From e3b3e0450ca3b850970d1a8f0d3e7e5e068a85a7 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 25 Sep 2024 09:27:15 +0200 Subject: [PATCH 1/9] Update rule description Improve readability and ocil. Also removed the CIS-specific mention from the description. Signed-off-by: Marcus Burghardt --- .../ssh_server/sshd_set_maxstartups/rule.yml | 20 ++++++++----------- 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml index d785b5cb966..a14222504eb 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml @@ -3,20 +3,16 @@ documentation_complete: true title: 'Ensure SSH MaxStartups is configured' description: |- - The MaxStartups parameter specifies the maximum number of concurrent - unauthenticated connections to the SSH daemon. Additional connections will be - dropped until authentication succeeds or the LoginGraceTime expires for a - connection. To confgure MaxStartups, you should add or correct the following - line in the - /etc/ssh/sshd_config file: + The MaxStartups parameter specifies the maximum number of concurrent unauthenticated + connections to the SSH daemon. Additional connections will be dropped until authentication + succeeds or the LoginGraceTime expires for a connection. To configure MaxStartups, you should + add or edit the following line in the /etc/ssh/sshd_config file:
MaxStartups {{{ xccdf_value("var_sshd_set_maxstartups") }}}
- CIS recommends a MaxStartups value of '10:30:60', or more restrictive where - dictated by site policy. rationale: |- - To protect a system from denial of service due to a large number of pending - authentication connection attempts, use the rate limiting function of MaxStartups - to protect availability of sshd logins and prevent overwhelming the daemon. + To protect a system from denial of service due to a large number of pending authentication + connection attempts, use the rate limiting function of MaxStartups to protect availability of + sshd logins and prevent overwhelming the daemon. severity: medium @@ -37,5 +33,5 @@ ocil_clause: 'maxstartups is not configured' ocil: |- To check if MaxStartups is configured, run the following command: -
$ sudo grep MaxStartups /etc/ssh/sshd_config
+
$ sudo grep -r ^[\s]*MaxStartups /etc/ssh/sshd_config*
If configured, this command should output the configuration. From 5c6ede2bed080d3175f1ec1ca6f8e4c5858d6054 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 25 Sep 2024 10:09:11 +0200 Subject: [PATCH 2/9] Minor improvements for readability There is no change in logic but only minor updates to make it easier to read and more aligned to project style guide. Signed-off-by: Marcus Burghardt --- .../sshd_set_maxstartups/oval/shared.xml | 51 ++++++++++--------- 1 file changed, 28 insertions(+), 23 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml index 8a6b3571338..b54ff5acc54 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml @@ -1,23 +1,22 @@ - - {{{ oval_metadata("Ensure 'MaxStartups' is configured in - '/etc/ssh/sshd_config'") }}} - - - + + {{{ oval_metadata("Ensure 'MaxStartups' is properly configured in SSH configuration files.") }}} + + + {{% if product in ['opensuse', 'sle12', 'sle15'] %}} - + {{% else %}} - + {{% endif %}} - - - + + + @@ -48,16 +47,22 @@ 100 - - - + + + - - - + + + - - - + + + From b24be4ada8acb8db803374ea39fbc4f7851bafc0 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 25 Sep 2024 10:36:48 +0200 Subject: [PATCH 3/9] Also consider SSH drop-in files Signed-off-by: Marcus Burghardt --- .../sshd_set_maxstartups/oval/shared.xml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml index b54ff5acc54..853faf18f49 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml 
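Review bot: The new OCIL command in the second hunk, `$ sudo grep -r ^[\s]*MaxStartups /etc/ssh/sshd_config*`, will not match indented directives: the pattern is unquoted, so the shell removes the backslash and grep receives `^[s]*MaxStartups`, and even when quoted `[\s]` is a bracket expression matching a literal backslash or `s`, not whitespace. Quote the pattern and use a POSIX class, e.g. `$ sudo grep -ri '^[[:space:]]*MaxStartups' /etc/ssh/sshd_config*`; `-i` also keeps the manual check aligned with the case-insensitive `(?i)` regex the OVAL uses later in this series. The `sshd_config*` glob also expands to `sshd_config.d`, which is what lets `-r` reach the drop-in files, so that part is fine.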
@@ -21,18 +21,21 @@ - - /etc/ssh/sshd_config + + /etc/(ssh|ssh/sshd_config.d) + (sshd_config|.*\.conf)$ (?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$ 1 - - /etc/ssh/sshd_config + + /etc/(ssh|ssh/sshd_config.d) + (sshd_config|.*\.conf)$ (?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$ 1 - - /etc/ssh/sshd_config + + /etc/(ssh|ssh/sshd_config.d) + (sshd_config|.*\.conf)$ (?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$ 1 From f5f3634b0f0b92020703b602294608819830e95c Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 25 Sep 2024 11:28:12 +0200 Subject: [PATCH 4/9] Remove hard-coded values The rule uses a variable but the OVAL check was not considering the variable values. It was instead using hard-coded values. The OVAL was updated to consume the values from the variable. Signed-off-by: Marcus Burghardt --- .../sshd_set_maxstartups/oval/shared.xml | 39 +++++++++++++++---- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml index 853faf18f49..7b6384684af 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml @@ -1,5 +1,5 @@ - + {{{ oval_metadata("Ensure 'MaxStartups' is properly configured in SSH configuration files.") }}} @@ -40,14 +40,39 @@ 1 - - 10 + + + + + + + + + + + + + + + + + + + + - - 30 + + - - 100 + + Date: Wed, 25 Sep 2024 11:52:40 +0200 Subject: [PATCH 5/9] Make test scenarios more robust Use directly a variable value instead of referencing a profile in test scenarios. This way the test scenarios won't break if the profile changes. It was also included two new test scenarios for stricter and lenient tests. 
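Review bot: The new location pair `/etc/(ssh|ssh/sshd_config.d)` with `(sshd_config|.*\.conf)$` is looser than the drop-in layout it is meant to cover: the `.` in `sshd_config.d` is unescaped, and any `*.conf` placed directly in `/etc/ssh` is collected although sshd only reads files named by an `Include`. Escaping the dot (`/etc/ssh(/sshd_config\.d)?$`) is a one-character fix; restricting `.conf` to the drop-in directory would need a second object or a single filepath pattern, whichever matches project style. Since sshd keeps the first value it obtains and the position of `Include` decides whether the drop-ins come first, the check cannot know which occurrence is effective, so a comment in the OVAL stating that every matched line is required to comply would make that assumption explicit. All three objects in this hunk repeat the same path/filename pair, so the change applies to each of them.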
Signed-off-by: Marcus Burghardt
---
 .../ssh_server/sshd_set_maxstartups/tests/comment.fail.sh | 3 +--
 .../sshd_set_maxstartups/tests/correct_value.pass.sh | 3 +--
 .../sshd_set_maxstartups/tests/lenient_value.fail.sh | 8 ++++++++
 .../sshd_set_maxstartups/tests/line_not_there.fail.sh | 3 +--
 .../ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh | 3 +--
 .../sshd_set_maxstartups/tests/stricter_value.pass.sh | 8 ++++++++
 6 files changed, 20 insertions(+), 8 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/lenient_value.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/stricter_value.pass.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh
index 9c2d5053da7..02d9e14520a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_sshd_set_maxstartups=10:30:60
 
 if grep -q "^MaxStartups" /etc/ssh/sshd_config; then
 sed -i "s/^MaxStartups.*/# MaxStartups 10:30:60/" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh
index 98b2ce55e91..6f1a852bdc7 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh
@@ -1,6 +1,5 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_sshd_set_maxstartups=10:30:60
 
 if grep -q "^MaxStartups" /etc/ssh/sshd_config; then
 sed -i "s/^MaxStartups.*/MaxStartups 10:30:60/" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/lenient_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/lenient_value.fail.sh
new file mode 100644
index 00000000000..7987ffeca9d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/lenient_value.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_sshd_set_maxstartups=10:30:60
+
+if grep -q "^MaxStartups" /etc/ssh/sshd_config; then
+ sed -i "s/^MaxStartups.*/MaxStartups 10:30:60/" /etc/ssh/sshd_config
+else
+ echo "MaxStartups 20:40:60" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh
index 97809176d2c..6ca3228b48a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_sshd_set_maxstartups=10:30:60
 
 sed -i "/^MaxStartups.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh
index 3aec68a453e..749115f42af 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh
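Review bot: lenient_value.fail.sh only produces the lenient value when no `MaxStartups` line already exists: its `if` branch rewrites an existing directive to the compliant `10:30:60`, so on an image that ships the directive the scenario ends up compliant and the `.fail.sh` expectation is wrong. The `sed` should write the same value as the `echo`, `sed -i "s/^MaxStartups.*/MaxStartups 20:40:60/" /etc/ssh/sshd_config`; stricter_value.pass.sh in the next diff line has the mirror problem and should use `MaxStartups 5:60:30`, otherwise it passes without ever exercising the stricter case. Both scenarios survive the cleanup in PATCH 8/9, so the fix is still needed at the end of the series. The OVAL now also reads /etc/ssh/sshd_config.d/*.conf while these scripts only touch /etc/ssh/sshd_config, so a pre-existing directive in a drop-in could change the outcome too; clearing it in the scenario would make the result deterministic.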
@@ -1,5 +1,4 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_sshd_set_maxstartups=10:30:60
 
 true
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/stricter_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/stricter_value.pass.sh
new file mode 100644
index 00000000000..1df1bf36ad8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/stricter_value.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_sshd_set_maxstartups=10:30:60
+
+if grep -q "^MaxStartups" /etc/ssh/sshd_config; then
+ sed -i "s/^MaxStartups.*/MaxStartups 10:30:60/" /etc/ssh/sshd_config
+else
+ echo "MaxStartups 5:60:30" >> /etc/ssh/sshd_config
+fi
From 217343cd68ae8462ccadfaa26e29b5d877634532 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 25 Sep 2024 14:03:31 +0200 Subject: [PATCH 6/9] Use template for sshd_set_maxstartups The OVAL logic sshd_set_maxstartups is very specific and it is not worth to move it in the template, but we can benefit from the templated remediation and test scenarios. Signed-off-by: Marcus Burghardt
---
 .../ssh_server/sshd_set_maxstartups/ansible/shared.yml | 8 --------
 .../ssh/ssh_server/sshd_set_maxstartups/bash/shared.sh | 9 ---------
 .../ssh/ssh_server/sshd_set_maxstartups/rule.yml | 9 +++++++++
 shared/templates/sshd_lineinfile/template.py | 8 ++++++--
 4 files changed, 15 insertions(+), 19 deletions(-)
 delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/ansible/shared.yml
 delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/bash/shared.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/ansible/shared.yml
deleted file mode 100644
index 2c9889e2b5a..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/ansible/shared.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-# platform = multi_platform_all
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-- (xccdf-var var_sshd_set_maxstartups)
-
-{{{ ansible_sshd_set(parameter="MaxStartups", value="{{ var_sshd_set_maxstartups }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/bash/shared.sh
deleted file mode 100644
index dd5a7031d45..00000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/bash/shared.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-# platform = multi_platform_all
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-
-{{{ bash_instantiate_variables("var_sshd_set_maxstartups") }}}
-
-{{{ bash_sshd_config_set(parameter="MaxStartups", value="$var_sshd_set_maxstartups") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
index a14222504eb..a327dc85b72 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
@@ -35,3 +35,12 @@ ocil: |-
 To check if MaxStartups is configured, run the following command:
$ sudo grep -r ^[\s]*MaxStartups /etc/ssh/sshd_config*
If configured, this command should output the configuration.
+
+template:
+ name: sshd_lineinfile
+ vars:
+ parameter: MaxStartups
+ xccdf_variable: var_sshd_set_maxstartups
+ datatype: string
+ backends:
+ oval: "off"
diff --git a/shared/templates/sshd_lineinfile/template.py b/shared/templates/sshd_lineinfile/template.py
index 5d717efd8c0..77756399d94 100644
--- a/shared/templates/sshd_lineinfile/template.py
+++ b/shared/templates/sshd_lineinfile/template.py
@@ -13,8 +13,12 @@ def set_variables_for_test_scenarios(data):
 elif data["datatype"] == "string":
 if not data.get("value"):
 # this implies XCCDF variable is used
- data["wrong_value"] = "wrong_value"
- data["correct_value"] = "correct_value"
+ if data['xccdf_variable'] == 'var_sshd_set_maxstartups':
+ data["wrong_value"] = "30:10:110"
+ data["correct_value"] = "10:30:60"
+ else:
+ data["wrong_value"] = "wrong_value"
+ data["correct_value"] = "correct_value"
 else:
 data["wrong_value"] = "wrong_value"
 data["correct_value"] = str(data["value"])
From 93b86c4c1be8dc08b68e06143ef607e5ec7983ce Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 25 Sep 2024 14:05:21 +0200 Subject: [PATCH 7/9] Fix the assumption of OVAL check The OVAL check would fail if the parameter was mentioned twice, for example in the main configuration file and in a drop-in file. It is not a problem at all if both are compliant. Signed-off-by: Marcus Burghardt
---
 .../sshd_set_maxstartups/oval/shared.xml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml
index 7b6384684af..e2ccb744248 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml
@@ -75,21 +75,21 @@ var_ref="var_sshd_set_maxstartups_third"/>
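Review bot: The branch `if data['xccdf_variable'] == 'var_sshd_set_maxstartups':` hard-codes one rule's name into the shared sshd_lineinfile template, so generic code now depends on a specific rule and will grow into an `if` chain as other string-typed variables need realistic test values. Letting rule.yml pass the two values as template vars (for example reading them with `data.get(...)` and falling back to `"wrong_value"`/`"correct_value"`) keeps the rule-specific knowledge next to the rule; if the branch stays, a comment explaining why the generic strings cannot be used here, e.g. `# the OVAL for this rule expects a start:rate:full triple, so a bare string never matches`, would tell the next reader what is going on. The quoting is also inconsistent with the surrounding lines (`data['xccdf_variable']` next to `data["wrong_value"]`). set_variables_for_test_scenarios starts before this hunk, so the other branches of the function are not visible here.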
- + - + - + From 9b1e4da7f45e0b643bf055280564133ccbb5aaae Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 25 Sep 2024 14:11:31 +0200 Subject: [PATCH 8/9] Remove duplicated tests These tests are already covered by the template. Only two test scenarios specific for this rule were kept. Signed-off-by: Marcus Burghardt --- .../ssh_server/sshd_set_maxstartups/tests/comment.fail.sh | 8 -------- .../sshd_set_maxstartups/tests/correct_value.pass.sh | 8 -------- .../sshd_set_maxstartups/tests/line_not_there.fail.sh | 4 ---- .../ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh | 4 ---- 4 files changed, 24 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh deleted file mode 100644 index 02d9e14520a..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/comment.fail.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -# variables = var_sshd_set_maxstartups=10:30:60 - -if grep -q "^MaxStartups" /etc/ssh/sshd_config; then - sed -i "s/^MaxStartups.*/# MaxStartups 10:30:60/" /etc/ssh/sshd_config -else - echo "# MaxStartups 10:30:60" >> /etc/ssh/sshd_config -fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh deleted file mode 100644 index 6f1a852bdc7..00000000000 
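Review bot: Relaxing the check so that a duplicated `MaxStartups` no longer fails is only safe if every matched line still has to be compliant: sshd keeps the first value it obtains, and whether that comes from sshd_config or a drop-in depends on where `Include` is placed, so a check satisfied by any one compliant occurrence could pass while the effective value is lenient. The attribute values changed here are not visible in this rendering, so please confirm the tests keep `check="all"` (or the equivalent) with only the existence requirement relaxed, and state that assumption in a comment in the OVAL. A test scenario with a compliant sshd_config plus a lenient drop-in, and the reverse, would pin this down.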
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -# variables = var_sshd_set_maxstartups=10:30:60 - -if grep -q "^MaxStartups" /etc/ssh/sshd_config; then - sed -i "s/^MaxStartups.*/MaxStartups 10:30:60/" /etc/ssh/sshd_config -else - echo "MaxStartups 10:30:60" >> /etc/ssh/sshd_config -fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh deleted file mode 100644 index 6ca3228b48a..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/line_not_there.fail.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -# variables = var_sshd_set_maxstartups=10:30:60 - -sed -i "/^MaxStartups.*/d" /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh deleted file mode 100644 index 749115f42af..00000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/nothing.fail.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -# variables = var_sshd_set_maxstartups=10:30:60 - -true From d9ba185b65b1297392fd839d5d29104522171e7a Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 26 Sep 2024 10:33:22 +0200 Subject: [PATCH 9/9] Minor wording fixes in comments Signed-off-by: Marcus Burghardt --- .../ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml index e2ccb744248..dfad08d8a7b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml 
@@ -50,13 +50,13 @@ + comment="Second number from MaxStartup parameter value."> + comment="Third number from MaxStartup parameter value.">
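Review bot: The reworded comments still call the directive `MaxStartup`; the keyword is `MaxStartups`, so the fixed text should read `comment="Second number from MaxStartups parameter value."` and `comment="Third number from MaxStartups parameter value."`. Since this is the wording-fix commit, it is the right place to correct it, and the comment for the first number (outside the visible lines, if it exists) should be checked for the same spelling.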