75 lines
4.2 KiB
Diff
75 lines
4.2 KiB
Diff
|
From ea37df6b736d22f32fd0d64457d731aa76b656c8 Mon Sep 17 00:00:00 2001
|
||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||
|
Date: Wed, 18 Aug 2021 16:17:15 +0200
|
||
|
Subject: [PATCH 1/2] Come up with a better basename
|
||
|
|
||
|
On Red Hat systems, there is 50-redhat.conf, so
|
||
|
60-complianceascode.conf seems to be a generally good fit.
|
||
|
---
|
||
|
shared/templates/sshd_lineinfile/bash.template | 3 ++-
|
||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
|
||
|
index eac758e310b..e15ab9521b8 100644
|
||
|
--- a/shared/templates/sshd_lineinfile/bash.template
|
||
|
+++ b/shared/templates/sshd_lineinfile/bash.template
|
||
|
@@ -11,8 +11,9 @@ mkdir -p /etc/ssh/sshd_config.d
|
||
|
touch /etc/ssh/sshd_config.d/hardening
|
||
|
{{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}}
|
||
|
{{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}}
|
||
|
+{{%- set hardening_config_basename = "00-complianceascode-hardening.conf" %}}
|
||
|
{{{ set_config_file(
|
||
|
- path="/etc/ssh/sshd_config.d/hardening",
|
||
|
+ path="/etc/ssh/sshd_config.d/" ~ hardening_config_basename,
|
||
|
parameter=PARAMETER,
|
||
|
value=VALUE,
|
||
|
create=true,
|
||
|
|
||
|
From 9fc6f549d9494730c4d973330a24a5a2a209b1c3 Mon Sep 17 00:00:00 2001
|
||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||
|
Date: Wed, 18 Aug 2021 17:51:17 +0200
|
||
|
Subject: [PATCH 2/2] Fix the sshd directory config check
|
||
|
|
||
|
The check should consider only files matching .*\.conf
|
||
|
---
|
||
|
.../sshd_disable_pubkey_auth/tests/conflict.fail.sh | 4 ++--
|
||
|
.../tests/correct_value_directory.pass.sh | 2 +-
|
||
|
shared/macros-oval.jinja | 2 +-
|
||
|
3 files changed, 4 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
|
||
|
index 177a99e0b82..6e064ffc739 100644
|
||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
|
||
|
@@ -11,5 +11,5 @@ else
|
||
|
echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
|
||
|
fi
|
||
|
|
||
|
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config
|
||
|
-echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config
|
||
|
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config.conf
|
||
|
+echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config.conf
|
||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
|
||
|
index 0aa2e775dbe..acb650915fe 100644
|
||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
|
||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
|
||
|
@@ -11,4 +11,4 @@ else
|
||
|
echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
|
||
|
fi
|
||
|
|
||
|
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct
|
||
|
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct.conf
|
||
|
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
|
||
|
index 87e0fd7d87d..f2fa7d79fc8 100644
|
||
|
--- a/shared/macros-oval.jinja
|
||
|
+++ b/shared/macros-oval.jinja
|
||
|
@@ -227,7 +227,7 @@
|
||
|
{{%- endmacro %}}
|
||
|
|
||
|
{{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}}
|
||
|
-{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}}
|
||
|
+{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*\.conf$", id_stem=rule_id ~ "_config_dir") -}}}
|
||
|
{{%- endmacro %}}
|
||
|
|
||
|
{{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}}
|