Use SSHD directory configuration
Resolves: rhbz#1962564
This commit is contained in:
parent
1f83058625
commit
cae8e44f84
@ -0,0 +1,74 @@
|
|||||||
|
From ea37df6b736d22f32fd0d64457d731aa76b656c8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||||
|
Date: Wed, 18 Aug 2021 16:17:15 +0200
|
||||||
|
Subject: [PATCH 1/2] Come up with a better basename
|
||||||
|
|
||||||
|
On Red Hat systems, there is 50-redhat.conf, so
|
||||||
|
60-complianceascode.conf seems to be a generally good fit.
|
||||||
|
---
|
||||||
|
shared/templates/sshd_lineinfile/bash.template | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
|
||||||
|
index eac758e310b..e15ab9521b8 100644
|
||||||
|
--- a/shared/templates/sshd_lineinfile/bash.template
|
||||||
|
+++ b/shared/templates/sshd_lineinfile/bash.template
|
||||||
|
@@ -11,8 +11,9 @@ mkdir -p /etc/ssh/sshd_config.d
|
||||||
|
touch /etc/ssh/sshd_config.d/hardening
|
||||||
|
{{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}}
|
||||||
|
{{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}}
|
||||||
|
+{{%- set hardening_config_basename = "00-complianceascode-hardening.conf" %}}
|
||||||
|
{{{ set_config_file(
|
||||||
|
- path="/etc/ssh/sshd_config.d/hardening",
|
||||||
|
+ path="/etc/ssh/sshd_config.d/" ~ hardening_config_basename,
|
||||||
|
parameter=PARAMETER,
|
||||||
|
value=VALUE,
|
||||||
|
create=true,
|
||||||
|
|
||||||
|
From 9fc6f549d9494730c4d973330a24a5a2a209b1c3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||||
|
Date: Wed, 18 Aug 2021 17:51:17 +0200
|
||||||
|
Subject: [PATCH 2/2] Fix the sshd directory config check
|
||||||
|
|
||||||
|
The check should consider only files matching .*\.conf
|
||||||
|
---
|
||||||
|
.../sshd_disable_pubkey_auth/tests/conflict.fail.sh | 4 ++--
|
||||||
|
.../tests/correct_value_directory.pass.sh | 2 +-
|
||||||
|
shared/macros-oval.jinja | 2 +-
|
||||||
|
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
|
||||||
|
index 177a99e0b82..6e064ffc739 100644
|
||||||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
|
||||||
|
@@ -11,5 +11,5 @@ else
|
||||||
|
echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
|
||||||
|
fi
|
||||||
|
|
||||||
|
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config
|
||||||
|
-echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config
|
||||||
|
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config.conf
|
||||||
|
+echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config.conf
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
|
||||||
|
index 0aa2e775dbe..acb650915fe 100644
|
||||||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
|
||||||
|
@@ -11,4 +11,4 @@ else
|
||||||
|
echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
|
||||||
|
fi
|
||||||
|
|
||||||
|
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct
|
||||||
|
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct.conf
|
||||||
|
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
|
||||||
|
index 87e0fd7d87d..f2fa7d79fc8 100644
|
||||||
|
--- a/shared/macros-oval.jinja
|
||||||
|
+++ b/shared/macros-oval.jinja
|
||||||
|
@@ -227,7 +227,7 @@
|
||||||
|
{{%- endmacro %}}
|
||||||
|
|
||||||
|
{{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}}
|
||||||
|
-{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}}
|
||||||
|
+{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*\.conf$", id_stem=rule_id ~ "_config_dir") -}}}
|
||||||
|
{{%- endmacro %}}
|
||||||
|
|
||||||
|
{{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}}
|
664
scap-security-guide-0.1.58-sshd_directory-PR_6926.patch
Normal file
664
scap-security-guide-0.1.58-sshd_directory-PR_6926.patch
Normal file
@ -0,0 +1,664 @@
|
|||||||
|
From b951a896d3ef1e678e5d6b580521053e7a076ab0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||||
|
Date: Thu, 29 Apr 2021 16:54:03 +0200
|
||||||
|
Subject: [PATCH 1/6] Updated checks and remediations of the sshd template.
|
||||||
|
|
||||||
|
Configuration of sshd moves from one config file to a config directory.
|
||||||
|
Therefore, checks should consider all those files, and the remediation should aim
|
||||||
|
to deliver fixes to one of those files in the config directory.
|
||||||
|
|
||||||
|
Tests that interact with this behavior have been added and are applicable for Fedora and RHEL9 products.
