Merge pull request #14449 from Smouhoune/feat/ssh-client-path-overrides

Parameterize SSH client configuration paths via product properties (preserve defaults)

Author: dodys

linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/ansible/shared.yml

@@ -4,12 +4,15 @@
 # complexity = low
 # disruption = low
 {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+{{%- set sshc_main_config = ssh_client_main_config_file -%}}
+{{%- set sshc_config_dir = ssh_client_config_dir -%}}
+{{%- set sshc_rekey_config = ssh_client_config_dir ~ "/02-rekey-limit.conf" -%}}
 
-{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', insensitive=false, create='no', state='absent', rule_title=rule_title) }}}
+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in ' ~ sshc_main_config, path=sshc_main_config, regex='^\s*RekeyLimit.*$', insensitive=false, create='no', state='absent', rule_title=rule_title) }}}
 
 - name: Collect all include config files for ssh client which configure RekeyLimit
   ansible.builtin.find:
-    paths: "/etc/ssh/ssh_config.d/"
+    paths: "{{{ sshc_config_dir }}}"
     contains: '^[\s]*RekeyLimit.*$'
     patterns: "*.config"
   register: ssh_config_include_files
@@ -21,4 +24,4 @@
     state: "absent"
   loop: "{{ ssh_config_include_files.files }}"
 
-{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', insensitive=false, new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present', rule_title=rule_title) }}}
+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in ' ~ sshc_rekey_config, path=sshc_rekey_config, regex='^\s*RekeyLimit.*$', insensitive=false, new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present', rule_title=rule_title) }}}

linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/bash/shared.sh

@@ -1,9 +1,10 @@
 # platform = multi_platform_all
 
 {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+{{%- set sshc_rekey_config = ssh_client_config_dir ~ "/02-rekey-limit.conf" -%}}
 
-main_config="/etc/ssh/ssh_config"
-include_directory="/etc/ssh/ssh_config.d"
+main_config="{{{ ssh_client_main_config_file }}}"
+include_directory="{{{ ssh_client_config_dir }}}"
 
 if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
   sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
@@ -15,4 +16,4 @@ for file in "$include_directory"/*.conf; do
   fi
 done
 
-{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}
+{{{ set_config_file(path=sshc_rekey_config, parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}

linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/oval/shared.xml

@@ -1,10 +1,13 @@
 
+{{%- set sshc_main_config = ssh_client_main_config_file -%}}
+{{%- set sshc_config_dir = ssh_client_config_dir -%}}
+
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
-    {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf", rule_title=rule_title) }}}
+    {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in " ~ sshc_main_config ~ " and " ~ sshc_config_dir ~ "/*.conf", rule_title=rule_title) }}}
     <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
-      <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
-      <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
+      <criterion comment="check that RekeyLimit is not configured in {{{ sshc_main_config }}}" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
+      <criterion comment="check correct RekeyLimit configuration in {{{ sshc_config_dir }}}/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
     </criteria>
   </definition>
 
@@ -22,22 +25,23 @@
   <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
 
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in {{{ sshc_main_config }}}" id="test_ssh_client_rekey_limit_main_config" version="1">
      <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">
-     <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
+     <ind:filepath>{{{ sshc_main_config }}}</ind:filepath>
      <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in {{{ sshc_config_dir }}}/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
      <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
-     <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
+     <ind:path>{{{ sshc_config_dir }}}</ind:path>
+     <ind:filename operation="pattern match">.*\.conf$</ind:filename>
      <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>

linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml

@@ -1,5 +1,8 @@
 documentation_complete: true
 
+{{% set sshc_main_config = ssh_client_main_config_file %}}
+{{% set sshc_config_dir = ssh_client_config_dir %}}
+{{% set sshc_rekey_config = ssh_client_config_dir ~ "/02-rekey-limit.conf" %}}
 
 title: 'Configure session renegotiation for SSH client'
 
@@ -8,11 +11,11 @@ description: |-
     the session key is renegotiated, both in terms of
     amount of data that may be transmitted and the time
     elapsed. To decrease the default limits, put line
-    <tt>RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
+    <tt>RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>{{{ sshc_rekey_config }}}</tt>.
     Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
     the <tt>include</tt> directive in the main config file
-    <tt>/etc/ssh/ssh_config</tt>. Check also other files in
-    <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
+    <tt>{{{ sshc_main_config }}}</tt>. Check also other files in
+    <tt>{{{ sshc_config_dir }}}</tt> directory. Files are processed according to
     lexicographical order of file names. Make sure that there is no file
     processed before <tt>02-rekey-limit.conf</tt> containing definition of
     <tt>RekeyLimit</tt>.
@@ -37,12 +40,12 @@ ocil_clause: 'it is commented out or is not set'
 
 ocil: |-
     To check if RekeyLimit is set correctly, run the following command:
-    <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre>
+    <pre>$ sudo grep RekeyLimit {{{ sshc_config_dir }}}/*.conf</pre>
     If configured properly, output should be
-    <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:
+    <pre>{{{ sshc_rekey_config }}}:
     RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</pre>
     Check also the main configuration file with the following command:
-    <pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config</pre>
+    <pre>$ sudo grep RekeyLimit {{{ sshc_main_config }}}</pre>
     The command should not return any output.
 
