From acf787b666de36249ab835e6e1b9420b7d6be0d7 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 1 Aug 2024 10:06:33 +0200 Subject: [PATCH 01/16] extend template.py of sshd_lineinfile implement notion of XCCDF variables also start using a new template parameter datatype. It is used to generate proper templated test scenarios, see the template.py of the sysctl template. --- shared/templates/sshd_lineinfile/template.py | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/shared/templates/sshd_lineinfile/template.py b/shared/templates/sshd_lineinfile/template.py index 4678480d437..90165d46965 100644 --- a/shared/templates/sshd_lineinfile/template.py +++ b/shared/templates/sshd_lineinfile/template.py @@ -2,6 +2,9 @@ def preprocess(data, lang): + if data["datatype"] not in ["string", "int"]: + errmsg = "The template instance of the rule {0} contains invalid datatype. It must be either 'string' or 'int'".format(data["_rule_id"]) + raise ValueError(errmsg) data["missing_parameter_pass"] = parse_template_boolean_value( data, parameter="missing_parameter_pass", default_value=False) @@ -11,4 +14,21 @@ def preprocess(data, lang): data["config_basename"] = "01-complianceascode-reinforce-os-defaults.conf" else: data["config_basename"] = "00-complianceascode-hardening.conf" + + # set variables used in test scenarios + if data["datatype"] == "int": + if not data.get("value"): + data["wrong_value"] = 123456 + data["correct_value"] = 0 + else: + data["wrong_value"] = str(int(data["value"]) + 1) + data["correct_value"] = str(data["value"]) + elif data["datatype"] == "string": + if not data.get("value"): + data["wrong_value"] = "wrong_value" + data["correct_value"] = "correct_value" + else: + data["wrong_value"] = "wrong_value" + data["correct_value"] = str(data["value"]) + return data From cba06ad2bf13d0e2efe3ecb23eaee7d1ab0289c9 Mon Sep 17 00:00:00 2001 
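Review bot: The datatype check subscripts `data["datatype"]`, so a rule that omits `datatype` fails with a bare KeyError before reaching the ValueError that names the rule; only sshd_set_keepalive is converted in patch 08, so every other sshd_lineinfile rule appears to be in that position unless a default is supplied elsewhere in the series. Use `if data.get("datatype") not in ("string", "int"):` so the omission is reported with `_rule_id`. The same hunk is also the natural place for `data.setdefault("xccdf_variable", "")`, because oval.template, bash.template and ansible.template in patches 03, 04 and 06 branch on XCCDF_VARIABLE and nothing here guarantees it is defined; if the template engine treats undefined names as falsy this is harmless, otherwise those rules stop rendering. `preprocess` starts before the hunk.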
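Review bot: The value-less `int` branch stores the Python ints `123456` and `0` in `wrong_value`/`correct_value`, while the three other branches store `str`, so the type of these template variables depends on which rule is rendered; use `"123456"` and `"0"`. `int(data["value"])` on the next line raises an unlabelled ValueError for a non-numeric `value` — catching it and re-raising with `data["_rule_id"]` in the message, as the datatype check in the first hunk does, would make the failure attributable to a rule. `if not data.get("value")` also treats an explicit integer `0` from YAML as missing; it happens to produce the same correct_value here, but `if data.get("value") is None:` states the intent.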
From: Vojtech Polasek Date: Tue, 16 Jul 2024 13:36:58 +0200 Subject: [PATCH 02/16] create new oval macro for lineinfile state which uses XCCDF variable --- shared/macros/10-oval.jinja | 38 +++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index f12e56e08b6..439b6a45533 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -336,6 +336,21 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} +{{%- macro oval_line_in_file_state_xccdf_variable(var_name='', id_stem='', datatype='') -%}} +{{%- set id_stem = id_stem or rule_id -%}} + + + + + + + + + +{{%- endmacro -%}} + {{%- macro oval_line_in_directory_criterion(path='', parameter='', missing_parameter_pass=false, avoid_conflicting=false) -%}} {{{- oval_line_in_file_criterion(path, parameter, missing_parameter_pass, id_stem=rule_id ~ "_config_dir", avoid_conflicting=avoid_conflicting) -}}} @@ -356,6 +371,9 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{{- oval_line_in_file_state(value, multi_value, quotes, id_stem=rule_id ~ "_config_dir") -}}} {{%- endmacro %}} +{{%- macro oval_line_in_directory_state_xccdf_variable(var_name='', datatype='') -%}} +{{{- oval_line_in_file_state_xccdf_variable(var_name, id_stem=rule_id ~ "_config_dir", datatype=datatype) -}}} +{{%- endmacro -%}} {{# Macro to define the OVAL criterion to check if the configuration file exists (Criterion definition). 
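Review bot: `oval_line_in_file_state_xccdf_variable` is added without the `{{# ... #}}` doc comment that the other macros in this file carry (the `:param`/`:type` block ending in `:type config_is_distributed: bool #}}` before `sshd_oval_check` is the convention); `oval_line_in_directory_state_xccdf_variable` in the hunk at -356 has the same gap. A comment stating that the macro emits the state comparing the captured line value against the external XCCDF variable, with `:param var_name:`, `:param id_stem:` and `:param datatype:` entries and matching `:type ...: str` lines, would fit the file. The macro's XML body is not visible in this rendering, so whether `datatype` is validated or defaulted inside it cannot be checked here.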
@@ -1037,10 +1055,14 @@ Generates the :code:`` tag for OVAL check using correct product platfo :type config_is_distributed: bool #}} -{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed) -%}} +{{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, xccdf_variable="", datatype="") -%}} {{%- set sshd_config_path = "/etc/ssh/sshd_config" %}} {{%- set sshd_config_dir = "/etc/ssh/sshd_config.d" -%}} +{{%- if xccdf_variable -%}} +{{%- set description = "Ensure '" ~ parameter ~ "' is configured with value configured in " ~ xccdf_variable ~ " variable in " ~ sshd_config_path %}} +{{%- else -%}} {{%- set description = "Ensure '" ~ parameter ~ "' is configured with value '" ~ value ~ "' in " ~ sshd_config_path %}} +{{%- endif -%}} {{%- if config_is_distributed == "true" %}} {{%- set description = description ~ " or in " ~ sshd_config_dir -%}} {{%- endif %}} @@ -1082,7 +1104,7 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{% endif %}} {{%- if not missing_parameter_pass %}} - + {{% endif %}} 
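Review bot: `sshd_oval_check` gains `xccdf_variable` and `datatype` but its doc comment, which ends at `:type config_is_distributed: bool #}}` directly above the signature, is not extended; add `:param xccdf_variable: name of the XCCDF variable holding the expected value; when set, value is not used` with `:type xccdf_variable: str`, and `:param datatype: OVAL datatype of the compared value` with `:type datatype: str`. Nothing in the new branch rejects a set `xccdf_variable` combined with an empty `datatype`, which is only passed through to the state macro; failing the build at this point (with the project's Jinja `raise()` helper, if it is available in this environment) would give a clearer error than a malformed state element. The hunk at -1082 has lost its changed line in this rendering and cannot be reviewed; the macro body continues past the hunk.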
@@ -1113,18 +1135,30 @@ Generates the :code:`` tag for OVAL check using correct product platfo 1 + {{%- if xccdf_variable -%}} + {{{ oval_line_in_file_state_xccdf_variable(xccdf_variable, id_stem=rule_id ~ "_sshd_included_files", datatype=datatype) | indent (2) }}} + {{%- else -%}} {{{ oval_line_in_file_state(value, id_stem=rule_id ~ "_sshd_included_files") | indent (2) }}} + {{%- endif -%}} {{% endif %}} {{{ oval_line_in_file_test(sshd_config_path, parameter, avoid_conflicting=true ) | indent (2) }}} {{{ oval_line_in_file_object(sshd_config_path, parameter=parameter, ** case_insensitivity_kwargs)| indent (2) }}} + {{%- if xccdf_variable -%}} + {{{ oval_line_in_file_state_xccdf_variable(xccdf_variable, datatype=datatype) }}} + {{%- else -%}} {{{ oval_line_in_file_state(value) | indent (2) }}} + {{%- endif -%}} {{%- if config_is_distributed == "true" %}} {{{ oval_line_in_directory_test(sshd_config_dir, parameter, avoid_conflicting=true) | indent (2) }}} {{{ oval_line_in_directory_object(sshd_config_dir, parameter=parameter, ** case_insensitivity_kwargs) | indent (2) }}} + {{%- if xccdf_variable -%}} + {{{ oval_line_in_directory_state_xccdf_variable(xccdf_variable, datatype) | indent (2) }}} + {{%- else -%}} {{{ oval_line_in_directory_state(value) | indent (2) }}} + {{%- endif -%}} {{%- endif %}} {{% if not missing_parameter_pass %}} From 5cb119a4ba8fa27669ff27735c721a6349f68f76 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 16 Jul 2024 13:39:43 +0200 Subject: [PATCH 03/16] modify sshd_lineinfile OVAL template so that it uses XCCDF variable if supplied --- shared/templates/sshd_lineinfile/oval.template | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template index e70f9486ec0..478a9a78d95 100644 --- a/shared/templates/sshd_lineinfile/oval.template +++ b/shared/templates/sshd_lineinfile/oval.template 
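Review bot: In the top-level sshd_config block the new call `{{{ oval_line_in_file_state_xccdf_variable(xccdf_variable, datatype=datatype) }}}` is the only state call without `| indent (2)`; the `_sshd_included_files` call above it, the directory call below it and the `else` branch all pipe through `indent (2)`, so this one state will render at a different column from its siblings. Change it to `{{{ oval_line_in_file_state_xccdf_variable(xccdf_variable, datatype=datatype) | indent (2) }}}`. The enclosing macro `sshd_oval_check` starts in the hunk at -1037 and continues past this hunk.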
@@ -1 +1,5 @@ -{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config) }}} +{{%- if XCCDF_VARIABLE -%}} +{{{ sshd_oval_check(parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, datatype=DATATYPE) }}} +{{%- else -%}} +{{{ sshd_oval_check(parameter=PARAMETER, value=VALUE, missing_parameter_pass=MISSING_PARAMETER_PASS, config_is_distributed=sshd_distributed_config, datatype=DATATYPE) }}} +{{%- endif -%}} From b2f4d764c7b70ae301e746e97a6c074ac1b3801b Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 16 Jul 2024 13:41:39 +0200 Subject: [PATCH 04/16] update sshd_lineinfile bash template --- shared/templates/sshd_lineinfile/bash.template | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template index 79d889df429..ee1aeda6267 100644 --- a/shared/templates/sshd_lineinfile/bash.template +++ b/shared/templates/sshd_lineinfile/bash.template @@ -4,4 +4,9 @@ # complexity = low # disruption = low +{{% if XCCDF_VARIABLE %}} +{{{ bash_instantiate_variables(XCCDF_VARIABLE) }}} +{{{ bash_sshd_remediation(parameter=PARAMETER, value="$" ~ XCCDF_VARIABLE, config_is_distributed=sshd_distributed_config, config_basename=CONFIG_BASENAME) -}}} +{{% else %}} {{{ bash_sshd_remediation(parameter=PARAMETER, value=VALUE, config_is_distributed=sshd_distributed_config, config_basename=CONFIG_BASENAME) -}}} +{{% endif %}} From 05f8984130c9546c713d22bf23fc7c1c0ac67bdd Mon Sep 17 00:00:00 2001 
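Review bot: In bash.template the variable branch hands `"$" ~ XCCDF_VARIABLE` to `bash_sshd_remediation` without checking that the tailored value matches `DATATYPE`; for `datatype: int` a non-numeric tailoring value is written into sshd_config verbatim, and an invalid directive keeps sshd from starting, so unless the XCCDF Value's declared type already constrains it, a guard such as `{{% if DATATYPE == "int" %}}[[ "${{{ XCCDF_VARIABLE }}}" =~ ^[0-9]+$ ]] || exit 1{{% endif %}}` after `bash_instantiate_variables` would turn a silent misconfiguration into a reported remediation failure. The value comes from a profile or tailoring, so this is a robustness question rather than an injection one. The two `bash_sshd_remediation(...)` calls differ only in `value`; `{{%- set sshd_value = "$" ~ XCCDF_VARIABLE if XCCDF_VARIABLE else VALUE -%}}` followed by a single call, with `bash_instantiate_variables` kept inside the `if`, would remove the duplicated call (ansible.template in patch 06 has the same shape).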
From: Vojtech Polasek Date: Thu, 1 Aug 2024 14:28:18 +0200 Subject: [PATCH 05/16] bash macro set_config_file: essentially allow the value to be an integer as well the + character kinda forced the value to be a string because it refused to concatenate non-string instances of the value --- shared/macros/10-bash.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 960c90ab96c..5e0b8dc61ed 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1092,7 +1092,7 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2 #}} {{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", sed_path_separator="/") -%}} - {{%- set new_line = parameter+separator+value -%}} + {{%- set new_line = parameter+separator~value -%}} {{#- An escaped dollar in the parameter is escaped because of its significance for the shell, so when making a regex out of the parameter, we remove the shell escape, as the regex escape will do its thing. -#}} {{%- set line_regex = prefix_regex + ((parameter | replace("\\$", "$") | escape_regex) | replace("/", "\/")) + separator_regex -%}} if [ -e "{{{ path }}}" ] ; then From 170fcdc9a6aed196160cb7fdd4a820e82ec6fa0b Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 1 Aug 2024 15:23:19 +0200 Subject: [PATCH 06/16] modify the sshd_lineinfile ansible template to handle variables --- shared/templates/sshd_lineinfile/ansible.template | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/shared/templates/sshd_lineinfile/ansible.template b/shared/templates/sshd_lineinfile/ansible.template index d292f4fdb02..53c61683d01 100644 --- a/shared/templates/sshd_lineinfile/ansible.template +++ b/shared/templates/sshd_lineinfile/ansible.template 
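Review bot: `parameter+separator~value` mixes Jinja's `+` and `~` in one expression; `+` still requires `parameter` and `separator` to be strings and only `~` coerces `value`, so the line reads as if the coercion were accidental rather than the point of the commit. `{{%- set new_line = parameter ~ separator ~ value -%}}` applies the same stringification to all three operands and matches what the commit message describes. The `line_regex` line below keeps `+` over all-string operands, which works, but aligning both on `~` would make the macro consistent. `set_config_file` continues outside the hunk.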
@@ -3,6 +3,18 @@ # strategy = restrict # complexity = low # disruption = low + +{{% if XCCDF_VARIABLE %}} +{{{ ansible_instantiate_variables(XCCDF_VARIABLE) }}} +{{{ + ansible_sshd_set( + parameter=PARAMETER, + value="{{ "+XCCDF_VARIABLE+" }}", + config_is_distributed=sshd_distributed_config, + config_basename=CONFIG_BASENAME + ) +}}} +{{% else %}} {{{ ansible_sshd_set( parameter=PARAMETER, @@ -11,3 +23,4 @@ config_basename=CONFIG_BASENAME ) }}} + {{% endif %}} From a4fc19d46ac273143c220d2349bfa07cd3d8627e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 16 Jul 2024 13:34:29 +0200 Subject: [PATCH 07/16] update test scenarios so that they consider XCCDF variable --- shared/templates/sshd_lineinfile/tests/common.sh | 9 +++------ .../sshd_lineinfile/tests/correct_value.pass.sh | 5 ++++- .../tests/correct_value_directory.pass.sh | 6 +++++- .../correct_value_including_relative_path.pass.sh | 6 +++++- .../tests/correct_value_multiple_includes.pass.sh | 8 ++++++-- .../tests/duplicated_param.pass.sh | 10 ++++++++-- .../tests/duplicated_param_directory.pass.sh | 8 ++++++-- .../sshd_lineinfile/tests/param_conflict.fail.sh | 15 +++++++++------ .../tests/param_conflict_directory.fail.sh | 14 ++++++++------ .../param_conflict_file_with_directory.fail.sh | 13 +++++++------ ...param_conflict_including_relative_path.fail.sh | 13 +++++++------ .../param_conflict_multiple_includes.fail.sh | 15 +++++++-------- .../sshd_lineinfile/tests/wrong_value.fail.sh | 11 ++++++----- .../wrong_value_different_includings.fail.sh | 11 ++++++----- .../tests/wrong_value_directory.fail.sh | 11 ++++++----- .../wrong_value_including_relative_path.fail.sh | 11 ++++++----- 16 files changed, 99 insertions(+), 67 deletions(-) diff --git a/shared/templates/sshd_lineinfile/tests/common.sh b/shared/templates/sshd_lineinfile/tests/common.sh index f112d64a770..2f811821fde 100644 --- a/shared/templates/sshd_lineinfile/tests/common.sh +++ b/shared/templates/sshd_lineinfile/tests/common.sh 
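Review bot: The two `ansible_sshd_set(...)` calls in the new `if`/`else` differ only in `value`, so the whole multi-line call is duplicated; `{{%- set sshd_value = "{{ " ~ XCCDF_VARIABLE ~ " }}" if XCCDF_VARIABLE else VALUE -%}}` before a single call, with `ansible_instantiate_variables` kept inside the `if`, removes the copy. The closing `{{% endif %}}` added by the second hunk appears to carry a leading space that the opening `{{% if XCCDF_VARIABLE %}}` does not; this rendering makes that hard to confirm. Without `-` whitespace control the `if`/`else`/`endif` tags also leave blank lines in the rendered playbook, which is harmless but differs from the `{{%- ... -%}}` form used in oval.template in patch 03.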
@@ -1,13 +1,10 @@ #!/bin/bash -SSHD_PARAM={{{ PARAMETER }}} -SSHD_VAL={{{ VALUE }}} - mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "s/^${SSHD_PARAM}.*/# ${SSHD_PARAM} ${SSHD_VAL}/g" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "s/^{{{ PARAMETER }}}.*/# {{{ PARAMETER }}} {{{ CORRECT_VALUE }}}/g" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* else - echo "# ${SSHD_PARAM} ${SSHD_VAL}" >> /etc/ssh/sshd_config + echo "# {{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config fi diff --git a/shared/templates/sshd_lineinfile/tests/correct_value.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value.pass.sh index d3f79f3621b..53b44860172 100644 --- a/shared/templates/sshd_lineinfile/tests/correct_value.pass.sh +++ b/shared/templates/sshd_lineinfile/tests/correct_value.pass.sh @@ -2,4 +2,7 @@ source common.sh -{{{ bash_sshd_remediation(parameter=PARAMETER, value=VALUE, config_is_distributed=sshd_distributed_config) -}}} +{{%- if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} +{{{ bash_sshd_remediation(parameter=PARAMETER, value=CORRECT_VALUE, config_is_distributed=sshd_distributed_config) -}}} diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh index 7db352eda2d..6432aa5ce59 100644 --- a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh +++ b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh 
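Review bot: In common.sh `{{{ CORRECT_VALUE }}}` is now expanded directly into the `s/.../.../g` replacement, so a string-typed value containing `/` (a path, for instance) terminates the sed expression early and the scenario errors out; the `${SSHD_VAL}` form it replaces had the same exposure, but the rewrite is the moment to pick a delimiter the values cannot contain, e.g. `sed -i "s|^{{{ PARAMETER }}}.*|# {{{ PARAMETER }}} {{{ CORRECT_VALUE }}}|g" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*`. The grep and sed here match `{{{ PARAMETER }}}` case-sensitively while the `sed ".../Id"` used in the other scenarios of this commit is case-insensitive; whether that difference is intended is not clear from the hunk.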
@@ -8,4 +8,8 @@ source common.sh {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "/etc/ssh/sshd_config.d/*.conf", "%s %s") }}} {{% endif %}} -{{{ bash_sshd_remediation(parameter=PARAMETER, value=VALUE, config_is_distributed=sshd_distributed_config) -}}} +{{%- if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{%- endif %}} +{{{ bash_sshd_remediation(parameter=PARAMETER, value=CORRECT_VALUE, config_is_distributed=sshd_distributed_config) -}}} + diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_including_relative_path.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_including_relative_path.pass.sh index 408f0d3d01b..e6e1283efdd 100644 --- a/shared/templates/sshd_lineinfile/tests/correct_value_including_relative_path.pass.sh +++ b/shared/templates/sshd_lineinfile/tests/correct_value_including_relative_path.pass.sh @@ -6,4 +6,8 @@ source common.sh {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "sshd_config.d/*.conf", "%s %s") }}} -echo "{{{ PARAMETER }}} {{{ VALUE }}}" >> /etc/ssh/sshd_config.d/other.conf +{{%- if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{%- endif %}} + +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config.d/other.conf diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_multiple_includes.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_multiple_includes.pass.sh index c4677e8be8d..be48ed85d29 100644 --- a/shared/templates/sshd_lineinfile/tests/correct_value_multiple_includes.pass.sh +++ b/shared/templates/sshd_lineinfile/tests/correct_value_multiple_includes.pass.sh 
@@ -7,5 +7,9 @@ source common.sh {{{ bash_replace_or_append("/etc/ssh/sshd_config", " InCLude", "sshd_config.d/*.conf", "%s %s") }}} echo " INclUde /etc/dummy" >> "/etc/ssh/sshd_config" -echo "{{{ PARAMETER }}} {{{ VALUE }}}" >> /etc/dummy -echo "{{{ PARAMETER }}} {{{ VALUE }}}" >> /etc/ssh/sshd_config.d/other.conf +{{%- if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{%- endif %}} + +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/dummy +echo "{{{ PARAMETER }}} {{{ correct_VALUE }}}" >> /etc/ssh/sshd_config.d/other.conf diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param.pass.sh index 2f902953068..aac35afbcad 100644 --- a/shared/templates/sshd_lineinfile/tests/duplicated_param.pass.sh +++ b/shared/templates/sshd_lineinfile/tests/duplicated_param.pass.sh @@ -1,5 +1,7 @@ #!/bin/bash + + mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing @@ -7,5 +9,9 @@ if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi -echo "{{{ PARAMETER }}} {{{ VALUE }}}" >> /etc/ssh/sshd_config -echo "{{{ PARAMETER }}} {{{ VALUE }}}" >> /etc/ssh/sshd_config +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} + +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh index e0cd64de1f6..c5390ff134b 100644 --- a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh +++ b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh 
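Review bot: The last added line of correct_value_multiple_includes.pass.sh expands `{{{ correct_VALUE }}}` while every other scenario in this commit uses `{{{ CORRECT_VALUE }}}`; as the surrounding files show, template parameters are exposed in upper case, so this name does not resolve and the line written to /etc/ssh/sshd_config.d/other.conf either loses its value or fails to render, depending on how undefined names are treated. Change it to `echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config.d/other.conf`. A pass scenario that writes the parameter with an empty value would not exercise what its name promises.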
@@ -13,5 +13,9 @@ if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi -echo "{{{ PARAMETER }}} {{{ VALUE }}}" >> /etc/ssh/sshd_config.d/first.conf -echo "{{{ PARAMETER }}} {{{ VALUE }}}" >> /etc/ssh/sshd_config.d/second.conf +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} + +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config.d/first.conf +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config.d/second.conf diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict.fail.sh index 1e44f6b0d8a..8429f10b82b 100644 --- a/shared/templates/sshd_lineinfile/tests/param_conflict.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/param_conflict.fail.sh @@ -1,14 +1,17 @@ #!/bin/bash -SSHD_PARAM={{{ PARAMETER }}} -SSHD_VAL={{{ VALUE }}} + +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} + mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi -echo "${SSHD_PARAM} ${SSHD_VAL}" >> /etc/ssh/sshd_config -echo "${SSHD_PARAM} bad_val" >> /etc/ssh/sshd_config +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config +echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" >> /etc/ssh/sshd_config diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh index fd2cfeb1070..7d55e3d0d61 100644 
--- a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh @@ -2,8 +2,10 @@ # platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu -SSHD_PARAM={{{ PARAMETER }}} -SSHD_VAL={{{ VALUE }}} + +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing @@ -12,9 +14,9 @@ touch /etc/ssh/sshd_config.d/nothing {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "/etc/ssh/sshd_config.d/*.conf", "%s %s") }}} {{% endif %}} -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi -echo "${SSHD_PARAM} ${SSHD_VAL}" > /etc/ssh/sshd_config.d/good_config.conf -echo "${SSHD_PARAM} bad_val" > /etc/ssh/sshd_config.d/bad_config.conf +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" > /etc/ssh/sshd_config.d/good_config.conf +echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > /etc/ssh/sshd_config.d/bad_config.conf diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh index 2322e1d7c84..c686804837e 100644 --- a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh 
@@ -2,8 +2,9 @@ # platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu -SSHD_PARAM={{{ PARAMETER }}} -SSHD_VAL={{{ VALUE }}} +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing @@ -12,9 +13,9 @@ touch /etc/ssh/sshd_config.d/nothing {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "/etc/ssh/sshd_config.d/*.conf", "%s %s") }}} {{% endif %}} -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi -echo "${SSHD_PARAM} ${SSHD_VAL}" >> /etc/ssh/sshd_config -echo "${SSHD_PARAM} bad_val" > /etc/ssh/sshd_config.d/bad_config.conf +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config +echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > /etc/ssh/sshd_config.d/bad_config.conf diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_including_relative_path.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_including_relative_path.fail.sh index cafe341bf03..a1355374211 100644 --- a/shared/templates/sshd_lineinfile/tests/param_conflict_including_relative_path.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/param_conflict_including_relative_path.fail.sh 
@@ -2,17 +2,18 @@ # platform = Oracle Linux 8,Oracle Linux 9 -SSHD_PARAM={{{ PARAMETER }}} -SSHD_VAL={{{ VALUE }}} +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "sshd_config.d/*.conf", "%s %s") }}} -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi -echo "${SSHD_PARAM} ${SSHD_VAL}" > /etc/ssh/sshd_config.d/good_config.conf -echo "${SSHD_PARAM} bad_val" > /etc/ssh/sshd_config.d/bad_config.conf +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" > /etc/ssh/sshd_config.d/good_config.conf +echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > /etc/ssh/sshd_config.d/bad_config.conf diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_multiple_includes.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_multiple_includes.fail.sh index 64b4e156f1b..25db457ed4a 100644 --- a/shared/templates/sshd_lineinfile/tests/param_conflict_multiple_includes.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/param_conflict_multiple_includes.fail.sh @@ -2,8 +2,9 @@ # platform = Oracle Linux 8,Oracle Linux 9 -SSHD_PARAM={{{ PARAMETER }}} -SSHD_VAL={{{ VALUE }}} +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing 
@@ -11,11 +12,9 @@ touch /etc/ssh/sshd_config.d/nothing {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "sshd_config.d/*.conf", "%s %s") }}} echo "Include /etc/bad_config.conf" >> "/etc/ssh/sshd_config" -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi -echo "${SSHD_PARAM} ${SSHD_VAL}" > /etc/ssh/sshd_config.d/good_config.conf -echo "${SSHD_PARAM} bad_val" > /etc/bad_config.conf - - +echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" > /etc/ssh/sshd_config.d/good_config.conf +echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > /etc/bad_config.conf diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value.fail.sh index 0a28fab4d9c..a03bbbca235 100644 --- a/shared/templates/sshd_lineinfile/tests/wrong_value.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/wrong_value.fail.sh @@ -1,13 +1,14 @@ #!/bin/bash -SSHD_PARAM={{{ PARAMETER }}} -SSHD_VAL="bad_val" +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi -echo "${SSHD_PARAM} ${SSHD_VAL}" >> /etc/ssh/sshd_config +echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" >> /etc/ssh/sshd_config 
diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_different_includings.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_different_includings.fail.sh index 25d51274021..b5a31240295 100644 --- a/shared/templates/sshd_lineinfile/tests/wrong_value_different_includings.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/wrong_value_different_includings.fail.sh @@ -2,8 +2,9 @@ # platform = Oracle Linux 8,Oracle Linux 9 -SSHD_PARAM={{{ PARAMETER }}} -SSHD_VAL="bad_val" +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing @@ -25,10 +26,10 @@ echo "iNcLudE /etc/ssh/sshd_config.d/bad_config5.conf" >> /etc/ssh/sshd_config # Leading spaces include echo " Include /etc/ssh/sshd_config.d/bad_config6.conf" >> /etc/ssh/sshd_config -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi for i in {1..6}; do - echo "${SSHD_PARAM} ${SSHD_VAL}" > "/etc/ssh/sshd_config.d/bad_config${i}.conf" + echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > "/etc/ssh/sshd_config.d/bad_config${i}.conf" done diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh index 1810d779a16..983eb3fda37 100644 --- a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh 
@@ -2,8 +2,9 @@ # platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu -SSHD_PARAM={{{ PARAMETER }}} -SSHD_VAL="bad_val" +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing @@ -12,8 +13,8 @@ touch /etc/ssh/sshd_config.d/nothing {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "/etc/ssh/sshd_config.d/*.conf", "%s %s") }}} {{% endif %}} -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi -echo "${SSHD_PARAM} ${SSHD_VAL}" > /etc/ssh/sshd_config.d/bad_config.conf +echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > /etc/ssh/sshd_config.d/bad_config.conf diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_including_relative_path.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_including_relative_path.fail.sh index 9683f79ac12..bf8a2465ab6 100644 --- a/shared/templates/sshd_lineinfile/tests/wrong_value_including_relative_path.fail.sh +++ b/shared/templates/sshd_lineinfile/tests/wrong_value_including_relative_path.fail.sh 
@@ -2,16 +2,17 @@ # platform = Oracle Linux 8,Oracle Linux 9 -SSHD_PARAM={{{ PARAMETER }}} -SSHD_VAL="bad_val" +{{% if XCCDF_VARIABLE %}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +{{% endif %}} mkdir -p /etc/ssh/sshd_config.d touch /etc/ssh/sshd_config.d/nothing {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "sshd_config.d/*.conf", "%s %s") }}} -if grep -q "^\s*${SSHD_PARAM}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* +if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then + sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* fi -echo "${SSHD_PARAM} ${SSHD_VAL}" > /etc/ssh/sshd_config.d/bad_config.conf +echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > /etc/ssh/sshd_config.d/bad_config.conf From fc7e0ecfb6377e361eef70a1be7220d9146a14b3 Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Tue, 16 Jul 2024 13:40:57 +0200 Subject: [PATCH 08/16] convert an example rule to templated one; sshd_set_keepalive --- .../sshd_set_keepalive/ansible/shared.yml | 8 -- .../sshd_set_keepalive/bash/shared.sh | 5 -- .../sshd_set_keepalive/oval/shared.xml | 75 ------------------- .../ssh_server/sshd_set_keepalive/rule.yml | 8 ++ .../sshd_set_keepalive/tests/comment.fail.sh | 10 --- .../tests/correct_value.pass.sh | 10 --- .../tests/correct_value_dot_dir.pass.sh | 16 ---- .../tests/line_not_there.fail.sh | 4 - .../tests/param_conflict.fail.sh | 12 --- .../tests/param_conflict_directory.fail.sh | 13 ---- .../tests/wrong_value.fail.sh | 10 --- .../tests/wrong_value_dot_dir.fail.sh | 16 ---- 12 files changed, 8 insertions(+), 179 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/comment.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value.pass.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/line_not_there.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml deleted file mode 100644 index be6b3672f5b..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml +++ /dev/null @@ -1,8 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian -# reboot = false -# strategy = restrict -# complexity = low -# disruption = low -{{{ ansible_instantiate_variables("var_sshd_set_keepalive") }}} - -{{{ ansible_sshd_set(parameter="ClientAliveCountMax", value="{{ var_sshd_set_keepalive }}") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh deleted file mode 100644 index e777ce8fe61..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh +++ /dev/null @@ -1,5 +0,0 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian - -{{{ bash_instantiate_variables("var_sshd_set_keepalive") }}} - -{{{ bash_sshd_config_set(parameter="ClientAliveCountMax", value="$var_sshd_set_keepalive") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml deleted file mode 100644 index 69a7f83de82..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml +++ /dev/null 
@@ -1,75 +0,0 @@ - - - {{{ oval_metadata("The SSH ClientAliveCountMax should be set to an appropriate value (and - dependencies are met)") }}} - - - - {{% if product in ['opensuse', 'sle12','sle15'] %}} - - {{% else %}} - - {{% endif %}} - - - - {{% if product in ['opensuse', 'sle12','sle15'] %}} - - {{% else %}} - - {{% endif %}} - - - {{%- if sshd_distributed_config == "true" %}} - - {{%- endif %}} - - - - - - - - - - - - /etc/ssh/sshd_config - ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) - 1 - - - - - - - {{%- if sshd_distributed_config == "true" %}} - - - - - - - /etc/ssh/sshd_config.d - .*\.conf$ - ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) - 1 - - {{%- endif %}} - - - diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml index 351c76ae8f6..cf13d46f4a5 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml @@ -72,3 +72,11 @@ ocil: |- functionality completely. If the option is set to a number greater than 0, then the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message. + +template: + name: sshd_lineinfile + vars: + parameter: ClientAliveCountMax + rule_id: sshd_set_keepalive + xccdf_variable: var_sshd_set_keepalive + datatype: int diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/comment.fail.sh deleted file mode 100644 index 00717a96112..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/comment.fail.sh +++ /dev/null 
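Review bot: The template block added at the end of rule.yml carries only `parameter`, `rule_id`, `xccdf_variable` and `datatype`, while the OVAL deleted earlier in this section branched on `product in ['opensuse', 'sle12','sle15']` and on `sshd_distributed_config`; nothing in this series shows the sshd_lineinfile template reproducing those branches, so that equivalence should be confirmed (the template's OVAL is not in view here). Likewise the deleted `comment.fail.sh`, `param_conflict.fail.sh` and `param_conflict_directory.fail.sh` scenarios have no visible templated counterpart; if the template's generated tests do not exercise a commented-out directive or conflicting duplicate directives, those cases become untested for this rule. Naming the template scenarios that replace the deleted ones, in the commit message or in the template documentation, would make the coverage change reviewable.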
@@ -1,10 +0,0 @@ -#!/bin/bash -# variables = var_sshd_set_keepalive=1 - -SSHD_CONFIG="/etc/ssh/sshd_config" - -if grep -q "^ClientAliveCountMax" $SSHD_CONFIG; then - sed -i "s/^ClientAliveCountMax.*/# ClientAliveCountMax 1/" $SSHD_CONFIG -else - echo "# ClientAliveCountMax 1" >> $SSHD_CONFIG -fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value.pass.sh deleted file mode 100644 index 608e4b729a3..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value.pass.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# variables = var_sshd_set_keepalive=1 - -SSHD_CONFIG="/etc/ssh/sshd_config" - -if grep -q "^ClientAliveCountMax" $SSHD_CONFIG; then - sed -i "s/^ClientAliveCountMax.*/ClientAliveCountMax 1/" $SSHD_CONFIG -else - echo "ClientAliveCountMax 1" >> $SSHD_CONFIG -fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh deleted file mode 100644 index 8c774768ce3..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 -# variables = var_sshd_set_keepalive=1 - -SSHD_CONFIG="/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" - -. "$SHARED/utilities.sh" - -mkdir -p /etc/ssh/sshd_config.d -touch /etc/ssh/sshd_config.d/nothing - -if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -fi - -assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 1" 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/line_not_there.fail.sh deleted file mode 100644 index e994acdcde3..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/line_not_there.fail.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -# variables = var_sshd_set_keepalive=1 - -sed -i "/^ClientAliveCountMax.*/d" /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh deleted file mode 100644 index a0d96a73436..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -# variables = var_sshd_set_keepalive=1 - -mkdir -p /etc/ssh/sshd_config.d -touch /etc/ssh/sshd_config.d/nothing - -if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -fi - -echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config -echo "ClientAliveCountMax 1" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh deleted file mode 100644 index acbca14d897..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 -# variables = var_sshd_set_keepalive=1 - -mkdir -p /etc/ssh/sshd_config.d -touch /etc/ssh/sshd_config.d/nothing - -if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -fi - -echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/good_config.conf -echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/bad_config.conf diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value.fail.sh deleted file mode 100644 index a7581922608..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value.fail.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# variables = var_sshd_set_keepalive=1 - -SSHD_CONFIG="/etc/ssh/sshd_config" - -if grep -q "^ClientAliveCountMax" $SSHD_CONFIG; then - sed -i "s/^ClientAliveCountMax.*/ClientAliveCountMax 50/" $SSHD_CONFIG -else - echo "ClientAliveCountMax 50" >> $SSHD_CONFIG -fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh deleted file mode 100644 index 17f1bd721a9..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh +++ /dev/null 
@@ -1,16 +0,0 @@ -#!/bin/bash -# platform = multi_platform_fedora,Red Hat Enterprise Linux 9 -# variables = var_sshd_set_keepalive=1 - -SSHD_CONFIG="/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" - -. "$SHARED/utilities.sh" - -mkdir -p /etc/ssh/sshd_config.d -touch /etc/ssh/sshd_config.d/nothing - -if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then - sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* -fi - -assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 0" From c5091bb7be2c84ad9dd811499cb5070cc6dcc7d1 Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Thu, 1 Aug 2024 16:01:58 +0200 Subject: [PATCH 09/16] add the datatype parameter to all rules templated with sshd_lineinfile template --- .../guide/services/ssh/ssh_server/disable_host_auth/rule.yml | 1 + .../ssh/ssh_server/sshd_disable_empty_passwords/rule.yml | 1 + .../services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml | 1 + .../services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml | 1 + .../services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml | 1 + .../guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml | 1 + .../services/ssh/ssh_server/sshd_disable_root_login/rule.yml | 1 + .../ssh/ssh_server/sshd_disable_root_password_login/rule.yml | 1 + .../services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml | 1 + .../ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml | 1 + .../services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 1 + .../services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml | 1 + .../services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml | 1 + linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml | 1 + .../services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml | 1 + .../services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml | 1 + .../services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml | 1 + .../ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml | 1 + .../services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml | 1 + .../guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml | 1 + .../guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 + .../services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml | 1 + .../services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 + .../guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml | 1 + .../services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml | 1 + 25 files changed, 25 insertions(+) 
diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml index b973ca6e5e8..e49dacd3890 100644 --- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml @@ -64,4 +64,5 @@ template: parameter: HostbasedAuthentication rule_id: disable_host_auth value: 'no' + datatype: string is_default_value: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml index 9094310a0a7..a510710acd3 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml @@ -71,4 +71,5 @@ template: parameter: PermitEmptyPasswords rule_id: sshd_disable_empty_passwords value: 'no' + datatype: string is_default_value: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml index 42f75821eff..9dfadd82a5a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml @@ -57,4 +57,5 @@ template: parameter: GSSAPIAuthentication rule_id: sshd_disable_gssapi_auth value: 'no' + datatype: string is_default_value: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml index 166cdd19060..cdbf047cf55 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml 
@@ -58,4 +58,5 @@ template: parameter: KerberosAuthentication rule_id: sshd_disable_kerb_auth value: 'no' + datatype: string is_default_value: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml index bc5c4872c8d..736d9a14fd9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml @@ -27,3 +27,4 @@ template: parameter: PubkeyAuthentication rule_id: sshd_disable_pubkey_auth value: 'no' + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml index 0966c3078a3..997b47ebe3f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml @@ -60,4 +60,5 @@ template: parameter: IgnoreRhosts rule_id: sshd_disable_rhosts value: 'yes' + datatype: string is_default_value: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml index 112b45b7c73..9cdb34efd30 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml @@ -72,3 +72,4 @@ template: parameter: PermitRootLogin rule_id: sshd_disable_root_login value: 'no' + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml index a3adc6b2364..0ec68c0a56f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml 
@@ -36,3 +36,4 @@ template: parameter: PermitRootLogin rule_id: sshd_disable_root_password_login value: 'prohibit-password' + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml index 97a19fa3ddf..233898ca418 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml @@ -37,3 +37,4 @@ template: parameter: AllowTcpForwarding rule_id: sshd_disable_tcp_forwarding value: 'no' + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml index 842073fa51b..793fb538fd1 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml @@ -56,3 +56,4 @@ template: parameter: IgnoreUserKnownHosts rule_id: sshd_disable_user_known_hosts value: 'yes' + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index ef31be0ac3f..0e8b7139b64 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -60,4 +60,5 @@ template: parameter: X11Forwarding rule_id: sshd_disable_x11_forwarding value: 'no' + datatype: string is_default_value: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml index 2094afabd8c..98a6f19c0b6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml @@ -66,4 +66,5 @@ template: parameter: PermitUserEnvironment rule_id: sshd_do_not_permit_user_env value: 'no' + datatype: string is_default_value: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml index 72ea7a025b5..c1e773009a2 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml @@ -29,3 +29,4 @@ template: parameter: GSSAPIAuthentication rule_id: sshd_enable_gssapi_auth value: 'yes' + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml index 7340403acb4..04f983418ac 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml @@ -45,6 +45,7 @@ template: parameter: UsePAM rule_id: sshd_enable_pam value: 'yes' + datatype: string fixtext: |- {{{ fixtext_sshd_lineinfile('UsePAM', 'yes') }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml index 90e53f13c2e..8beb1118cf9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml @@ -47,3 +47,4 @@ template: parameter: PubkeyAuthentication rule_id: sshd_enable_pubkey_auth value: 'yes' + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml index 51a2f96e1b5..d8768eb7186 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml @@ -59,4 +59,5 @@ template: parameter: StrictModes rule_id: sshd_enable_strictmodes value: 'yes' + datatype: string is_default_value: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml index 47695299dc1..f4d5b32119f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml @@ -67,3 +67,4 @@ template: parameter: Banner rule_id: sshd_enable_warning_banner value: /etc/issue + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml index 1d35f4945f2..95eaf62954b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml @@ -53,3 +53,4 @@ template: parameter: Banner rule_id: sshd_enable_warning_banner_net value: /etc/issue.net + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml index 80f48cf7740..5fce04cee83 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml @@ -44,3 +44,4 @@ template: parameter: X11Forwarding rule_id: sshd_enable_x11_forwarding value: 'yes' + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml index da7d9fc431b..673c149f6b3 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml @@ -54,4 +54,5 @@ template: parameter: PrintLastLog rule_id: sshd_print_last_log value: 'yes' + datatype: string is_default_value: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml index d2951cd20cd..99d555980d8 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml @@ -73,5 +73,6 @@ template: vars: parameter: "ClientAliveCountMax" value: "0" + datatype: int backends: kubernetes: "off" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml index e8ad0e5047b..68c4782fbd6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml @@ -46,4 +46,5 @@ template: parameter: LogLevel rule_id: sshd_set_loglevel_info value: INFO + datatype: string is_default_value: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml index a3029ce27ba..63239751d6f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml @@ -53,3 +53,4 @@ template: parameter: LogLevel rule_id: sshd_set_loglevel_verbose value: VERBOSE + datatype: string diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml index f138fc68b61..eb448d4c8da 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml 
@@ -61,4 +61,5 @@ template: path: '/etc/sysconfig/sshd' parameter: 'SSH_USE_STRONG_RNG' value: '32' + datatype: int no_quotes: 'true' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml index da0460ad141..29c8b91b81e 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml @@ -57,4 +57,5 @@ template: parameter: X11UseLocalhost rule_id: sshd_x11_use_localhost value: 'yes' + datatype: string is_default_value: 'true' From 8b773134c6e03d78ba8b0741326b3d671068c6ac Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 1 Aug 2024 16:02:21 +0200 Subject: [PATCH 10/16] update the documentation of sshd_lineinfile template. --- docs/templates/template_reference.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index 911aa609d4c..6ab0dcfaa8b 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -795,6 +795,14 @@ When the remediation is applied duplicate occurrences of `key` are removed. - **value** - value of the SSH configuration option specified by **parameter**, eg. `"no"`. + This cannot be specified together with the **xccdf_variable** parameter. + + - **xccdf_variable** - specifies an XCCDF variable to use as a value for the specified **parameter**. + This parameter conflicts with the **value** parameter. + + - **datatype** - specifies the datatype of the **value** or **xccdf_variable**. + Possible options are **int** or **string**. + The datatype is utilized for creation of correct templated test scenarios. - **missing_parameter_pass** - effective only in OVAL checks, if set to `"false"` and the parameter is not present in the From 956fffaede256811102cfb0d5e82ce586040c19a Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Thu, 1 Aug 2024 16:26:25 +0200 Subject: [PATCH 11/16] document new parameters for the sshd_oval_check macro --- shared/macros/10-oval.jinja | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 439b6a45533..f79917365e8 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1053,6 +1053,10 @@ datatype="{{{ datatype }}}" version="1"> :type missing_parameter_pass: bool :param config_is_distributed: Is the param in /etc/sshd_config.d vs just /etc/ssh/sshd_config :type config_is_distributed: bool +:param xccdf_variable: the name of an XCCDF variable carrying the value, this conflicts with the value parameter +:type xccdf_variable: str +:param datatype: a data type of the value +:type datatype: str #}} {{%- macro sshd_oval_check(parameter, value, missing_parameter_pass, config_is_distributed, xccdf_variable="", datatype="") -%}} From 3ac6f5d65a1c2a51414a59f6dde6a3c195e08b6e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 1 Aug 2024 17:06:41 +0200 Subject: [PATCH 12/16] template.py: prevent specification of value and xccdf_variable at the same time --- shared/templates/sshd_lineinfile/template.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shared/templates/sshd_lineinfile/template.py b/shared/templates/sshd_lineinfile/template.py index 90165d46965..82685617f56 100644 --- a/shared/templates/sshd_lineinfile/template.py +++ b/shared/templates/sshd_lineinfile/template.py 
@@ -2,6 +2,9 @@ def preprocess(data, lang):
+ if data.get("value") is not None and data.get("xccdf_variable") is not None:
+ errmsg = "The template definition of {0} specifies both value and xccdf_variable. This is forbidden.".format(data["_rule_id"])
+ raise ValueError(errmsg)
 if data["datatype"] not in ["string", "int"]:
 errmsg = "The template instance of the rule {0} contains invalid datatype. It must be either 'string' or 'int'".format(data["_rule_id"])
 raise ValueError(errmsg)
From c453156af02b3d787abcff166867102c87f72063 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 8 Aug 2024 10:23:18 +0200 Subject: [PATCH 13/16] do not specify rule_id as a template parameter. It is effectivelly not used and will be removed in the future. The build system does not need this passed, it knows it already. --- .../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
index cf13d46f4a5..d0fe7b739ed 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -77,6 +77,5 @@ template:
 name: sshd_lineinfile
 vars:
 parameter: ClientAliveCountMax
- rule_id: sshd_set_keepalive
 xccdf_variable: var_sshd_set_keepalive
 datatype: int
From f250db8a382a5d53718037203a918860928a6ec8 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 8 Aug 2024 10:55:51 +0200 Subject: [PATCH 14/16] modify oval_line_in_file_macros so that the variable is declared independently of the OVAL state. This prevents creating of duplicate local_variables which in the end reference the same XCCDF variable (through external_variable). --- shared/macros/10-oval.jinja | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)
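Review bot: The datatype validation directly below the new check still reads `data["datatype"]` with a subscript, so a rule that omits `datatype` (which PATCH 09 now expects on every sshd_lineinfile instance) fails with a bare KeyError instead of the rule-naming ValueError this branch was written to produce; `if data.get("datatype") not in ["string", "int"]:` keeps the intended message, unless the template loader supplies a default that is not visible here. The same line is re-added verbatim by the rewritten `preprocess` in the last hunk of PATCH 15, so the fix applies there too. The new check also rejects only the case where both `value` and `xccdf_variable` are present, while the test-scenario code introduced in PATCH 01 treats a missing `value` as "an XCCDF variable is used"; if a rule with neither is not a supported configuration, rejecting it explicitly with `if data.get("value") is None and not data.get("xccdf_variable"):` would surface the misconfiguration at build time instead of generating scenarios for a rule with no value source.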
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index f79917365e8..f5ca560d387 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -336,18 +336,20 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} -{{%- macro oval_line_in_file_state_xccdf_variable(var_name='', id_stem='', datatype='') -%}} -{{%- set id_stem = id_stem or rule_id -%}} - +{{% endmacro %}} +{{%- macro oval_line_in_file_state_xccdf_variable(var_name='', id_stem='', datatype='') -%}} +{{%- set id_stem = id_stem or rule_id -%}} - + {{%- endmacro -%}} @@ -1115,6 +1117,10 @@ datatype="{{{ datatype }}}" version="1"> +{{% if xccdf_variable %}} +{{{ oval_line_in_file_define_variable(xccdf_variable, datatype) }}} +{{% endif %}} + {{% if product in ["ol8", "ol9"] %}} {{{ oval_line_in_file_object(sshd_config_path, parameter="include", id_stem="sshd_include_value_" ~ rule_id, ** case_insensitivity_kwargs)| indent (2) }}} Date: Thu, 8 Aug 2024 11:08:48 +0200 Subject: [PATCH 15/16] apply suggestions provided by Codeclimate extract setting of test scenario variables to a separate function split long strings to multiple lines --- shared/templates/sshd_lineinfile/template.py | 43 ++++++++++++-------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/shared/templates/sshd_lineinfile/template.py b/shared/templates/sshd_lineinfile/template.py index 82685617f56..f553c9444a4 100644 --- a/shared/templates/sshd_lineinfile/template.py +++ b/shared/templates/sshd_lineinfile/template.py 
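Review bot: In the second hunk `oval_line_in_file_define_variable(xccdf_variable, datatype)` is emitted whenever `xccdf_variable` is set, but `datatype` defaults to `""` in the `sshd_oval_check` signature documented in PATCH 11, so a direct caller that passes `xccdf_variable` without `datatype` gets a variable declaration with an empty datatype; the validation in `template.py` only protects rules that go through the template. Either the macro should refuse that combination or the parameter documentation should state the dependency, e.g. `:param datatype: a data type of the value; required whenever xccdf_variable is set`. The first hunk's macro bodies are not readable in this rendering, so whether the define macro itself guards against an empty datatype cannot be confirmed from here.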
@@ -1,26 +1,10 @@ from ssg.utils import parse_template_boolean_value
-def preprocess(data, lang):
- if data.get("value") is not None and data.get("xccdf_variable") is not None:
- errmsg = "The template definition of {0} specifies both value and xccdf_variable. This is forbidden.".format(data["_rule_id"])
- raise ValueError(errmsg)
- if data["datatype"] not in ["string", "int"]:
- errmsg = "The template instance of the rule {0} contains invalid datatype. It must be either 'string' or 'int'".format(data["_rule_id"])
- raise ValueError(errmsg)
- data["missing_parameter_pass"] = parse_template_boolean_value(
- data, parameter="missing_parameter_pass", default_value=False)
-
- is_default_value = parse_template_boolean_value(
- data, parameter="is_default_value", default_value=False)
- if is_default_value:
- data["config_basename"] = "01-complianceascode-reinforce-os-defaults.conf"
- else:
- data["config_basename"] = "00-complianceascode-hardening.conf"
-
- # set variables used in test scenarios
+def set_variables_for_test_scenarios(data):
 if data["datatype"] == "int":
 if not data.get("value"):
+ # this implies XCCDF variable is used
 data["wrong_value"] = 123456
 data["correct_value"] = 0
 else:
@@ -28,6 +12,7 @@ def preprocess(data, lang):
 data["correct_value"] = str(data["value"])
 elif data["datatype"] == "string":
 if not data.get("value"):
+ # this implies XCCDF variable is used
 data["wrong_value"] = "wrong_value"
 data["correct_value"] = "correct_value"
 else:
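Review bot: `set_variables_for_test_scenarios` decides that an XCCDF variable is in use with `if not data.get("value")` (in both hunks), whereas the rewritten `preprocess` in the next hunk tests `data.get("value") is not None`; a present but falsy value (an unquoted `0` in rule YAML, if the loader delivers it as an int — sshd_set_keepalive_0 keeps it quoted as "0") would silently take the variable branch. Using `if data.get("value") is None:` in both places keeps the two checks consistent with the new comment. The int branch also stores `123456` and `0` as ints while every other branch stores strings, so consumers of `wrong_value`/`correct_value` see mixed types; `data["wrong_value"] = "123456"` and `data["correct_value"] = "0"` would match the rest. The function body continues past the end of the first hunk and its last two assignments lie outside the second.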
@@ -35,3 +20,25 @@ def preprocess(data, lang):
             data["correct_value"] = str(data["value"])
     return data
+
+
+def preprocess(data, lang):
+    if data.get("value") is not None and data.get("xccdf_variable") is not None:
+        errmsg = ("The template definition of {0} specifies both value and xccdf_variable."
+                  "This is forbidden.".format(data["_rule_id"]))
+        raise ValueError(errmsg)
+    if data["datatype"] not in ["string", "int"]:
+        errmsg = ("The template instance of the rule {0} contains invalid datatype."
+                  "It must be either 'string' or 'int'".format(data["_rule_id"]))
+        raise ValueError(errmsg)
+    data["missing_parameter_pass"] = parse_template_boolean_value(
+        data, parameter="missing_parameter_pass", default_value=False)
+
+    is_default_value = parse_template_boolean_value(
+        data, parameter="is_default_value", default_value=False)
+    if is_default_value:
+        data["config_basename"] = "01-complianceascode-reinforce-os-defaults.conf"
+    else:
+        data["config_basename"] = "00-complianceascode-hardening.conf"
+
+    return set_variables_for_test_scenarios(data)
From b7b820d41df3162d76d454684b2dbb0f442e3d85 Mon Sep 17 00:00:00 2001
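Review bot: Splitting the two error messages across adjacent string literals dropped the separating space, so the messages now read "...both value and xccdf_variable.This is forbidden." and "...contains invalid datatype.It must be either 'string' or 'int'"; the first literal of each pair needs a trailing space. The rewritten `preprocess` also only rejects a rule that sets both `value` and `xccdf_variable`, not one that sets neither: such a rule passes validation, `set_variables_for_test_scenarios` then labels it as XCCDF-driven, and the jinja hunk earlier in this series emits no variable definition for it, so the problem presumably shows up only as a broken OVAL check or a test scenario that passes vacuously rather than as a build-time error. Using `data.get("datatype")` in the datatype check would likewise turn a missing datatype into the template's own message instead of a bare KeyError. A docstring stating that exactly one of `value` / `xccdf_variable` is required and that `datatype` must be 'string' or 'int' would document the contract the checks enforce.

```python
def preprocess(data, lang):
    if data.get("value") is not None and data.get("xccdf_variable") is not None:
        errmsg = ("The template definition of {0} specifies both value and xccdf_variable. "
                  "This is forbidden.".format(data["_rule_id"]))
        raise ValueError(errmsg)
    if data.get("value") is None and data.get("xccdf_variable") is None:
        errmsg = ("The template definition of {0} specifies neither value nor xccdf_variable. "
                  "Exactly one of them is required.".format(data["_rule_id"]))
        raise ValueError(errmsg)
    if data.get("datatype") not in ["string", "int"]:
        errmsg = ("The template instance of the rule {0} contains invalid datatype. "
                  "It must be either 'string' or 'int'".format(data["_rule_id"]))
        raise ValueError(errmsg)
    # … unchanged: missing_parameter_pass, config_basename, return …
```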
From: Vojtech Polasek Date: Thu, 8 Aug 2024 11:48:31 +0200 Subject: [PATCH 16/16] remove rule_id template parameter from rremaining rules --- .../guide/services/ssh/ssh_server/disable_host_auth/rule.yml | 1 - .../ssh/ssh_server/sshd_disable_empty_passwords/rule.yml | 1 - .../services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml | 1 - .../services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml | 1 - .../services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml | 1 - .../guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml | 1 - .../services/ssh/ssh_server/sshd_disable_root_login/rule.yml | 1 - .../ssh/ssh_server/sshd_disable_root_password_login/rule.yml | 1 - .../services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml | 1 - .../ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml | 1 - .../services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 1 - .../services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml | 1 - .../services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml | 1 - linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml | 1 - .../services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml | 1 - .../services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml | 1 - .../services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml | 1 - .../ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml | 1 - .../services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml | 1 - .../guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml | 1 - .../services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml | 1 - .../services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml | 1 - .../services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml | 1 - 23 files changed, 23 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml index e49dacd3890..a11c658f253 100644 --- a/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml 
+++ b/linux_os/guide/services/ssh/ssh_server/disable_host_auth/rule.yml
@@ -62,7 +62,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: HostbasedAuthentication
-        rule_id: disable_host_auth
         value: 'no'
         datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
index a510710acd3..8a6a62ecc33 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
@@ -69,7 +69,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PermitEmptyPasswords
-        rule_id: sshd_disable_empty_passwords
         value: 'no'
         datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
index 9dfadd82a5a..69a138e7e4e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
@@ -55,7 +55,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: GSSAPIAuthentication
-        rule_id: sshd_disable_gssapi_auth
         value: 'no'
         datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
index cdbf047cf55..01de7d15889 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
@@ -56,7 +56,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: KerberosAuthentication
-        rule_id: sshd_disable_kerb_auth
         value: 'no'
         datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml
index 736d9a14fd9..40509887010 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/rule.yml
@@ -25,6 +25,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PubkeyAuthentication
-        rule_id: sshd_disable_pubkey_auth
         value: 'no'
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
index 997b47ebe3f..b5e6ad620b9 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/rule.yml
@@ -58,7 +58,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: IgnoreRhosts
-        rule_id: sshd_disable_rhosts
         value: 'yes'
         datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
index 9cdb34efd30..d727458e0e8 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -70,6 +70,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PermitRootLogin
-        rule_id: sshd_disable_root_login
         value: 'no'
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml
index 0ec68c0a56f..764f3c7f093 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml
@@ -34,6 +34,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PermitRootLogin
-        rule_id: sshd_disable_root_password_login
         value: 'prohibit-password'
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
index 233898ca418..598de7b2ff2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_tcp_forwarding/rule.yml
@@ -35,6 +35,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: AllowTcpForwarding
-        rule_id: sshd_disable_tcp_forwarding
         value: 'no'
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
index 793fb538fd1..78a8f5724ff 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
@@ -54,6 +54,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: IgnoreUserKnownHosts
-        rule_id: sshd_disable_user_known_hosts
         value: 'yes'
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 0e8b7139b64..f520fbad55d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -58,7 +58,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: X11Forwarding
-        rule_id: sshd_disable_x11_forwarding
         value: 'no'
         datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
index 98a6f19c0b6..8c524bdcd55 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
@@ -64,7 +64,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PermitUserEnvironment
-        rule_id: sshd_do_not_permit_user_env
         value: 'no'
         datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml
index c1e773009a2..e94fbc15cad 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_gssapi_auth/rule.yml
@@ -27,6 +27,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: GSSAPIAuthentication
-        rule_id: sshd_enable_gssapi_auth
         value: 'yes'
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
index 04f983418ac..d862f19c364 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
@@ -43,7 +43,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: UsePAM
-        rule_id: sshd_enable_pam
         value: 'yes'
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml
index 8beb1118cf9..abf15c131db 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml
@@ -45,6 +45,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PubkeyAuthentication
-        rule_id: sshd_enable_pubkey_auth
         value: 'yes'
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
index d8768eb7186..3320ebf99f7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
@@ -57,7 +57,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: StrictModes
-        rule_id: sshd_enable_strictmodes
         value: 'yes'
         datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
index f4d5b32119f..854801bdda7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -65,6 +65,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: Banner
-        rule_id: sshd_enable_warning_banner
         value: /etc/issue
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml
index 95eaf62954b..47453a362f3 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml
@@ -51,6 +51,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: Banner
-        rule_id: sshd_enable_warning_banner_net
         value: /etc/issue.net
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 5fce04cee83..858708828d8 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -42,6 +42,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: X11Forwarding
-        rule_id: sshd_enable_x11_forwarding
         value: 'yes'
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
index 673c149f6b3..fbe119dfc3d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
@@ -52,7 +52,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: PrintLastLog
-        rule_id: sshd_print_last_log
         value: 'yes'
         datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
index 68c4782fbd6..07b163fa05d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
@@ -44,7 +44,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: LogLevel
-        rule_id: sshd_set_loglevel_info
         value: INFO
         datatype: string
         is_default_value: 'true'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index 63239751d6f..3fa22a16351 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -51,6 +51,5 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: LogLevel
-        rule_id: sshd_set_loglevel_verbose
         value: VERBOSE
         datatype: string
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index 29c8b91b81e..6fb515bafc0 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -55,7 +55,6 @@ template:
     name: sshd_lineinfile
     vars:
         parameter: X11UseLocalhost
-        rule_id: sshd_x11_use_localhost
         value: 'yes'
         datatype: string
         is_default_value: 'true'