From a5cce64337e8b8617f3bf3ee1311e80d652754ea Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Thu, 14 Oct 2021 12:12:16 +0200
Subject: [PATCH] Set sshd priv keys permissions 600 for all products.
---
 .../file_permissions_sshd_private_key/rule.yml | 15 +++------------
 .../tests/correct_value.pass.sh | 8 +-------
 .../tests/multiple_keys.fail.sh | 2 +-
 4 files changed, 7 insertions(+), 21 deletions(-)
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
index bda7ae4d53b..ddda4075e21 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -3,11 +3,7 @@ documentation_complete: true
 title: 'Verify Permissions on SSH Server Private *_key Key Files'
 description: |-
- {{% if product in ['ubuntu1804','opensuse', 'sle12', 'sle15'] %}}
 {{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0600") }}}
- {{% else %}}
- {{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0640") }}}
- {{% endif %}}
 rationale: |-
 If an unauthorized user obtains the private SSH host key file, the host could be
@@ -45,10 +41,10 @@ references:
 stigid@sle12: SLES-12-030220
 stigid@sle15: SLES-15-040250
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}'
 ocil: |-
- {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}
+ {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}
 template:
 name: file_permissions
@@ -56,9 +52,4 @@ template:
 filepath: /etc/ssh/
 missing_file_pass: 'true'
 file_regex: ^.*_key$
- filemode: '0640'
- filemode@sle12: '0600'
- filemode@sle15: '0600'
- filemode@ubuntu1604: '0600'
- filemode@ubuntu1804: '0600'
- filemode@ubuntu2004: '0600'
+ filemode: '0600'
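Review bot: Collapsing `filemode` to a single `0600` in the third hunk (the `template:` vars) drops every per-product override without stating why the products that previously fell through to the old `0640` default are now correct at `0600`. Some distributions package the sshd host keys group-readable by a dedicated group so that the setgid ssh-keysign helper can read them for host-based authentication; on such a product the check now flags the vendor default, and a remediation that applies `0600` could break that feature, so this is worth confirming per product before the overrides go. The same assumption is baked into the description (first hunk) and into the `ocil_clause`/`ocil` strings (second hunk), so if any product has to stay at `0640` all three places need the conditional back, not just the template. I would at least record the decision next to the value: `# 0600 for every product: only root's sshd should read host keys; a product that needs group-readable keys must add a filemode@<product> override`.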
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
index 5790a48..f7cf8d9 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh
@@ -2,4 +2,4 @@
 #
 FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
-chmod 0640 /etc/ssh/*_key
+chmod 0600 /etc/ssh/*_key
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
index 6df9d61b715..7c0d6019702 100644
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh
@@ -4,4 +4,4 @@ FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
 chmod 0777 $FAKE_KEY
 FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX_key)
-chmod 0640 $FAKE_KEY2
+chmod 0600 $FAKE_KEY2
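Review bot: `chmod 0600 /etc/ssh/*_key` on the last line of correct_value.pass.sh rewrites every file in /etc/ssh whose name ends in `_key`, not only the one `mktemp` just created, and nothing in the script says that widening is intentional. `mktemp` already creates its file with mode 0600, so the chmod only has an effect on keys that pre-exist on the test machine, which is presumably the point of the pass scenario but is easy to misread as a no-op. A one-line comment would make the pass condition explicit: `# normalize any pre-existing host keys as well; the rule checks every /etc/ssh/*_key, not just the fake one`. The shebang and any shell options at the top of the script are outside the hunk.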
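Review bot: `chmod 0600 $FAKE_KEY2` on the last line of multiple_keys.fail.sh (like `chmod 0777 $FAKE_KEY` two lines above it) leaves the expansion unquoted, which is the usual shell-hygiene point and also makes a failed `mktemp` surface as a bare `chmod` with no operand rather than the real cause. Quoting them is a two-line change: `chmod 0777 "$FAKE_KEY"` and `chmod 0600 "$FAKE_KEY2"`. The scenario would also read better with a comment stating what makes it a fail case, since FAKE_KEY2 at the now-expected 0600 is compliant and only FAKE_KEY at 0777 is meant to trip the rule: `# FAKE_KEY2 is compliant (0600); FAKE_KEY at 0777 must be enough on its own to fail the rule`. The shebang and any error-handling options at the top of the script are outside the hunk.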