scap-security-guide/scap-security-guide-0.1.61-distributed-sshd-rekeylimit-PR_8148.patch

283 lines
15 KiB
Diff
Raw Normal View History

From f7a2fb33ad1507ad4ce3f7ec6534c06d4f6a7e83 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Feb 2022 12:02:36 +0100
Subject: [PATCH 1/3] Add tests for distributed SSHD RekeyLimit config
---
.../sshd_rekey_limit/tests/bad_size_directory.fail.sh | 10 ++++++++++
.../sshd_rekey_limit/tests/bad_time_directory.fail.sh | 10 ++++++++++
.../sshd_rekey_limit/tests/no_line_directory.fail.sh | 8 ++++++++
.../sshd_rekey_limit/tests/rhel8_ok.pass.sh | 2 +-
.../sshd_rekey_limit/tests/rhel9_ok.pass.sh | 11 +++++++++++
5 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
new file mode 100644
index 00000000000..88c6420c5ca
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_size_directory.fail.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "RekeyLimit 812M 1h" > /etc/ssh/sshd_config.d/bad_config.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
new file mode 100644
index 00000000000..3bb0926017c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/bad_time_directory.fail.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "RekeyLimit 512M 2h" > /etc/ssh/sshd_config.d/bad_config.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
new file mode 100644
index 00000000000..00569de1b84
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/no_line_directory.fail.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
index b9834e6d0b2..894c0ae4ba8 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel8_ok.pass.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 8
+# platform = Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9
# profiles = xccdf_org.ssgproject.content_profile_ospp
sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
new file mode 100644
index 00000000000..e183e8986dc
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/rhel9_ok.pass.sh
@@ -0,0 +1,11 @@
+# platform = Red Hat Enterprise Linux 9
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*RekeyLimit" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*RekeyLimit.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "RekeyLimit 1G 1h" >> /etc/ssh/sshd_config.d/good_config.conf
From 782e3a6108ea377d526d0aed4e8c0cf019f3dcdd Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Feb 2022 12:06:45 +0100
Subject: [PATCH 2/3] Update rule to handle distributed config
Based on the template sshd_lineinfile, updated rule sshd_rekey_limit to
check and remediate SSHD configuration in products that support
/etc/sshd/sshd_config.d/
The rule cannot use the template as it relies on two external variables.
---
.../sshd_rekey_limit/ansible/shared.yml | 8 +++-
.../sshd_rekey_limit/bash/shared.sh | 2 +-
.../sshd_rekey_limit/oval/shared.xml | 46 ++++++++++++++-----
.../ssh/ssh_server/sshd_rekey_limit/rule.yml | 10 +++-
4 files changed, 50 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
index 84a4f084d40..f30dcdb2ed3 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/ansible/shared.yml
@@ -5,4 +5,10 @@
# disruption = low
{{{ ansible_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
-{{{ ansible_sshd_set(parameter="RekeyLimit", value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}") }}}
+{{{
+ ansible_sshd_set(
+ parameter="RekeyLimit",
+ value="{{ var_rekey_limit_size }} {{ var_rekey_limit_time }}",
+ config_is_distributed=sshd_distributed_config
+ )
+}}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
index 4422f63472c..789358472a1 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/bash/shared.sh
@@ -2,4 +2,4 @@
{{{ bash_instantiate_variables("var_rekey_limit_size", "var_rekey_limit_time") }}}
-{{{ bash_sshd_config_set(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time") }}}
+{{{ bash_sshd_remediation(parameter='RekeyLimit', value="$var_rekey_limit_size $var_rekey_limit_time", config_is_distributed=sshd_distributed_config) -}}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
index f49d9ab5275..e109cbd3124 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -1,26 +1,49 @@
-{{% set filepath = "/etc/ssh/sshd_config" -%}}
-
+{{%- set parameter = "RekeyLimit" %}}
+{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
+{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
+{{%- set description = "Ensure RekeyLimit is configured with the appropriate value in " ~ sshd_config_path %}}
+{{%- if sshd_distributed_config == "true" %}}
+{{%- set description = description ~ " or in " ~ sshd_config_dir -%}}
+{{%- endif %}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
- {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in '" + filepath + "'") }}}
- <criteria comment="sshd is configured correctly or is not installed" operator="OR">
- {{{- application_not_required_or_requirement_unset() }}}
- {{{- application_required_or_requirement_unset() }}}
- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
- </criteria>
- </criteria>
+ {{{ oval_metadata(description) }}}
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+ {{{- application_not_required_or_requirement_unset() }}}
+ {{{- application_required_or_requirement_unset() }}}
+ <criteria comment="sshd is configured corectly" operator="OR">
+ {{{- oval_line_in_file_criterion(sshd_config_path, parameter) }}}
+ {{%- if sshd_distributed_config %}}
+ {{{- oval_line_in_directory_criterion(sshd_config_dir, parameter) | indent(8) }}}
+ {{%- endif %}}
+ </criteria>
+ </criteria><!-- macro application_required_or_requirement_unset() leaves an open criteria element-->
+ </criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
<ind:object object_ref="obj_sshd_rekey_limit"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_sshd_rekey_limit" version="1">
- <ind:filepath>{{{ filepath }}}</ind:filepath>
+ <ind:filepath>{{{ sshd_config_path }}}</ind:filepath>
+ <ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ {{%- if sshd_distributed_config %}}
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
+ <ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_sshd_rekey_limit_config_dir" version="1">
+ <ind:path>{{{ sshd_config_dir}}}</ind:path>
+ <ind:filename operation="pattern match">.*\.conf$</ind:filename>
<ind:pattern var_ref="sshd_line_regex" operation="pattern match"></ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ {{%- endif %}}
<local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
<concat>
@@ -35,4 +58,3 @@
<external_variable comment="Size component of the rekey limit" datatype="string" id="var_rekey_limit_size" version="1" />
<external_variable comment="Time component of the rekey limit" datatype="string" id="var_rekey_limit_time" version="1" />
</def-group>
-
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
index 450f244de41..702cd0506d3 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
@@ -6,8 +6,10 @@ description: |-
The <tt>RekeyLimit</tt> parameter specifies how often
the session key of the is renegotiated, both in terms of
amount of data that may be transmitted and the time
- elapsed. To decrease the default limits, put line
- <tt>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
+ elapsed.<br/>
+ To decrease the default limits, add or correct the following line in
+ {{{ sshd_config_file() }}}
+ <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>
rationale: |-
By decreasing the limit based on the amount of data and enabling
@@ -32,6 +34,10 @@ ocil_clause: 'it is commented out or is not set'
ocil: |-
To check if RekeyLimit is set correctly, run the
following command:
+ {{% if sshd_distributed_config == "true" %}}
+ <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*</pre>
+ {{% else %}}
<pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
+ {{% endif %}}
If configured properly, output should be
<pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>
From 78d6d40f280b0e43e6c8fd7d60cfd81e7979fb8f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 9 Feb 2022 16:59:53 +0100
Subject: [PATCH 3/3] Use the Jinja variable 'parameter' where applicable
---
.../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
index e109cbd3124..d79ac7f2047 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -1,7 +1,7 @@
{{%- set parameter = "RekeyLimit" %}}
{{%- set sshd_config_path = "/etc/ssh/sshd_config" %}}
{{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}}
-{{%- set description = "Ensure RekeyLimit is configured with the appropriate value in " ~ sshd_config_path %}}
+{{%- set description = "Ensure {{{ parameter }}} is configured with the appropriate value in " ~ sshd_config_path %}}
{{%- if sshd_distributed_config == "true" %}}
{{%- set description = description ~ " or in " ~ sshd_config_dir -%}}
{{%- endif %}}
@@ -22,7 +22,7 @@
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_sshd_rekey_limit" version="1">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in the file" id="test_sshd_rekey_limit" version="1">
<ind:object object_ref="obj_sshd_rekey_limit"/>
</ind:textfilecontent54_test>
@@ -33,7 +33,7 @@
</ind:textfilecontent54_object>
{{%- if sshd_distributed_config %}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of {{{ parameter }}} setting in SSHD config directory" id="test_sshd_rekey_limit_config_dir" version="1">
<ind:object object_ref="obj_sshd_rekey_limit_config_dir"/>
</ind:textfilecontent54_test>
@@ -47,7 +47,7 @@
<local_variable id="sshd_line_regex" datatype="string" comment="The regex of the directive" version="1">
<concat>
- <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
+ <literal_component>^[\s]*{{{ parameter }}}[\s]+</literal_component>
<variable_component var_ref="var_rekey_limit_size"/>
<literal_component>[\s]+</literal_component>
<variable_component var_ref="var_rekey_limit_time"/>