2 changes: 1 addition & 1 deletion controls/stig_ol9.yml
Expand Up @@ -1709,7 +1709,7 @@ controls:
authentication.
rules:
- sshd_disable_compression
- var_sshd_disable_compression=no
- var_sshd_disable_compression=stig
status: automated

- id: OL09-00-002359
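Review bot: switching the selector from `no` to `stig` widens the OL9 STIG control from "Compression must be no" to "no or delayed", which is what the new `stig` option (`no|delayed`) encodes and what the STIG text permits. This PR updates the rhel9 profile stability snapshots for the same selector change; if an equivalent stability snapshot exists for ol9 it needs the same `var_sshd_disable_compression=stig` line, otherwise the stability test will flag the drift.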
@@ -0,0 +1,14 @@
# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).

{{{ ansible_sshd_set(
parameter="Compression",
value="no",
config_is_distributed=sshd_distributed_config,
config_basename="00-complianceascode-hardening.conf",
rule_title=rule_title
) }}}
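Review bot: `value="no"` is hardcoded rather than derived from `var_sshd_disable_compression`, so a profile that selects `delayed` is still remediated to `no`. That is safe (`no` satisfies the `(no|delayed)` check and is the stricter setting), but it breaks the pattern the other `sshd_lineinfile` rules follow, so a comment next to the call should say why, e.g. `# value is fixed to "no": the variable's "stig" option is a regex (no|delayed), not a value sshd accepts`.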
@@ -0,0 +1,8 @@
# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).

{{{ bash_sshd_remediation(parameter="Compression", value="no", config_is_distributed=sshd_distributed_config, config_basename="00-complianceascode-hardening.conf", rule_id=rule_id) }}}
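Review bot: same hardcoded `value="no"` as the Ansible remediation; the two must stay in sync, including `config_basename="00-complianceascode-hardening.conf"`, so that running the bash fix and then the Ansible fix on one host edits the same drop-in file instead of leaving two `Compression` directives in different files. A one-line comment mirroring the one in the Ansible file would make the intent clear to the next person who sees the value not coming from the variable.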

Collaborator Author


@jan-cerny Are we OK with the hardcoded 'value="no"' here and in the ansible remediation?

Other rules instantiate the variables and then extract the correct value. Having explicit 'no' looks better IMHO, even though it breaks the pattern.

@@ -0,0 +1,20 @@
{{%- if product == 'sle16' -%}}
{{{ sshd_oval_check_usr(
parameter="Compression",
value="(no|delayed)",
missing_parameter_pass=false,
datatype="string",
rule_id=rule_id,
rule_title=rule_title
) }}}
{{%- else -%}}
{{{ sshd_oval_check(
parameter="Compression",
value="(no|delayed)",
missing_parameter_pass=false,
config_is_distributed=sshd_distributed_config,
datatype="string",
rule_id=rule_id,
rule_title=rule_title
) }}}
{{%- endif -%}}
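Review bot: `missing_parameter_pass=false` is the right choice here because OpenSSH's built-in default for `Compression` is `yes`, so an absent directive must fail the check; a short comment stating that rationale would save the next reader a trip to sshd_config(5). The `(no|delayed)` pattern is passed with `datatype="string"` and therefore relies on the `sshd_oval_check` / `sshd_oval_check_usr` macros anchoring it as a whole-value match; worth confirming once in the generated OVAL that a line such as `Compression delayed` passes and `Compression yes` fails on both the sle16 and non-sle16 branches.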
Expand Up @@ -48,11 +48,13 @@ ocil: |-
<pre>$ sudo grep Compression /etc/ssh/sshd_config</pre>
If configured properly, output should be <pre>no</pre> or <pre>delayed</pre>.

# yamllint disable rule:key-duplicates
{{% if product == "ol7" %}}
platform: os_linux[ol]<7.4
{{% elif product == "sle12" %}}
platform: package[openssh]<7.4
{{% endif %}}
# yamllint enable rule:key-duplicates

fixtext: '{{{ fixtext_sshd_lineinfile("Compression", xccdf_value("var_sshd_disable_compression"), no) }}}'

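Review bot: the unchanged `fixtext` line renders `xccdf_value("var_sshd_disable_compression")` literally, so for profiles that now select the `stig` option the generated fix text will read `Compression no|delayed`, which is not a valid sshd_config line. Consider rendering the fixtext with a fixed `no` (matching what both remediations write) or special-casing the regex option. The `yamllint disable/enable rule:key-duplicates` wrapper is fine: only one `platform:` branch survives Jinja rendering, yamllint just cannot see that.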
Expand All @@ -64,4 +66,3 @@ template:
parameter: Compression
xccdf_variable: var_sshd_disable_compression
datatype: string

@@ -0,0 +1,8 @@
#!/bin/bash
# DISA STIG V-258002 allows both "no" and "delayed".
# The custom OVAL in oval/shared.xml checks for (no|delayed) with a
# hardcoded value.

source common.sh

{{{ bash_sshd_remediation(parameter="Compression", value="delayed", config_is_distributed=sshd_distributed_config, rule_id=rule_id) -}}}
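Review bot: this scenario depends on the hardcoded `(no|delayed)` OVAL and so needs no `# variables =` header, which the comment explains; but the `bash_sshd_remediation` call omits `config_basename`, unlike the rule's own remediation, so the directive lands in whatever file the macro defaults to. That still passes because the check is distributed-config aware, but passing `config_basename="00-complianceascode-hardening.conf"` would make the scenario exercise exactly the file the remediation writes.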
Expand Up @@ -13,4 +13,5 @@ interactive: false
options:
no: no
delayed: delayed
stig: "no|delayed"
default: no
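Review bot: the new `stig` option carries a regex alternation rather than a value sshd accepts, unlike `no` and `delayed`; because the option's value is what `xccdf_value()` and the check template see, a comment on this line saying it is only meaningful to the `(no|delayed)` OVAL check (and must not be written into sshd_config) would stop someone selecting it for a profile whose remediation or fixtext interpolates the variable. `default: no` is unchanged, so profiles that do not select `stig` are unaffected.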
2 changes: 1 addition & 1 deletion products/rhel9/controls/stig_rhel9.yml
Expand Up @@ -1974,7 +1974,7 @@ controls:
authentication.
rules:
- sshd_disable_compression
- var_sshd_disable_compression=no
- var_sshd_disable_compression=stig
status: automated

- id: RHEL-09-255135
2 changes: 1 addition & 1 deletion shared/templates/sshd_lineinfile/template.py
Expand Up @@ -17,7 +17,7 @@ def set_variables_for_test_scenarios(data):
data["wrong_value"] = "30:10:110"
data["correct_value"] = "10:30:60"
elif data["xccdf_variable"] == "var_sshd_disable_compression":
data["wrong_value"] = "delayed"
data["wrong_value"] = "yes"
data["correct_value"] = "no"
else:
data["wrong_value"] = "wrong_value"
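Review bot: changing `wrong_value` from `delayed` to `yes` is required, not cosmetic: `delayed` now satisfies the `stig` option's `no|delayed` pattern, so the generated fail scenario would no longer fail for STIG profiles, whereas `yes` (OpenSSH's default) is rejected by every option. `correct_value` stays `no`, which satisfies both the plain `no` option and the regex, so the generated pass scenario remains valid for all selectors; a comment on the branch explaining why `delayed` cannot be the wrong value would keep someone from reverting it.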
17 changes: 11 additions & 6 deletions tests/README.md
Expand Up @@ -179,7 +179,7 @@ The header consists of comments (starting by `#`). Possible keys are:
restricted. Use this only if the scenario makes sense only in a specific
profile. Typically, a rule doesn't depend on a profile and behaves the same
way regardless the profile it's a part of. If the rule is parametrized by
variables (XCCDF Values), use the `variables` key instead. This key is
variables (XCCDF `<Value>` elements), use the `variables` key instead. This key is
intended to be used in regression testing of bugs in profiles, it isn't
intended for casual use.
- `check` is a string specifying one of the available check engine types
Expand All @@ -193,11 +193,16 @@ The header consists of comments (starting by `#`). Possible keys are:
scenario would break test runs, because OpenSCAP generates reports into the
/tmp directory).
- `templates` has no effect at the moment.
- `variables` is a comma-separated list of XCCDF values that sets a different
default value for XCCDF variables in a form `<variable name>=<value>`.
Typically, you use only one of `profile` or `variables` in scenario metadata -
default values are effective only if the variable is not defined using a
selector, which is exactly what profiles do.
- `variables` overrides the default value of XCCDF `<Value>` elements
in the data stream:
- Comma-separated, in the form `<variable name>=<value>`
- The variable must already exist as a `<Value>` element in the
data stream
- Use the actual value (e.g. `no|delayed`), not the option name
from the `.var` file (e.g. `stig`)
- Do not combine with `profile` in the same scenario -- the profile
selects variable values on its own, overriding the `variables`
directive

Examples of test scenario:

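Review bot: the bullet "Use the actual value (e.g. `no|delayed`), not the option name from the `.var` file (e.g. `stig`)" is the new information this PR adds and the mistake it makes easy, so it deserves to come first in the list rather than third. The `--` in the last bullet renders as two literal hyphens in Markdown; a colon or a comma reads better. Otherwise the rewrite is clearer than the paragraph it replaces, in particular the explicit statement that `profile` overrides `variables`.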
2 changes: 1 addition & 1 deletion tests/data/profile_stability/rhel9/stig.profile
Expand Up @@ -537,7 +537,7 @@ var_rekey_limit_time=1hour
var_selinux_policy_name=targeted
var_selinux_state=enforcing
var_smartcard_drivers=cac
var_sshd_disable_compression=no
var_sshd_disable_compression=stig
var_sshd_set_keepalive=1
var_sssd_certificate_verification_digest_function=sha512
var_sudo_timestamp_timeout=always_prompt
2 changes: 1 addition & 1 deletion tests/data/profile_stability/rhel9/stig_gui.profile
Expand Up @@ -535,7 +535,7 @@ var_rekey_limit_time=1hour
var_selinux_policy_name=targeted
var_selinux_state=enforcing
var_smartcard_drivers=cac
var_sshd_disable_compression=no
var_sshd_disable_compression=stig
var_sshd_set_keepalive=1
var_sssd_certificate_verification_digest_function=sha512
var_sudo_timestamp_timeout=always_prompt