Merge pull request #14445 from Smouhoune/feat/ssh-path-overrides-product-vars

Parameterize SSH-related file paths via product properties (preserve current defaults)

Author: Mab879

linux_os/guide/services/ssh/directory_groupowner_sshd_config_d/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Group Who Owns SSH Server Configuration Files'
 
 description: |-
-    {{{ describe_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
+    {{{ describe_directory_group_owner(directory=sshd_config_dir, group="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -28,19 +28,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_directory_group_owner(directory=sshd_config_dir, group="root") }}}'
 
 ocil: |-
-    {{{ ocil_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
+    {{{ ocil_directory_group_owner(directory=sshd_config_dir, group="root") }}}
 
-fixtext: '{{{ fixtext_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+fixtext: '{{{ fixtext_directory_group_owner(file=sshd_config_dir, group="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_directory_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+srg_requirement: '{{{ srg_requirement_directory_group_owner(file=sshd_config_dir, group="root") }}}'
 
 template:
     name: file_groupowner
     vars:
-        filepath: '/etc/ssh/sshd_config.d/'
+        filepath: '{{{ sshd_config_dir }}}/'
         gid_or_name: '0'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/directory_owner_sshd_config_d/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Owner on SSH Server Configuration Files'
 
 description: |-
-    {{{ describe_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
+    {{{ describe_directory_owner(directory=sshd_config_dir, owner="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -28,19 +28,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
+ocil_clause: '{{{ ocil_clause_directory_owner(directory=sshd_config_dir, owner="root") }}}'
 
 ocil: |-
-    {{{ ocil_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
+    {{{ ocil_directory_owner(directory=sshd_config_dir, owner="root") }}}
 
-fixtext: '{{{ fixtext_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+fixtext: '{{{ fixtext_directory_owner(file=sshd_config_dir, owner="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_directory_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+srg_requirement: '{{{ srg_requirement_directory_owner(file=sshd_config_dir, owner="root") }}}'
 
 template:
     name: file_owner
     vars:
-        filepath: '/etc/ssh/sshd_config.d/'
+        filepath: '{{{ sshd_config_dir }}}/'
         uid_or_name: '0'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/directory_permissions_sshd_config_d/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Permissions on SSH Server Config File'
 
 description: |-
-    {{{ describe_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0700") }}}
+    {{{ describe_directory_permissions(directory=sshd_config_dir, perms="0700") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -28,19 +28,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}}'
+ocil_clause: '{{{ ocil_clause_directory_permissions(directory=sshd_config_dir, perms="-rwx------") }}}'
 
 ocil: |-
-    {{{ ocil_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rwx------") }}}
+    {{{ ocil_directory_permissions(directory=sshd_config_dir, perms="-rwx------") }}}
 
-fixtext: '{{{ fixtext_directory_permissions(file="/etc/ssh/sshd_config.d", mode="0700") }}}'
+fixtext: '{{{ fixtext_directory_permissions(file=sshd_config_dir, mode="0700") }}}'
 
-srg_requirement: '{{{ srg_requirement_directory_permission(file="/etc/ssh/sshd_config.d", mode="0700") }}}'
+srg_requirement: '{{{ srg_requirement_directory_permission(file=sshd_config_dir, mode="0700") }}}'
 
 template:
     name: file_permissions
     vars:
-        filepath: /etc/ssh/sshd_config.d/
+        filepath: '{{{ sshd_config_dir }}}/'
         filemode: '0700'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/file_groupowner_sshd_config/rule.yml

@@ -4,7 +4,7 @@ documentation_complete: true
 title: 'Verify Group Who Owns SSH Server config file'
 
 description: |-
-    {{{ describe_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}
+    {{{ describe_file_group_owner(file=sshd_main_config_file, group="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -36,19 +36,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file=sshd_main_config_file, group="root") }}}'
 
 ocil: |-
-    {{{ ocil_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}
+    {{{ ocil_file_group_owner(file=sshd_main_config_file, group="root") }}}
 
-fixtext: '{{{ fixtext_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}'
+fixtext: '{{{ fixtext_file_group_owner(file=sshd_main_config_file, group="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/ssh/sshd_config", group="root") }}}'
+srg_requirement: '{{{ srg_requirement_file_group_owner(file=sshd_main_config_file, group="root") }}}'
 
 template:
     name: file_groupowner
     vars:
-        filepath: /etc/ssh/sshd_config
+        filepath: '{{{ sshd_main_config_file }}}'
         gid_or_name: '0'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Group Who Owns SSH Server Configuration Files'
 
 description: |-
-    {{{ describe_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
+    {{{ describe_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -28,19 +28,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}'
 
 ocil: |-
-    {{{ ocil_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}
+    {{{ ocil_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}
 
-fixtext: '{{{ fixtext_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
+fixtext: '{{{ fixtext_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory="/etc/ssh/sshd_config.d", group="root") }}}'
+srg_requirement: '{{{ srg_requirement_files_in_directory_group_owner(directory=sshd_config_dir, group="root") }}}'
 
 template:
     name: file_groupowner
     vars:
-        filepath: '/etc/ssh/sshd_config.d/'
+        filepath: '{{{ sshd_config_dir }}}/'
         file_regex: '^.*$'
         gid_or_name: '0'
 

linux_os/guide/services/ssh/file_owner_sshd_config/rule.yml

@@ -4,7 +4,7 @@ documentation_complete: true
 title: 'Verify Owner on SSH Server config file'
 
 description: |-
-    {{{ describe_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}
+    {{{ describe_file_owner(file=sshd_main_config_file, owner="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -36,19 +36,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_owner(file=sshd_main_config_file, owner="root") }}}'
 
 ocil: |-
-    {{{ ocil_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}
+    {{{ ocil_file_owner(file=sshd_main_config_file, owner="root") }}}
 
