Merge pull request ComplianceAsCode#13028 from evgenyz/fix-sshd_inclu…

…de_crypto_policy Rule: sshd_include_crypto_policy, drop remediations, improve OVAL
vojtapolasek · Feb 12, 2025 · 7fb2776 · 7fb2776
2 parents c625acb + ca71a05
commit 7fb2776
Show file tree

Hide file tree

Showing 10 changed files with 40 additions and 53 deletions.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/ansible/shared.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/bash/shared.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml
@@ -14,19 +14,19 @@
 
     <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_include_sshd_drop_in" version="1">
         <ind:filepath operation="pattern match">/etc/ssh/sshd_config</ind:filepath>
-        <ind:pattern operation="pattern match">^Include /etc/ssh/sshd_config.d/\*.conf$</ind:pattern>
+        <ind:pattern operation="pattern match">^[ \t]*(?i)Include(?-i)[ \t]+/etc/ssh/sshd_config\.d/\*.conf$</ind:pattern>
         <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
     </ind:textfilecontent54_object>
 
 
     <ind:textfilecontent54_test id="test_{{{ rule_id }}}_include_sshd_include_system_crypto"
                                 comment="Ensure that drop in config files are included" version="1" check="all">
-        <ind:object object_ref="obj_{{{ rule_id }}}_include_sshd_drop_in"/>
+        <ind:object object_ref="obj_{{{ rule_id }}}_include_sshd_include_system_crypto"/>
     </ind:textfilecontent54_test>
 
     <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_include_sshd_include_system_crypto" version="1">
-        <ind:filepath operation="pattern match">/etc/ssh/sshd_config</ind:filepath>
-        <ind:pattern operation="pattern match">^Include /etc/crypto-policies/back-ends/opensshserver\.config</ind:pattern>
+        <ind:filepath operation="pattern match">/etc/ssh/(sshd_config|sshd_config\.d/.*\.conf)</ind:filepath>
+        <ind:pattern operation="pattern match">^[ \t]*(?i)Include(?-i)[ \t]+/etc/crypto-policies/back-ends/opensshserver\.config$</ind:pattern>
         <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
     </ind:textfilecontent54_object>
 </def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml
@@ -25,8 +25,8 @@ references:
 checktext: |-
     Verify that RHEL 9 implements DOD-approved encryption ciphers for SSH connections.
     Verify that the SSH configuration files include the path to the systemwide policy with the following command:
-    <pre>sudo grep -R Include /etc/ssh/sshd_config  /etc/ssh/sshd_config.d/
-    
+    <pre>sudo grep -R "Include /etc/ssh/sshd_config"  /etc/ssh/sshd_config.d/
+
     /etc/ssh/sshd_config:Include /etc/ssh/sshd_config.d/*.conf
     /etc/ssh/sshd_config.d/50-redhat.conf:Include /etc/crypto-policies/back-ends/opensshserver.config</pre>
     If "Include /etc/ssh/sshd_config.d/*.conf" or "Include /etc/crypto-policies/back-ends/opensshserver.config" are not included in the system sshd config or if the file "/etc/ssh/sshd_config.d/50-redhat.conf" is missing, this is a finding.
@@ -36,4 +36,6 @@ fixtext: |-
     Reinstall OpenSSH server package contents with the following command:
     <pre>sudo dnf -y remove openssh-server && sudo dnf -y install openssh-server</pre>
 
-platform: not osbuild
+warnings:
+    - general: |-
+        There is no automated remediation because recommended action could severely disrupt the system and might not be efficient in fixing the problem.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/confing.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/confing.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# remediation = none
+# platform = multi_platform_all
+
+sed -i '/Include \/etc\/crypto-policies\/back-ends\/opensshserver.config/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
+echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/sshd_config
+
+if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then
+  echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/default_pass.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/default_pass.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/drop_in.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# remediation = none
+# platform = multi_platform_all
+
+sed -i '/Include \/etc\/crypto-policies\/back-ends\/opensshserver.config/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
+echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/sshd_config.d/50-redhat.conf
+
+if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then
+  echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh
@@ -1,12 +1,9 @@
 #!/bin/bash
+# remediation = none
+# platform = multi_platform_all
 
-# this is done because the remediation will reset the /etc/ssh/sshd_config file
-# which is modified by Automatus so that root can log in.
-# This prevents Automatus from logging in for final scan.
-echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/99-automatus.conf
-
-sed -i '/Include/d' /etc/ssh/sshd_config
+sed -i '/Include \/etc\/crypto-policies\/back-ends\/opensshserver.config/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
 
 if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then
-  echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config.d/50-redhat.conf
+  echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
 fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh
@@ -1,12 +1,9 @@
 #!/bin/bash
-
-# this is done because the remediation will reset the /etc/ssh/sshd_config file
-# which is modified by Automatus so that root can log in.
-# This prevents Automatus from logging in for final scan.
-echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/99-automatus.conf
+# remediation = none
+# platform = multi_platform_all
 
 sed -i '/Include/d' /etc/ssh/sshd_config
 
-if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then
-  echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config
+if ! grep -q "Include /etc/crypto-policies/back-ends/opensshserver.config" /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config; then
+  echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/sshd_config.d/50-redhat.conf
 fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh
@@ -1,8 +1,5 @@
 #!/bin/bash
+# remediation = none
+# platform = multi_platform_all
 
-# this is done because the remediation will reset the /etc/ssh/sshd_config file
-# which is modified by Automatus so that root can log in.
-# This prevents Automatus from logging in for final scan.
-echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/99-automatus.conf
-
-sed -i '/Include/d' /etc/ssh/sshd_config
+sed -i '/Include/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf