Merge pull request #12301 from vojtapolasek/sshd_rules_to_xccdf_vars_…

…finish

convert more rules to sshd_lineinfile template

linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml

@@ -60,3 +60,10 @@ warnings:
         As of <tt>openssh-server</tt> version <tt>7.4</tt> and above, the only protocol
         supported is version 2, and line <pre>Protocol 2</pre> in
         <tt>/etc/ssh/sshd_config</tt> is not necessary.
+
+template:
+    name: sshd_lineinfile
+    vars:
+        parameter: Protocol
+        value: "2"
+        datatype: int

linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml

@@ -57,3 +57,11 @@ platform: package[openssh]<7.4
 fixtext: '{{{ fixtext_sshd_lineinfile("Compression", xccdf_value("var_sshd_disable_compression"), no) }}}'
 
 srg_requirement: 'The {{{ full_name }}} SSH daemon must not allow compression or must only allow compression after successful authentication.'
+
+template:
+    name: sshd_lineinfile
+    vars:
+        parameter: Compression
+        xccdf_variable: var_sshd_disable_compression
+        datatype: string
+

linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/rule.yml

@@ -53,3 +53,11 @@ warnings:
         the <tt>RhostsRSAAuthentication</tt> option has been deprecated, and the line
         <pre>RhostsRSAAuthentication no</pre> in <tt>/etc/ssh/sshd_config</tt> is not
         necessary.
+
+template:
+    name: sshd_lineinfile
+    vars:
+        parameter: RhostsRSAAuthentication
+        value: "no"
+        datatype: string
+

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml

@@ -25,13 +25,14 @@
         <extend_definition comment="rpm package openssh-server installed"
         definition_ref="package_openssh-server_installed" />
         {{% endif %}}
-        <criteria comment="ClientAliveInterval is configured correctly" operator="OR">
+        <criteria comment="ClientAliveInterval is configured correctly" operator="AND">
           <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config"
           test_ref="test_sshd_idle_timeout" />
           {{%- if sshd_distributed_config == "true" %}}
           <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config.d/"
           test_ref="test_sshd_idle_timeout_config_dir" />
           {{%- endif %}}
+          <criterion comment="the configuration exists" test_ref="test_clientaliveinterval_present" />
         </criteria>
         {{%- if product not in ["ol8", "ol9", "rhel8", "rhel9"] %}}
         <extend_definition comment="The SSH ClientAliveCountMax is set to zero" definition_ref="sshd_set_keepalive" />
@@ -40,7 +41,7 @@
     </criteria>
   </definition>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
   comment="timeout is configured" id="test_sshd_idle_timeout" version="1">
     <ind:object object_ref="object_sshd_idle_timeout" />
     <ind:state state_ref="state_timeout_value_upper_bound" />
@@ -50,11 +51,11 @@
   <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
     <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   {{%- if sshd_distributed_config == "true" %}}
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
   comment="timeout is configured in config directory" id="test_sshd_idle_timeout_config_dir" version="1">
     <ind:object object_ref="object_sshd_idle_timeout_config_dir" />
     <ind:state state_ref="state_timeout_value_upper_bound" />
@@ -80,6 +81,22 @@
     <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
   </ind:textfilecontent54_state>
 
+  <ind:textfilecontent54_test id="test_clientaliveinterval_present" version="1"
+    check="all" check_existence="at_least_one_exists"
+    comment="Verify that the value of ClientAliveInterval is present">
+    <ind:object object_ref="obj_collection_obj_sshd_set_idle_timeout" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_idle_timeout" version="1">
+    <set>
+      <object_reference>object_sshd_idle_timeout</object_reference>
+      {{% if sshd_distributed_config == "true" %}}
+      <object_reference>object_sshd_idle_timeout_config_dir</object_reference>
+      {{% endif %}}
+    </set>
+  </ind:textfilecontent54_object>
+
+
   <external_variable comment="timeout value" datatype="int"
   id="sshd_idle_timeout_value" version="1" />
 

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

@@ -79,3 +79,13 @@ warnings:
         <li>Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.</li>
         <li>Any <tt>scp</tt> or <tt>sftp</tt> activity by the same user to the host resets the timeout.</li>
         </ul>
+
+template:
+    name: sshd_lineinfile
+    vars:
+        parameter: ClientAliveInterval
+        xccdf_variable: sshd_idle_timeout_value
+        datatype: int
+        backends:
+            oval: "off"
+