|
||||||
|
---
|
||||||
|
.../tests/commented.fail.sh | 7 ++
|
||||||
|
.../tests/conflict.fail.sh | 15 ++++
|
||||||
|
.../tests/correct_value_directory.pass.sh | 14 ++++
|
||||||
|
shared/macros-bash.jinja | 9 +++
|
||||||
|
shared/macros-oval.jinja | 61 +++++++++++------
|
||||||
|
.../templates/sshd_lineinfile/bash.template | 22 ++++++
|
||||||
|
.../templates/sshd_lineinfile/oval.template | 68 +++++++++++++++++--
|
||||||
|
7 files changed, 168 insertions(+), 28 deletions(-)
|
||||||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh
|
||||||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
|
||||||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..484c2165532
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/commented.fail.sh
|
||||||
|
@@ -0,0 +1,7 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config; then
|
||||||
|
+ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config
|
||||||
|
+else
|
||||||
|
+ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
|
||||||
|
+fi
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..177a99e0b82
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
|
||||||
|
@@ -0,0 +1,15 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# platform = Fedora,Red Hat Enterprise Linux 9
|
||||||
|
+
|
||||||
|
+mkdir -p /etc/ssh/sshd_config.d
|
||||||
|
+touch /etc/ssh/sshd_config.d/nothing
|
||||||
|
+
|
||||||
|
+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||||
|
+ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||||
|
+else
|
||||||
|
+ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config
|
||||||
|
+echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..0aa2e775dbe
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
|
||||||
|
@@ -0,0 +1,14 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# platform = Fedora,Red Hat Enterprise Linux 9
|
||||||
|
+
|
||||||
|
+mkdir -p /etc/ssh/sshd_config.d
|
||||||
|
+touch /etc/ssh/sshd_config.d/nothing
|
||||||
|
+
|
||||||
|
+if grep -q "^PubkeyAuthentication" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
|
||||||
|
+ sed -i "s/^PubkeyAuthentication.*/# PubkeyAuthentication no/" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
|
||||||
|
+else
|
||||||
|
+ echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct
|
||||||
|
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
||||||
|
index 1cd2c62b5e0..b4518d83c19 100644
|
||||||
|
--- a/shared/macros-bash.jinja
|
||||||
|
+++ b/shared/macros-bash.jinja
|
||||||
|
@@ -471,6 +471,15 @@ fi
|
||||||
|
LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}"
|
||||||
|
{{%- endmacro -%}}
|
||||||
|
|
||||||
|
+{{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true) -%}}
|
||||||
|
+ {{%- if insensitive -%}}
|
||||||
|
+ {{%- set modifier="Id" -%}}
|
||||||
|
+ {{%- else -%}}
|
||||||
|
+ {{%- set modifier="d" -%}}
|
||||||
|
+ {{%- endif -%}}
|
||||||
|
+LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/*
|
||||||
|
+{{%- endmacro -%}}
|
||||||
|
+
|
||||||
|
{{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true) -%}}
|
||||||
|
{{%- if insensitive -%}}
|
||||||
|
{{%- set grep_args="-q -m 1 -i" -%}}
|
||||||
|
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
|
||||||
|
index be2ac268206..d38db96d9e3 100644
|
||||||
|
--- a/shared/macros-oval.jinja
|
||||||
|
+++ b/shared/macros-oval.jinja
|
||||||
|
@@ -92,15 +92,18 @@
|
||||||
|
- parameter (String): The parameter to be checked in the configuration file.
|
||||||
|
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||||
|
#}}
|
||||||
|
-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false) -%}}
|
||||||
|
+{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}}
|
||||||
|
{{%- set suffix_id = "" -%}}
|
||||||
|
{{%- set prefix_text = "Check the" -%}}
|
||||||
|
{{%- if missing_parameter_pass %}}
|
||||||
|
{{%- set suffix_id = suffix_id_default_not_overriden -%}}
|
||||||
|
{{%- set prefix_text = prefix_text + " absence of" -%}}
|
||||||
|
{{%- endif %}}
|
||||||
|
- <criterion comment="{{{ prefix_text }}} {{{ parameter }}} in {{{ path }}}"
|
||||||
|
- test_ref="test_{{{ rule_id }}}{{{ suffix_id }}}" />
|
||||||
|
+{{%- if not comment -%}}
|
||||||
|
+{{%- set comment = prefix_text ~ " " ~ parameter ~ " in " ~ path -%}}
|
||||||
|
+{{%- endif -%}}
|
||||||
|
+<criterion comment="{{{ comment }}}"
|
||||||
|
+ test_ref="test_{{{ id_stem }}}{{{ suffix_id }}}" />
|
||||||
|
{{%- endmacro %}}
|
||||||
|
|
||||||
|
{{#
|
||||||
|
@@ -110,7 +113,7 @@
|
||||||
|
- parameter (String): The parameter to be checked in the configuration file.
