From 5051a0d7c5c07f03773d723ab4c0fac2a1017ff9 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Wed, 6 Sep 2023 18:45:52 +0200
Subject: [PATCH 1/5] sshd_use_strong_kex: Fix OVAL variable comment

---
 .../services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml
index 6fd445e3deb..78c5debc8ff 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_kex/oval/shared.xml
@@ -51,7 +51,7 @@
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <local_variable id="var_sshd_config_kex" datatype="string" version="1" comment="MACs values splitted on comma">
+  <local_variable id="var_sshd_config_kex" datatype="string" version="1" comment="KEXs values splitted on comma">
     <split delimiter=",">
       <object_component item_field="subexpression" object_ref="obj_sshd_config_kex" />
     </split>

From fe3638809ecf5dc7b87372383fcb8a4a460edd8d Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Thu, 7 Sep 2023 15:15:27 +0200
Subject: [PATCH 2/5] sshd_use_approved_kex_ordered_stig: oval: Fix regex and
 improve comment

---
 .../oval/shared.xml                                   | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml
index 7ac5adc21d8..fd7250dccf8 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml
@@ -13,7 +13,8 @@
              "diffie-hellman-group-exchange-sha256"]  %}}
 {{% endif %}}
 
-{{% set kex_algos_regex=prefix_conf %}}
+{{% set kex_algos_regex=prefix_conf ~ "(?=[\w-])" "(\\b" ~ kex_algos|join("\\b,?)?(\\b") ~ ")?" ~
+                        sufix_conf ~ "[\\s]*(?:#.*)?$" %}}
 
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
@@ -26,10 +27,10 @@
           <extend_definition comment="sshd is not required or requirement is unset"
             definition_ref="sshd_not_required_or_unset" />
           {{% if product in ['sle12', 'sle15'] %}}
-          <extend_definition comment="rpm package openssh removed"
+          <extend_definition comment="package openssh removed"
             definition_ref="package_openssh_removed" />
           {{% else %}}
-          <extend_definition comment="rpm package openssh-server removed"
+          <extend_definition comment="package openssh-server removed"
             definition_ref="package_openssh-server_removed" />
           {{% endif %}}
         </criteria>
@@ -37,10 +38,10 @@
           <extend_definition comment="sshd is required or requirement is unset"
             definition_ref="sshd_required_or_unset" />
           {{% if product in ['sle12', 'sle15'] %}}
-          <extend_definition comment="rpm package openssh installed"
+          <extend_definition comment="package openssh installed"
             definition_ref="package_openssh_installed" />
           {{% else %}}
-          <extend_definition comment="rpm package openssh-server installed"
+          <extend_definition comment="package openssh-server installed"
             definition_ref="package_openssh-server_installed" />
           {{% endif %}}
           <criterion comment="Check Kex in {{{ path }}}"

From 89673851270ec6b250e09a2dbdcc66296b9d7b78 Mon Sep 17 00:00:00 2001
From: Dexter Le <dexter.le@sap.com>
Date: Thu, 6 Jul 2023 19:03:55 +0000
Subject: [PATCH 3/5] Add UBTU-20-010045 for enforcing proper kex exchange
 algorithms

This commit will add UBTU-20-010045 for sshd_use_approved_kex_ordered_stig rule. Additionally, ubuntu2004 has been included in the tests
---
 .../sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh    | 2 +-
 .../sshd_use_approved_kex_ordered_stig/tests/common.sh          | 2 +-
 .../tests/correct_reduced_list.pass.sh                          | 2 +-
 .../tests/correct_scrambled.fail.sh                             | 2 +-
 .../tests/correct_value.pass.sh                                 | 2 +-
 .../tests/line_not_there.fail.sh                                | 2 +-
 .../tests/no_parameters.fail.sh                                 | 2 +-
 .../tests/wrong_value.fail.sh                                   | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh
index d9775be4387..4319832c0e5 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh
index 738765cb4bc..9d85fcbeb23 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh
@@ -5,7 +5,7 @@ CONF_PREFIX="CRYPTO_POLICY='-oKexAlgorithms="
 KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
 CONF_SUFIX="'"
 CONF_PREFIX_REGEX="^\s*CRYPTO_POLICY"
-{{% elif product in ['ol7','rhel7','sle12','sle15'] %}}
+{{% elif product in ['ol7','rhel7','sle12','sle15','ubuntu2004'] %}}
 FILE_PATH='/etc/ssh/sshd_config'
 CONF_PREFIX="KexAlgorithms "
 KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256"
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh
index 5e724620515..64199ace8a2 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh
index 11e8fe96db7..3e52ca7c6a7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh
index a2528cb3061..63774b1e3e8 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh
index 63213b5d178..a9ddcf7c171 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh
index 59dee5b9e97..682758a9df0 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh
index 0e12d5a2a9d..4cac68a128c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
 
 source common.sh
 

From 3164759774d534c29a6eeccaf1ce3c03a0557ad7 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Thu, 7 Sep 2023 09:39:26 +0200
Subject: [PATCH 4/5] sshd_use_approved_kex_ordered_stig: tests: Fix typo in
 correct_scrambled

---
 .../tests/correct_scrambled.fail.sh                             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh
index 3e52ca7c6a7..1bd7473fe7d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh
@@ -7,7 +7,7 @@ readarray -t KEX_ALGOS_ARR < <(echo $KEX_ALGOS | tr "," "\n")
 
 #swap first and second algorithms
 
-KEX_ALGOS_SCRAMBLED=$(echo ${KEY_ALGOS_ARR[0]},${KEY_ALGOS_ARR[1]},$(echo ${KEY_ALGOS_ARR[@]:2} | tr " " ","))
+KEX_ALGOS_SCRAMBLED=$(echo ${KEX_ALGOS_ARR[0]},${KEX_ALGOS_ARR[1]},$(echo ${KEX_ALGOS_ARR[@]:2} | tr " " ","))
 
 CONF="${CONF_PREFIX}${KEX_ALGOS_SCRAMBLED}${CONF_SUFIX}"
 

From 12df498330562391a568357c2445196c37287bde Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <eduardo.barretto@canonical.com>
Date: Thu, 7 Sep 2023 15:35:17 +0200
Subject: [PATCH 5/5] sshd_use_approved_kex_ordered_stig: tests: Fix logic in
 correct_scrambled

---
 .../tests/correct_scrambled.fail.sh                             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh
index 1bd7473fe7d..dfe21de8127 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh
@@ -7,7 +7,7 @@ readarray -t KEX_ALGOS_ARR < <(echo $KEX_ALGOS | tr "," "\n")
 
 #swap first and second algorithms
 
-KEX_ALGOS_SCRAMBLED=$(echo ${KEX_ALGOS_ARR[0]},${KEX_ALGOS_ARR[1]},$(echo ${KEX_ALGOS_ARR[@]:2} | tr " " ","))
+KEX_ALGOS_SCRAMBLED=$(echo ${KEX_ALGOS_ARR[1]},${KEX_ALGOS_ARR[0]},$(echo ${KEX_ALGOS_ARR[@]:2} | tr " " ","))
 
 CONF="${CONF_PREFIX}${KEX_ALGOS_SCRAMBLED}${CONF_SUFIX}"