From ea37df6b736d22f32fd0d64457d731aa76b656c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
Date: Wed, 18 Aug 2021 16:17:15 +0200
Subject: [PATCH 1/2] Come up with a better basename
On Red Hat systems, there is 50-redhat.conf, so 60-complianceascode.conf seems to be a generally good fit.
---
 shared/templates/sshd_lineinfile/bash.template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
index eac758e310b..e15ab9521b8 100644
--- a/shared/templates/sshd_lineinfile/bash.template
+++ b/shared/templates/sshd_lineinfile/bash.template
@@ -11,8 +11,9 @@ mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/hardening
 {{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}}
 {{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}}
+{{%- set hardening_config_basename = "00-complianceascode-hardening.conf" %}}
 {{{ set_config_file(
- path="/etc/ssh/sshd_config.d/hardening",
+ path="/etc/ssh/sshd_config.d/" ~ hardening_config_basename,
 parameter=PARAMETER,
 value=VALUE,
 create=true,
From 9fc6f549d9494730c4d973330a24a5a2a209b1c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
Date: Wed, 18 Aug 2021 17:51:17 +0200
Subject: [PATCH 2/2] Fix the sshd directory config check
The check should consider only files matching .*\.conf
---
 .../sshd_disable_pubkey_auth/tests/conflict.fail.sh | 4 ++--
 .../tests/correct_value_directory.pass.sh | 2 +-
 shared/macros-oval.jinja | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
index 177a99e0b82..6e064ffc739 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
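Review bot: The basename set on the added `{{%- set hardening_config_basename = ... %}}` line, `00-complianceascode-hardening.conf`, is not the `60-complianceascode.conf` the commit message argues for, and the prefix is the whole precedence mechanism: sshd keeps the first value it reads for a keyword, so a `00-` file processed before `50-redhat.conf` makes the hardened value win, while a `60-` file would let the vendor file override it. Settle on one name and record the reasoning next to the `set`, e.g. `{{# 00- sorts before the vendor's 50-redhat.conf; sshd keeps the first value it reads, so this file must be included first #}}`. The unchanged `touch /etc/ssh/sshd_config.d/hardening` context line still creates the old suffix-less file that the new `path` never writes; either drop it or move the `set` above it and use `touch "/etc/ssh/sshd_config.d/{{{ hardening_config_basename }}}"`. The `set_config_file(` call continues past the last line of the hunk.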
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
@@ -11,5 +11,5 @@ else
 echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
 fi
 
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config
-echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config.conf
+echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
index 0aa2e775dbe..acb650915fe 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
@@ -11,4 +11,4 @@ else
 echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
 fi
 
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct.conf
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 87e0fd7d87d..f2fa7d79fc8 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
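Review bot: Renaming the fixtures to `good_config.conf` and `rogue_config.conf` keeps this scenario failing, but no scenario now pins what the check does with a suffix-less file in `sshd_config.d`: after the `macros-oval.jinja` change such a file is invisible to the OVAL object, and whether that is correct depends on the `Include` line in the product's `/etc/ssh/sshd_config`, which this diff does not show. A sibling scenario that writes `PubkeyAuthentication yes` to a file without the `.conf` suffix, marked `.pass.sh` if `Include` reads only `*.conf` and `.fail.sh` otherwise, would document that assumption; the same applies to `correct_value_directory.pass.sh`. The `if`/`else` these lines sit in starts outside the hunk.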
@@ -227,7 +227,7 @@
 {{%- endmacro %}}
 
 {{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}}
-{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}}
+{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*\.conf$", id_stem=rule_id ~ "_config_dir") -}}}
 {{%- endmacro %}}
 
 {{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}}
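Review bot: The new `filepath_regex=".*\.conf$"` uses a single backslash inside a Jinja string literal, whereas the defaults on the `macro` line two lines above (`'^[ \\t]*'`, `'[ \\t]+'`) double it; it presumably only survives because `\.` is not a recognised escape sequence, which is fragile and inconsistent with the file, so write `filepath_regex=".*\\.conf$"`. Narrowing the object from `.*` to `*.conf` also encodes an assumption that sshd's `Include` directive reads only `*.conf` from the directory: a file with any other suffix carrying a conflicting value is no longer examined and the rule would report compliant, so a comment above the `oval_line_in_file_object` call stating that assumption and where it was verified would help the next reader. It is also worth confirming that the bash remediation's `lineinfile_absent_in_directory` call in `sshd_lineinfile/bash.template` applies the same filter, since the check and the fix now may disagree on which files count. The other macros in this file are outside the hunk.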