|
||||||
|
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||||
|
#}}
|
||||||
|
-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false) -%}}
|
||||||
|
+{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}}
|
||||||
|
{{%- set suffix_id = "" -%}}
|
||||||
|
{{%- if missing_parameter_pass %}}
|
||||||
|
{{%- set check_existence = "none_exist" -%}}
|
||||||
|
@@ -120,14 +123,14 @@
|
||||||
|
{{%- set check_existence = "all_exist" -%}}
|
||||||
|
{{%- set prefix_text = "value" -%}}
|
||||||
|
{{%- endif %}}
|
||||||
|
- <ind:textfilecontent54_test check="all" check_existence="{{{ check_existence }}}"
|
||||||
|
+<ind:textfilecontent54_test check="all" check_existence="{{{ check_existence }}}"
|
||||||
|
comment="tests the {{{ prefix_text }}} of {{{ parameter }}} setting in the {{{ path }}} file"
|
||||||
|
- id="test_{{{ rule_id }}}{{{ suffix_id }}}" version="1">
|
||||||
|
- <ind:object object_ref="obj_{{{ rule_id }}}{{{ suffix_id }}}" />
|
||||||
|
+ id="test_{{{ id_stem }}}{{{ suffix_id }}}" version="1">
|
||||||
|
+ <ind:object object_ref="obj_{{{ id_stem }}}{{{ suffix_id }}}" />
|
||||||
|
{{%- if not missing_parameter_pass %}}
|
||||||
|
- <ind:state state_ref="state_{{{ rule_id }}}{{{ suffix_id }}}" />
|
||||||
|
+ <ind:state state_ref="state_{{{ id_stem }}}{{{ suffix_id }}}" />
|
||||||
|
{{%- endif %}}
|
||||||
|
- </ind:textfilecontent54_test>
|
||||||
|
+</ind:textfilecontent54_test>
|
||||||
|
{{%- endmacro %}}
|
||||||
|
|
||||||
|
{{#
|
||||||
|
@@ -141,7 +144,7 @@
|
||||||
|
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||||
|
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||||
|
#}}
|
||||||
|
-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='') -%}}
|
||||||
|
+{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}}
|
||||||
|
{{%- set suffix_id = "" -%}}
|
||||||
|
{{%- if multi_value -%}}
|
||||||
|
{{%- set group_regex = "([^#]*).*$" -%}}
|
||||||
|
@@ -173,16 +176,16 @@
|
||||||
|
{{%- set regex = prefix_regex+parameter+separator_regex+group_regex -%}}
|
||||||
|
{{%- endif %}}
|
||||||
|
{{%- endif %}}
|
||||||
|
- <ind:textfilecontent54_object id="obj_{{{ rule_id }}}{{{ suffix_id }}}" version="1">
|
||||||
|
+<ind:textfilecontent54_object id="obj_{{{ id_stem }}}{{{ suffix_id }}}" version="1">
|
||||||
|
{{%- if filepath_regex %}}
|
||||||
|
- <ind:path>{{{ path }}}</ind:path>
|
||||||
|
- <ind:filename operation="pattern match">{{{ filepath_regex }}}</ind:filename>
|
||||||
|
+ <ind:path>{{{ path }}}</ind:path>
|
||||||
|
+ <ind:filename operation="pattern match">{{{ filepath_regex }}}</ind:filename>
|
||||||
|
{{%- else %}}
|
||||||
|
- <ind:filepath>{{{ path }}}</ind:filepath>
|
||||||
|
+ <ind:filepath>{{{ path }}}</ind:filepath>
|
||||||
|
{{%- endif %}}
|
||||||
|
- <ind:pattern operation="pattern match">{{{ regex }}}</ind:pattern>
|
||||||
|
- <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||||
|
- </ind:textfilecontent54_object>
|
||||||
|
+ <ind:pattern operation="pattern match">{{{ regex }}}</ind:pattern>
|
||||||
|
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||||
|
+</ind:textfilecontent54_object>
|
||||||
|
{{%- endmacro %}}
|
||||||
|
|
||||||
|
{{#
|
||||||
|
@@ -193,7 +196,7 @@
|
||||||
|
- quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
|
||||||
|
For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
|
||||||
|
#}}
|
||||||
|
-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}}
|
||||||
|
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}}
|
||||||
|
{{%- set regex = value -%}}
|
||||||
|
{{%- if quotes != "" %}}
|
||||||
|
{{%- if "\\1" in value > 0 %}}
|
||||||
|
@@ -206,9 +209,25 @@
|
||||||
|
{{%- else %}}
|
||||||
|
{{%- set regex = "^"+regex+"$" -%}}
|
||||||
|
{{%- endif %}}
|
||||||
|
- <ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
|
||||||
|
- <ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
|
||||||
|
- </ind:textfilecontent54_state>
|
||||||
|
+<ind:textfilecontent54_state id="state_{{{ id_stem }}}" version="1">
|
||||||
|
+ <ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
|
||||||
|
+</ind:textfilecontent54_state>
|
||||||
|
+{{%- endmacro %}}
|
||||||
|
+
|
||||||
|
+{{%- macro oval_line_in_directory_criterion(path='', parameter='', missing_parameter_pass=false) -%}}
|
||||||
|
+{{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") -}}}
|
||||||
|
+{{%- endmacro %}}
