ComplianceAsCode · vojtapolasek · Feb 3, 2025 · Jan 31, 2025 · Feb 3, 2025
diff --git a/components/openssh.yml b/components/openssh.yml
@@ -9,6 +9,9 @@ packages:
 - openssh-clients
 - openssh-server
 rules:
+- directory_groupowner_sshd_config_d
+- directory_owner_sshd_config_d
+- directory_permissions_sshd_config_d
 - disable_host_auth
 - file_groupowner_sshd_config
 - file_groupowner_sshd_drop_in_config

diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
@@ -1959,6 +1959,7 @@ controls:
         title: RHEL 9 SSH server configuration file must be group-owned by root.
         rules:
             - file_groupowner_sshd_config
+            - directory_groupowner_sshd_config_d
             - file_groupowner_sshd_drop_in_config
         status: automated
 
@@ -1968,6 +1969,7 @@ controls:
         title: RHEL 9 SSH server configuration file must be owned by root.
         rules:
             - file_owner_sshd_config
+            - directory_owner_sshd_config_d
             - file_owner_sshd_drop_in_config
         status: automated
 
@@ -1977,6 +1979,7 @@ controls:
         title: RHEL 9 SSH server configuration file must have mode 0600 or less permissive.
         rules:
             - file_permissions_sshd_config
+            - directory_permissions_sshd_config_d
             - file_permissions_sshd_drop_in_config
         status: automated
 

diff --git a/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/policy/stig/shared.yml b/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/policy/stig/shared.yml
@@ -0,0 +1,19 @@
+srg_requirement: |-
+    {{{ full_name }}} SSH server configuration file must be group-owned by root.
+
+vuldiscussion: |-
+    Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.
+
+checktext: |-
+    Verify the group ownership of the "/etc/ssh/sshd_config.d" directory and files under it with the following command:
+
+    $ ls -al /etc/ssh/sshd_config.d/*
+
+    rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config
+
+    If the "/etc/ssh/sshd_config" file does not have a group owner of "root", this is a finding.
+
+fixtext: |-
+    Configure the "/etc/ssh/sshd_config" file to be group-owned by root with the following command:
+
+    $ sudo chgrp -R root /etc/ssh/sshd_config.d
diff --git a/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns SSH Server Configuration Files'
+
+description: |-
+    {{{ describe_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
+
+rationale: |-
+    Service configuration files enable or disable features of their respective
+    services that if configured incorrectly can lead to insecure and vulnerable
+    configurations. Therefore, service configuration files should be owned by the
+    correct group to prevent unauthorized changes.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86179-9
+
+references:
+    cis-csc: 12,13,14,15,16,18,3,5
+    cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+    disa: CCI-000366
+    isa-62443-2009: 4.3.3.7.3
+    isa-62443-2013: 'SR 2.1,SR 5.2'
+    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+    nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
+    nist: AC-17(a),CM-6(a),AC-6(1)
+    nist-csf: PR.AC-4,PR.DS-5
+    srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
+
+fixtext: '{{{ fixtext_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: '/etc/ssh/sshd_config.d/'
+        gid_or_name: '0'
diff --git a/linux_os/guide/services/ssh/directory_owner_sshd_config_d/policy/stig/shared.yml b/linux_os/guide/services/ssh/directory_owner_sshd_config_d/policy/stig/shared.yml
@@ -0,0 +1,19 @@
+srg_requirement: |-
+    {{{ full_name }}} SSH server configuration file must be owned by root.
+
+vuldiscussion: |-
+    Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.
+
+checktext: |-
+    Verify the ownership of the "/etc/ssh/sshd_config.d" directory and files under it with the following command:
+
+    $ ls -al /etc/ssh/sshd_config.d/*
+
+    rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config
+
+    If the "/etc/ssh/sshd_config" file does not have a owner of "root", this is a finding.
+
+fixtext: |-
+    Configure the "/etc/ssh/sshd_config" file to be owned by root with the following command:
+
+    $ sudo chgrp -R root /etc/ssh/sshd_config.d
diff --git a/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml
@@ -0,0 +1,45 @@
+documentation_complete: true
+
+title: 'Verify Owner on SSH Server Configuration Files'
+
+description: |-
+    {{{ describe_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
+
+rationale: |-
+    Service configuration files enable or disable features of their respective
+    services that if configured incorrectly can lead to insecure and vulnerable
+    configurations. Therefore, service configuration files should be owned by the
+    correct group to prevent unauthorized changes.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86180-7
+
+
+references:
+    cis-csc: 12,13,14,15,16,18,3,5
+    cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+    disa: CCI-000366
+    isa-62443-2009: 4.3.3.7.3
+    isa-62443-2013: 'SR 2.1,SR 5.2'
+    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+    nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
+    nist: AC-17(a),CM-6(a),AC-6(1)
+    nist-csf: PR.AC-4,PR.DS-5
+    srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
+
+ocil: |-
+    {{{ ocil_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
+
+fixtext: '{{{ fixtext_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+
+template:
+    name: file_owner
+    vars:
+        filepath: '/etc/ssh/sshd_config.d/'
+        fileuid: '0'
diff --git a/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/policy/stig/shared.yml b/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/policy/stig/shared.yml
@@ -0,0 +1,20 @@
+srg_requirement: |-
+    {{{ full_name }}} SSH server configuration file must have mode 0700 or less permissive.
+
+vuldiscussion: |-
+    Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
+
+checktext: |-
+    Verify the permissions of the "/etc/ssh/sshd_config.d" file with the following command:
+
+    $ ls -al /etc/ssh/sshd_config.d
+
+    drwx------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config.d
+
+    If the "/etc/ssh/sshd_config" permissions are not "0700", this is a finding.
+
+fixtext: |-
+    Configure the "/etc/ssh/sshd_config.d" permissions to be "0700" with the following command:
+
+    $ sudo chmod 0700 /etc/ssh/sshd_config.d
+
diff --git a/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml b/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+title: 'Verify Permissions on SSH Server Config File'
+
+description: |-
+    {{{ describe_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0700") }}}
+
+rationale: |-
+    Service configuration files enable or disable features of their respective
+    services that if configured incorrectly can lead to insecure and vulnerable
+    configurations. Therefore, service configuration files should be owned by the
+    correct group to prevent unauthorized changes.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86186-4
+
+references:
+    cis-csc: 12,13,14,15,16,18,3,5
+    cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+    disa: CCI-000366
+    isa-62443-2009: 4.3.3.7.3
+    isa-62443-2013: 'SR 2.1,SR 5.2'
+    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+    nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
+    nist: AC-17(a),CM-6(a),AC-6(1)
+    nist-csf: PR.AC-4,PR.DS-5
+    srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}}'
+
+ocil: |-
+    {{{ ocil_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}}
+
+fixtext: '{{{ fixtext_directory_permissions(file="/etc/ssh/sshd_config.d", mode="0700") }}}'
+
+srg_requirement: '{{{ srg_requirement_directory_permission(file="/etc/ssh/sshd_config.d", mode="0700") }}}'
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/ssh/sshd_config.d/
+        filemode: '0700'
diff --git a/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/tests/ocp4/e2e.yml b/linux_os/guide/services/ssh/directory_permissions_sshd_config_d/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml
@@ -1,10 +1,9 @@
 documentation_complete: true
 
