Commit 9fe83ea

Merge pull request #14458 from teacup-on-rockingchair/sle16_sshd_lineinfile_fixes
Sle16 sshd lineinfile related fixes
2 parents 48ec5df + 8b9f0fd commit 9fe83ea

84 files changed

Lines changed: 1904 additions & 50 deletions

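--- a/[file path not shown on page, section 1]
+++ b/[file path not shown on page, section 1]
@@ -0,0 +1,100 @@
+{{% macro test_sshd_lineinfile(filepath, param, id) %}}
+{{%- set object_id = filepath | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
+<ind:textfilecontent54_test id="{{{ id }}}" version="1" check="all"
+check_existence="only_one_exists" comment="Check if there is an {{{ param }}} entry in {{{ filepath }}}">
+<ind:object object_ref="object_{{{ param }}}{{{ object_id }}}" />
+</ind:textfilecontent54_test>
+<ind:textfilecontent54_object id="object_{{{ param }}}{{{ object_id }}}" version="1">
+<ind:filepath operation="pattern match">^{{{ filepath }}}</ind:filepath>
+<ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*{{{ param }}}[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern>
+<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+</ind:textfilecontent54_object>
+{{% endmacro %}}
+
+{{% macro test_sshd_lineindir(filepath, param, id) %}}
+{{%- set object_id = filepath | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
+<ind:textfilecontent54_test id="{{{ id }}}" version="1" check="all"
+check_existence="only_one_exists" comment="Check if there is an {{{ param }}} entry in {{{ filepath }}}">
+<ind:object object_ref="object_{{{ param }}}{{{ object_id }}}" />
+</ind:textfilecontent54_test>
+<ind:textfilecontent54_object id="object_{{{ param }}}{{{ object_id }}}" version="1">
+<ind:path>{{{ filepath }}}</ind:path>
+<ind:filename operation="pattern match">.*\.conf$</ind:filename>
+<ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*{{{ param }}}[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern>
+<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+</ind:textfilecontent54_object>
+{{% endmacro %}}
+
+<def-group>
+<definition class="compliance" id="{{{ rule_id }}}" version="1">
+{{{ oval_metadata("One of the following parameters of the sshd configuration file is set: AllowUsers, DenyUsers, AllowGroups, DenyGroups.", rule_title=rule_title) }}}
+<criteria operator="OR" comment="sshd limits the users who can log in">
+<criteria comment="AllowUsers, DenyUsers, AllowGroups, DenyGroups when using /etc/ssh/sshd_config" operator="AND">
+<criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/>
+<criteria operator="OR">
+<criterion test_ref="test_allow_user_is_configured_etc_ssh_sshdconfig" />
+<criterion test_ref="test_allow_groups_is_configured_etc_ssh_sshdconfig" />
+<criterion test_ref="test_deny_users_is_configured_etc_ssh_sshdconfig" />
+<criterion test_ref="test_deny_groups_is_configured_etc_ssh_sshdconfig" />
+<criterion test_ref="test_allow_user_is_configured_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_allow_groups_is_configured_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_deny_users_is_configured_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_deny_groups_is_configured_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_allow_user_is_configured_usr_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_allow_groups_is_configured_usr_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_deny_users_is_configured_usr_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_deny_groups_is_configured_usr_etc_ssh_sshdconfig_dir" />
+</criteria>
+</criteria>
+<criteria comment="AllowUsers, DenyUsers, AllowGroups, DenyGroups when using /usr/etc/ssh/sshd_config" operator="AND">
+<criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/>
+<criteria operator="OR">
+<criterion test_ref="test_allow_user_is_configured_usr_etc_ssh_sshdconfig" />
+<criterion test_ref="test_allow_groups_is_configured_usr_etc_ssh_sshdconfig" />
+<criterion test_ref="test_deny_users_is_configured_usr_etc_ssh_sshdconfig" />
+<criterion test_ref="test_deny_groups_is_configured_usr_etc_ssh_sshdconfig" />
+<criterion test_ref="test_allow_user_is_configured_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_allow_groups_is_configured_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_deny_users_is_configured_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_deny_groups_is_configured_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_allow_user_is_configured_usr_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_allow_groups_is_configured_usr_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_deny_users_is_configured_usr_etc_ssh_sshdconfig_dir" />
+<criterion test_ref="test_deny_groups_is_configured_usr_etc_ssh_sshdconfig_dir" />
+</criteria>
+</criteria>
+</criteria>
+</definition>
+
+<unix:file_test check="all" check_existence="all_exist"
+comment="SSH configuration /etc/ssh/sshd_config exists"
+id="test_etc_ssh_sshd_config_exist"
+state_operator="AND" version="1">
+<unix:object object_ref="obj_etc_ssh_sshd_config_exist"/>
+</unix:file_test>
+<unix:file_object
+comment="SSH configuration /etc/ssh/sshd_config exists"
+id="obj_etc_ssh_sshd_config_exist" version="1">
+<unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath>
+</unix:file_object>
+
+{{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "AllowUsers", "test_allow_user_is_configured_etc_ssh_sshdconfig") }}}
+{{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "AllowGroups", "test_allow_groups_is_configured_etc_ssh_sshdconfig") }}}
+{{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "DenyUsers", "test_deny_users_is_configured_etc_ssh_sshdconfig") }}}
+{{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "DenyGroups", "test_deny_groups_is_configured_etc_ssh_sshdconfig") }}}
+
+{{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "AllowUsers", "test_allow_user_is_configured_usr_etc_ssh_sshdconfig") }}}
+{{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "AllowGroups", "test_allow_groups_is_configured_usr_etc_ssh_sshdconfig") }}}
+{{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "DenyUsers", "test_deny_users_is_configured_usr_etc_ssh_sshdconfig") }}}
+{{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "DenyGroups", "test_deny_groups_is_configured_usr_etc_ssh_sshdconfig") }}}
+
+{{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "AllowUsers", "test_allow_user_is_configured_etc_ssh_sshdconfig_dir") }}}
+{{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "AllowGroups", "test_allow_groups_is_configured_etc_ssh_sshdconfig_dir") }}}
+{{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "DenyUsers", "test_deny_users_is_configured_etc_ssh_sshdconfig_dir") }}}
+{{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "DenyGroups", "test_deny_groups_is_configured_etc_ssh_sshdconfig_dir") }}}
+
+{{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "AllowUsers", "test_allow_user_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+{{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "AllowGroups", "test_allow_groups_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+{{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "DenyUsers", "test_deny_users_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+{{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "DenyGroups", "test_deny_groups_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+</def-group>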
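Review bot: The `ind:filepath` pattern `^{{{ filepath }}}` in both macros (line 8 of the hunk) and the `unix:filepath` `^/etc/ssh/sshd_config` in `obj_etc_ssh_sshd_config_exist` are anchored only at the start, so a leftover such as `/etc/ssh/sshd_config.rpmsave` satisfies the objects and, for the existence test, pushes the definition into the `/etc/ssh/sshd_config` branch even when the real file is absent (and, depending on whether the collector returns directories for a filepath pattern, `/etc/ssh/sshd_config.d` itself may do the same). Anchor both ends, `<ind:filepath operation="pattern match">^{{{ filepath }}}$</ind:filepath>` and `<unix:filepath operation="pattern match">^/etc/ssh/sshd_config$</unix:filepath>`, or switch the fully anchored ones to `operation="equals"`. Separately, `check_existence="only_one_exists"` on the tests together with `instance >= 1` on the objects means a file carrying two `AllowUsers` lines yields two items and the test fails; if repeated directives are meant to satisfy the rule, `at_least_one_exists` is the value to use. The comment on the negated criterion reads "does not exists".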
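--- a/[file path not shown on page, section 2]
+++ b/[file path not shown on page, section 2]
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config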
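--- a/[file path not shown on page, section 3]
+++ b/[file path not shown on page, section 3]
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source common.sh
+echo "AllowGroups group" >> /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf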
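Review bot: The append on the last line assumes `/etc/ssh/sshd_config.d` already exists; `echo >>` cannot create the directory, so on an image without it the scenario aborts before the rule is even evaluated. A `mkdir -p /etc/ssh/sshd_config.d` before the `echo` makes the scenario self-contained. Whether the default SLE 16 image ships the directory is not visible here.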
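--- a/[file path not shown on page, section 4]
+++ b/[file path not shown on page, section 4]
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config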
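--- a/[file path not shown on page, section 5]
+++ b/[file path not shown on page, section 5]
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
 echo "AllowGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config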
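--- a/[file path not shown on page, section 6]
+++ b/[file path not shown on page, section 6]
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source common.sh
+
+echo "AllowUsers testuser1 testuser2 testuser3" >> /usr/etc/ssh/sshd_config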
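--- a/[file path not shown on page, section 7]
+++ b/[file path not shown on page, section 7]
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+{{% endif %}}
+# clean up configurations
+sed -i '/^(Allow|Deny)(Users|Groups).*/d' "${SSHD_PATHS[@]}"
+
+# restore to defaults for sle16
+{{% if product == 'sle16' %}}
+if [ -e "/etc/ssh/sshd_config" ] ; then
+rm /etc/ssh/sshd_config
+fi
+{{% endif %}}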
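Review bot: The cleanup on line 8, `sed -i '/^(Allow|Deny)(Users|Groups).*/d'`, uses ERE grouping and alternation without `-E`, so in sed's default basic-regex mode the parentheses and `|` are literal characters and the address never matches a real `AllowUsers …` line; directives left by a previous scenario survive, which is the same flaw the removed per-test `find | xargs sed` lines had. `sed -E -i '/^(Allow|Deny)(Users|Groups).*/d' "${SSHD_PATHS[@]}"` makes it do what the comment says, and since the OVAL pattern is case-insensitive and tolerates leading blanks, `/^[[:space:]]*(Allow|Deny)(Users|Groups)/Id` would match the same lines the check counts. On line 5 the `/usr/etc/ssh/sshd_config.d/*` and `/etc/ssh/sshd_config.d/*` globs are passed through unexpanded when a directory is empty or missing, and `sed -i` then errors on the literal path; `shopt -s nullglob` before the append avoids that. Note also that for products other than sle16 the list is only `/etc/ssh/sshd_config`, whereas the replaced `find /etc/ssh/sshd_config*` also reached into `/etc/ssh/sshd_config.d/`, so drop-in files are no longer cleaned there.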
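--- a/[file path not shown on page, section 8]
+++ b/[file path not shown on page, section 8]
@@ -0,0 +1,7 @@
+#!/bin/bash
+# remediation = none
+# platform = SUSE Linux Enterprise 16
+source common.sh
+
+touch /etc/ssh/sshd_config
+echo "DenyGroups testgroup" >> /usr/etc/ssh/sshd_config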
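Review bot: The purpose of the `touch /etc/ssh/sshd_config` on line 6 — creating an empty file so that the OVAL takes the `/etc/ssh/sshd_config` branch and the `DenyGroups` written to `/usr/etc/ssh/sshd_config` on line 7 must not count — is only recoverable by reading the definition, and to anyone who has not it looks accidental. A comment above the `touch`, such as `# an existing /etc/ssh/sshd_config takes precedence over /usr/etc/ssh/sshd_config, so the DenyGroups below must be ignored by the check`, records the intent. This reading assumes the scenario is a fail case, which the hidden file name would confirm.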
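--- a/[file path not shown on page, section 9]
+++ b/[file path not shown on page, section 9]
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "DenyGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config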
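--- a/[file path not shown on page, section 10]
+++ b/[file path not shown on page, section 10]
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "DenyUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config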
