283 lines
15 KiB
Diff
283 lines
15 KiB
Diff
|
From f7a2fb33ad1507ad4ce3f7ec6534c06d4f6a7e83 Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Fri, 4 Feb 2022 12:02:36 +0100
|
||
|
Subject: [PATCH 1/3] Add tests for distributed SSHD RekeyLimit config
|
||
|
|
||
|
---
|
||
|
.../sshd_rekey_limit/tests/bad_size_directory.fail.sh | 10 ++++++++++
|
||
|
.../sshd_rekey_limit/tests/bad_time_directory.fail.sh | 10 ++++++++++
|
||
|
.../sshd_rekey_limit/tests/no_line_directory.fail.sh | 8 ++++++++
|
||
|
.../sshd_rekey_limit/tests/rhel8_ok.pass.sh | 2 +-
|
||
|
.../sshd_rekey_limit/tests/rhel9_ok.pass.sh | 11 +++++++++++
|
||
|
5 files changed, 40 insertions(+), 1 deletion(-)
|
||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
|
||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
|
||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
|
||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
|
||
|
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..88c6420c5ca
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
|
||
|
@@ -0,0 +1,10 @@
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
||
|
+
|
||
|
+mkdir -p /etc/ssh/sshd_config.d
|
||
|
+touch /etc/ssh/sshd_config.d/nothing
|
||
|
+
|
||
|
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||
|
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||
|
+fi
|
||
|
+
|
||
|
+echo "RekeyLimit 812M 1h" > /etc/ssh/sshd_config.d/bad_config.conf
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..3bb0926017c
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
|
||
|
@@ -0,0 +1,10 @@
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
||
|
+
|
||
|
+mkdir -p /etc/ssh/sshd_config.d
|
||
|
+touch /etc/ssh/sshd_config.d/nothing
|
||
|
+
|
||
|
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||
|
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||
|
+fi
|
||
|
+
|
||
|
+echo "RekeyLimit 512M 2h" > /etc/ssh/sshd_config.d/bad_config.conf
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..00569de1b84
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
|
||
|
@@ -0,0 +1,8 @@
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
|
||
|
+
|
||
|
+mkdir -p /etc/ssh/sshd_config.d
|
||
|
+touch /etc/ssh/sshd_config.d/nothing
|
||
|
+
|
||
|
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||
|
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||
|
+fi
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
|
||
|
index b9834e6d0b2..894c0ae4ba8 100644
|
||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
|
||
|
@@ -1,4 +1,4 @@
|
||
|
-# platform = Red Hat Enterprise Linux 8
|
||
|
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
|
||
|
# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||
|
|
||
|
sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..e183e8986dc
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
|
||
|
@@ -0,0 +1,11 @@
|
||
|
+# platform = Red Hat Enterprise Linux 9
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_ospp
|
||
|
+
|
||
|
+mkdir -p /etc/ssh/sshd_config.d
|
||
|
+touch /etc/ssh/sshd_config.d/nothing
|
||
|
+
|
||
|
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||
|
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||
|
+fi
|
||
|
+
|
||
|
+echo "RekeyLimit 1G 1h" >> /etc/ssh/sshd_config.d/good_config.conf
|
||
|
|
||
|
From 782e3a6108ea377d526d0aed4e8c0cf019f3dcdd Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Fri, 4 Feb 2022 12:06:45 +0100
|
||
|
Subject: [PATCH 2/3] Update rule to handle distributed config
|
||
|
|
||
|
Based on the template sshd_lineinfile, updated rule sshd_rekey_limit to
|
||
|
check and remediate SSHD configuration in products that support
|
||
|
/etc/sshd/sshd_config.d/
|
||
|
|
||
|
The rule cannot use the template as it relies on two external variables.
