Ensure consistency among SSH related rules
Description of problem:
The template sshd_lineinfile is intended to be used by SSH related rules that care about configuration parameters.
The template is robust and had some recent improvements:
- https://github.com/ComplianceAsCode/content/pull/12251
- https://github.com/ComplianceAsCode/content/pull/12419
Many rules are already using this template, but the following rules were not yet migrated:
- sshd_rekey_limit
- sshd_set_idle_timeout
- sshd_use_approved_ciphers
- sshd_use_directory_configuration
- sshd_use_strong_kex
- sshd_use_strong_macs
It seems they are relatively simple to migrate, and this way we can not only reduce duplication but also improve the consistency among these rules.
SCAP Security Guide Version:
master as of 2024-09-25
Operating System Version:
Multiple products would benefit from this improvement.
Steps to Reproduce:
- ./build_product rhel9
- Test each rule
for rule in sshd_rekey_limit sshd_set_idle_timeout sshd_use_approved_ciphers sshd_use_directory_configuration sshd_use_strong_kex sshd_use_strong_macs; do
    ./tests/automatus.py rule --libvirt qemu:///session rhel9 --datastream build/ssg-rhel9-ds.xml --dontclean "$rule"
done
Actual Results:
Although all tests may pass, there are differences in how each rule is tested, checked and remediated.
Expected Results:
All rules share as much as possible from the sshd_lineinfile template.
Additional Information/Debugging Steps:
This issue was raised when I was working on https://github.com/ComplianceAsCode/content/pull/12419
We took a look into the rules and we think that some of them are still good candidates to be rewritten using the template.