Sle16 sshd lineinfile related fixes#14458
Open
teacup-on-rockingchair wants to merge 12 commits into ComplianceAsCode:master from
…shd config is in /usr subdir Add macros for ansible, bash and oval to check and set sshd config parameters for case where config can be both in /usr and /etc
…nfig in /usr and subfolders
…nd subfolders for sshd_set_idle_timeout rule
…nd subfolders for sshd_set_login_grace_time rule
…nd subfolders for sshd_set_max_auth_tries rule
…nd subfolders for sshd_set_max_sessions rule
…nd subfolders for sshd_set_maxstartups rule
This datastream diff is auto-generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if ( ( rpm --quiet -q libreswan && rpm --quiet -q kernel-core ) ); then
+if rpm --quiet -q kernel-core; then
function remediate_libreswan_crypto_policy() {
CONFIG_FILE="/etc/ipsec.conf"
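Review bot: the platform guard at the top of this hunk drops the `rpm --quiet -q libreswan` test, so `remediate_libreswan_crypto_policy` now runs on any host that has `kernel-core` and will create or edit `/etc/ipsec.conf` (the `CONFIG_FILE` two lines below) on systems where libreswan is not installed. This rule is also well outside the sshd/SLE16 scope of the commits listed above, as is most of this datastream diff; if these hunks come from a stale base, a rebase onto current master should shrink the diff to the sshd changes, otherwise the package check should be restored.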
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
@@ -22,8 +22,7 @@
path: /etc/ipsec.conf
line: include /etc/crypto-policies/back-ends/libreswan.config
create: true
- when: ( "libreswan" in ansible_facts.packages and "kernel-core" in ansible_facts.packages
- )
+ when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-80937-6
- DISA-STIG-RHEL-08-010280
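Review bot: same concern for the `when:` clause here: with `create: true` on this task and the libreswan condition removed, the play writes an `/etc/ipsec.conf` that contains only the crypto-policies include line on hosts without libreswan. Keep `"libreswan" in ansible_facts.packages` in the condition unless the platform change is intentional.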
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy'
--- xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
@@ -1,2 +1 @@
-oval:ssg-package_libreswan:def:1
oval:ssg-system_with_kernel:def:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy' differs.
--- ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1
+++ ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1
@@ -6,5 +6,5 @@
Run the following command:
$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd
- Is it the case that the CRYPTO_POLICY variable is set or is not commented out in /etc/sysconfig/sshd?
+ Is it the case that the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd?
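Review bot: style point on the OCIL wording: "in the /etc/sysconfig/sshd" reads worse than the original "in /etc/sysconfig/sshd". Either drop the definite article before the absolute path or reword to "in the /etc/sysconfig/sshd file".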
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed'.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -198,9 +198,6 @@
6.3
[reference]:
-1.2.1.1
-
-[reference]:
RHEL-08-010019
[reference]:
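Review bot: the `1.2.1.1` reference is dropped from the rule text without any matching change in the commit list above; confirm this is intended rather than a side effect of a stale base, since references change which profiles and control tables the rule appears in.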
bash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' differs.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -20,9 +20,11 @@
# No CRC error, safe to proceed
if [ "${GPG_RESULT}" -eq "0" ]
then
- # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
- echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
+ echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
+ # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
+ rpm --import "${REDHAT_RELEASE_KEY}"
+ }
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed' differs.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -99,7 +99,9 @@
- restrict_strategy
- name: 'Ensure Red Hat GPG Key Installed: Import RedHat GPG key'
- ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+ ansible.builtin.rpm_key:
+ state: present
+ key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
when:
- gpg_key_directory_permission.stat.mode <= '0755'
- (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length ==
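Review bot: replacing `ansible.builtin.command: rpm --import ...` with `ansible.builtin.rpm_key` and `state: present` is an improvement: the module is idempotent and reports `changed` only when the key is actually imported, whereas the command task reported a change on every run. The `when:` conditions (directory mode and the fingerprint difference) are unchanged in the visible context, so the gating is preserved.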
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -1,8 +1,26 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-login_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$login_banner_contents" > /etc/issue
+read -r -d '' login_banner_text <<'EOF' || true
+
+EOF
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
+formatted=$(echo "$login_banner_text" | fold -sw 80)
+cat <<EOF >/etc/issue
+$formatted
+EOF
else
>&2 echo 'Remediation is not applicable, nothing was done'
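Review bot: the banner variable is initialised differently across the three banner rules: here with `read -r -d '' login_banner_text <<'EOF' || true`, while `banner_etc_issue_net` and `banner_etc_motd` below use a plain `remote_login_banner_text=''` / `motd_banner_text=''` assignment. Both forms work (the `|| true` is required because `read -d ''` returns non-zero at EOF), but the three identical sed pipelines should come from one shared snippet so they cannot drift. The unquoted `cat <<EOF >/etc/issue` heredoc is safe only because `$formatted` is expanded once and its contents are not re-evaluated; a comment saying so would help the next reader.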
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -13,18 +13,18 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value login_banner_contents # promote to variable
+- name: XCCDF Value login_banner_text # promote to variable
set_fact:
- login_banner_contents: !!str
+ login_banner_text: !!str
tags:
- always
- name: Modify the System Login Banner - Ensure Correct Banner
ansible.builtin.copy:
dest: /etc/issue
- content: |
- {{ login_banner_contents | replace('\n', '
- ') }}
+ content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-80763-6
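Review bot: the bash remediation wraps the banner with `fold -sw 80`, but `wordwrap()` in this `content:` expression uses Jinja's default width of 79 columns, so the bash and Ansible remediations can write differently wrapped `/etc/issue` files from the same banner value. Pass `wordwrap(80)` here, and in the `banner_etc_issue_net` and `banner_etc_motd` tasks below, which carry the same expression, so that a post-remediation check behaves identically regardless of which remediation ran.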
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -1,8 +1,26 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-remote_login_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$remote_login_banner_contents" > /etc/issue.net
+remote_login_banner_text=''
+
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+remote_login_banner_text=$(echo "$remote_login_banner_text" | sed 's/\\//g')
+formatted=$(echo "$remote_login_banner_text" | fold -sw 80)
+
+cat <<EOF >/etc/issue.net
+$formatted
+EOF
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -9,18 +9,18 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value remote_login_banner_contents # promote to variable
+- name: XCCDF Value remote_login_banner_text # promote to variable
set_fact:
- remote_login_banner_contents: !!str
+ remote_login_banner_text: !!str
tags:
- always
- name: Modify the System Login Banner for Remote Connections - ensure correct banner
ansible.builtin.copy:
dest: /etc/issue.net
- content: |
- {{ remote_login_banner_contents | replace('\n', '
- ') }}
+ content: '{{ remote_login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86147-6
bash remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -1,8 +1,26 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-motd_banner_contents=$(echo "" | sed 's/\\n/\n/g')
-echo "$motd_banner_contents" > /etc/motd
+motd_banner_text=''
+
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+motd_banner_text=$(echo "$motd_banner_text" | sed 's/\\//g')
+formatted=$(echo "$motd_banner_text" | fold -sw 80)
+
+cat <<EOF >/etc/motd
+$formatted
+EOF
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd' differs.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -9,18 +9,18 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value motd_banner_contents # promote to variable
+- name: XCCDF Value motd_banner_text # promote to variable
set_fact:
- motd_banner_contents: !!str
+ motd_banner_text: !!str
tags:
- always
- name: Modify the System Message of the Day Banner - ensure correct banner
ansible.builtin.copy:
dest: /etc/motd
- content: |
- {{ motd_banner_contents | replace('\n', '
- ') }}
+ content: '{{ motd_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "\n") | regex_replace("\\", "") | wordwrap() }}'
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-83496-0
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -1,7 +1,24 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm; then
-dconf_login_banner_contents=$(echo "" )
+login_banner_text=''
+
+# Multiple regexes transform the banner regex into a usable banner
+# 0 - Remove anchors around the banner text
+login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
+# 1 - Keep only the first banners if there are multiple
+# (dod_banners contains the long and short banner)
+login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
+# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
+login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
+# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*")
+login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/(n)*/g')
+# 4 - Remove any leftover backslash. (From any parenthesis in the banner, for example).
+login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
+# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n").
+# ( Needs to be done after 4, otherwise the escapce sequence will become just "n".
+login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g')
+
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :
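Review bot: the comment for step 5 has a typo ("escapce") and an unclosed parenthesis; suggest `# (Needs to be done after 4, otherwise the escape sequence would become just "n".)`. The ordering itself is correct: step 4 strips every backslash, so emitting `\n` before it would leave a bare `n`, which is exactly why the `(n)*` placeholder is introduced in step 3 and resolved only in step 5.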
@@ -28,7 +45,7 @@
printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE}
fi
-escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${dconf_login_banner_contents}'")"
+escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")"
if grep -q "^\\s*banner-message-text\\s*=" "${DCONFFILE}"
then
sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${DCONFFILE}"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text
@@ -13,9 +13,9 @@
- medium_severity
- no_reboot_needed
- unknown_strategy
-- name: XCCDF Value dconf_login_banner_contents # promote to variable
+- name: XCCDF Value login_banner_text # promote to variable
set_fact:
- dconf_login_banner_contents: !!str
+ login_banner_text: !!str
tags:
- always
@@ -72,7 +72,9 @@
dest: /etc/dconf/db/gdm.d/00-security-settings
section: org/gnome/login-screen
option: banner-message-text
- value: '''{{ dconf_login_banner_contents }}'''
+ value: '''{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
+ "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
+ "(n)*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}'''
create: true
no_extra_spaces: true
register: result_ini
bash remediation for rule 'xccdf_org.ssgproject.content_rule_logind_session_timeout' differs.
--- xccdf_org.ssgproject.content_rule_logind_session_timeout
+++ xccdf_org.ssgproject.content_rule_logind_session_timeout
@@ -3,10 +3,6 @@
var_logind_session_timeout=''
-
-# Remove StopIdleSessionSec from main config
-
-LC_ALL=C sed -i "/^\s*StopIdleSessionSec\s*=/Id" "/etc/systemd/logind.conf"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_logind_session_timeout' differs.
--- xccdf_org.ssgproject.content_rule_logind_session_timeout
+++ xccdf_org.ssgproject.content_rule_logind_session_timeout
@@ -25,38 +25,6 @@
var_logind_session_timeout: !!str
tags:
- always
-
-- name: Remove StopIdleSessionSec from main config
- ansible.builtin.lineinfile:
- path: /etc/systemd/logind.conf
- regexp: ^\s*StopIdleSessionSec\s*=
- state: absent
- when:
- - '"kernel-core" in ansible_facts.packages'
- - ( ansible_distribution == 'RedHat' and ansible_distribution_version is version('8.7',
- '>=') and ansible_distribution == 'RedHat' and ansible_distribution_version is
- version('9.0', '!=') ) or ansible_distribution == 'OracleLinux' and ansible_distribution_version
- is version('8.7', '>=') or ansible_distribution == 'SLES' and ansible_distribution_version
- is version('15', '>=')
- tags:
- - CCE-90784-0
- - CJIS-5.5.6
- - DISA-STIG-RHEL-08-020035
- - NIST-800-171-3.1.11
- - NIST-800-53-AC-12
- - NIST-800-53-AC-17(a)
- - NIST-800-53-AC-17(a)
- - NIST-800-53-AC-2(5)
- - NIST-800-53-CM-6(a)
- - NIST-800-53-CM-6(a)
- - NIST-800-53-SC-10
- - PCI-DSS-Req-8.1.8
- - logind_session_timeout
- - low_complexity
- - low_disruption
- - medium_severity
- - reboot_required
- - restrict_strategy
- name: Set 'StopIdleSessionSec' to '{{ var_logind_session_timeout }}' in the [Login]
section of '/etc/systemd/logind.conf'
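Review bot: the deleted "Remove StopIdleSessionSec from main config" task carried the only distribution gating visible here (RHEL >= 8.7 except 9.0, OracleLinux >= 8.7, SLES >= 15); the following "Set 'StopIdleSessionSec'" task is cut off by the hunk, so please confirm it keeps the same `when:` conditions, otherwise the key would now be written on releases the gating was meant to exclude. Dropping the delete-then-set sequence is otherwise fine as long as the remaining task edits an existing key in the `[Login]` section in place rather than appending a second one.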
OVAL for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su' differs.
--- oval:ssg-use_pam_wheel_for_su:def:1
+++ oval:ssg-use_pam_wheel_for_su:def:1
@@ -1,2 +1,2 @@
criteria AND
-criterion oval:ssg-test_pam_auth_pam_wheel_use_uid:tst:1
+criterion oval:ssg-test_use_pam_wheel_for_su:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su' differs.
--- xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
+++ xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
@@ -1,57 +1,8 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
-declare -a VALUES=()
-declare -a VALUE_NAMES=()
-declare -a ARGS=()
-declare -a NEW_ARGS=()
-declare -a DEL_ARGS=()
-
-
-
-
-VALUES+=("")
-VALUE_NAMES+=("")
-ARGS+=("use_uid")
-NEW_ARGS+=("use_uid")
-
-
-for idx in "${!VALUES[@]}"
-do
- if [ -e "/etc/pam.d/su" ] ; then
- valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/su" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/su"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*auth\\s+required\\s+pam_wheel.so" < "/etc/pam.d/su" &&
- grep -E "^\\s*auth\\s+required\\s+pam_wheel.so" < "/etc/pam.d/su" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_wheel.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/su"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/su" ; then
- echo "auth required pam_wheel.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/su"
- fi
- else
- echo "/etc/pam.d/su doesn't exist" >&2
- fi
-done
-
-for idx in "${!ARGS[@]}"
-do
- if ! grep -q -P "^\s*auth\s+required\s+pam_wheel.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/su ; then
- sed --follow-symlinks -i -E -e "s/^\\s*auth\\s+required\\s+pam_wheel.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/su
- if [ -n "${DEL_ARGS[$idx]}" ]; then
- sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/su
- fi
- fi
-done
+# uncomment the option if commented
+sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
else
>&2 echo 'Remediation is not applicable, nothing was done'
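Review bot: the new remediation only uncomments a line that already reads exactly `# auth required pam_wheel.so use_uid`, since the regex is anchored on `use_uid$`. If `/etc/pam.d/su` has no such commented line, or the commented line carries further options such as `group=...`, nothing is changed and the rule keeps failing after remediation; the removed loop handled both the "option missing on an active line" and the "no entry at all" cases. Suggest adding a fallback that appends `use_uid` to an active `pam_wheel.so` line lacking it and inserts `auth required pam_wheel.so use_uid` after the `pam_rootok.so` line when no active line exists, the way the `use_pam_wheel_group_for_su` remediation below does.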
New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su'.
OVAL for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su' differs.
--- oval:ssg-use_pam_wheel_group_for_su:def:1
+++ oval:ssg-use_pam_wheel_group_for_su:def:1
@@ -1,3 +1,2 @@
criteria AND
-criterion oval:ssg-test_pam_auth_pam_wheel_group:tst:1
-criterion oval:ssg-test_pam_auth_pam_wheel_use_uid:tst:1
+criterion oval:ssg-test_use_pam_wheel_group_for_su:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su' differs.
--- xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su
+++ xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su
@@ -1,66 +1,21 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
-declare -a VALUES=()
-declare -a VALUE_NAMES=()
-declare -a ARGS=()
-declare -a NEW_ARGS=()
-declare -a DEL_ARGS=()
+var_pam_wheel_group_for_su=''
+PAM_CONF=/etc/pam.d/su
-
-
-
-var_pam_wheel_group_for_su=''
-
-VALUES+=("$var_pam_wheel_group_for_su")
-VALUE_NAMES+=("group")
-ARGS+=("")
-NEW_ARGS+=("")
-
-VALUES+=("")
-VALUE_NAMES+=("")
-ARGS+=("use_uid")
-NEW_ARGS+=("use_uid")
-
-
-for idx in "${!VALUES[@]}"
-do
- if [ -e "/etc/pam.d/su" ] ; then
- valueRegex="${VALUES[$idx]}" defaultValue="${VALUES[$idx]}"
- # non-empty values need to be preceded by an equals sign
- [ -n "${valueRegex}" ] && valueRegex="=${valueRegex}"
- # add an equals sign to non-empty values
- [ -n "${defaultValue}" ] && defaultValue="=${defaultValue}"
-
- # fix the value for 'option' if one exists but does not match 'valueRegex'
- if grep -q -P "^\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}(?"'!'"${valueRegex}(\\s|\$))" < "/etc/pam.d/su" ; then
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s)${VALUE_NAMES[$idx]}=[^[:space:]]*/\\1${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/su"
-
- # add 'option=default' if option is not set
- elif grep -q -E "^\\s*auth\\s+required\\s+pam_wheel.so" < "/etc/pam.d/su" &&
- grep -E "^\\s*auth\\s+required\\s+pam_wheel.so" < "/etc/pam.d/su" | grep -q -E -v "\\s${VALUE_NAMES[$idx]}(=|\\s|\$)" ; then
-
- sed --follow-symlinks -i -E -e "s/^(\\s*auth\\s+required\\s+pam_wheel.so[^\\n]*)/\\1 ${VALUE_NAMES[$idx]}${defaultValue}/" "/etc/pam.d/su"
- # add a new entry if none exists
- elif ! grep -q -P "^\\s*auth\\s+required\\s+pam_wheel.so(\\s.+)?\\s+${VALUE_NAMES[$idx]}${valueRegex}(\\s|\$)" < "/etc/pam.d/su" ; then
- echo "auth required pam_wheel.so ${VALUE_NAMES[$idx]}${defaultValue}" >> "/etc/pam.d/su"
- fi
- else
- echo "/etc/pam.d/su doesn't exist" >&2
+pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF})
+if [ -z "$pamstr" ]; then
+ sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line
+ sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a auth required pam_wheel.so use_uid group=${var_pam_wheel_group_for_su}" ${PAM_CONF}
+else
+ group_val=$(echo -n "$pamstr" | grep -Eo '\bgroup=[_a-z][-0-9_a-z]*' | cut -d '=' -f 2)
+ if [ -z "${group_val}" ] || [ ${group_val} != ${var_pam_wheel_group_for_su} ]; then
+ sed -Ei "s/(^auth\s+required\s+pam_wheel.so\s+[^#]*group=)[_a-z][-0-9_a-z]*/\1${var_pam_wheel_group_for_su}/" ${PAM_CONF}
fi
-done
-
-for idx in "${!ARGS[@]}"
-do
- if ! grep -q -P "^\s*auth\s+required\s+pam_wheel.so.*\s+${ARGS[$idx]}\s*$" /etc/pam.d/su ; then
- sed --follow-symlinks -i -E -e "s/^\\s*auth\\s+required\\s+pam_wheel.so.*\$/& ${NEW_ARGS[$idx]}/" /etc/pam.d/su
- if [ -n "${DEL_ARGS[$idx]}" ]; then
- sed --follow-symlinks -i -E -e "s/\s+${DEL_ARGS[$idx]}\S+\s+/ /g" /etc/pam.d/su
- fi
- fi
-done
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
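Review bot: two problems in the replacement logic. First, the comparison `[ ${group_val} != ${var_pam_wheel_group_for_su} ]` is unquoted: if the XCCDF value expands to an empty string the test degenerates to `[ wheel != ]` and errors out, and the `sed` on the next line would otherwise write `group=` with an empty name; quote both operands and bail out early when the variable is empty. Second, the insert path depends on `sed -Ei "/^auth\s+sufficient\s+pam_rootok\.so.*$/a ..."`, so on a `/etc/pam.d/su` without a `pam_rootok.so` line the preceding `d` command has already removed every active `pam_wheel.so` line and nothing is inserted, leaving `su` with no wheel restriction at all; guard the insert with a grep for `pam_rootok.so` and append the line at the end of the file otherwise. Minor: the detection grep is anchored with `^auth`, so an indented but otherwise correct line is treated as missing and a duplicate line is appended.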
New data stream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_group_for_su'.
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username' differs.
--- oval:ssg-grub2_uefi_admin_username:def:1
+++ oval:ssg-grub2_uefi_admin_username:def:1
@@ -1,5 +1,2 @@
criteria OR
criterion oval:ssg-test_bootloader_uefi_superuser_differ_from_other_users:tst:1
-criteria AND
-criterion oval:ssg-test_grub2_uefi_admin_username_stub:tst:1
-criterion oval:ssg-test_bootloader_uefi_boot_superuser_differ_from_other_users:tst:1
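Review bot: removing the `criteria AND` branch leaves only `test_bootloader_uefi_superuser_differ_from_other_users`, so the alternative location covered by `test_bootloader_uefi_boot_superuser_differ_from_other_users` (guarded by the `_stub` test) is no longer evaluated; the same narrowing happens in the `grub2_uefi_password` hunk below. Confirm this is an intended simplification and not a stale base, because it changes which systems pass the check.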
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_uefi_password' differs.
--- oval:ssg-grub2_uefi_password:def:1
+++ oval:ssg-grub2_uefi_password:def:1
@@ -1,5 +1,2 @@
criteria OR
criterion oval:ssg-test_grub2_uefi_password_usercfg:tst:1
-criteria AND
-criterion oval:ssg-test_grub2_uefi_password_stub:tst:1
-criterion oval:ssg-test_grub2_uefi_password_boot_usercfg:tst:1
New data stream is missing OCIL for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_in_bios'.
New data stream is missing OCIL for rule 'xccdf_org.ssgproject.content_rule_bios_disable_usb_boot'.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_dnsmasq_removed'.
--- xccdf_org.ssgproject.content_rule_package_dnsmasq_removed
+++ xccdf_org.ssgproject.content_rule_package_dnsmasq_removed
@@ -10,6 +10,9 @@
$ sudo yum erase dnsmasq
+[reference]:
+2.1.6
+
[rationale]:
Unless a system is specifically designated to act as a DNS
caching, DNS forwarding and/or DHCP server, it is recommended that the
xccdf_org.ssgproject.content_rule_service_dnsmasq_disabled is missing in new data stream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0'.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -15,8 +15,6 @@
value of 0 in
-
-
/etc/ssh/sshd_config:
[reference]:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -2,7 +2,6 @@
if rpm --quiet -q kernel-core; then
var_sshd_set_keepalive=''
-
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -2,7 +2,6 @@
if rpm --quiet -q kernel-core; then
sshd_idle_timeout_value=''
-
if [ -e "/etc/ssh/sshd_config" ] ; then
New content has different text for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth'.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -15,8 +15,6 @@
following line in
-
-
/etc/ssh/sshd_config:
HostbasedAuthentication no
OCIL for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- ocil:ssg-disable_host_auth_ocil:questionnaire:1
+++ ocil:ssg-disable_host_auth_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command:
$ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -2,7 +2,6 @@
if rpm --quiet -q kernel-core; then
var_sshd_disable_compression=''
-
if [ -e "/etc/ssh/sshd_config" ] ; then
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -11,8 +11,6 @@
add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:
$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_forwarding'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_forwarding
@@ -8,8 +8,6 @@
options and may simplify restricted configurations.
To explicitly disable SSHD forwarding, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_forwarding' differs.
--- ocil:ssg-sshd_disable_forwarding_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_forwarding_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's DisableForwarding option is set, run the following command:
$ sudo grep -i DisableForwarding /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -10,8 +10,6 @@
configuration is used if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- ocil:ssg-sshd_disable_gssapi_auth_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_gssapi_auth_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:
$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -10,8 +10,6 @@
The appropriate configuration is used if no value is set for KerberosAuthentication.
To explicitly disable Kerberos authentication, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's KerberosAuthentication option is set, run the following command:
$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -6,8 +6,6 @@
Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms. To disable PubkeyAuthentication authentication, add or
correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- ocil:ssg-sshd_disable_pubkey_auth_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_pubkey_auth_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command:
$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -13,8 +13,6 @@
To explicitly disable support for .rhosts files, add or correct the following line in
-
-
/etc/ssh/sshd_config:
IgnoreRhosts yes
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's IgnoreRhosts option is set, run the following command:
$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1
@@ -3,9 +3,6 @@
$ rpm -qi openssh-server | grep Version
Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option.
If version is lower than 7.4, run the following command to check configuration:
-
-
-
To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command:
$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -6,8 +6,6 @@
The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's PermitRootLogin option is set, run the following command:
$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -4,8 +4,6 @@
[description]:
To disable password-based root logins over SSH, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- ocil:ssg-sshd_disable_root_password_login_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_root_password_login_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's PermitRootLogin option is set, run the following command:
$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -5,8 +5,6 @@
[description]:
The AllowTcpForwarding parameter specifies whether TCP forwarding is permitted.
To disable TCP forwarding, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's AllowTcpForwarding option is set, run the following command:
$ sudo grep -i AllowTcpForwarding /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -8,8 +8,6 @@
To ensure this behavior is disabled, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:
$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -12,8 +12,6 @@
configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- ocil:ssg-sshd_disable_x11_forwarding_ocil:questionnaire:1
+++ ocil:ssg-sshd_disable_x11_forwarding_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's X11Forwarding option is set, run the following command:
$ sudo grep -i X11Forwarding /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env'.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -9,8 +9,6 @@
configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1
+++ ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:
$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -6,8 +6,6 @@
Sites setup to use Kerberos or other GSSAPI Authentication require setting
sshd to accept this authentication.
To enable GSSAPI authentication, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- ocil:ssg-sshd_enable_gssapi_auth_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_gssapi_auth_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:
$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -9,8 +9,6 @@
authentication types.
To enable PAM authentication, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- ocil:ssg-sshd_enable_pam_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_pam_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's UsePAM option is set, run the following command:
$ sudo grep -i UsePAM /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -9,8 +9,6 @@
configuration is used if no value is set for PubkeyAuthentication.
To explicitly enable Public Key Authentication, add or correct the following
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command:
$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -13,8 +13,6 @@
To explicitly enable StrictModes in SSH, add or correct the following line in
-
-
/etc/ssh/sshd_config:
StrictModes yes
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's StrictModes option is set, run the following command:
$ sudo grep -i StrictModes /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -5,8 +5,6 @@
[description]:
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's Banner option is set, run the following command:
$ sudo grep -i Banner /etc/ssh/sshd_config
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's Banner option is set, run the following command:
$ sudo grep -i Banner /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -9,8 +9,6 @@
To enable X11 Forwarding, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1
+++ ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's X11Forwarding option is set, run the following command:
$ sudo grep -i X11Forwarding /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log'.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -9,8 +9,6 @@
The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- ocil:ssg-sshd_print_last_log_ocil:questionnaire:1
+++ ocil:ssg-sshd_print_last_log_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's PrintLastLog option is set, run the following command:
$ sudo grep -i PrintLastLog /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit'.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -8,8 +8,6 @@
amount of data that may be transmitted and the time
elapsed.
To decrease the default limits, add or correct the following line in
-
-
/etc/ssh/sshd_config:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -2,7 +2,6 @@
if rpm --quiet -q kernel-core; then
var_sshd_set_login_grace_time=''
-
if [ -e "/etc/ssh/sshd_config" ] ; then
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info'.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -9,8 +9,6 @@
configuration is used if no value is set for LogLevel.
To explicitly specify the log level in SSH, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1
+++ ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's LogLevel option is set, run the following command:
$ sudo grep -i LogLevel /etc/ssh/sshd_config
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose'.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -6,8 +6,6 @@
The VERBOSE parameter configures the SSH daemon to record login and logout activity.
To specify the log level in
SSH, add or correct the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- ocil:ssg-sshd_set_loglevel_verbose_ocil:questionnaire:1
+++ ocil:ssg-sshd_set_loglevel_verbose_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's LogLevel option is set, run the following command:
$ sudo grep -i LogLevel /etc/ssh/sshd_config
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -2,7 +2,6 @@
if rpm --quiet -q kernel-core; then
sshd_max_auth_tries_value=''
-
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -2,7 +2,6 @@
if rpm --quiet -q kernel-core; then
var_sshd_max_sessions=''
-
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -2,7 +2,6 @@
if rpm --quiet -q kernel-core; then
var_sshd_set_maxstartups=''
-
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
+++ xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
@@ -4,22 +4,27 @@
sshd_approved_ciphers=''
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Ciphers")
-if [ -e "/etc/ssh/sshd_config" ] ; then
-
- LC_ALL=C sed -i "/^\s*Ciphers\s\+/Id" "/etc/ssh/sshd_config"
+# shellcheck disable=SC2059
+printf -v formatted_output "%s %s" "$stripped_key" "$sshd_approved_ciphers"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^Ciphers\\>" "/etc/ssh/sshd_config"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ LC_ALL=C sed -i --follow-symlinks "s/^Ciphers\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config"
else
- touch "/etc/ssh/sshd_config"
+ if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config"
+ fi
+ cce="CCE-81032-5"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config"
+ printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config"
fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/ssh/sshd_config"
-
-cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert at the beginning of the file
-printf '%s\n' "Ciphers $sshd_approved_ciphers" > "/etc/ssh/sshd_config"
-cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-# Clean up after ourselves.
-rm "/etc/ssh/sshd_config.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
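Review bot: the new else branch appends `Ciphers` at the end of `/etc/ssh/sshd_config` when no line starts with `Ciphers`, whereas the removed code wrote it as the first line of the file. sshd uses the first value it reads for a keyword, so a `Ciphers` that arrives earlier, for example through the `Include` of `sshd_config.d/*.conf` that the PR description says is the first directive in `sshd_config`, now silently wins over the appended line. A smaller point in the same hunk: the old `sed -i "/^\s*Ciphers\s\+/Id"` also matched indented `Ciphers` lines, which `grep -q -m 1 -i -e "^Ciphers\\>"` and the `s/^Ciphers\\>.*/.../gi` rewrite no longer do, so an indented existing line survives and, being earlier in the file, takes precedence over the appended one. Suggest keeping the insert-at-top behaviour (or writing the drop-in that the PR description describes for the other rules) and matching `^\s*Ciphers\>` in both the grep and the sed.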
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -2,7 +2,6 @@
if rpm --quiet -q kernel-core && { ( rpm --quiet -q openssh-server && { real="$(epoch=$(rpm -q --queryformat '%{EPOCH}' openssh-server); version=$(rpm -q --queryformat '%{VERSION}' openssh-server); [ "$epoch" = "(none)" ] && echo "0:$version" || echo "$epoch:$version")"; expected="0:7.5"; [[ "$real" != "$expected" ]] && printf "%s\n%s" "$real" "$expected" | sort -VC; } ); }; then
var_sshd_priv_separation=''
-
if [ -e "/etc/ssh/sshd_config" ] ; then
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
@@ -2,8 +2,6 @@
if rpm --quiet -q kernel-core; then
sshd_strong_kex=''
-
-
if [ -e "/etc/ssh/sshd_config" ] ; then
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost'.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -11,8 +11,6 @@
To explicitly prevent remote connections to the proxy display, add or correct
the following line in
-
-
/etc/ssh/sshd_config:
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- ocil:ssg-sshd_x11_use_localhost_ocil:questionnaire:1
+++ ocil:ssg-sshd_x11_use_localhost_ocil:questionnaire:1
@@ -1,6 +1,3 @@
-
-
-
To determine how the SSH daemon's X11UseLocalhost option is set, run the following command:
$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config |
svet-se approved these changes (Mar 9, 2026)

Mab879 reviewed (Mar 9, 2026) and commented on this changed platform line:

#!/bin/bash

- # platform = multi_platform_fedora,Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,multi_platform_ubuntu
+ # platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 10,Red Hat Enterprise Linux 9,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu

Mab879 (Member): RHEL 10 and RHEL 9 are not in correct order
Co-authored-by: Matthew Burket <m@tthewburket.com>
Thanks to @Mab879 for the note 🙇
Description:

Rationale:

General rule for all SSH server configuration changes:

- `/etc/ssh/sshd_config` exists: check `/etc/ssh/sshd_config`, `/etc/ssh/sshd_config.d/*.conf`, `/usr/etc/ssh/sshd_config.d/*.conf`
- `/etc/ssh/sshd_config` does not exist: check `/usr/etc/ssh/sshd_config`, `/etc/ssh/sshd_config.d/*.conf`, `/usr/etc/ssh/sshd_config.d/*.conf`

Regarding remediations:

- `/usr/etc/ssh/sshd_config` to `/etc/ssh/sshd_config` (if `/etc/ssh/sshd_config` does not exist),
- configs are added to `/etc/ssh/sshd_config.d/*.conf` (1st Include in sshd_config)
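The file-selection rule in the description above, as an added bash example that is not ComplianceAsCode's macro code or anything from this PR. It takes an assumed ROOT prefix argument ("" on a live host) so it can be exercised against a constructed directory tree, and instead of hard-coding the two `sshd_config.d` directories it follows `Include` directives the way sshd does, honouring first-occurrence-wins and stopping at the first `Match` block. It goes beyond the description by adding a drop-in remediation (`sshd_set_via_dropin`) that re-resolves the effective value afterwards, which catches the case where a drop-in that sorts earlier, or a line placed before the Include, still shadows the new setting. All function names and the demo tree (including `50-ciphers.conf` and the vendor `LogLevel` line) are constructed for this example.

```shell
#!/bin/bash
# Added example, not ComplianceAsCode's macro code. ROOT is an assumed prefix
# ("" on a live host) so each function can run against a constructed tree.

# Main config per the PR's rule: /etc/ssh/sshd_config when it exists,
# otherwise the vendor copy in /usr/etc/ssh/sshd_config.
sshd_main_config() {
    local root="$1"
    if [ -e "$root/etc/ssh/sshd_config" ]; then
        printf '%s\n' "$root/etc/ssh/sshd_config"
    else
        printf '%s\n' "$root/usr/etc/ssh/sshd_config"
    fi
}

# Print "keyword value" lines from FILE with Include directives expanded in
# place (depth-first, glob-sorted), the order sshd itself reads them in.
# Comments and blank lines are dropped; relative Include paths live in /etc/ssh.
sshd_flatten() {
    local root="$1" file="$2" line key val pattern inc
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"     # strip leading whitespace
        case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
        key="${line%%[[:space:]=]*}"                  # keyword ends at space or '='
        val="${line#"$key"}"
        val="${val#"${val%%[![:space:]=]*}"}"         # drop the separator
        if [ "$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')" = include ]; then
            set -f; set -- $val; set +f               # split patterns without globbing
            for pattern in "$@"; do
                case "$pattern" in
                    /*) pattern="$root$pattern" ;;
                    *)  pattern="$root/etc/ssh/$pattern" ;;
                esac
                for inc in $pattern; do               # glob expansion happens here
                    if [ -f "$inc" ]; then sshd_flatten "$root" "$inc"; fi
                done
            done
        else
            printf '%s %s\n' "$key" "$val"
        fi
    done < "$file"
}

# Effective global value of KEYWORD (case-insensitive): the first occurrence
# wins, and the global section ends at the first Match block.
sshd_effective_value() {
    local root="$1" want key val
    want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
    sshd_flatten "$root" "$(sshd_main_config "$root")" | while read -r key val; do
        key="$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')"
        if [ "$key" = match ]; then break; fi
        if [ "$key" = "$want" ]; then printf '%s\n' "$val"; break; fi
    done
}

# Remediation in the style the PR describes: write KEYWORD to a drop-in named
# NAME under /etc/ssh/sshd_config.d, then confirm sshd would now use VALUE.
# Returns 1 when an earlier-sorting drop-in, or a line placed before the
# Include in sshd_config, still shadows the new setting.
sshd_set_via_dropin() {
    local root="$1" key="$2" value="$3" name="$4"
    mkdir -p "$root/etc/ssh/sshd_config.d"
    printf '%s %s\n' "$key" "$value" > "$root/etc/ssh/sshd_config.d/$name"
    [ "$(sshd_effective_value "$root" "$key")" = "$value" ]
}

# Constructed tree (not taken from any real host). The Include comes first, so
# the drop-in's Ciphers beats the weaker Ciphers line below it in sshd_config.
sshd_build_demo_tree() {
    local root="$1"
    mkdir -p "$root/etc/ssh/sshd_config.d" "$root/usr/etc/ssh/sshd_config.d"
    cat > "$root/etc/ssh/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Ciphers aes128-cbc
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
    printf 'Ciphers aes256-gcm@openssh.com\n' > "$root/etc/ssh/sshd_config.d/50-ciphers.conf"
    printf 'LogLevel VERBOSE\n' > "$root/usr/etc/ssh/sshd_config"
}

sshd_demo() {
    local root; root="$(mktemp -d)"
    sshd_build_demo_tree "$root"
    sshd_effective_value "$root" Ciphers            # aes256-gcm@openssh.com
    sshd_effective_value "$root" PermitRootLogin    # yes (the Match block is not global)
    # 99-hardening.conf sorts after 50-ciphers.conf, so the first drop-in still wins
    sshd_set_via_dropin "$root" Ciphers aes256-ctr 99-hardening.conf || echo "drop-in shadowed"
    sshd_set_via_dropin "$root" Ciphers aes256-ctr 00-hardening.conf && echo "drop-in effective"
    rm -rf "$root"
}
sshd_demo
```

On a live host call the functions with `""` as the root; `sudo sshd -T` prints the daemon's own view of the effective configuration and is the authoritative cross-check for what the resolver reports. The point of re-resolving after writing the drop-in is that "added to /etc/ssh/sshd_config.d" only guarantees the value takes effect when nothing earlier in sshd's read order already sets the keyword.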