ComplianceAsCode · Mab879 · Feb 1, 2023 · Jan 2, 2023
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_keys_passphrase_protected/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_keys_passphrase_protected/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Verify the SSH private key files have a passcode'
+
+description: |-
+    When creating SSH key pairs, always use a passcode.
+    <br />
+    You can create such keys with the following command:
+    <pre>$ sudo ssh-keygen -n [passphrase]</pre>
+    {{{ full_name }}}, for certificate-based authentication, must enforce authorized access to the corresponding private key.
+
+rationale: |-
+    If an unauthorized user obtains access to a private key without a passcode,
+    that user would have unauthorized access to any system where the associated
+    public key has been installed.
+
+severity: medium
+
+identifiers:
+  cce@rhel8: CCE-90781-6
+
+references:
+    stigid@rhel8: RHEL-08-010100
+
+ocil_clause: 'no ssh private key is accessible without a passcode'
+
+ocil: |-
+    For each private key stored on the system, use the following command:
+    <pre>$ sudo ssh-keygen -y -f /path/to/file</pre>
+    If the contents of the key are displayed, this is a finding.
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_keys_passphrase_protected/sce/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_keys_passphrase_protected/sce/shared.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+user_list=$(awk -F: -n '{ if ($7 !~ /\/s?bin\/false/ && $7 !~ /\/s?bin\/nologin/) { print $0; } }' /etc/passwd)
+user_dirs=$(cut -d: -f6 <<<"${user_list}" | sort | uniq)
+for dir in ${user_dirs}
+do
+	pubkeys=$(find "${dir}/.ssh/" -type f -name '*.pub')
+	for pubkey in ${pubkeys}
+	do
+		ssh-keygen -y -P "" -f "${pubkey%.pub}" >/dev/null
+		if [ $? -ne 255 ]; then
+			echo "Key '${pubkey}' is not passphrase-protected"
+			exit "${XCCDF_RESULT_FAIL}"
+		fi
+	done
+done
+
+exit "${XCCDF_RESULT_PASS}"
@@ -120,6 +120,7 @@ selections:
     # RHEL-08-010090
 
     # RHEL-08-010100
+    - ssh_keys_passphrase_protected
 
     # RHEL-08-010110
     - set_password_hashing_algorithm_logindefs

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -4109,4 +4109,3 @@ CCE-90776-6
 CCE-90777-4
 CCE-90778-2
 CCE-90780-8
-CCE-90781-6
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
@@ -418,6 +418,7 @@ selections:
 - sysctl_net_ipv6_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_default_accept_source_route
 - sysctl_user_max_user_namespaces
+- ssh_keys_passphrase_protected
 - tftpd_uses_secure_mode
 - usbguard_generate_policy
 - wireless_disable_interfaces

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -389,6 +389,7 @@ selections:
 - sshd_set_keepalive
 - sshd_use_strong_rng
 - sshd_x11_use_localhost
+- ssh_keys_passphrase_protected
 - sssd_certificate_verification
 - sssd_enable_certmap
 - sssd_enable_smartcards