|
||||||
|
+
|
||||||
|
+{{%- macro oval_line_in_directory_test(path='', parameter='', missing_parameter_pass=false) -%}}
|
||||||
|
+{{{ oval_line_in_file_test(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir") }}}
|
||||||
|
+{{%- endmacro %}}
|
||||||
|
+
|
||||||
|
+{{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}}
|
||||||
|
+{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}}
|
||||||
|
+{{%- endmacro %}}
|
||||||
|
+
|
||||||
|
+{{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}}
|
||||||
|
+{{{- oval_line_in_file_state(value, multi_value, quotes, id_stem=rule_id ~ "_config_dir") -}}}
|
||||||
|
{{%- endmacro %}}
|
||||||
|
|
||||||
|
{{#
|
||||||
|
diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
|
||||||
|
index ca1b512bb3d..eac758e310b 100644
|
||||||
|
--- a/shared/templates/sshd_lineinfile/bash.template
|
||||||
|
+++ b/shared/templates/sshd_lineinfile/bash.template
|
||||||
|
@@ -3,4 +3,26 @@
|
||||||
|
# strategy = restrict
|
||||||
|
# complexity = low
|
||||||
|
# disruption = low
|
||||||
|
+{{%- if product in ("fedora", "rhel9") %}}
|
||||||
|
+{{%- set prefix_regex = "^\s*" -%}}
|
||||||
|
+{{%- set separator_regex = "\s\+" -%}}
|
||||||
|
+{{%- set line_regex = prefix_regex ~ PARAMETER ~ separator_regex %}}
|
||||||
|
+mkdir -p /etc/ssh/sshd_config.d
|
||||||
|
+touch /etc/ssh/sshd_config.d/hardening
|
||||||
|
+{{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}}
|
||||||
|
+{{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}}
|
||||||
|
+{{{ set_config_file(
|
||||||
|
+ path="/etc/ssh/sshd_config.d/hardening",
|
||||||
|
+ parameter=PARAMETER,
|
||||||
|
+ value=VALUE,
|
||||||
|
+ create=true,
|
||||||
|
+ insert_after="",
|
||||||
|
+ insert_before="^Match",
|
||||||
|
+ insensitive=true,
|
||||||
|
+ separator=" ",
|
||||||
|
+ separator_regex=separator_regex,
|
||||||
|
+ prefix_regex=prefix_regex)
|
||||||
|
+ }}}
|
||||||
|
+{{%- else %}}
|
||||||
|
{{{ bash_sshd_config_set(parameter=PARAMETER, value=VALUE) }}}
|
||||||
|
+{{%- endif %}}
|
||||||
|
diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template
|
||||||
|
index df63d542505..2cc38776eb2 100644
|
||||||
|
--- a/shared/templates/sshd_lineinfile/oval.template
|
||||||
|
+++ b/shared/templates/sshd_lineinfile/oval.template
|
||||||
|
@@ -1,7 +1,61 @@
|
||||||
|
-{{{
|
||||||
|
-oval_sshd_config(
|
||||||
|
- parameter=PARAMETER,
|
||||||
|
- value=VALUE,
|
||||||
|
- missing_parameter_pass=MISSING_PARAMETER_PASS
|
||||||
|
-)
|
||||||
|
-}}}
|
||||||
|
+{{%- set config_path = "/etc/ssh/sshd_config" %}}
|
||||||
|
+{{%- set config_dir = "/etc/ssh/sshd_config.d" -%}}
|
||||||
|
+{{%- set products_with_distributed_configuration = ("rhel9", "fedora") -%}}
|
||||||
|
+{{%- set description = "Ensure '" ~ PARAMETER ~ "' is configured with value '" ~ VALUE ~ "' in " ~ config_path %}}
|
||||||
|
+{{%- if product in products_with_distributed_configuration %}}
|
||||||
|
+{{%- set description = description ~ " and in " ~ config_dir -%}}
|
||||||
|
+{{%- endif %}}
|
||||||
|
+{{%- set case_insensitivity_kwargs = dict(prefix_regex="^[ \\t]*(?i)", separator_regex = "(?-i)[ \\t]+") -%}}
|
||||||
|
+
|
||||||
|
+<def-group>
|
||||||
|
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||||
|
+ {{{ oval_metadata(description) }}}
|
||||||
|
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
|
||||||
|
+ <criteria comment="sshd is not installed" operator="AND">
|
||||||
|
+ <extend_definition comment="sshd is not required or requirement is unset"
|
||||||
|
+ definition_ref="sshd_not_required_or_unset" />
|
||||||
|
+ <extend_definition comment="rpm package openssh-server removed"
|
||||||
|
+ definition_ref="package_openssh-server_removed" />
|
||||||
|
+ </criteria>
|
||||||
|
+ <criteria comment="sshd is installed and configured" operator="AND">
|
||||||
|
+ <extend_definition comment="sshd is required or requirement is unset"
|
||||||
|
+ definition_ref="sshd_required_or_unset" />
|
||||||
|
+ <extend_definition comment="rpm package openssh-server installed"
|
||||||
|
+ definition_ref="package_openssh-server_installed" />
|
||||||
|
+ <criteria comment="sshd is configured correctly" operator="OR">
|
||||||
|
+ {{{- oval_line_in_file_criterion(config_path, PARAMETER) | indent(8) }}}
|
||||||
|
+ {{%- if MISSING_PARAMETER_PASS %}}
|
||||||
|