-
-title: 'Verify Group Who Owns SSH Server config file'
+title: 'Verify Group Who Owns SSH Server Configuration Files'
 
 description: |-
-    {{{ describe_file_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}
+    {{{ describe_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -30,17 +29,18 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
 
 ocil: |-
-    {{{ ocil_file_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}
+    {{{ ocil_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
 
-fixtext: '{{{ fixtext_file_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+fixtext: '{{{ fixtext_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
 
 template:
     name: file_groupowner
     vars:
-        filepath: /etc/ssh/sshd_config.d/
+        filepath: '/etc/ssh/sshd_config.d/'
+        file_regex: '^.*$'
         gid_or_name: '0'
diff --git a/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml
@@ -1,10 +1,9 @@
 documentation_complete: true
 
-
-title: 'Verify Owner on SSH Server config file'
+title: 'Verify Owner on SSH Server Configuration Files'
 
 description: |-
-    {{{ describe_file_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}
+    {{{ describe_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -31,17 +30,18 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
 
 ocil: |-
-    {{{ ocil_file_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}
+    {{{ ocil_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
 
-fixtext: '{{{ fixtext_file_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+fixtext: '{{{ fixtext_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
 
 template:
     name: file_owner
     vars:
-        filepath: /etc/ssh/sshd_config.d/
+        filepath: '/etc/ssh/sshd_config.d/'
+        file_regex: '^.*$'
         fileuid: '0'
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml
@@ -53,5 +53,4 @@ template:
     vars:
         filepath:
             - /etc/ssh/sshd_config
-            - /etc/ssh/sshd_config.d
         filemode: '0600'
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml
@@ -1,10 +1,9 @@
 documentation_complete: true
 
-
-title: 'Verify Permissions on SSH Server config file'
+title: 'Verify Permissions on SSH Server Config File'
 
 description: |-
-    {{{ describe_file_permissions(file="/etc/ssh/sshd_config.d", perms="0600") }}}
+    {{{ describe_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0600") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -30,17 +29,18 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/sshd_config.d", perms="-rw-------") }}}'
+ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}}'
 
 ocil: |-
-    {{{ ocil_file_permissions(file="/etc/ssh/sshd_config.d", perms="-rw-------") }}}
+    {{{ ocil_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}}
 
-fixtext: '{{{ fixtext_file_permissions(file="/etc/ssh/sshd_config.d", mode="0600") }}}'
+fixtext: '{{{ fixtext_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}'
 
-srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/ssh/sshd_config.d", mode="0600") }}}'
+srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}'
 
 template:
     name: file_permissions
     vars:
-        filepath: /etc/ssh/sshd_config.d//
+        filepath: '/etc/ssh/sshd_config.d/'
+        file_regex: '^.*$'
         filemode: '0600'