |-
- Specify the time component of the rekey limit. This limit signifies amount
- of data. The session key is renegotiated after the defined amount of time
- passes. The number is followed by units such as H or M for hours or minutes.
- Note that the RekeyLimit can be also configured according to amount of
- transfered data.
+ Specify the time component of the rekey limit. The session key is
+ renegotiated after the defined amount of time passes. The number is followed
+ by units such as H or M for hours or minutes. Note that the RekeyLimit can
+ be also configured according to amount of transfered data.
 interactive: true