Merge pull request #12251 from vojtapolasek/sshd_lineinfile_variables

Add support for XCCDF variables into sshd_lineinfile template
ComplianceAsCode · Aug 9, 2024 · 94ae023 · 94ae023
2 parents 05e8617 + b7b820d
commit 94ae023
Show file tree

Hide file tree

Showing 60 changed files with 240 additions and 274 deletions.
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -795,6 +795,14 @@ When the remediation is applied duplicate occurrences of `key` are removed.
 
     -   **value** - value of the SSH configuration option specified by
         **parameter**, eg. `"no"`.
+        This cannot be specified together with the **xccdf_variable** parameter.
+
+    - **xccdf_variable** - specifies an XCCDF variable to use as a value for the specified **parameter**.
+        This parameter conflicts with the **value** parameter.
+
+    - **datatype** - specifies the datatype of the **value** or **xccdf_variable**.
+        Possible options are **int** or **string**.
+        The datatype is utilized for creation of correct templated test scenarios.
 
     -   **missing_parameter_pass** - effective only in OVAL checks, if
         set to `"false"` and the parameter is not present in the

diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
@@ -62,6 +62,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: HostbasedAuthentication
-        rule_id: disable_host_auth
         value: 'no'
+        datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
@@ -69,6 +69,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PermitEmptyPasswords
-        rule_id: sshd_disable_empty_passwords
         value: 'no'
+        datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
@@ -55,6 +55,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: GSSAPIAuthentication
-        rule_id: sshd_disable_gssapi_auth
         value: 'no'
+        datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
@@ -56,6 +56,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: KerberosAuthentication
-        rule_id: sshd_disable_kerb_auth
         value: 'no'
+        datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml
@@ -25,5 +25,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PubkeyAuthentication
-        rule_id: sshd_disable_pubkey_auth
         value: 'no'
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
@@ -58,6 +58,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: IgnoreRhosts
-        rule_id: sshd_disable_rhosts
         value: 'yes'
+        datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -70,5 +70,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PermitRootLogin
-        rule_id: sshd_disable_root_login
         value: 'no'
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml
@@ -34,5 +34,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PermitRootLogin
-        rule_id: sshd_disable_root_password_login
         value: 'prohibit-password'
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
@@ -35,5 +35,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: AllowTcpForwarding
-        rule_id: sshd_disable_tcp_forwarding
         value: 'no'
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
@@ -54,5 +54,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: IgnoreUserKnownHosts
-        rule_id: sshd_disable_user_known_hosts
         value: 'yes'
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -58,6 +58,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: X11Forwarding
-        rule_id: sshd_disable_x11_forwarding
         value: 'no'
+        datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
@@ -64,6 +64,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PermitUserEnvironment
-        rule_id: sshd_do_not_permit_user_env
         value: 'no'
+        datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml
@@ -27,5 +27,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: GSSAPIAuthentication
-        rule_id: sshd_enable_gssapi_auth
         value: 'yes'
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
@@ -43,8 +43,8 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: UsePAM
-        rule_id: sshd_enable_pam
         value: 'yes'
+        datatype: string
 
 fixtext: |-
     {{{ fixtext_sshd_lineinfile('UsePAM', 'yes') }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml
@@ -45,5 +45,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PubkeyAuthentication
-        rule_id: sshd_enable_pubkey_auth
         value: 'yes'
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
@@ -57,6 +57,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: StrictModes
-        rule_id: sshd_enable_strictmodes
         value: 'yes'
+        datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -65,5 +65,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: Banner
-        rule_id: sshd_enable_warning_banner
         value: /etc/issue
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml
@@ -51,5 +51,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: Banner
-        rule_id: sshd_enable_warning_banner_net
         value: /etc/issue.net
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -42,5 +42,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: X11Forwarding
-        rule_id: sshd_enable_x11_forwarding
         value: 'yes'
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
@@ -52,6 +52,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PrintLastLog
-        rule_id: sshd_print_last_log
         value: 'yes'
+        datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -72,3 +72,10 @@ ocil: |-
     functionality completely.
     If the option is set to a number greater than <tt>0</tt>, then the session will be disconnected after
     <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds without receiving a keep alive message.
+
+template:
+    name: sshd_lineinfile
+    vars:
+        parameter: ClientAliveCountMax
+        xccdf_variable: var_sshd_set_keepalive
+        datatype: int
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/comment.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value.pass.sh
diff --git a/...x_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh b/...x_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/line_not_there.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh
diff --git a/...s/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/...s/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
@@ -73,5 +73,6 @@ template:
   vars:
     parameter: "ClientAliveCountMax"
     value: "0"
+    datatype: int
   backends:
     kubernetes: "off"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
@@ -44,6 +44,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: LogLevel
-        rule_id: sshd_set_loglevel_info
         value: INFO
+        datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -51,5 +51,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: LogLevel
-        rule_id: sshd_set_loglevel_verbose
         value: VERBOSE
+        datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
@@ -61,4 +61,5 @@ template:
         path: '/etc/sysconfig/sshd'
         parameter: 'SSH_USE_STRONG_RNG'
         value: '32'
+        datatype: int
         no_quotes: 'true'