Update sshd_lineinfile template to better fit SLE16 platform

teacup-on-rockingchair · teacup-on-rockingchair · commit f2d2f82727e7 · 2026-05-27T11:22:37.000+03:00
- ansible copy distro defaults and remove Include /usr/etc/ssh/sshd_config.d/*.conf from main config
- bash copy distro defaults and remove Include /usr/etc/ssh/sshd_config.d/*.conf from main config
- removed no longer needed tests checking /usr/etc/ssh stuff
- tests now use sshd_main_config_file and sshd_config_dir(oracle specific test remain unchanged)
diff --git a/shared/templates/sshd_lineinfile/ansible.template b/shared/templates/sshd_lineinfile/ansible.template
@@ -4,46 +4,38 @@
 # complexity = low
 # disruption = low
 
+{{% if product in [ 'sle16', 'slmicro6' ] %}}
+{{{ ansible_copy_distro_defaults("/usr/etc/ssh/sshd_config", sshd_main_config_file, rule_title=rule_title) }}}
+- name: Check if SSH {{{ sshd_main_config_file }}} configuration file exists
+  ansible.builtin.stat:
+    path: {{{ sshd_main_config_file }}}
+  register: sshd_main_config_file_{{{ rule_id }}}
+{{{
+    ansible_lineinfile(
+        rule_title + ' - Remove /usr/etc/ssh/sshd_config.d/*.conf include directive from ' + sshd_main_config_file,
+        path=sshd_main_config_file,
+        regex='^\s*Include\s+\/usr\/etc\/ssh\/sshd_config\.d/\*\.conf',
+        state='absent',
+        when='sshd_main_config_file_' + rule_id + '.stat.exists'
+    )
+}}}
+{{% endif %}}
+
 {{% if XCCDF_VARIABLE %}}
 {{{ ansible_instantiate_variables(XCCDF_VARIABLE) }}}
-    {{%- if product == 'sle16' -%}}
-        {{{
-            ansible_sshd_set_usr(
-                parameter=PARAMETER,
-                value="{{ "+XCCDF_VARIABLE+" }}",
-                copy_defaults='true',
-                config_basename=CONFIG_BASENAME,
-                rule_title=rule_title
-            )
-        }}}
-    {{%- else -%}}
-        {{{
-            ansible_sshd_set(
-                parameter=PARAMETER,
-                value="{{ "+XCCDF_VARIABLE+" }}",
-                config_is_distributed=sshd_distributed_config,
-                config_basename=CONFIG_BASENAME, rule_title=rule_title)
-        }}}
-    {{%- endif -%}}
+    {{{
+        ansible_sshd_set(
+            parameter=PARAMETER,
+            value="{{ "+XCCDF_VARIABLE+" }}",
+            config_is_distributed=sshd_distributed_config,
+            config_basename=CONFIG_BASENAME, rule_title=rule_title)
+    }}}
 {{% else %}}
-    {{%- if product == 'sle16' -%}}
-        {{{
-            ansible_sshd_set_usr(
-                parameter=PARAMETER,
-                value=VALUE,
-                copy_defaults='true',
-                config_basename=CONFIG_BASENAME,
-                rule_title=rule_title
-            )
-        }}}
-    {{%- else -%}}
-        {{{
-            ansible_sshd_set(
-                parameter=PARAMETER,
-                value=VALUE,
-                config_is_distributed=sshd_distributed_config,
-                config_basename=CONFIG_BASENAME, rule_title=rule_title)
-        }}}
-    {{%- endif -%}}
-
+    {{{
+        ansible_sshd_set(
+            parameter=PARAMETER,
+            value=VALUE,
+            config_is_distributed=sshd_distributed_config,
+            config_basename=CONFIG_BASENAME, rule_title=rule_title)
+    }}}
  {{% endif %}}
diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
@@ -4,17 +4,14 @@
 # complexity = low
 # disruption = low
 