 fixtext: |-
@@ -53,4 +56,3 @@ fixtext: |-
     Restart the SSH daemon for the settings to take effect.
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/bash/shared.sh

@@ -1,14 +1,16 @@
 # platform = multi_platform_ubuntu
 
 ssh_approved_ciphers="aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr"
+{{% set sshc_cipher_list_config = ssh_client_config_dir ~ "/00-cipher-list.conf" %}}
 
-main_config="/etc/ssh/ssh_config"
-include_directory="/etc/ssh/ssh_config.d"
+main_config="{{{ ssh_client_main_config_file }}}"
+include_directory="{{{ ssh_client_config_dir }}}"
+cipher_list_config="$include_directory/00-cipher-list.conf"
 
 sed -i '/^\s*[Cc]iphers.*/d' "$main_config" "$include_directory"/*.conf || true
 
-if ! grep -qE '^[Hh]ost\s+\*$' /etc/ssh/ssh_config.d/00-cipher-list.conf; then
-  echo 'Host *' >> /etc/ssh/ssh_config.d/00-cipher-list.conf
+if ! grep -qE '^[Hh]ost\s+\*$' "$cipher_list_config"; then
+  echo 'Host *' >> "$cipher_list_config"
 fi
 
-{{{ set_config_file(path="/etc/ssh/ssh_config.d/00-cipher-list.conf", parameter="Ciphers", value='$ssh_approved_ciphers', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}
+{{{ set_config_file(path=sshc_cipher_list_config, parameter="Ciphers", value='$ssh_approved_ciphers', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}

linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/oval/shared.xml

@@ -1,40 +1,42 @@
 {{%- if product == 'ubuntu2404' %}}
 {{%- set ssh_approved_ciphers="aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr" %}}
 {{%- endif %}}
+{{%- set sshc_main_config = ssh_client_main_config_file -%}}
+{{%- set sshc_config_dir = ssh_client_config_dir -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.", rule_title=rule_title) }}}
     <criteria comment="the configuration is correct if it exists" operator="AND">
-      <criterion comment="Check the ciphers in /etc/ssh/ssh_config if any"
+      <criterion comment="Check the ciphers in {{{ sshc_main_config }}} if any"
         test_ref="test_{{{ rule_id }}}" />
-      <criterion comment="Check the ciphers in /etc/ssh/ssh_config.d if any"
+      <criterion comment="Check the ciphers in {{{ sshc_config_dir }}} if any"
         test_ref="test_{{{ rule_id }}}_config_dir" />
       <criterion comment="the configuration exists" test_ref="test_ciphers_present_{{{ rule_id }}}" />
     </criteria>
   </definition>
 
   <ind:textfilecontent54_test check="all" check_existence="any_exist"
-    comment="tests the value of ciphers setting in the /etc/ssh/ssh_config file"
+    comment="tests the value of ciphers setting in {{{ sshc_main_config }}}"
     id="test_{{{ rule_id }}}" version="1">
     <ind:object object_ref="obj_{{{ rule_id }}}" />
     <ind:state state_ref="state_{{{ rule_id }}}" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
-    <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
+    <ind:filepath>{{{ sshc_main_config }}}</ind:filepath>
     <ind:pattern operation="pattern match">^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_test check="all" check_existence="any_exist"
-    comment="tests the value of ciphers setting in the /etc/ssh/ssh_config.d file"
+    comment="tests the value of ciphers setting in {{{ sshc_config_dir }}}"
     id="test_{{{ rule_id }}}_config_dir" version="1">
     <ind:object object_ref="obj_{{{ rule_id }}}_config_dir" />
     <ind:state state_ref="state_{{{ rule_id }}}" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_config_dir" version="1">
-    <ind:path>/etc/ssh/ssh_config.d</ind:path>
+    <ind:path>{{{ sshc_config_dir }}}</ind:path>
     <ind:filename operation="pattern match">.*\.conf$</ind:filename>
     <ind:pattern operation="pattern match">^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

linux_os/guide/services/ssh/ssh_client/ssh_client_use_approved_ciphers_ordered_stig/rule.yml

@@ -1,13 +1,14 @@
 {{%- if product == 'ubuntu2404' %}}
 {{%- set ssh_approved_ciphers = "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr" %}}
 {{%- endif %}}
+{{%- set sshc_main_config = ssh_client_main_config_file -%}}
 documentation_complete: true
 
 title: 'Use Only FIPS 140-3 Validated Ciphers in SSH Client Configuration'
 
 description: |-
     Limit the ciphers to those algorithms which are FIPS-approved.
-    The following line in <tt>/etc/ssh/ssh_config</tt>
+    The following line in <tt>{{{ sshc_main_config }}}</tt>
     demonstrates use of FIPS-approved ciphers:
     {{%- if 'ubuntu' in product %}}
     <pre>Ciphers {{{ ssh_approved_ciphers }}}</pre>

linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/bash/shared.sh

@@ -1,14 +1,16 @@
 # platform = multi_platform_ubuntu
 
 {{{ bash_instantiate_variables("ssh_approved_macs") }}}
+{{%- set sshc_mac_list_config = ssh_client_config_dir ~ "/00-mac-list.conf" -%}}
 
