diff --git a/controls/stig_ol9.yml b/controls/stig_ol9.yml
index 74da77642a66..169fe0a98c33 100644
--- a/controls/stig_ol9.yml
+++ b/controls/stig_ol9.yml
@@ -1709,7 +1709,7 @@ controls:
authentication.
rules:
- sshd_disable_compression
- - var_sshd_disable_compression=no
+ - var_sshd_disable_compression=stig
status: automated

- id: OL09-00-002359
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
new file mode 100644
index 000000000000..6d0860e54f07
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
@@ -0,0 +1,14 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).
+
+{{{ ansible_sshd_set(
+ parameter="Compression",
+ value="no",
+ config_is_distributed=sshd_distributed_config,
+ config_basename="00-complianceascode-hardening.conf",
+ rule_title=rule_title
+) }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
new file mode 100644
index 000000000000..496011812264
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).
+
+{{{ bash_sshd_remediation(parameter="Compression", value="no", config_is_distributed=sshd_distributed_config, config_basename="00-complianceascode-hardening.conf", rule_id=rule_id) }}}
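Review bot: The header comment `# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).` in the new ansible/shared.yml (and its twin in bash/shared.sh) records a template choice, not the reason this rule now needs a hand-written remediation, which is what the next maintainer will ask. Both files pin `value="no"` while rule.yml still declares `xccdf_variable: var_sshd_disable_compression`, whose new `stig` option is the alternation `no|delayed` — not something that can be written into sshd_config — so the remediation deliberately ignores the variable and always applies the strictest accepted setting. Replace the metadata line in both files with a comment saying exactly that, e.g. `# Custom remediation: the variable's "stig" option is an OVAL alternation, not a config value, so always write the strictest accepted setting ("no") regardless of the selected option.` I cannot tell from this diff whether any profile selects `delayed` and would be moved to `no` by this; if one does, the `disruption = low` header is worth a second look.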
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml
new file mode 100644
index 000000000000..9cde20e33e2e
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml
@@ -0,0 +1,20 @@
+{{%- if product == 'sle16' -%}}
+{{{ sshd_oval_check_usr(
+ parameter="Compression",
+ value="(no|delayed)",
+ missing_parameter_pass=false,
+ datatype="string",
+ rule_id=rule_id,
+ rule_title=rule_title
+) }}}
+{{%- else -%}}
+{{{ sshd_oval_check(
+ parameter="Compression",
+ value="(no|delayed)",
+ missing_parameter_pass=false,
+ config_is_distributed=sshd_distributed_config,
+ datatype="string",
+ rule_id=rule_id,
+ rule_title=rule_title
+) }}}
+{{%- endif -%}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
index 588f91a3396d..a969a0c2fa63 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
@@ -48,11 +48,13 @@ ocil: |-
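Review bot: The hand-written OVAL pins `value="(no|delayed)"` in both branches and never reads `var_sshd_disable_compression`, so the variable rule.yml still declares under `template:` no longer drives the check: a profile that selects (or defaults to) `no` now passes a host configured with `Compression delayed`, which is a silent loosening for every non-STIG consumer of this rule, and the `stig` option added to the .var file becomes cosmetic. If the alternation is only wanted for the STIG profiles, either keep the templated, variable-driven OVAL and express the STIG case through the variable (if the sshd_oval_check macros can take an XCCDF variable — not visible in this diff), or state plainly in rule.yml's description and ocil that the check accepts both values irrespective of the variable. Worth a comment next to the regex as well: OpenSSH's sshd_config(5) documents `delayed` as a legacy synonym for `yes` from 7.4 onward, so on products without the `platform:` restriction in rule.yml accepting `delayed` means accepting post-authentication compression, e.g. `<!-- "delayed" accepted to match DISA STIG V-258002; on OpenSSH >= 7.4 it is a synonym for "yes" -->`.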
$ sudo grep Compression /etc/ssh/sshd_configIf configured properly, output should be
noor
delayed.
+# yamllint disable rule:key-duplicates
{{% if product == "ol7" %}}
platform: os_linux[ol]<7.4
{{% elif product == "sle12" %}}
platform: package[openssh]<7.4
{{% endif %}}
+# yamllint enable rule:key-duplicates
fixtext: '{{{ fixtext_sshd_lineinfile("Compression", xccdf_value("var_sshd_disable_compression"), no) }}}'
@@ -64,4 +66,3 @@ template:
parameter: Compression
xccdf_variable: var_sshd_disable_compression
datatype: string
-
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/delayed_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/delayed_value.pass.sh
new file mode 100644
index 000000000000..ac433fa2043c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/tests/delayed_value.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# DISA STIG V-258002 allows both "no" and "delayed".
+# The custom OVAL in oval/shared.xml checks for (no|delayed) with a
+# hardcoded value.
+
+source common.sh
+
+{{{ bash_sshd_remediation(parameter="Compression", value="delayed", config_is_distributed=sshd_distributed_config, rule_id=rule_id) -}}}
diff --git a/linux_os/guide/services/ssh/ssh_server/var_sshd_disable_compression.var b/linux_os/guide/services/ssh/ssh_server/var_sshd_disable_compression.var
index 0e35a03c5f70..a9043c027e23 100644
--- a/linux_os/guide/services/ssh/ssh_server/var_sshd_disable_compression.var
+++ b/linux_os/guide/services/ssh/ssh_server/var_sshd_disable_compression.var
@@ -13,4 +13,5 @@ interactive: false
options:
no: no
delayed: delayed
+ stig: "no|delayed"
default: no
diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml
index 76fd04b8c832..fb5a3d4f3bba 100644
--- a/products/rhel9/controls/stig_rhel9.yml
+++ b/products/rhel9/controls/stig_rhel9.yml
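Review bot: `fixtext` still renders the selected variable value verbatim through `xccdf_value("var_sshd_disable_compression")`, so with the new `stig` option (`"no|delayed"` in var_sshd_disable_compression.var, now selected by the OL9 and RHEL9 STIG controls in this diff) the published fix text tells an operator to set `Compression no|delayed`, which sshd will reject; the new bash/ansible remediations avoid this by hardcoding `no`, the fixtext does not. Pin it to what the remediation actually writes: `fixtext: '{{{ fixtext_sshd_lineinfile("Compression", "no", no) }}}'`. The `# yamllint disable rule:key-duplicates` pair is there because both Jinja branches emit a `platform:` key; a trailing note such as `# only one branch is rendered, so the duplicate key is intentional` would save the next reader from treating it as a bug. The hunk's ocil block starts before this diff, so the garbled `sshd_configIf`/`noor` context text is outside what this change can be blamed for.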
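Review bot: delayed_value.pass.sh passes only because oval/shared.xml hardcodes `(no|delayed)`; it declares no `# variables = ...` header (tests/README.md in this same diff documents that key for variable-parametrized rules), so it also passes when a profile selects `var_sshd_disable_compression=no`, which records the loosening rather than guarding against it. Name the dependency so the scenario fails loudly if the check is ever made variable-driven again: add `# variables = var_sshd_disable_compression=stig` to the header and reword the comment to `# Passes only while the custom OVAL accepts both values irrespective of the variable.` The macro call also omits `config_basename`, unlike bash/shared.sh which writes `00-complianceascode-hardening.conf`; presumably harmless for a pass scenario, but a one-line comment stating which drop-in file this test populates would make that explicit.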
@@ -1974,7 +1974,7 @@ controls:
authentication.
rules:
- sshd_disable_compression
- - var_sshd_disable_compression=no
+ - var_sshd_disable_compression=stig
status: automated

- id: RHEL-09-255135
diff --git a/shared/templates/sshd_lineinfile/template.py b/shared/templates/sshd_lineinfile/template.py
index d87c9d4832cc..bb18768c26a3 100644
--- a/shared/templates/sshd_lineinfile/template.py
+++ b/shared/templates/sshd_lineinfile/template.py
@@ -17,7 +17,7 @@ def set_variables_for_test_scenarios(data):
data["wrong_value"] = "30:10:110"
data["correct_value"] = "10:30:60"
elif data["xccdf_variable"] == "var_sshd_disable_compression":
- data["wrong_value"] = "delayed"
+ data["wrong_value"] = "yes"
data["correct_value"] = "no"
else:
data["wrong_value"] = "wrong_value"
diff --git a/tests/README.md b/tests/README.md
index 8b439b7e0fb3..4f27354cf435 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -179,7 +179,7 @@ The header consists of comments (starting by `#`). Possible keys are: restricted. Use this only if the scenario makes sense only in a specific profile. Typically, a rule doesn't depend on a profile and behaves the same way regardless the profile it's a part of. If the rule is parametrized by
- variables (XCCDF Values), use the `variables` key instead. This key is
+ variables (XCCDF `
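Review bot: In `set_variables_for_test_scenarios` (its `def` line and the rest of the body lie outside this hunk) the new pairing `wrong_value = "yes"` / `correct_value = "no"` is correct, but nothing records why `delayed` stopped being a wrong value, and a reader of this file alone cannot see the custom OVAL that made it pass. Add a why-comment above the assignment: `# "delayed" now passes sshd_disable_compression's custom OVAL (DISA STIG V-258002 accepts it), so "yes" is the only reliable failing value.` Note also that the branch still keys on `var_sshd_disable_compression`, whose new `stig` option is the literal `no|delayed`; that string would be an invalid sshd_config value if it ever reached a generated scenario, so the hardcoded `correct_value = "no"` is load-bearing and deserves the same comment.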