diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/ansible/shared.yml
deleted file mode 100644
index 2c9889e2b5a..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/ansible/shared.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-# platform = multi_platform_all
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-- (xccdf-var var_sshd_set_maxstartups)
-
-{{{ ansible_sshd_set(parameter="MaxStartups", value="{{ var_sshd_set_maxstartups }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/bash/shared.sh
deleted file mode 100644
index dd5a7031d45..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/bash/shared.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-# platform = multi_platform_all
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-
-{{{ bash_instantiate_variables("var_sshd_set_maxstartups") }}}
-
-{{{ bash_sshd_config_set(parameter="MaxStartups", value="$var_sshd_set_maxstartups") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml
index 8a6b3571338..dfad08d8a7b 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml
@@ -1,63 +1,96 @@ - - {{{ oval_metadata("Ensure 'MaxStartups' is configured in - '/etc/ssh/sshd_config'") }}} - - - + + {{{ oval_metadata("Ensure 'MaxStartups' is properly configured in SSH configuration files.") }}} + + + {{% if product in ['opensuse', 'sle12', 'sle15'] %}} - + {{% else %}} - + {{% endif %}} - - - + + + - - /etc/ssh/sshd_config + + /etc/(ssh|ssh/sshd_config.d) + (sshd_config|.*\.conf)$ (?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$ 1 - - /etc/ssh/sshd_config + + /etc/(ssh|ssh/sshd_config.d) + (sshd_config|.*\.conf)$ (?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$ 1 - - /etc/ssh/sshd_config + + /etc/(ssh|ssh/sshd_config.d) + (sshd_config|.*\.conf)$ (?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$ 1 - - 10 + + + + + + + + + + + + + + + + + + + + - - 30 + + - - 100 + + - - - + + + - - - + + + - - - + + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml index d785b5cb966..a327dc85b72 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml @@ -3,20 +3,16 @@ documentation_complete: true title: 'Ensure SSH MaxStartups is configured' description: |- - The MaxStartups parameter specifies the maximum number of concurrent - unauthenticated connections to the SSH daemon. Additional connections will be - dropped until authentication succeeds or the LoginGraceTime expires for a - connection. To confgure MaxStartups, you should add or correct the following - line in the - /etc/ssh/sshd_config file: + The MaxStartups parameter specifies the maximum number of concurrent unauthenticated + connections to the SSH daemon. Additional connections will be dropped until authentication + succeeds or the LoginGraceTime expires for a connection. To configure MaxStartups, you should + add or edit the following line in the /etc/ssh/sshd_config file:
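Review bot: The new path pattern `/etc/(ssh|ssh/sshd_config.d)` appears without anchors; if the `path` element is an unanchored pattern match it also matches `/etc/ssh/ssh_config.d`, so client-side `*.conf` drop-ins would be scanned for MaxStartups too (the element attributes are stripped in this rendering, so confirm against the file). Anchoring it as `^/etc/ssh(/sshd_config\.d)?$` restricts the object to the daemon's configuration. The three content regexes require the `start:rate:full` form, so the single-integer form `MaxStartups 10` that sshd also accepts evaluates as not configured; a comment on the object stating that only the triple form is accepted, or a test scenario for it, would make that deliberate. Since sshd keeps the first value it reads for a keyword, the state checks presumably also need to cover a lenient value in a drop-in taking precedence over a compliant one in sshd_config.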
MaxStartups {{{ xccdf_value("var_sshd_set_maxstartups") }}}
- CIS recommends a MaxStartups value of '10:30:60', or more restrictive where - dictated by site policy. rationale: |- - To protect a system from denial of service due to a large number of pending - authentication connection attempts, use the rate limiting function of MaxStartups - to protect availability of sshd logins and prevent overwhelming the daemon. + To protect a system from denial of service due to a large number of pending authentication + connection attempts, use the rate limiting function of MaxStartups to protect availability of + sshd logins and prevent overwhelming the daemon. severity: medium @@ -37,5 +33,14 @@ ocil_clause: 'maxstartups is not configured' ocil: |- To check if MaxStartups is configured, run the following command: -
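Review bot: The description still tells the administrator to edit `/etc/ssh/sshd_config` only, while the OCIL command and the OVAL object in this same change also read `/etc/ssh/sshd_config.d/*.conf`; say so here, e.g. `add or edit the following line in /etc/ssh/sshd_config or in a drop-in file under /etc/ssh/sshd_config.d/:`. Because sshd honours the first value it reads for a keyword and distributions commonly `Include` the drop-in directory near the top of sshd_config, a drop-in can silently override a compliant value in the main file, which is worth one sentence of caveat in the description. Removing the CIS guidance leaves the text with no indication of what a reasonable value looks like; if the variable's default carries `10:30:60`, point the reader to the variable instead of dropping the hint entirely.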
$ sudo grep MaxStartups /etc/ssh/sshd_config
+
$ sudo grep -r ^[\s]*MaxStartups /etc/ssh/sshd_config*
If configured, this command should output the configuration. + +template: + name: sshd_lineinfile + vars: + parameter: MaxStartups + xccdf_variable: var_sshd_set_maxstartups + datatype: string + backends: + oval: "off" diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh deleted file mode 100644 index 9c2d5053da7..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash -# -# profiles = xccdf_org.ssgproject.content_profile_cis - -if grep -q "^MaxStartups" /etc/ssh/sshd_config; then - sed -i "s/^MaxStartups.*/# MaxStartups 10:30:60/" /etc/ssh/sshd_config -else - echo "# MaxStartups 10:30:60" >> /etc/ssh/sshd_config -fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/lenient_value.fail.sh similarity index 56% rename from linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh rename to linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/lenient_value.fail.sh index 98b2ce55e91..7987ffeca9d 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/lenient_value.fail.sh @@ -1,9 +1,8 @@ #!/bin/bash -# -# profiles = xccdf_org.ssgproject.content_profile_cis +# variables = var_sshd_set_maxstartups=10:30:60 if grep -q "^MaxStartups" /etc/ssh/sshd_config; then sed -i "s/^MaxStartups.*/MaxStartups 10:30:60/" /etc/ssh/sshd_config else - echo "MaxStartups 10:30:60" >> /etc/ssh/sshd_config + echo "MaxStartups 20:40:60" >> /etc/ssh/sshd_config fi 
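Review bot: In the OCIL command `grep -r ^[\s]*MaxStartups /etc/ssh/sshd_config*`, `[\s]` is a POSIX bracket expression that matches the literal characters `\` and `s`, not whitespace, so an indented `    MaxStartups 10:30:60` line is not reported while a bogus `ssMaxStartups` line is. The grep is also case-sensitive although sshd keywords are not, whereas the OVAL regex in this change uses `(?i)` and `\s` correctly, so the manual check and the automated check disagree. Use `$ sudo grep -ri '^\s*MaxStartups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/` and keep the pattern quoted so the shell does not eat the backslash.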
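Review bot: In the `if` branch of lenient_value.fail.sh the sed rewrites an existing `MaxStartups` line to `10:30:60`, which is exactly the value the `# variables` header assigns to `var_sshd_set_maxstartups`, so the lenient value `20:40:60` is only written when no line exists and the `else` branch runs; on an image that already ships a MaxStartups line this fail scenario would pass. Use the lenient value in both branches: `sed -i "s/^MaxStartups.*/MaxStartups 20:40:60/" /etc/ssh/sshd_config`. A companion scenario that places the lenient value in `/etc/ssh/sshd_config.d/*.conf` while sshd_config holds a compliant one would exercise the new drop-in handling, which none of the remaining tests do.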
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh
deleted file mode 100644
index 97809176d2c..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_cis
-
-sed -i "/^MaxStartups.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh
deleted file mode 100644
index 3aec68a453e..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_cis
-
-true
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/stricter_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/stricter_value.pass.sh
new file mode 100644
index 00000000000..1df1bf36ad8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/stricter_value.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_sshd_set_maxstartups=10:30:60
+
+if grep -q "^MaxStartups" /etc/ssh/sshd_config; then
+ sed -i "s/^MaxStartups.*/MaxStartups 10:30:60/" /etc/ssh/sshd_config
+else
+ echo "MaxStartups 5:60:30" >> /etc/ssh/sshd_config
+fi
diff --git a/shared/templates/sshd_lineinfile/template.py b/shared/templates/sshd_lineinfile/template.py
index 5d717efd8c0..77756399d94 100644
--- a/shared/templates/sshd_lineinfile/template.py
+++ b/shared/templates/sshd_lineinfile/template.py
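Review bot: stricter_value.pass.sh has the same branch mismatch as the renamed fail test: when a `MaxStartups` line already exists the sed sets it to `10:30:60`, the exact variable value, so the stricter value `5:60:30` is only written when the line is missing and the scenario does not reliably verify that a stricter setting passes. Change the sed to `sed -i "s/^MaxStartups.*/MaxStartups 5:60:30/" /etc/ssh/sshd_config`. The detection grep uses `^MaxStartups`, so an indented or differently-cased existing line (accepted by sshd and by the new OVAL regex) is missed and a second line gets appended after it; `grep -qi '^\s*MaxStartups'` with a matching sed address would be more robust.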
@@ -13,8 +13,12 @@ def set_variables_for_test_scenarios(data): elif data["datatype"] == "string": if not data.get("value"): # this implies XCCDF variable is used - data["wrong_value"] = "wrong_value" - data["correct_value"] = "correct_value" + if data['xccdf_variable'] == 'var_sshd_set_maxstartups': + data["wrong_value"] = "30:10:110" + data["correct_value"] = "10:30:60" + else: + data["wrong_value"] = "wrong_value" + data["correct_value"] = "correct_value" else: data["wrong_value"] = "wrong_value" data["correct_value"] = str(data["value"])
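Review bot: Hard-coding `var_sshd_set_maxstartups` into the shared template couples a generic helper to one rule, and the next rule that needs structured test values will add another `elif`; read them from the template `vars` instead, e.g. `data["wrong_value"] = data.get("test_wrong_value", "wrong_value")` and `data["correct_value"] = data.get("test_correct_value", "correct_value")`, with the two values declared in the rule's template block. The new branch also indexes `data['xccdf_variable']` directly while the surrounding code uses `data.get(...)` and double quotes; `data.get("xccdf_variable")` keeps the style consistent and avoids a KeyError for a template instance that sets neither `value` nor `xccdf_variable`. The enclosing function `set_variables_for_test_scenarios` begins before and continues after this hunk.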