+ <criteria comment="sshd is not configured incorrectly" operator="AND">
|
||||||
|
+ {{{- oval_line_in_file_criterion(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(10)}}}
|
||||||
|
+ {{%- if product in products_with_distributed_configuration %}}
|
||||||
|
+ {{{- oval_line_in_directory_criterion(config_dir, PARAMETER, MISSING_PARAMETER_PASS) | indent(10) }}}
|
||||||
|
+ {{%- endif %}}
|
||||||
|
+ </criteria>
|
||||||
|
+ {{%- endif %}}
|
||||||
|
+ {{%- if product in products_with_distributed_configuration %}}
|
||||||
|
+ {{{- oval_line_in_directory_criterion(config_dir, PARAMETER) | indent(8) }}}
|
||||||
|
+ {{%- endif %}}
|
||||||
|
+ </criteria>
|
||||||
|
+ </criteria>
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+ {{{ oval_line_in_file_test(config_path, PARAMETER) | indent (2) }}}
|
||||||
|
+ {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, ** case_insensitivity_kwargs)| indent (2) }}}
|
||||||
|
+ {{{ oval_line_in_file_state(VALUE) | indent (2) }}}
|
||||||
|
+
|
||||||
|
+ {{%- if MISSING_PARAMETER_PASS %}}
|
||||||
|
+ {{{ oval_line_in_file_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}}
|
||||||
|
+ {{{ oval_line_in_file_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}}
|
||||||
|
+ {{%- endif %}}
|
||||||
|
+
|
||||||
|
+ {{%- if product in products_with_distributed_configuration %}}
|
||||||
|
+ {{{ oval_line_in_directory_test(config_dir, PARAMETER) | indent (2) }}}
|
||||||
|
+ {{{ oval_line_in_directory_object(config_dir, parameter=PARAMETER, ** case_insensitivity_kwargs) | indent (2) }}}
|
||||||
|
+ {{{ oval_line_in_directory_state(VALUE) | indent (2) }}}
|
||||||
|
+
|
||||||
|
+ {{%- if MISSING_PARAMETER_PASS %}}
|
||||||
|
+ {{{ oval_line_in_directory_test(config_path, PARAMETER, MISSING_PARAMETER_PASS) | indent(2) }}}
|
||||||
|
+ {{{ oval_line_in_directory_object(config_path, parameter=PARAMETER, missing_parameter_pass=MISSING_PARAMETER_PASS, ** case_insensitivity_kwargs) | indent(2) }}}
|
||||||
|
+ {{%- endif %}}
|
||||||
|
+ {{%- endif %}}
|
||||||
|
+</def-group>
|
||||||
|
|
||||||
|
From b0f86c11fa0fb45b32b53833b5d3565c7eb73cfe Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||||
|
Date: Fri, 30 Apr 2021 11:52:22 +0200
|
||||||
|
Subject: [PATCH 2/6] Improved the lineinfile template.
|
||||||
|
|
||||||
|
It now escapes the text contents if parts of them could be incorrectly interpreted as regexes.
|
||||||
|
---
|
||||||
|
shared/macros-bash.jinja | 2 +-
|
||||||
|
shared/templates/lineinfile/oval.template | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
||||||
|
index b4518d83c19..d654a0e0e89 100644
|
||||||
|
--- a/shared/macros-bash.jinja
|
||||||
|
+++ b/shared/macros-bash.jinja
|
||||||
|
@@ -445,7 +445,7 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2
|
||||||
|
# prefix_regex: regular expression describing allowed leading characters at each line
|
||||||
|
#}}
|
||||||
|
{{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") -%}}
|
||||||
|
- {{%- set line_regex = prefix_regex+parameter+separator_regex -%}}
|
||||||
|
+ {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}}
|
||||||
|
{{%- set new_line = parameter+separator+value -%}}
|
||||||
|
if [ -e "{{{ path }}}" ] ; then
|
||||||
|
{{{ lineinfile_absent(path, line_regex, insensitive) | indent(4) }}}
|
||||||
|
diff --git a/shared/templates/lineinfile/oval.template b/shared/templates/lineinfile/oval.template
|
||||||
|
index a38856d9177..644327b7d6e 100644
|
||||||
|
--- a/shared/templates/lineinfile/oval.template
|
||||||
|
+++ b/shared/templates/lineinfile/oval.template
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-{{%- set regex = "^[\s]*" + TEXT + "[\s]*$" -%}}
|
||||||
|
+{{%- set regex = "^[\s]*" ~ (TEXT | escape_regex) ~ "[\s]*$" -%}}
|
||||||
|
<def-group>
|
||||||
|
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||||
|
{{{ oval_metadata("Check presence of " + TEXT + " in " + PATH) }}}
|
||||||
|
|
||||||
|
From 6953f74d1ab168e7ccc3f28877621edff317fef2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||||
|
Date: Fri, 30 Apr 2021 11:54:12 +0200
|
||||||
|
Subject: [PATCH 3/6] Introduced the sshd_use_directory_configuration rule.
|
||||||
|
|
||||||
|
The rule makes sure that the sshd configuration is distributed in the
|
||||||
|
/etc/ssh/sshd_config.d/ directory, and therefore it makes sense to scan that directory
|
||||||
|
in another rules.
