
RedHatOfficial.rhel7_stig Ansible role inserts settings in the wrong location when multiple "Match User" entries exist in /etc/ssh/sshd_config #5118

Closed
vhaispdeaded opened this issue Jan 17, 2020 · 8 comments · Fixed by #11032
Labels
Ansible Ansible remediation update.

Comments

vhaispdeaded commented Jan 17, 2020

Description of problem:

Ansible Tasks for RedHatOfficial.RHEL7_stig of the form:

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      line: Compression delayed
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s

insert their lines before the last occurrence of the pattern, but if the pattern occurs multiple times, the lines are placed in the incorrect position. Even if no "Match User" directives have been added to /etc/ssh/sshd_config, the role inserts the lines inside an example comment block describing the "Match User" directive. If two or more "Match User" directives exist, the role will create a configuration that does not meet the requirements, and may not even work.

An additional parameter "firstmatch: yes" will correct this issue for Ansible 2.5 and later.

SCAP Security Guide Version:

Unsure of SCAP Security Guide Version used to generate this project.
DISA STIG for Red Hat Enterprise Linux 7 - release 0.1.47

Operating System Version:

Red Hat Enterprise Linux 7.7 built from Red Hat Satellite 6.6.1 and Ansible 2.8.7 (embedded in Satellite)

Steps to Reproduce:

  1. Install RHEL7.7 on system.
  2. Edit /etc/ssh/sshd_config to add two or more "Match User" directives
  3. Run RedHatOfficial.rhel7_stig role using RH Satellite, or playbook that includes role
  4. Examine /etc/ssh/sshd_config to see directives inserted between the last and next-to-last occurrence of the "Match User" directive (including the commented example).

Actual Results:

With no "Match User" directives:

# Example of overriding settings on a per-user basis
Compression delayed
KerberosAuthentication no
PermitRootLogin no
HostbasedAuthentication no
X11Forwarding yes
ClientAliveInterval 600
StrictModes yes
GSSAPIAuthentication no
UsePrivilegeSeparation sandbox
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
PermitEmptyPasswords no
PermitUserEnvironment yes
ClientAliveCountMax 0
PrintLastLog yes
Banner /etc/issue
RhostsRSAAuthentication no
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

With one "Match User" directive:

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
Compression delayed
KerberosAuthentication no
PermitRootLogin no
HostbasedAuthentication no
X11Forwarding yes
ClientAliveInterval 600
StrictModes yes
GSSAPIAuthentication no
UsePrivilegeSeparation sandbox
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
PermitEmptyPasswords no
PermitUserEnvironment yes
ClientAliveCountMax 0
PrintLastLog yes
Banner /etc/issue
RhostsRSAAuthentication no
Match User testuser1
    PasswordAuthentication no

With two "Match User" directives:

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
Match User testuser1
    PasswordAuthentication no
Compression delayed
KerberosAuthentication no
PermitRootLogin no
HostbasedAuthentication no
X11Forwarding yes
ClientAliveInterval 600
StrictModes yes
GSSAPIAuthentication no
UsePrivilegeSeparation sandbox
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
PermitEmptyPasswords no
PermitUserEnvironment yes
ClientAliveCountMax 0
PrintLastLog yes
Banner /etc/issue
RhostsRSAAuthentication no
Match User testuser2
    PasswordAuthentication no

Expected Results:

Compression delayed
KerberosAuthentication no
PermitRootLogin no
HostbasedAuthentication no
X11Forwarding yes
ClientAliveInterval 600
StrictModes yes
GSSAPIAuthentication no
UsePrivilegeSeparation sandbox
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
PermitEmptyPasswords no
PermitUserEnvironment yes
ClientAliveCountMax 0
PrintLastLog yes
Banner /etc/issue
RhostsRSAAuthentication no
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
Match User testuser1
    PasswordAuthentication no

Match User testuser2
    PasswordAuthentication no

Additional Information/Debugging Steps:

The issue occurs for the following tasks:

16256:  - name: Insert correct line to /etc/ssh/sshd_config
16292:  - name: Insert correct line to /etc/ssh/sshd_config
16328:  - name: Insert correct line to /etc/ssh/sshd_config
16371:  - name: Insert correct line to /etc/ssh/sshd_config
16410:  - name: Insert correct line to /etc/ssh/sshd_config
16446:  - name: Insert correct line to /etc/ssh/sshd_config
16490:  - name: Insert correct line to /etc/ssh/sshd_config
16529:  - name: Insert correct line to /etc/ssh/sshd_config
16567:  - name: Insert correct line to /etc/ssh/sshd_config
16605:  - name: Insert correct line to /etc/ssh/sshd_config
16648:  - name: Insert correct line to /etc/ssh/sshd_config
16689:  - name: Insert correct line to /etc/ssh/sshd_config
16737:  - name: Insert correct line to /etc/ssh/sshd_config
16779:  - name: Insert correct line to /etc/ssh/sshd_config
16818:  - name: Insert correct line to /etc/ssh/sshd_config
16860:  - name: Insert correct line to /etc/ssh/sshd_config
16897:  - name: Insert correct line to /etc/ssh/sshd_config
16940:  - name: Insert correct line to /etc/ssh/sshd_config
@ggbecker
Member

Can you check with latest versions of the ansible role to see if the problem still persists?

@marcusburghardt marcusburghardt added the Ansible Ansible remediation update. label Aug 3, 2023
@marcusburghardt marcusburghardt self-assigned this Aug 9, 2023
@marcusburghardt
Member

The relevant rule is sshd_disable_compression. I will take a look on it.

@marcusburghardt
Member

I researched this and didn't find any ordering restriction for the Compression line. We can simply remove the insertbefore: ^[#\s]*Match line. @ggbecker , do you know why this insertbefore: ^[#\s]*Match was used in this task?

@marcusburghardt
Member

@vhaispdeaded could you provide more context on why the Compression delayed line depends on specific location, please?

@vhaispdeaded
Author

Compression delayed was just one of several sshd options the role applies to /etc/ssh/sshd_config. I used it as an example. The settings are intended to be global. The issue applies to all global settings applied to /etc/ssh/sshd_config by the role.

All options following a "Match" keyword only apply to the conditional block defined by the "Match" expression. (see sshd_config)

Inserting before the first occurrence of "Match" is safe, but ideally all global options should be placed before the # Example of overriding settings on a per-user basis comment.

@marcusburghardt, Thank you for investigating this issue.

@ggbecker
Member

@marcusburghardt It looks like this was added via: #4807

@vhaispdeaded
Author

Thank you!

@marcusburghardt
Member

From man:

Match   Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords
              on the following lines override those set in the global section of the config file, until either another
              Match line or the end of the file.  If a keyword appears in multiple Match blocks that are satisfied,
              only the first instance of the keyword is applied.

So, Match conditionals are always expected at the end of the file. Consequently, global parameters must be defined before any Match conditional. The rule uses the ansible_sshd_set which then calls other macros which finally define the insertbefore parameter. Since these last macros are used in many places, it is safer to call them with a different regex from ansible_sshd_set. The regex will be updated from insertbefore: ^[#\s]*Match to insertbefore: BOF to ensure new lines are always inserted at the beginning of the file. I will prepare a PR.
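The three placements discussed in this thread (the shipped insertbefore: ^[#\s]*Match, the reporter's firstmatch: yes, and the insertbefore: BOF change proposed in the last comment), shown as an added example that is not part of the issue or of the ComplianceAsCode project. It re-implements lineinfile's insertbefore placement rule for illustration only (this is not Ansible's code), applies it to a constructed sshd_config laid out like the "two Match User directives" case, and then walks the result with the Match rule quoted from the man page to see which directives ended up inside a Match block. The sample config, the two directives used and the helper names are assumptions; on a real host, sshd -t on the resulting file remains the authoritative check.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample (not taken from a real host): a trimmed sshd_config with the
# stock commented "Match User anoncvs" example and two real Match blocks, the
# layout from the issue's "With two Match User directives" case.
SAMPLE_SSHD_CONFIG = """\
Port 22
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
Match User testuser1
    PasswordAuthentication no
Match User testuser2
    PasswordAuthentication no
"""

# The pattern the role used in its insertbefore parameter.
MATCH_RE = re.compile(r"^[#\s]*Match")

# Two of the global directives the role inserts; enough to show the ordering effect.
WANTED_GLOBALS = ("Compression delayed", "PermitRootLogin no")


def lineinfile_insertbefore(lines: List[str], line: str,
                            regex: Optional[re.Pattern] = None,
                            firstmatch: bool = False) -> List[str]:
    """Model of lineinfile's insertbefore placement (re-implemented here for
    illustration, not Ansible's code): do nothing if the exact line is already
    present; regex=None stands for insertbefore: BOF; otherwise insert before
    the LAST matching line, or the FIRST one when firstmatch is set; append at
    EOF when nothing matches."""
    if line in lines:
        return list(lines)
    if regex is None:
        return [line] + list(lines)
    hits = [i for i, text in enumerate(lines) if regex.search(text)]
    if not hits:
        return list(lines) + [line]
    pos = hits[0] if firstmatch else hits[-1]
    return list(lines[:pos]) + [line] + list(lines[pos:])


def directive_scope(lines: List[str]) -> List[Tuple[str, str]]:
    """Walk the config the way sshd_config(5) describes it: every keyword after
    a Match line belongs to that block until the next Match line or EOF.
    Returns (keyword, scope) pairs, scope being 'global' or the Match line."""
    scope = "global"
    result = []
    for raw in lines:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue                      # comments never open or close a block
        keyword = text.split(None, 1)[0]
        if keyword.lower() == "match":
            scope = text
            continue
        result.append((keyword, scope))
    return result


def misplaced_globals(lines: List[str], wanted=WANTED_GLOBALS) -> List[str]:
    """Keywords from `wanted` that landed inside a Match block instead of the
    global section. An empty list means the hardening really is global."""
    keywords = {w.split()[0] for w in wanted}
    return sorted({kw for kw, scope in directive_scope(lines)
                   if kw in keywords and scope != "global"})


def simulate(strategy: str) -> List[str]:
    """Apply the role's inserts with one of three lineinfile strategies:
    'last'  - insertbefore: ^[#\\s]*Match as shipped (last match wins)
    'first' - same regex plus firstmatch: yes (the reporter's fix)
    'bof'   - insertbefore: BOF (the fix proposed by the maintainer)"""
    lines = SAMPLE_SSHD_CONFIG.splitlines()
    for directive in WANTED_GLOBALS:
        if strategy == "last":
            lines = lineinfile_insertbefore(lines, directive, MATCH_RE)
        elif strategy == "first":
            lines = lineinfile_insertbefore(lines, directive, MATCH_RE, firstmatch=True)
        elif strategy == "bof":
            lines = lineinfile_insertbefore(lines, directive)
        else:
            raise ValueError(strategy)
    return lines


if __name__ == "__main__":
    for strategy in ("last", "first", "bof"):
        out = simulate(strategy)
        print(f"--- {strategy}: misplaced={misplaced_globals(out)}")
        print("\n".join(out))
```

With 'last', both directives are written between "Match User testuser1" and "Match User testuser2", so the scope walk reports them as belonging to testuser1's block, which is exactly the broken layout in the issue's "two Match User directives" output. 'first' keeps them global but drops them inside the commented anoncvs example, the cosmetic problem the reporter mentions, and 'bof' puts them ahead of everything. The same scope walk can be pointed at a real file after the role runs to confirm that the STIG settings are not shadowed by a Match block.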
