From e4bcce25933c474cb2358411e30917d30fdf6eb7 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 10 Nov 2022 10:13:16 +0100
Subject: [PATCH 1/3] Add tests to check for RekeyLimit conflicts
---
.../sshd_rekey_limit/tests/param_conflict.fail.sh | 13 +++++++++++++
.../tests/param_conflict_directory.fail.sh | 15 +++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
new file mode 100644
index 00000000000..0eb6aab6804
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+SSHD_PARAM="RekeyLimit"
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
+echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
new file mode 100644
index 00000000000..bc254a3a57c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/param_conflict_directory.fail.sh
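Review bot: The pre-clean `grep -q "^\s*${SSHD_PARAM}"` is case-sensitive while the `sed` it guards deletes with the `I` address flag, so an existing `rekeylimit` line (sshd keywords are case-insensitive) is never detected and the fixture ends up carrying a third, unintended value; `if grep -qi "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then` aligns the two. Here the leftover would still produce the expected fail, but the same setup block is repeated verbatim in param_conflict_directory.fail.sh and duplicated_param.pass.sh, where a stray non-compliant line could make the pass scenario fail for the wrong reason. The `touch /etc/ssh/sshd_config.d/nothing` line reads like leftover debugging; it presumably exists so the unquoted `sshd_config.d/*` glob does not stay literal in an empty directory, and a trailing comment such as `# ensure the glob below expands to at least one file` would make that clear in all three scripts.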
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+
+SSHD_PARAM="RekeyLimit"
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config.d/good_config.conf
+echo "${SSHD_PARAM} 1G 3h" >> /etc/ssh/sshd_config.d/bad_config.conf
From 2654d659b4dbe7eed9794005153ea3f147b27320 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 10 Nov 2022 10:32:35 +0100
Subject: [PATCH 2/3] Separate the SSHD parameter from the value
Separate the SSHD paramater RekeyLimit from the compliant values. This makes it possible to collect all occurrences of RekeyLimit and compare each of then with the compliant values.
---
.../ssh/ssh_server/sshd_rekey_limit/oval/shared.xml | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
index b2dd9039200..38c8a84aa3f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
@@ -24,30 +24,36 @@ + {{{ sshd_config_path }}} - + ^[\s]*{{{ parameter }}}[\s]+(.*)$ 1 {{%- if sshd_distributed_config == "true" %}} + {{{ sshd_config_dir}}} .*\.conf$ - + ^[\s]*{{{ parameter }}}[\s]+(.*)$ 1 {{%- endif %}} + + + + - ^[\s]*{{{ parameter }}}[\s]+ + ^ [\s]+
From f5847d8362e7331fde049f3c56f6bb4f44fb18f1 Mon Sep 17 00:00:00 2001
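Review bot: The drop-in names `good_config.conf` and `bad_config.conf` suggest the compliant value is the one that wins, but the usual `Include /etc/ssh/sshd_config.d/*.conf` is expanded in lexical order and sshd keeps the first value it reads for a keyword, so `bad_config.conf` is presumably the effective one; a comment stating that the expectation does not depend on which drop-in sshd honours would stop the next reader from inferring precedence from the names, e.g. `# Conflicting RekeyLimit values across drop-ins: the rule must fail regardless of include order.`. The `# platform` line restricts this scenario to distributions with distributed sshd configuration, which is presumably why param_conflict.fail.sh in the previous hunk carries no such restriction even though it also creates sshd_config.d; a sentence on that in the file or commit message would help.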
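Review bot: The new object pattern `^[\s]*{{{ parameter }}}[\s]+(.*)$` captures everything up to end of line, so a compliant `RekeyLimit 512M 1h` followed by trailing whitespace would yield `512M 1h ` and, if the state compares the captured value literally, report a fail for a compliant system; trimming in the pattern, e.g. `^[\s]*{{{ parameter }}}[\s]+(.*?)[\s]*$`, avoids that false fail. The XML markup of this hunk is stripped in this rendering (only text nodes survive), so the object/state wiring — including whether the match honours sshd's case-insensitive keywords — cannot be confirmed from here. The hunk starts at line 24, so the enclosing definitions begin and end outside it.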
From: Watson Sato
Date: Thu, 10 Nov 2022 10:39:45 +0100
Subject: [PATCH 3/3] Add test for duplicated SSHD parameter
Ensure the rule still passes when a parameter is defined multiple times but have the same value.
---
.../tests/duplicated_param.pass.sh | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
new file mode 100644
index 00000000000..2e0d8145abd
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/tests/duplicated_param.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+SSHD_PARAM="RekeyLimit"
+
+mkdir -p /etc/ssh/sshd_config.d
+touch /etc/ssh/sshd_config.d/nothing
+
+if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
+ sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+fi
+
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
+echo "${SSHD_PARAM} 512M 1h" >> /etc/ssh/sshd_config
+
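Review bot: The scenario's expectation is conveyed only by the filename; the two identical `echo` lines at the end deserve a header comment so a reader knows the duplicate is deliberate and what the rule must do with it, e.g. `# RekeyLimit is set twice with the same compliant value; agreeing duplicates must not fail the rule.`. Since this is a `.pass.sh` scenario, it is the one most sensitive to any value the pre-clean block in the middle of the hunk leaves behind, so the comment should also state that the config is expected to contain no other RekeyLimit line when the two echoes run.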