+{{% if product in ['sle16', 'slmicro6'] %}}
+    {{{ bash_copy_distro_defaults("/usr/etc/ssh/sshd_config", sshd_main_config_file) }}}
+    {{{ lineinfile_absent(sshd_main_config_file, "^\s*Include\s*/usr/etc/ssh/sshd_config\.d/\*\.conf", sed_path_separator="#", rule_id=rule_id) }}}
+{{% endif %}}
+
 {{% if XCCDF_VARIABLE %}}
     {{{- bash_instantiate_variables(XCCDF_VARIABLE) -}}}
-    {{%- if product == 'sle16' -%}}
-        {{{- bash_sshd_remediation_usr(parameter=PARAMETER, value="$" ~ XCCDF_VARIABLE, copy_defaults=true, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
-    {{%- else -%}}
-        {{{- bash_sshd_remediation(parameter=PARAMETER, value="$" ~ XCCDF_VARIABLE, config_is_distributed=sshd_distributed_config, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
-    {{%- endif -%}}
+    {{{- bash_sshd_remediation(parameter=PARAMETER, value="$" ~ XCCDF_VARIABLE, config_is_distributed=sshd_distributed_config, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
 {{%- else -%}}
-    {{%- if product == 'sle16' -%}}
-        {{{- bash_sshd_remediation_usr(parameter=PARAMETER, value=VALUE, copy_defaults=true, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
-    {{%- else -%}}
-        {{{- bash_sshd_remediation(parameter=PARAMETER, value=VALUE, config_is_distributed=sshd_distributed_config, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
-    {{%- endif -%}}
+    {{{- bash_sshd_remediation(parameter=PARAMETER, value=VALUE, config_is_distributed=sshd_distributed_config, config_basename=CONFIG_BASENAME, rule_id=rule_id) -}}}
 {{%- endif -%}}
diff --git a/shared/templates/sshd_lineinfile/oval.template b/shared/templates/sshd_lineinfile/oval.template
@@ -1,53 +1,27 @@
-{{%- if product == 'sle16' -%}}
-    {{%- if XCCDF_VARIABLE -%}}
-        {{{
-            sshd_oval_check_usr(
-                parameter=PARAMETER,
-                xccdf_variable=XCCDF_VARIABLE,
-                missing_parameter_pass=MISSING_PARAMETER_PASS,
-                datatype=DATATYPE,
-                rule_id=rule_id,
-                rule_title=rule_title
-            )
-        }}}
-    {{%- else -%}}
-        {{{
-            sshd_oval_check_usr(
+{{%- if XCCDF_VARIABLE -%}}
+    {{{
+        sshd_oval_check(
             parameter=PARAMETER,
-            value=VALUE,
-            missing_parameter_pass=MISSING_PARAMETER_PASS,
-            datatype=DATATYPE,
-            rule_id=rule_id,
-            rule_title=rule_title
-            )
-        }}}
-    {{%- endif -%}}
-{{%- else -%}}
-    {{%- if XCCDF_VARIABLE -%}}
-        {{{
-            sshd_oval_check(
-                parameter=PARAMETER,
-                xccdf_variable=XCCDF_VARIABLE,
-                missing_parameter_pass=MISSING_PARAMETER_PASS,
-                config_is_distributed=sshd_distributed_config,
-                runtime_check=sshd_runtime_check,
-                datatype=DATATYPE,
-                rule_id=rule_id,
-                rule_title=rule_title
-            )
-        }}}
-    {{%- else -%}}
-        {{{
-            sshd_oval_check(
-            parameter=PARAMETER,
-            value=VALUE,
+            xccdf_variable=XCCDF_VARIABLE,
             missing_parameter_pass=MISSING_PARAMETER_PASS,
             config_is_distributed=sshd_distributed_config,
             runtime_check=sshd_runtime_check,
             datatype=DATATYPE,
             rule_id=rule_id,
             rule_title=rule_title
-            )
-        }}}
-    {{%- endif -%}}
+        )
+    }}}
+{{%- else -%}}
+    {{{
+        sshd_oval_check(
+        parameter=PARAMETER,
+        value=VALUE,
+        missing_parameter_pass=MISSING_PARAMETER_PASS,
+        config_is_distributed=sshd_distributed_config,
+        runtime_check=sshd_runtime_check,
+        datatype=DATATYPE,
+        rule_id=rule_id,
+        rule_title=rule_title
+        )
+    }}}
 {{%- endif -%}}
diff --git a/shared/templates/sshd_lineinfile/tests/common.sh b/shared/templates/sshd_lineinfile/tests/common.sh
@@ -1,15 +1,12 @@
 #!/bin/bash
 