|
||
|
---
|
||
|
.../sshd_rekey_limit/ansible/shared.yml | 8 +++-
|
||
|
.../sshd_rekey_limit/bash/shared.sh | 2 +-
|
||
|
.../sshd_rekey_limit/oval/shared.xml | 46 ++++++++++++++-----
|
||
|
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 10 +++-
|
||
|
4 files changed, 50 insertions(+), 16 deletions(-)
|
||
|
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
|
||
|
index 84a4f084d40..f30dcdb2ed3 100644
|
||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
|
||
|
@@ -5,4 +5,10 @@
|
||
|
# disruption = low
|
||
|
{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
|
||
|
|
||
|
-{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}") }}}
|
||
|
+{{{
|
||
|
+ ansible_sshd_set(
|
||
|
+ parameter="RekeyLimit",
|
||
|
+ value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}",
|
||
|
+ config_is_distributed=sshd_distributed_config
|
||
|
+ )
|
||
|
+}}}
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
||
|
index 4422f63472c..789358472a1 100644
|
||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
|
||
|
@@ -2,4 +2,4 @@
|
||
|
|
||
|
{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
|
||
|
|
||
|
-{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
|
||
|
+{{{ bash_sshd_remediation(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time", config_is_distributed=sshd_distributed_config) -}}}
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||
|
index f49d9ab5275..e109cbd3124 100644
|
||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||
|
@@ -1,26 +1,49 @@
|
||
|
-{{% set filepath = "/etc/ssh/sshd_config" -%}}
|
||
|
-
|
||
|
+{{%- set parameter = "RekeyLimit" %}}
|
||
|
+{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
|
||
|
+{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
|
||
|
+{{%- set description = "Ensure RekeyLimit is configured with the appropriate value in " ~ sshd_config_path %}}
|
||
|
+{{%- if sshd_distributed_config == "true" %}}
|
||
|
+{{%- set description = description ~ " or in " ~ sshd_config_dir -%}}
|
||
|
+{{%- endif %}}
|
||
|
|
||
|
<def-group>
|
||
|
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||
|
- {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in '" + filepath + "'") }}}
|
||
|
- <criteria comment="sshd is configured correctly or is not installed" operator="OR">
|
||
|
- {{{- application_not_required_or_requirement_unset() }}}
|
||
|
- {{{- application_required_or_requirement_unset() }}}
|
||
|
- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
|
||
|
- </criteria>
|
||
|
- </criteria>
|
||
|
+ {{{ oval_metadata(description) }}}
|
||
|
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
|
||
|
+ {{{- application_not_required_or_requirement_unset() }}}
|
||
|
+ {{{- application_required_or_requirement_unset() }}}
|
||
|
+ <criteria comment="sshd is configured corectly" operator="OR">
|
||
|
+ {{{- oval_line_in_file_criterion(sshd_config_path, parameter) }}}
|
||
|
+ {{%- if sshd_distributed_config %}}
|
||
|
+ {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter) | indent(8) }}}
|
||
|
+ {{%- endif %}}
|
||
|
+ </criteria>
|
||
|
+ </criteria><!-- macro application_required_or_requirement_unset() leaves an open criteria element-->
|
||
|
+ </criteria>
|
||
|
</definition>
|
||
|
|
||
|
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
|
||
|
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
|
||
|
<ind:object object_ref="obj_sshd_rekey_limit"/>
|
||
|
</ind:textfilecontent54_test>
|
||
|
|
||
|
<ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
|
||
|
- <ind:filepath>{{{ filepath }}}</ind:filepath>
|
||
|
+ <ind:filepath>{{{ sshd_config_path }}}</ind:filepath>
|
||
|
+ <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
|
||
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||
|
+ </ind:textfilecontent54_object>
|
||
|
+
|
||
|
+ {{%- if sshd_distributed_config %}}
|
||
|
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
|
||
|
+ <ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
|
||
|
+ </ind:textfilecontent54_test>
|
||
|
+
|
||
|
+ <ind:textfilecontent54_object id="obj_sshd_rekey_limit_config_dir" version="1">