|
||||||
|
---
|
||||||
|
.../bash/shared.sh | 15 ++++++++++
|
||||||
|
.../oval/shared.xml | 29 +++++++++++++++++++
|
||||||
|
.../sshd_use_directory_configuration/rule.yml | 26 +++++++++++++++++
|
||||||
|
.../tests/match.fail.sh | 4 +++
|
||||||
|
.../tests/simple.fail.sh | 3 ++
|
||||||
|
.../tests/simple.pass.sh | 4 +++
|
||||||
|
shared/references/cce-redhat-avail.txt | 1 -
|
||||||
|
shared/templates/extra_ovals.yml | 6 ++++
|
||||||
|
8 files changed, 87 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
|
||||||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml
|
||||||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
|
||||||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh
|
||||||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh
|
||||||
|
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..2ff58ec373c
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
|
||||||
|
@@ -0,0 +1,15 @@
|
||||||
|
+# platform = multi_platform_all
|
||||||
|
+
|
||||||
|
+{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}}
|
||||||
|
+if test -f {{{ target_file}}}; then
|
||||||
|
+ {{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}}
|
||||||
|
+else
|
||||||
|
+ mkdir -p /etc/ssh/sshd_config.d
|
||||||
|
+ mv /etc/ssh/sshd_config {{{ target_file }}}
|
||||||
|
+cat > /etc/ssh/sshd_config << EOF
|
||||||
|
+# To modify the system-wide sshd configuration, create a *.conf file under
|
||||||
|
+# /etc/ssh/sshd_config.d/ which will be automatically included below
|
||||||
|
+
|
||||||
|
+Include /etc/ssh/sshd_config.d/*.conf
|
||||||
|
+EOF
|
||||||
|
+fi
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..0ffb429adff
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/oval/shared.xml
|
||||||
|
@@ -0,0 +1,29 @@
|
||||||
|
+{{%- set config_path = "/etc/ssh/sshd_config" %}}
|
||||||
|
+
|
||||||
|
+<def-group>
|
||||||
|
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||||
|
+ {{{ oval_metadata("foo") }}}
|
||||||
|
+ <criteria comment="sshd is configured correctly or is not installed" operator="OR">
|
||||||
|
+ <criteria comment="sshd is not installed" operator="AND">
|
||||||
|
+ <extend_definition comment="sshd is not required or requirement is unset"
|
||||||
|
+ definition_ref="sshd_not_required_or_unset" />
|
||||||
|
+ <extend_definition comment="rpm package openssh-server removed"
|
||||||
|
+ definition_ref="package_openssh-server_removed" />
|
||||||
|
+ </criteria>
|
||||||
|
+ <criteria comment="sshd is installed and configured" operator="AND">
|
||||||
|
+ <extend_definition comment="sshd is required or requirement is unset"
|
||||||
|
+ definition_ref="sshd_required_or_unset" />
|
||||||
|
+ <extend_definition comment="rpm package openssh-server installed"
|
||||||
|
+ definition_ref="package_openssh-server_installed" />
|
||||||
|
+ <criteria comment="sshd is configured correctly" operator="AND">
|
||||||
|
+ <extend_definition comment="sshd includes config files from its .d directory"
|
||||||
|
+ definition_ref="sshd_includes_config_files" />
|
||||||
|
+ {{{- oval_line_in_file_criterion(config_path, "match", missing_parameter_pass=true) | indent(8) }}}
|
||||||
|
+ </criteria>
|
||||||
|
+ </criteria>
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+ {{{ oval_line_in_file_test(config_path, "match", missing_parameter_pass=true) | indent (2) }}}
|
||||||
|
+ {{{ oval_line_in_file_object(config_path, parameter="match", missing_parameter_pass=true, prefix_regex="^[ \\t]*(?i)", separator_regex="(?-i)\s+\S+") | indent (2) }}}
|
||||||
|
+</def-group>
|
||||||
|
+
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..8c370036e61
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
|
||||||
|
@@ -0,0 +1,26 @@
|
||||||
|
+documentation_complete: true
|
||||||
|
+
|
||||||
|
+prodtype: fedora,rhel9
|
||||||
|
+
|
||||||
|
+title: 'Distribute the SSH Server configuration to multiple files in a config directory.'
|
||||||
|
+
|
||||||
|
+description: |-
|
||||||
|
+ Make sure to have the <tt>Include /etc/ssh/sshd_config.d/*.conf</tt> line in the <tt>/etc/ssh/sshd_config</tt> file.
|
||||||
|
+ Ideally, don't have any active configuration directives in that file, and distribute the service configuration
|
||||||
|
+ to several files in the <tt>/etc/ssh/sshd_config.d</tt> directory.
|
||||||
|
+
|
||||||
|
+rationale: |-
|
||||||
|
+ This form of distributed configuration is considered as a good practice, and as other sshd rules assume that directives in files in the <tt>/etc/ssh/sshd_config.d</tt> config directory are effective, there has to be a rule that ensures this.
|
||||||
|
+ Aside from that, having multiple configuration files makes the SSH Server configuration changes easier to partition according to the reason that they were introduced, and therefore it should help to perform merges of hardening updates.
|
||||||
|
+
|
||||||
|
+severity: medium
|
||||||
|
+
|
||||||
|
+identifiers:
|
||||||
|
+ cce@rhel9: CCE-87681-3
|
||||||
|
+
|
||||||
|
+ocil_clause: "you don't include other configuration files from the main configuration file"
|
||||||
|
+
|
||||||
|
+ocil: |-
|
||||||
|
+ To determine whether the SSH server includes configuration files from the right directory, run the following command:
|
||||||
|
+ <pre>$ sudo grep -i '^Include' /etc/ssh/sshd_config</pre>
|
||||||
|
+ If a line <tt>Include /etc/ssh/sshd_config.d/*.conf</tt> is returned, then the configuration file inclusion is set correctly.