-fixtext: '{{{ fixtext_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}'
+fixtext: '{{{ fixtext_file_owner(file=sshd_main_config_file, owner="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/ssh/sshd_config", owner="root") }}}'
+srg_requirement: '{{{ srg_requirement_file_owner(file=sshd_main_config_file, owner="root") }}}'
 
 template:
     name: file_owner
     vars:
-        filepath: /etc/ssh/sshd_config
+        filepath: '{{{ sshd_main_config_file }}}'
         uid_or_name: '0'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Owner on SSH Server Configuration Files'
 
 description: |-
-    {{{ describe_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
+    {{{ describe_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -29,19 +29,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
+ocil_clause: '{{{ ocil_clause_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}'
 
 ocil: |-
-    {{{ ocil_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}
+    {{{ ocil_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}
 
-fixtext: '{{{ fixtext_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
+fixtext: '{{{ fixtext_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}'
 
-srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory="/etc/ssh/sshd_config.d", owner="root") }}}'
+srg_requirement: '{{{ srg_requirement_files_in_directory_owner(directory=sshd_config_dir, owner="root") }}}'
 
 template:
     name: file_owner
     vars:
-        filepath: '/etc/ssh/sshd_config.d/'
+        filepath: '{{{ sshd_config_dir }}}/'
         file_regex: '^.*$'
         uid_or_name: '0'
 

linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml

@@ -4,7 +4,7 @@ documentation_complete: true
 title: 'Verify Permissions on SSH Server config file'
 
 description: |-
-    {{{ describe_file_permissions(file="/etc/ssh/sshd_config", perms="0600") }}}
+    {{{ describe_file_permissions(file=sshd_main_config_file, perms="0600") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -36,20 +36,20 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/sshd_config", perms="-rw-------") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file=sshd_main_config_file, perms="-rw-------") }}}'
 
 ocil: |-
-    {{{ ocil_file_permissions(file="/etc/ssh/sshd_config", perms="-rw-------") }}}
+    {{{ ocil_file_permissions(file=sshd_main_config_file, perms="-rw-------") }}}
 
-fixtext: '{{{ fixtext_file_permissions(file="/etc/ssh/sshd_config", mode="0600") }}}'
+fixtext: '{{{ fixtext_file_permissions(file=sshd_main_config_file, mode="0600") }}}'
 
-srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/ssh/sshd_config", mode="0600") }}}'
+srg_requirement: '{{{ srg_requirement_file_permission(file=sshd_main_config_file, mode="0600") }}}'
 
 template:
     name: file_permissions
     vars:
         filepath:
-            - /etc/ssh/sshd_config
+            - '{{{ sshd_main_config_file }}}'
         filemode: '0600'
 
 platform: system_with_kernel

linux_os/guide/services/ssh/file_permissions_sshd_drop_in_config/rule.yml

@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Permissions on SSH Server Config File'
 
 description: |-
-    {{{ describe_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="0600") }}}
+    {{{ describe_files_in_directory_permissions(directory=sshd_config_dir, perms="0600") }}}
 
 rationale: |-
     Service configuration files enable or disable features of their respective
@@ -28,19 +28,19 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
 
-ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}}'
+ocil_clause: '{{{ ocil_clause_files_in_directory_permissions(directory=sshd_config_dir, perms="-rw-------") }}}'
 
 ocil: |-
-    {{{ ocil_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", perms="-rw-------") }}}
+    {{{ ocil_files_in_directory_permissions(directory=sshd_config_dir, perms="-rw-------") }}}
 
-fixtext: '{{{ fixtext_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}'
+fixtext: '{{{ fixtext_files_in_directory_permissions(directory=sshd_config_dir, mode="0600") }}}'
 
-srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory="/etc/ssh/sshd_config.d", mode="0600") }}}'
+srg_requirement: '{{{ srg_requirement_files_in_directory_permissions(directory=sshd_config_dir, mode="0600") }}}'
 
 template:
     name: file_permissions
     vars:
-        filepath: '/etc/ssh/sshd_config.d/'
+        filepath: '{{{ sshd_config_dir }}}/'
         file_regex: '^.*$'
         filemode: '0600'
 

linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml

@@ -1,9 +1,10 @@
+{{% set sshd_redhat_drop_in_file = sshd_config_dir ~ "/50-redhat.conf" %}}
 documentation_complete: true
 
-title: 'The File /etc/ssh/sshd_config.d/50-redhat.conf Must Exist'
+title: 'The File {{{ sshd_redhat_drop_in_file }}} Must Exist'
 
 description: |-
-    The <tt>/etc/ssh/sshd_config.d/50-redhat.conf</tt> file must exist as it contains important
+    The <tt>{{{ sshd_redhat_drop_in_file }}}</tt> file must exist as it contains important
     settings to secure SSH.
 
 
@@ -29,7 +30,7 @@ warnings:
 template:
     name: 'file_existence'
     vars:
-        filepath: '/etc/ssh/sshd_config.d/50-redhat.conf'
+        filepath: '{{{ sshd_redhat_drop_in_file }}}'
         exists: true
     backends:
         ansible: off