sshd_disable_compression: accept both "no" and "delayed" - RHEL 9 STIG #14831
macko1 wants to merge 3 commits into
Conversation
Skipping CI for Draft Pull Request.

Please adjust the title to remove
@macko1 The CI failure on CentOS 9 with Ansible looks legit, the test /hardening/host-os/ansible/stig fails with this message

#14831 (comment) - I thought that the 'Merge request ready' event would remove the 'draft' from the title, I didn't double check. (iirc gitlab does this) Apparently not. Fixed @Mab879, thanks for the heads-up. @jan-cerny I'll take a look, thanks.

IIUC it isn't needed to add/remove the DRAFT word in the title anymore because they started to add a gray/colored item both in the PR and in the list of PRs automatically.
This datastream diff is auto generated by the check.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -1,7 +1,8 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-var_sshd_disable_compression=''
+# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).
+
if [ -e "/etc/ssh/sshd_config" ] ; then
LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config"
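Review bot: the added line `# Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).` is a note about the template file's metadata header, yet it is rendered into every generated bash remediation, where it tells the person running the script nothing. Make it a template comment (the project's Jinja comment syntax) so it stays in bash/shared.sh without being rendered, or replace it with a comment that describes the rendered script, for instance why the written value is fixed rather than taken from a variable.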
@@ -13,7 +14,7 @@
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
-printf '%s\n' "Compression $var_sshd_disable_compression" > "/etc/ssh/sshd_config"
+printf '%s\n' "Compression no" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
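Review bot: `printf '%s\n' "Compression no"` no longer consults `var_sshd_disable_compression`, so the rendered script writes `no` regardless of which variable option a profile selects. That is the intent stated in the description (strictest valid value), but nothing in the script says so; add a one-line comment above the printf explaining that `no` is written because it satisfies every selection the check accepts, and confirm that the preceding `sed ... /Id` still removes a pre-existing `Compression delayed` line before the new value is inserted at the beginning of the file, so the first-occurrence rule of sshd_config picks up `no`.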
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -14,11 +14,6 @@
- no_reboot_needed
- restrict_strategy
- sshd_disable_compression
-- name: XCCDF Value var_sshd_disable_compression # promote to variable
- set_fact:
- var_sshd_disable_compression: !!str
- tags:
- - always
- name: Disable Compression Or Set Compression to delayed
block:
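Review bot: with the `set_fact` task for `var_sshd_disable_compression` removed, the play no longer references the variable at all, yet the remaining task is still named `Disable Compression Or Set Compression to delayed`, which suggests the remediation may write `delayed`. Since the task now always writes `Compression no`, rename it (for example `Disable Compression`) or add a short comment in the task stating that `no` is chosen as the strictest value the check accepts.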
@@ -46,7 +41,7 @@
path: /etc/ssh/sshd_config
create: true
regexp: (?i)(?i)^\s*Compression\s+
- line: Compression {{ var_sshd_disable_compression }}
+ line: Compression no
state: present
insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s |
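Review bot: the unchanged context line `regexp: (?i)(?i)^\s*Compression\s+` carries a doubled `(?i)` inline flag. It is harmless, but since this template is being touched, drop the duplicate in the shared template so the regexp reads `(?i)^\s*Compression\s+`. The `line: Compression no` change itself is consistent with the bash remediation, and keeping `validate: /usr/sbin/sshd -t -f %s` means a malformed result is rejected before it replaces the live config.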
jan-cerny left a comment:

I have reviewed the code and executed Automatus TSs locally on a RHEL 9 VM back end.

@ComplianceAsCode/oracle-maintainers PTAL whether the new variable selection is OK for OL 9 STIG.
DISA STIG V-258002 allows Compression in /etc/ssh/sshd_config to be set to "no" or "delayed". The rule only accepted "no".

Add custom OVAL, bash, and ansible remediations:
- oval/shared.xml: check with value="(no|delayed)" (pattern match)
- bash/shared.sh: remediation writes "no" (strictest valid value)
- ansible/shared.yml: remediation writes "no"
- tests/delayed_value.pass.sh: verify "delayed" passes

Add "stig" option with value "no|delayed" to var_sshd_disable_compression.var. Update RHEL 9 and OL9 STIG controls to select var_sshd_disable_compression=stig.

"delayed" is now a valid value for sshd_disable_compression. "yes" is always invalid per DISA STIG V-258002.
Comment on bash/shared.sh:

    # disruption = low
    # Same metadata as other sshd_lineinfile rules (e.g. sshd_set_idle_timeout).

    {{{ bash_sshd_remediation(parameter="Compression", value="no", config_is_distributed=sshd_distributed_config, config_basename="00-complianceascode-hardening.conf", rule_id=rule_id) }}}

@jan-cerny Are we OK with the hardcoded 'value="no"' here and in the ansible remediation?
Other rules instantiate the variables and then extract the correct value. Having explicit 'no' looks better IMHO, even though it breaks the pattern.
/retest
@macko1: The following tests failed, say
Description:

DISA STIG V-258002 (RHEL-09-255130) requires that sshd must not allow compression or must only allow compression after successful authentication. The `Compression` parameter in `/etc/ssh/sshd_config` accepts `no` (disables compression) and `delayed` (compresses only after authentication). Both satisfy the STIG requirement.

Systems with `Compression delayed` were incorrectly flagged as non-compliant because the `sshd_lineinfile` template generated an OVAL check with `operation="equals"` and `var_sshd_disable_compression`, forcing an exact match against `no`.

The fix: custom OVAL check accepts both `no` and `delayed` (regex `^(no|delayed)$`). Custom bash and ansible remediations write `Compression no` (strictest valid value).

Rationale:

8 rules in the codebase use custom OVAL, bash, and ansible to handle variables with multiple acceptable values:

- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_passwordauth
- set_password_hashing_algorithm_systemauth
- auditd_data_disk_error_action
- auditd_data_disk_full_action
- auditd_data_retention_admin_space_left_action
- auditd_data_retention_space_left_action
- auditd_name_format

The `stig` option name follows the convention in `var_password_hashing_algorithm` (`cis_rhel8`, `cis_ubuntu2204`).

Fixes #13078 (sshd_disable_compression only seems to check for no).

Review Hints:

Test on RHEL 9:

1. Build the rule and confirm the OVAL check is a `pattern match` with `^(no|delayed)$`:

```
./build_product rhel9 -r sshd_disable_compression
grep 'subexpression' build/rhel9/checks/oval/sshd_disable_compression.xml
```

2. Build the test container from `Dockerfiles/test_suite-rhel9` (use your SSH public key):

```
podman build \
  --build-arg "CLIENT_PUBLIC_KEY=$(cat <ssh_public_key>)" \
  -t ssg_test_suite \
  -f Dockerfiles/test_suite-rhel9 Dockerfiles/
```

3. Run the rule test with bash remediation against the container (`SSH_ADDITIONAL_OPTIONS` must point to the same key used in step 2):

```
SSH_ADDITIONAL_OPTIONS="-o IdentityFile=<ssh_private_key>" \
  tests/automatus.py rule \
  --container ssg_test_suite \
  --datastream build/ssg-rhel9-ds.xml \
  --remediate-using bash \
  sshd_disable_compression
```

4. Run the rule test with ansible remediation on a libvirt VM:

```
tests/automatus.py rule \
  --libvirt qemu:///session <vm_name> \
  --datastream build/ssg-rhel9-ds.xml \
  --remediate-using ansible \
  sshd_disable_compression
```
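The check and the remediation that the description explains, as an added example that is not code from this PR or from the ComplianceAsCode project: a POSIX sh model of the OVAL check (first `Compression` directive must match `^(no|delayed)$`) and of the bash remediation (delete every `Compression` line, then insert `Compression no` at the beginning of the file). The function names `compression_compliant`, `remediate_compression`, `write_sample_config` and `demo_case` are hypothetical, the sshd_config contents are constructed, and the example assumes the single-file `/etc/ssh/sshd_config` layout, not the distributed `00-complianceascode-hardening.conf` case the template also handles. It relies on two documented sshd_config behaviours: the first occurrence of a keyword wins, and `Compression` defaults to `yes` when absent, so a config without the directive fails the check.

```shell
#!/bin/sh
# Added example (not part of the PR or the ComplianceAsCode project): a POSIX sh
# model of the sshd_disable_compression check and remediation, run against a
# constructed sshd_config in a temporary file. Function names are hypothetical.

# Return 0 when the first Compression directive in $1 is "no" or "delayed",
# the two values DISA STIG V-258002 accepts; "yes" or a missing directive
# (sshd then defaults to yes) returns 1. Keyword match is case-insensitive,
# leading whitespace and trailing comments are tolerated.
compression_compliant() {
    cfg="$1"
    value=$(sed -n 's/^[[:space:]]*[Cc][Oo][Mm][Pp][Rr][Ee][Ss][Ss][Ii][Oo][Nn][[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$cfg" | head -n 1)
    case "$value" in
        no|delayed) return 0 ;;
        *) return 1 ;;
    esac
}

# Mirror the bash hunk: drop every existing Compression line, then write the
# strictest accepted value at the beginning of the file so that, under the
# first-occurrence rule, it takes effect whatever else the config contains.
# A temp file plus mv is used instead of the non-portable "sed -i".
remediate_compression() {
    cfg="$1"
    tmp="$cfg.tmp"
    {
        printf '%s\n' "Compression no"
        sed '/^[[:space:]]*[Cc][Oo][Mm][Pp][Rr][Ee][Ss][Ss][Ii][Oo][Nn][[:space:]]\{1,\}/d' "$cfg"
    } > "$tmp" && mv "$tmp" "$cfg"
}

# Write a constructed sshd_config to $1; $2 is the Compression line(s) to
# embed, or empty for a config with no Compression directive at all.
write_sample_config() {
    cfg="$1"
    line="$2"
    {
        printf '%s\n' "# constructed sample sshd_config"
        printf '%s\n' "Port 22"
        [ -n "$line" ] && printf '%s\n' "$line"
        printf '%s\n' "PermitRootLogin no"
    } > "$cfg"
}

# Check a config carrying "$1", remediate it, check again, and print
# "before=<pass|fail> after=<pass|fail>" so the effect of both steps is visible.
demo_case() {
    cfg=$(mktemp)
    write_sample_config "$cfg" "$1"
    if compression_compliant "$cfg"; then before=pass; else before=fail; fi
    remediate_compression "$cfg"
    if compression_compliant "$cfg"; then after=pass; else after=fail; fi
    rm -f "$cfg"
    printf 'before=%s after=%s\n' "$before" "$after"
}

# Stand-alone demonstration over the constructed inputs.
for v in "Compression no" "Compression delayed" "Compression yes" ""; do
    printf '%-22s -> %s\n' "${v:-<absent>}" "$(demo_case "$v")"
done
```

In a real scan the remediation runs only on hosts where the check failed, so a host configured with `Compression delayed` is left untouched; `demo_case` applies it unconditionally only to show that the rewritten file passes in every case. The two-line case (`Compression yes` followed by `Compression no`) is the one that motivates inserting at the beginning of the file: sshd uses the first value, so the config fails the check before remediation even though a compliant line is present further down.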