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..fa2ee0654f2
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/match.fail.sh
|
||||||
|
@@ -0,0 +1,4 @@
|
||||||
|
+# platform = multi_platform_all
|
||||||
|
+
|
||||||
|
+echo "Match something" >> /etc/ssh/sshd_config
|
||||||
|
+echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..a6013ad7cfa
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.fail.sh
|
||||||
|
@@ -0,0 +1,3 @@
|
||||||
|
+# platform = multi_platform_all
|
||||||
|
+
|
||||||
|
+echo "include /etc/ssh/sshd_config.d/.*" > /etc/ssh/sshd_config
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..7a26f521415
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/tests/simple.pass.sh
|
||||||
|
@@ -0,0 +1,4 @@
|
||||||
|
+# platform = multi_platform_all
|
||||||
|
+
|
||||||
|
+# Handling of case-insensitivity of include is tricky
|
||||||
|
+echo "Include /etc/ssh/sshd_config.d/*.conf" > /etc/ssh/sshd_config
|
||||||
|
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||||
|
index 73d025484e6..40a2b9b5868 100644
|
||||||
|
--- a/shared/references/cce-redhat-avail.txt
|
||||||
|
+++ b/shared/references/cce-redhat-avail.txt
|
||||||
|
@@ -1780,7 +1780,6 @@ CCE-87677-1
|
||||||
|
CCE-87678-9
|
||||||
|
CCE-87679-7
|
||||||
|
CCE-87680-5
|
||||||
|
-CCE-87681-3
|
||||||
|
CCE-87682-1
|
||||||
|
CCE-87683-9
|
||||||
|
CCE-87684-7
|
||||||
|
diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml
|
||||||
|
index 095d911ee1c..69062ebe541 100644
|
||||||
|
--- a/shared/templates/extra_ovals.yml
|
||||||
|
+++ b/shared/templates/extra_ovals.yml
|
||||||
|
@@ -57,3 +57,9 @@ service_syslog_disabled:
|
||||||
|
vars:
|
||||||
|
servicename: syslog
|
||||||
|
packagename: rsyslog
|
||||||
|
+
|
||||||
|
+sshd_includes_config_files:
|
||||||
|
+ name: lineinfile
|
||||||
|
+ vars:
|
||||||
|
+ path: /etc/ssh/sshd_config
|
||||||
|
+ text: "Include /etc/ssh/sshd_config.d/*.conf"
|
||||||
|
|
||||||
|
From d7fcab7ad66e77bb7ccba507e3f024bc892c3864 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||||
|
Date: Tue, 11 May 2021 16:06:29 +0200
|
||||||
|
Subject: [PATCH 4/6] Improved error reporting related to macros.
|
||||||
|
|
||||||
|
---
|
||||||
|
ssg/jinja.py | 22 +++++++++++++---------
|
||||||
|
1 file changed, 13 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ssg/jinja.py b/ssg/jinja.py
|
||||||
|
index a46246ad0fb..28edd9a6dcd 100644
|
||||||
|
--- a/ssg/jinja.py
|
||||||
|
+++ b/ssg/jinja.py
|
||||||
|
@@ -153,16 +153,20 @@ def load_macros(substitutions_dict=None):
|
||||||
|
|
||||||
|
add_python_functions(substitutions_dict)
|
||||||
|
try:
|
||||||
|
- update_substitutions_dict(JINJA_MACROS_BASE_DEFINITIONS, substitutions_dict)
|
||||||
|
- update_substitutions_dict(JINJA_MACROS_HIGHLEVEL_DEFINITIONS, substitutions_dict)
|
||||||
|
- update_substitutions_dict(JINJA_MACROS_ANSIBLE_DEFINITIONS, substitutions_dict)
|
||||||
|
- update_substitutions_dict(JINJA_MACROS_BASH_DEFINITIONS, substitutions_dict)
|
||||||
|
- update_substitutions_dict(JINJA_MACROS_OVAL_DEFINITIONS, substitutions_dict)
|
||||||
|
- update_substitutions_dict(JINJA_MACROS_IGNITION_DEFINITIONS, substitutions_dict)
|
||||||
|
- update_substitutions_dict(JINJA_MACROS_KUBERNETES_DEFINITIONS, substitutions_dict)
|
||||||
|
+ filenames = [
|
||||||
|
+ JINJA_MACROS_BASE_DEFINITIONS,
|
||||||
|
+ JINJA_MACROS_HIGHLEVEL_DEFINITIONS,
|
||||||
|
+ JINJA_MACROS_ANSIBLE_DEFINITIONS,
|
||||||
|
+ JINJA_MACROS_BASH_DEFINITIONS,
|
||||||
|
+ JINJA_MACROS_OVAL_DEFINITIONS,
|
||||||
|
+ JINJA_MACROS_IGNITION_DEFINITIONS,
|
||||||
|
+ JINJA_MACROS_KUBERNETES_DEFINITIONS,
|
||||||
|
+ ]
|
||||||
|
+ for filename in filenames:
|
||||||
|
+ update_substitutions_dict(filename, substitutions_dict)
|
||||||
|
except Exception as exc:
|
||||||
|
- msg = ("Error extracting macro definitions: {0}"
|
||||||
|
- .format(str(exc)))
|
||||||
|
+ msg = ("Error extracting macro definitions from '{1}': {0}"
|
||||||
|
+ .format(str(exc), filename))
|
||||||
|
raise RuntimeError(msg)
|
||||||
|
|
||||||
|
return substitutions_dict
|
||||||
|
|
||||||
|
From df45c3fa295a2dc5a23cc347657964df6453cbae Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||||
|
Date: Tue, 11 May 2021 16:44:50 +0200
|
||||||
|
Subject: [PATCH 5/6] Removed devault values that are variables from Jinja
|
||||||
|
|
||||||
|
Support in older jinja2 packages is not in a good shape.
|
||||||
|
---
|
||||||
|
shared/macros-oval.jinja | 12 ++++++++----
|
||||||
|
1 file changed, 8 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
|
||||||
|
index d38db96d9e3..87e0fd7d87d 100644
|
||||||
|
--- a/shared/macros-oval.jinja
|
||||||
|
+++ b/shared/macros-oval.jinja
|
||||||
|
@@ -92,7 +92,8 @@
|
||||||
|
- parameter (String): The parameter to be checked in the configuration file.
