
Fix rules checking '/etc/ssh/sshd_config.d/' #12954

Open
wants to merge 1 commit into
base: master
Conversation

jan-cerny
Collaborator

@jan-cerny jan-cerny commented Jan 31, 2025

The new rule in RHEL 9 STIG file_permissions_sshd_drop_in_config fails in daily productization in tests for Image Mode RHEL.

A closer look reveals that this rule requires mode 0600 on the /etc/ssh/sshd_config.d/ directory, which makes the directory inaccessible. Directories should have the executable permissions. It should require mode 0700 on the directory. The intention is that mode 0600 is set on the files within that directory.

The file_permissions template doesn't allow defining different modes and having directories and files in a single rule. Therefore, we need to split the rule file_permissions_sshd_drop_in_config into 2 rules: file_permissions_sshd_drop_in_config and directory_permissions_sshd_config_d, where the former will check the mode on config files in the /etc/ssh/sshd_config.d/ directory and the latter will check the mode on the directory itself.

We need to do analogous changes also for the rules file_owner_sshd_drop_in_config and file_groupowner_sshd_drop_in_config. We want to cover the owner and group owner of the directory and of the files in the directory. Therefore, we will create directory_owner_sshd_config_d and directory_groupowner_sshd_config_d.

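The description above rests on one Unix detail: a directory needs the execute (search) bit to be entered, so 0600 on /etc/ssh/sshd_config.d/ locks everyone but root out of it, while 0600 is exactly right for the drop-in files inside it. The POSIX shell script below is an added example, not code from this PR or from the ComplianceAsCode project: it audits a drop-in directory against the end state the split rules intend (directory 0700, regular files directly inside it 0600, both owned by root:root unless other ids are passed), which is a quick way to confirm on a host what the new rules will check. It assumes GNU coreutils `stat -c`; the function names and the uid/gid parameters are my own.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode PR: audit an sshd drop-in
# directory for the end state the split rules intend.
#   the directory itself  : mode 0700, owned by WANT_UID:WANT_GID
#   regular files inside  : mode 0600, owned by WANT_UID:WANT_GID
# A directory needs the x (search) bit to be entered, which is why 0600 on
# the directory, unlike 0600 on the files, makes it inaccessible.
# Assumes GNU coreutils `stat -c`; helper names are hypothetical.

# check_one PATH WANT_MODE WANT_UID WANT_GID
# Returns 0 if PATH has exactly the wanted octal mode, uid and gid,
# otherwise prints a FAIL line and returns 1.
check_one() {
    actual=$(stat -c '%a %u %g' "$1" 2>/dev/null) || {
        echo "FAIL $1: cannot stat (parent directory not searchable?)"
        return 1
    }
    [ "$actual" = "$2 $3 $4" ] && return 0
    echo "FAIL $1: mode uid gid = $actual, want $2 $3 $4"
    return 1
}

# check_sshd_dropin DIR [WANT_UID] [WANT_GID]
# Checks DIR (0700) and every regular file directly inside it (0600).
# Returns 0 when everything matches, 1 otherwise; failures go to stdout.
check_sshd_dropin() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    rc=0
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    check_one "$dir" 700 "$want_uid" "$want_gid" || rc=1
    # The two globs cover ordinary and dot-prefixed names; a glob that matches
    # nothing stays literal and fails the -f test.  Subdirectories are skipped,
    # like the remediation's `find -maxdepth 1 -type f`.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        check_one "$f" 600 "$want_uid" "$want_gid" || rc=1
    done
    return $rc
}

# Usage on a live host (as root): sh check_sshd_dropin.sh /etc/ssh/sshd_config.d
if [ $# -gt 0 ]; then
    check_sshd_dropin "$@"
fi
```

Run against a real host the script reports each offending path, so a directory at 0600 shows up as a single FAIL line for the directory while the files inside it, which the rule being fixed was actually meant to cover, are judged on their own.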
@jan-cerny jan-cerny added the labels productization-issue (Issue found in upstream stabilization process), RHEL9 (Red Hat Enterprise Linux 9 product related), STIG (STIG Benchmark related) and Image Mode (Bootable containers and Image Mode RHEL) on Jan 31, 2025
@jan-cerny jan-cerny added this to the 0.1.76 milestone Jan 31, 2025
@Mab879 Mab879 self-assigned this Jan 31, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
@@ -1,10 +1,10 @@
 
 [title]:
-Verify Group Who Owns SSH Server config file
+Verify Group Who Owns SSH Server Configuration Files
 
 [description]:
-To properly set the group owner of /etc/ssh/sshd_config.d, run the command:
-$ sudo chgrp root /etc/ssh/sshd_config.d
+To properly set the group owner of files in /etc/ssh/sshd_config.d, run the command:
+find -H /etc/ssh/sshd_config.d -type d -exec chgrp -L root {} \;
 
 [reference]:
 12
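Review bot: the new description command `find -H /etc/ssh/sshd_config.d -type d -exec chgrp -L root {} \;` selects directories (`-type d`) although the sentence above it now says "files in /etc/ssh/sshd_config.d", and the bash remediation for this same rule uses `-type f`; change it to `-type f` so the documented command matches what the check enforces. `chgrp -L` only has meaning together with `-R`, so it can be dropped, and the `$ sudo` prompt prefix the old description carried should be kept for consistency with the other rule descriptions.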

OCIL for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config' differs.
--- ocil:ssg-file_groupowner_sshd_drop_in_config_ocil:questionnaire:1
+++ ocil:ssg-file_groupowner_sshd_drop_in_config_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To check the group ownership of /etc/ssh/sshd_config.d,
+To check the group ownership of files in the /etc/ssh/sshd_config.d directory,
 run the command:
 $ ls -lL /etc/ssh/sshd_config.d
 If properly configured, the output should indicate the following group-owner:
 root
-      Is it the case that /etc/ssh/sshd_config.d does not have a group owner of root?
+      Is it the case that files in the /etc/ssh/sshd_config.d directory do not have a group owner of root?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q kernel; then
 
-find -H /etc/ssh/sshd_config.d/ -maxdepth 1 -type d -exec chgrp -L 0 {} \;
+find -L /etc/ssh/sshd_config.d/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*$' -exec chgrp -L 0 {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
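Review bot: the bash remediation uses `find -L` (follow every symlink) while the Ansible version of the same rule uses `find -H`; with `-L`, a symlink in the drop-in directory that points at a regular file elsewhere matches `-type f` and the `chgrp` then changes the group of that target outside /etc/ssh/sshd_config.d. Use `-H` here as well so both remediations touch the same set of paths. The `-regextype posix-extended -regex '^.*$'` filter matches every name and can be omitted.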

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_groupowner_sshd_drop_in_config
@@ -14,11 +14,13 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Ensure group owner on /etc/ssh/sshd_config.d/
-  file:
-    path: /etc/ssh/sshd_config.d/
-    state: directory
-    group: '0'
+- name: Find /etc/ssh/sshd_config.d/ file(s) matching ^.*$
+  command: find -H /etc/ssh/sshd_config.d/ -maxdepth 1 -type f ! -group 0 -regextype
+    posix-extended -regex "^.*$"
+  register: files_found
+  changed_when: false
+  failed_when: false
+  check_mode: false
   when: '"kernel" in ansible_facts.packages'
   tags:
   - CCE-86253-2
@@ -32,3 +34,24 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
+- name: Ensure group owner on /etc/ssh/sshd_config.d/ file(s) matching ^.*$
+  file:
+    path: '{{ item }}'
+    group: '0'
+    state: file
+  with_items:
+  - '{{ files_found.stdout_lines }}'
+  when: '"kernel" in ansible_facts.packages'
+  tags:
+  - CCE-86253-2
+  - DISA-STIG-RHEL-09-255105
+  - NIST-800-53-AC-17(a)
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - configure_strategy
+  - file_groupowner_sshd_drop_in_config
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config'.
--- xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
@@ -1,10 +1,10 @@
 
 [title]:
-Verify Owner on SSH Server config file
+Verify Owner on SSH Server Configuration Files
 
 [description]:
-To properly set the owner of /etc/ssh/sshd_config.d, run the command:
-$ sudo chown root /etc/ssh/sshd_config.d
+To properly set the owner of files in /etc/ssh/sshd_config.d, run the command:
+find -H /etc/ssh/sshd_config.d -type d -exec chown -L root {} \;
 
 [reference]:
 12
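Review bot: same mismatch as in the group-owner description: `find -H /etc/ssh/sshd_config.d -type d -exec chown -L root {} \;` selects the directory (`-type d`) while the text says "files in /etc/ssh/sshd_config.d" and the bash remediation uses `-type f`; use `-type f`, drop the `-L` (meaningful only with `-R`) and keep the `$ sudo` prefix the old text had.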

OCIL for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config' differs.
--- ocil:ssg-file_owner_sshd_drop_in_config_ocil:questionnaire:1
+++ ocil:ssg-file_owner_sshd_drop_in_config_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To check the ownership of /etc/ssh/sshd_config.d,
+To check the ownership of files in the /etc/ssh/sshd_config.d directory,
 run the command:
 $ ls -lL /etc/ssh/sshd_config.d
 If properly configured, the output should indicate the following owner:
 root
-      Is it the case that /etc/ssh/sshd_config.d does not have an owner of root?
+      Is it the case that files in the /etc/ssh/sshd_config.d directory do not have a owner of root?
       
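Review bot: the new OCIL question reads "do not have a owner of root"; it should be "an owner of root".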
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q kernel; then
 
-find -H /etc/ssh/sshd_config.d/ -maxdepth 1 -type d -exec chown -L 0 {} \;
+find -L /etc/ssh/sshd_config.d/ -maxdepth 1 -type f ! -uid 0 -regextype posix-extended -regex '^.*$' -exec chown -L 0 {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
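Review bot: `find -L` here versus `find -H` in the Ansible task for the same rule is the same inconsistency as in the group-owner remediation; with `-L` the `chown` can follow a symlink out of the directory, so prefer `-H` in both remediations.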

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_owner_sshd_drop_in_config
@@ -14,11 +14,13 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Ensure owner on directory /etc/ssh/sshd_config.d/
-  file:
-    path: /etc/ssh/sshd_config.d/
-    state: directory
-    owner: '0'
+- name: Find /etc/ssh/sshd_config.d/ file(s) matching ^.*$
+  command: find -H /etc/ssh/sshd_config.d/ -maxdepth 1 -type f ! -uid 0 -regextype
+    posix-extended -regex "^.*$"
+  register: files_found
+  changed_when: false
+  failed_when: false
+  check_mode: false
   when: '"kernel" in ansible_facts.packages'
   tags:
   - CCE-86217-7
@@ -32,3 +34,24 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+
+- name: Ensure owner on /etc/ssh/sshd_config.d/ file(s) matching ^.*$
+  file:
+    path: '{{ item }}'
+    owner: '0'
+    state: file
+  with_items:
+  - '{{ files_found.stdout_lines }}'
+  when: '"kernel" in ansible_facts.packages'
+  tags:
+  - CCE-86217-7
+  - DISA-STIG-RHEL-09-255110
+  - NIST-800-53-AC-17(a)
+  - NIST-800-53-AC-6(1)
+  - NIST-800-53-CM-6(a)
+  - configure_strategy
+  - file_owner_sshd_drop_in_config
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed

OVAL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config' differs.
--- oval:ssg-file_permissions_sshd_config:def:1
+++ oval:ssg-file_permissions_sshd_config:def:1
@@ -1,3 +1,2 @@
 criteria AND
 criterion oval:ssg-test_file_permissions_sshd_config_0:tst:1
-criterion oval:ssg-test_file_permissions_sshd_config_1:tst:1
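Review bot: dropping `criterion oval:ssg-test_file_permissions_sshd_config_1:tst:1` removes the /etc/ssh/sshd_config.d check from this rule entirely; the PR description says that coverage moves to the new `directory_permissions_sshd_config_d` rule, which this auto-generated diff does not show, so please confirm the new rule is selected in the same profiles (RHEL 9 STIG at least) before this lands, otherwise the directory mode goes unchecked.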

bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
@@ -3,8 +3,6 @@
 
 chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config
 
-chmod u-xs,g-xwrs,o-xwrt /etc/ssh/sshd_config.d
-
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
@@ -57,45 +57,3 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-
-- name: Test for existence /etc/ssh/sshd_config.d
-  stat:
-    path: /etc/ssh/sshd_config.d
-  register: file_exists
-  when: '"kernel" in ansible_facts.packages'
-  tags:
-  - CCE-90818-6
-  - DISA-STIG-RHEL-09-255115
-  - NIST-800-53-AC-17(a)
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSSv4-2.2
-  - PCI-DSSv4-2.2.6
-  - configure_strategy
-  - file_permissions_sshd_config
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-
-- name: Ensure permission u-xs,g-xwrs,o-xwrt on /etc/ssh/sshd_config.d
-  file:
-    path: /etc/ssh/sshd_config.d
-    mode: u-xs,g-xwrs,o-xwrt
-  when:
-  - '"kernel" in ansible_facts.packages'
-  - file_exists.stat is defined and file_exists.stat.exists
-  tags:
-  - CCE-90818-6
-  - DISA-STIG-RHEL-09-255115
-  - NIST-800-53-AC-17(a)
-  - NIST-800-53-AC-6(1)
-  - NIST-800-53-CM-6(a)
-  - PCI-DSSv4-2.2
-  - PCI-DSSv4-2.2.6
-  - configure_strategy
-  - file_permissions_sshd_config
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
@@ -1,10 +1,10 @@
 
 [title]:
-Verify Permissions on SSH Server config file
+Verify Permissions on SSH Server Config File
 
 [description]:
-To properly set the permissions of /etc/ssh/sshd_config.d, run the command:
-$ sudo chmod 0600 /etc/ssh/sshd_config.d
+To properly set the permissions of files in /etc/ssh/sshd_config.d, run the command:
+find -H /etc/ssh/sshd_config.d -type d -exec chown 0600 {} \;
 
 [reference]:
 12
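Review bot: the description command `find -H /etc/ssh/sshd_config.d -type d -exec chown 0600 {} \;` is wrong twice: `chown 0600` would try to set the owner to uid 600 rather than the mode, so it must be `chmod 0600`, and `-type d` selects the directory instead of the files the sentence refers to (the bash remediation uses `-type f`). Also the new title "Verify Permissions on SSH Server Config File" is still singular while the owner and group-owner rules were renamed to "... Configuration Files"; align it.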

OCIL for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config' differs.
--- ocil:ssg-file_permissions_sshd_drop_in_config_ocil:questionnaire:1
+++ ocil:ssg-file_permissions_sshd_drop_in_config_ocil:questionnaire:1
@@ -1,7 +1,7 @@
-To check the permissions of /etc/ssh/sshd_config.d,
+To check the permissions of files in the /etc/ssh/sshd_config.d directory,
 run the command:
-$ ls -l /etc/ssh/sshd_config.d
+$ ls -lL /etc/ssh/sshd_config.d
 If properly configured, the output should indicate the following permissions:
 -rw-------
-      Is it the case that /etc/ssh/sshd_config.d does not have unix mode -rw-------?
+      Is it the case that files in the /etc/ssh/sshd_config.d directory do not have unix mode -rw-------?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q kernel; then
 
-find -H /etc/ssh/sshd_config.d// -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type d -exec chmod u-xs,g-xwrs,o-xwrt {} \;
+find -L /etc/ssh/sshd_config.d/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt  -type f -regextype posix-extended -regex '^.*$' -exec chmod u-xs,g-xwrs,o-xwrt {} \;
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
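Review bot: `find -L` again differs from the `find -H` used by the Ansian "Find /etc/ssh/sshd_config.d/ file(s)" task for this rule; use `-H` here so the two remediations agree, and tidy the double space before `-type f`.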

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_drop_in_config
@@ -14,9 +14,9 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Find /etc/ssh/sshd_config.d// file(s)
-  command: 'find -H /etc/ssh/sshd_config.d// -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt  -type
-    d '
+- name: Find /etc/ssh/sshd_config.d/ file(s)
+  command: find -H /etc/ssh/sshd_config.d/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt  -type
+    f -regextype posix-extended -regex "^.*$"
   register: files_found
   changed_when: false
   failed_when: false
@@ -35,11 +35,11 @@
   - medium_severity
   - no_reboot_needed
 
-- name: Set permissions for /etc/ssh/sshd_config.d// file(s)
+- name: Set permissions for /etc/ssh/sshd_config.d/ file(s)
   file:
     path: '{{ item }}'
     mode: u-xs,g-xwrs,o-xwrt
-    state: directory
+    state: file
   with_items:
   - '{{ files_found.stdout_lines }}'
   when: '"kernel" in ansible_facts.packages'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
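Review bot: `chmod 0600` straight after `touch` is the right fix for a freshly created drop-in (touch creates it with the process umask, typically 0644), but it runs on every invocation and does not set the owner or group, so a pre-existing file created by another account keeps its ownership and the file_owner rule still has to correct it; consider a `chown 0:0` next to it, or guarding both behind a test so the remediation is idempotent. The same added line appears in every hunk below, so this comment applies to all of them.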

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -6,6 +6,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -6,6 +6,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2' differs.
--- xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
+++ xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*Protocol\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*Protocol\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -6,6 +6,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*RhostsRSAAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*RhostsRSAAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*UsePAM\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -8,6 +8,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -6,6 +6,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*LoginGraceTime\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
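Review bot: The `chmod 0600` is applied before the `sed -i` edits of the same file, so the mode surviving depends on the in-place editor preserving it. GNU sed writes a temporary file and renames it over the original, copying the original's mode, so this works on the targeted platforms, but it is worth a one-line comment, or moving the `chmod` after the last edit of the file, so the guarantee does not silently depend on the editing tool.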

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -6,6 +6,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -6,6 +6,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -6,6 +6,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*MaxStartups\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -6,6 +6,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
+chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
 
 LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -3,6 +3,7 @@
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
+chmod 0600 /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
 
 LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config"
 LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
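Review bot: The identical `mkdir -p` / `touch` / `chmod 0600` sequence recurs verbatim in every hunk of this diff, for both `00-complianceascode-hardening.conf` and `01-complianceascode-reinforce-os-defaults.conf`. If these scripts are not already rendered from a single shared macro for drop-in creation, they should be, so the required mode is defined in one place and a future change (for instance to the directory mode) does not need to be repeated across every sshd rule.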

Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

codeclimate bot commented Jan 31, 2025

Code Climate has analyzed commit acb81d5 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

Labels: Image Mode (Bootable containers and Image Mode RHEL), productization-issue (Issue found in upstream stabilization process), RHEL9 (Red Hat Enterprise Linux 9 product related), STIG (STIG Benchmark related)