|
||
|
+ <ind:path>{{{ sshd_config_dir}}}</ind:path>
|
||
|
+ <ind:filename operation="pattern match">.*\.conf$</ind:filename>
|
||
|
<ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
|
||
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||
|
</ind:textfilecontent54_object>
|
||
|
+ {{%- endif %}}
|
||
|
|
||
|
<local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
||
|
<concat>
|
||
|
@@ -35,4 +58,3 @@
|
||
|
<external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
|
||
|
<external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
|
||
|
</def-group>
|
||
|
-
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
||
|
index 450f244de41..702cd0506d3 100644
|
||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
|
||
|
@@ -6,8 +6,10 @@ description: |-
|
||
|
The <tt>RekeyLimit</tt> parameter specifies how often
|
||
|
the session key of the is renegotiated, both in terms of
|
||
|
amount of data that may be transmitted and the time
|
||
|
- elapsed. To decrease the default limits, put line
|
||
|
- <tt>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
|
||
|
+ elapsed.<br/>
|
||
|
+ To decrease the default limits, add or correct the following line in
|
||
|
+ {{{ sshd_config_file() }}}
|
||
|
+ <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>
|
||
|
|
||
|
rationale: |-
|
||
|
By decreasing the limit based on the amount of data and enabling
|
||
|
@@ -32,6 +34,10 @@ ocil_clause: 'it is commented out or is not set'
|
||
|
ocil: |-
|
||
|
To check if RekeyLimit is set correctly, run the
|
||
|
following command:
|
||
|
+ {{% if sshd_distributed_config == "true" %}}
|
||
|
+ <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*</pre>
|
||
|
+ {{% else %}}
|
||
|
<pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
|
||
|
+ {{% endif %}}
|
||
|
If configured properly, output should be
|
||
|
<pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>
|
||
|
|
||
|
From 78d6d40f280b0e43e6c8fd7d60cfd81e7979fb8f Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Wed, 9 Feb 2022 16:59:53 +0100
|
||
|
Subject: [PATCH 3/3] Use the Jinja variable 'parameter' where applicable
|
||
|
|
||
|
---
|
||
|
.../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 8 ++++----
|
||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||
|
index e109cbd3124..d79ac7f2047 100644
|
||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
|
||
|
@@ -1,7 +1,7 @@
|
||
|
{{%- set parameter = "RekeyLimit" %}}
|
||
|
{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
|
||
|
{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
|
||
|
-{{%- set description = "Ensure RekeyLimit is configured with the appropriate value in " ~ sshd_config_path %}}
|
||
|
+{{%- set description = "Ensure {{{ parameter }}} is configured with the appropriate value in " ~ sshd_config_path %}}
|
||
|
{{%- if sshd_distributed_config == "true" %}}
|
||
|
{{%- set description = description ~ " or in " ~ sshd_config_dir -%}}
|
||
|
{{%- endif %}}
|
||
|
@@ -22,7 +22,7 @@
|
||
|
</criteria>
|
||
|
</definition>
|
||
|
|
||
|
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
|
||
|
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in the file" id="test_sshd_rekey_limit" version="1">
|
||
|
<ind:object object_ref="obj_sshd_rekey_limit"/>
|
||
|
</ind:textfilecontent54_test>
|
||
|
|
||
|
@@ -33,7 +33,7 @@
|
||
|
</ind:textfilecontent54_object>
|
||
|
|
||
|
{{%- if sshd_distributed_config %}}
|
||
|
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
|
||
|
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
|
||
|
<ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
|
||
|
</ind:textfilecontent54_test>
|
||
|
|
||
|
@@ -47,7 +47,7 @@
|
||
|
|
||
|
<local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
||
|
<concat>
|
||
|
- <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
|
||
|
+ <literal_component>^[\s]*{{{ parameter }}}[\s]+</literal_component>
|
||
|
<variable_component var_ref="var_rekey_limit_size"/>
|
||
|
<literal_component>[\s]+</literal_component>
|
||
|
<variable_component var_ref="var_rekey_limit_time"/>
|