-main_config="/etc/ssh/ssh_config"
-include_directory="/etc/ssh/ssh_config.d"
+main_config="{{{ ssh_client_main_config_file }}}"
+include_directory="{{{ ssh_client_config_dir }}}"
+mac_list_config="$include_directory/00-mac-list.conf"
 
 sed -i '/^\s*MACs.*/d' "$main_config" "$include_directory"/*.conf || true
 
-if ! grep -qE '^[Hh]ost\s+\*$' /etc/ssh/ssh_config.d/00-mac-list.conf; then
-  echo 'Host *' >> /etc/ssh/ssh_config.d/00-mac-list.conf
+if ! grep -qE '^[Hh]ost\s+\*$' "$mac_list_config"; then
+  echo 'Host *' >> "$mac_list_config"
 fi
 
-{{{ set_config_file(path="/etc/ssh/ssh_config.d/00-mac-list.conf", parameter="MACs", value='$ssh_approved_macs', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}
+{{{ set_config_file(path=sshc_mac_list_config, parameter="MACs", value='$ssh_approved_macs', create=true, insert_before="", insert_after="^Host\s+\*$", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", rule_id=rule_id) }}}

linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/oval/shared.xml

@@ -1,39 +1,42 @@
+{{%- set sshc_main_config = ssh_client_main_config_file -%}}
+{{%- set sshc_config_dir = ssh_client_config_dir -%}}
+
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", rule_title=rule_title) }}}
     <criteria comment="ssh is configured correctly" operator="AND">
       <criteria comment="the configuration is correct if it exists" operator="AND">
-        <criterion comment="Check the MACs in /etc/ssh/ssh_config if any"
+        <criterion comment="Check the MACs in {{{ sshc_main_config }}} if any"
           test_ref="test_{{{ rule_id }}}" />
-        <criterion comment="Check the MACs in /etc/ssh/ssh_config.d if any"
+        <criterion comment="Check the MACs in {{{ sshc_config_dir }}} if any"
           test_ref="test_{{{ rule_id }}}_config_dir" />
       </criteria>
       <criterion comment="the configuration exists" test_ref="test_MACs_present_{{{ rule_id }}}" />
     </criteria>
   </definition>
 
   <ind:textfilecontent54_test check="all" check_existence="any_exist"
-    comment="tests the value of MACs setting in the /etc/ssh/ssh_config file"
+    comment="tests the value of MACs setting in {{{ sshc_main_config }}}"
     id="test_{{{ rule_id }}}" version="1">
     <ind:object object_ref="obj_{{{ rule_id }}}" />
     <ind:state state_ref="state_{{{ rule_id }}}" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
-    <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
+    <ind:filepath>{{{ sshc_main_config }}}</ind:filepath>
     <ind:pattern operation="pattern match">^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_test check="all" check_existence="any_exist"
-    comment="tests the value of MACs setting in the /etc/ssh/ssh_config.d file"
+    comment="tests the value of MACs setting in {{{ sshc_config_dir }}}"
     id="test_{{{ rule_id }}}_config_dir" version="1">
     <ind:object object_ref="obj_{{{ rule_id }}}_config_dir" />
     <ind:state state_ref="state_{{{ rule_id }}}" />
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_config_dir" version="1">
-    <ind:path>/etc/ssh/ssh_config.d</ind:path>
+    <ind:path>{{{ sshc_config_dir }}}</ind:path>
     <ind:filename operation="pattern match">.*\.conf$</ind:filename>
     <ind:pattern operation="pattern match">^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml

@@ -1,10 +1,12 @@
 documentation_complete: true
+{{% set sshc_main_config = ssh_client_main_config_file %}}
+{{%- set sshc_config_dir = ssh_client_config_dir -%}}
 
 title: 'Use Only FIPS 140-3 Validated MACs'
 
 description: |-
     Limit the MACs to those hash algorithms which are FIPS-approved.
-    The following line in <tt>/etc/ssh/ssh_config</tt>
+    The following line in <tt>{{{ sshc_main_config }}}</tt>
     demonstrates use of FIPS-approved MACs:
 
     <pre>MACs {{{ ssh_approved_macs }}}</pre>
@@ -22,11 +24,10 @@ ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algor
 ocil: |-
     Only FIPS-approved MACs should be used. To verify that only FIPS-approved
     MACs are in use, run the following command:
-    <pre>$ sudo grep -ir macs /etc/ssh/ssh_config*</pre>
+    <pre>$ sudo grep -ir macs {{{ sshc_main_config }}} {{{ sshc_config_dir }}}</pre>
     The output should contain only following MACs:
     <pre>MACs {{{ xccdf_value("ssh_approved_macs") }}}</pre>
 
 warnings:
     - general: |-
         The system needs to be rebooted for these changes to take effect.
-