|
||||||
|
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||||
|
#}}
|
||||||
|
-{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem=rule_id) -%}}
|
||||||
|
+{{%- macro oval_line_in_file_criterion(path='', parameter='', missing_parameter_pass=false, comment='', id_stem='') -%}}
|
||||||
|
+{{%- set id_stem = id_stem or rule_id -%}}
|
||||||
|
{{%- set suffix_id = "" -%}}
|
||||||
|
{{%- set prefix_text = "Check the" -%}}
|
||||||
|
{{%- if missing_parameter_pass %}}
|
||||||
|
@@ -113,7 +114,8 @@
|
||||||
|
- parameter (String): The parameter to be checked in the configuration file.
|
||||||
|
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||||
|
#}}
|
||||||
|
-{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem=rule_id) -%}}
|
||||||
|
+{{%- macro oval_line_in_file_test(path='', parameter='', missing_parameter_pass=false, id_stem='') -%}}
|
||||||
|
+{{%- set id_stem = id_stem or rule_id -%}}
|
||||||
|
{{%- set suffix_id = "" -%}}
|
||||||
|
{{%- if missing_parameter_pass %}}
|
||||||
|
{{%- set check_existence = "none_exist" -%}}
|
||||||
|
@@ -144,7 +146,8 @@
|
||||||
|
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
||||||
|
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
||||||
|
#}}
|
||||||
|
-{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem=rule_id) -%}}
|
||||||
|
+{{%- macro oval_line_in_file_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false, filepath_regex='', id_stem='') -%}}
|
||||||
|
+{{%- set id_stem = id_stem or rule_id -%}}
|
||||||
|
{{%- set suffix_id = "" -%}}
|
||||||
|
{{%- if multi_value -%}}
|
||||||
|
{{%- set group_regex = "([^#]*).*$" -%}}
|
||||||
|
@@ -196,7 +199,8 @@
|
||||||
|
- quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
|
||||||
|
For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
|
||||||
|
#}}
|
||||||
|
-{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem=rule_id) -%}}
|
||||||
|
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='', id_stem='') -%}}
|
||||||
|
+{{%- set id_stem = id_stem or rule_id -%}}
|
||||||
|
{{%- set regex = value -%}}
|
||||||
|
{{%- if quotes != "" %}}
|
||||||
|
{{%- if "\\1" in value > 0 %}}
|
||||||
|
|
||||||
|
From a3ec49f75ac3059d7096985e08e10005db96330a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matej Tyc <matyc@redhat.com>
|
||||||
|
Date: Fri, 30 Jul 2021 17:25:25 +0200
|
||||||
|
Subject: [PATCH 6/6] Don't remediate when it is inappropriate
|
||||||
|
|
||||||
|
Don't remediate when the config file already contains the include
|
||||||
|
directive.
|
||||||
|
---
|
||||||
|
.../sshd_use_directory_configuration/bash/shared.sh | 7 +++++--
|
||||||
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
|
||||||
|
index 2ff58ec373c..9317b23992d 100644
|
||||||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/bash/shared.sh
|
||||||
|
@@ -1,12 +1,15 @@
|
||||||
|
# platform = multi_platform_all
|
||||||
|
|
||||||
|
{{% set target_file = "/etc/ssh/sshd_config.d/sshd_config_original.conf" -%}}
|
||||||
|
+{{% set base_config = "/etc/ssh/sshd_config" -%}}
|
||||||
|
if test -f {{{ target_file}}}; then
|
||||||
|
{{{ die("Remediation probably already happened, '" ~ target_file ~ "' already exists, not doing anything.", action="false") }}}
|
||||||
|
+elif grep -Eq '^\s*Include\s+/etc/ssh/sshd_config\.d/\*\.conf' {{{ base_config }}} && ! grep -Eq '^\s*Match\s' {{{ base_config }}}; then
|
||||||
|
+ {{{ die("Remediation probably already happened, '" ~ base_config ~ "' already contains the include directive.", action="false") }}}
|
||||||
|
else
|
||||||
|
mkdir -p /etc/ssh/sshd_config.d
|
||||||
|
- mv /etc/ssh/sshd_config {{{ target_file }}}
|
||||||
|
-cat > /etc/ssh/sshd_config << EOF
|
||||||
|
+ mv {{{ base_config }}} {{{ target_file }}}
|
||||||
|
+cat > {{{ base_config }}} << EOF
|
||||||
|
# To modify the system-wide sshd configuration, create a *.conf file under
|
||||||
|
# /etc/ssh/sshd_config.d/ which will be automatically included below
|
||||||
|
|
@ -13,6 +13,8 @@ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{versio
|
|||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
Patch0: scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
|
Patch0: scap-security-guide-0.1.58-fix_service_disabled-PR_7296.patch
|
||||||
|
Patch1: scap-security-guide-0.1.58-sshd_directory-PR_6926.patch
|
||||||
|
Patch2: scap-security-guide-0.1.58-sshd_config_basename-PR_7410.patch
|
||||||
|
|
||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
BuildRequires: expat
|
BuildRequires: expat
|
||||||
|
Loading…
Reference in New Issue
Block a user