-mkdir -p /etc/ssh/sshd_config.d
-touch /etc/ssh/sshd_config.d/nothing
+mkdir -p "{{{ sshd_config_dir }}}"
+touch "{{{ sshd_config_dir }}}/nothing"
 
-declare -a SSHD_PATHS=("/etc/ssh/sshd_config" /etc/ssh/sshd_config.d/*)
-{{% if product == 'sle16' %}}
-SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/*)
-{{% endif %}}
+declare -a SSHD_PATHS=("{{{ sshd_main_config_file }}}" "{{{ sshd_config_dir }}}/*")
 
 if grep -q "^\s*{{{ PARAMETER }}}" "${SSHD_PATHS[@]}" ; then
 	sed -i "s/^{{{ PARAMETER }}}.*/# {{{ PARAMETER }}} {{{ CORRECT_VALUE }}}/g" "${SSHD_PATHS[@]}"
 else
-	echo "# {{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config
+	echo "# {{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> "{{{ sshd_main_config_file }}}"
 fi
diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_directory.pass.sh
@@ -8,7 +8,7 @@
 source common.sh
 
 {{% if product in ["ol8", "ol9"] %}}
-{{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "/etc/ssh/sshd_config.d/*.conf", "%s %s", cce_identifiers=cce_identifiers) }}}
+{{{ bash_replace_or_append("{{{ sshd_main_config_file }}}", "Include", "{{{ sshd_config_dir }}}/*.conf", "%s %s", cce_identifiers=cce_identifiers) }}}
 {{% endif %}}
 
 {{{ bash_sshd_remediation(parameter=PARAMETER, value=CORRECT_VALUE, config_is_distributed=sshd_distributed_config, rule_id=rule_id) -}}}
diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_usr_config_dir.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_usr_config_dir.pass.sh
diff --git a/shared/templates/sshd_lineinfile/tests/correct_value_usr_config_path.pass.sh b/shared/templates/sshd_lineinfile/tests/correct_value_usr_config_path.pass.sh
diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param.pass.sh
@@ -1,12 +1,9 @@
 #!/bin/bash
 
-declare -a SSHD_PATHS=("/etc/ssh/sshd_config" /etc/ssh/sshd_config.d/*)
-{{% if product == 'sle16' %}}
-SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/*)
-{{% endif %}}
+declare -a SSHD_PATHS=("{{{ sshd_main_config_file }}}" "{{{ sshd_config_dir }}}/*")
 
-mkdir -p /etc/ssh/sshd_config.d
-touch /etc/ssh/sshd_config.d/nothing
+mkdir -p "{{{ sshd_config_dir }}}"
+touch "{{{ sshd_config_dir }}}/nothing"
 
 if grep -q "^\s*{{{ PARAMETER }}}" "${SSHD_PATHS[@]}" ; then
     sed -i "/^\s*{{{ PARAMETER }}}.*/Id" "${SSHD_PATHS[@]}"
diff --git a/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh b/shared/templates/sshd_lineinfile/tests/duplicated_param_directory.pass.sh
@@ -2,17 +2,14 @@
 
 # platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 10,SUSE Linux Enterprise 16,multi_platform_fedora,multi_platform_ubuntu
 
-mkdir -p /etc/ssh/sshd_config.d
-touch /etc/ssh/sshd_config.d/nothing
+mkdir -p "{{{ sshd_config_dir }}}"
+touch "{{{ sshd_config_dir }}}/nothing"
 
 {{% if product in ["ol8", "ol9"] %}}
 {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "/etc/ssh/sshd_config.d/*.conf", "%s %s", cce_identifiers=cce_identifiers) }}}
 {{% endif %}}
 
-declare -a SSHD_PATHS=("/etc/ssh/sshd_config" /etc/ssh/sshd_config.d/*)
-{{% if product == 'sle16' %}}
-SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/*)
-{{% endif %}}
+declare -a SSHD_PATHS=("{{{ sshd_main_config_file }}}" "{{{ sshd_config_dir }}}/*")
 
 if grep -q "^\s*{{{ PARAMETER }}}" "${SSHD_PATHS[@]}" ; then
     sed -i "/^\s*{{{ PARAMETER }}}.*/Id" "${SSHD_PATHS[@]}"
@@ -22,5 +19,9 @@ fi
 # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
 {{% endif %}}
 
-echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config.d/first.conf
-echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config.d/second.conf
+{{% if product in ["sle16", "slmicro6"] %}}
+touch "{{{ sshd_main_config_file }}}"
+{{% endif %}}
+
+echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> "{{{ sshd_config_dir }}}/first.conf"
+echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> "{{{ sshd_config_dir }}}/second.conf"
diff --git a/shared/templates/sshd_lineinfile/tests/line_not_there.fail.sh b/shared/templates/sshd_lineinfile/tests/line_not_there.fail.sh
@@ -2,12 +2,14 @@
 
 SSHD_PARAM={{{ PARAMETER }}}
 
-mkdir -p /etc/ssh/sshd_config.d
-touch /etc/ssh/sshd_config.d/nothing
-
-{{% if product == 'sle16' %}}
-touch /etc/ssh/sshd_config
-sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* /usr/etc/ssh/sshd_config /usr/etc/ssh/sshd_config.d/*
-{{% else %}}
-sed -i "/^\s*${SSHD_PARAM}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+declare -a SSHD_PATHS=("{{{ sshd_main_config_file }}}" "{{{ sshd_config_dir }}}/*")
+mkdir -p "{{{ sshd_config_dir }}}"
+touch "{{{ sshd_config_dir }}}/nothing"
+
+{{% if product in ['sle16', 'slmicro6'] %}}
+touch "{{{ sshd_main_config_file }}}"
 {{% endif %}}
+
+if grep -q "^\s*${SSHD_PARAM}" "${SSHD_PATHS[@]}" ; then
+    sed -i "/^\s*${SSHD_PARAM}.*/Id" "${SSHD_PATHS[@]}"
+fi
diff --git a/shared/templates/sshd_lineinfile/tests/main_config_missing.fail.sh b/shared/templates/sshd_lineinfile/tests/main_config_missing.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+
+{{% if XCCDF_VARIABLE %}}
+# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
+{{% endif %}}
+
+if [ -e "{{{ sshd_main_config_file }}}" ] ; then
+    rm "{{{ sshd_main_config_file }}}"
+fi
+# correct value in drop-in, but missing global main config
+echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> "{{{ sshd_config_dir }}}/other.conf"
diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict.fail.sh
@@ -1,17 +1,18 @@
 #!/bin/bash
 
-
 {{% if XCCDF_VARIABLE %}}
 # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
 {{% endif %}}
 
 
-mkdir -p /etc/ssh/sshd_config.d
-touch /etc/ssh/sshd_config.d/nothing
+mkdir -p "{{{ sshd_config_dir }}}"
+touch "{{{ sshd_config_dir }}}/nothing"
+
+declare -a SSHD_PATHS=("{{{ sshd_main_config_file }}}" "{{{ sshd_config_dir }}}/*")
 
-if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
-	sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+if grep -q "^\s*{{{ PARAMETER }}}" "${SSHD_PATHS[@]}" ; then
+	sed -i "/^\s*{{{ PARAMETER }}}.*/Id" "${SSHD_PATHS[@]}"
 fi
 
-echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config
-echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" >> /etc/ssh/sshd_config
+echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> "{{{ sshd_main_config_file }}}"
+echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" >> "{{{ sshd_main_config_file }}}"
diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_directory.fail.sh
@@ -7,16 +7,18 @@
 # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
 {{% endif %}}
 
-mkdir -p /etc/ssh/sshd_config.d
-touch /etc/ssh/sshd_config.d/nothing
+mkdir -p "{{{ sshd_config_dir }}}"
+touch "{{{ sshd_config_dir }}}/nothing"
+
+declare -a SSHD_PATHS=("{{{ sshd_main_config_file }}}" "{{{ sshd_config_dir }}}/*")
 
 {{% if product in ["ol8", "ol9"] %}}
 {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "/etc/ssh/sshd_config.d/*.conf", "%s %s", cce_identifiers=cce_identifiers) }}}
 {{% endif %}}
 
-if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
-	sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+if grep -q "^\s*{{{ PARAMETER }}}" "${SSHD_PATHS[@]}"; then
+	sed -i "/^\s*{{{ PARAMETER }}}.*/Id" "${SSHD_PATHS[@]}"
 fi
 
-echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" > /etc/ssh/sshd_config.d/good_config.conf
-echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > /etc/ssh/sshd_config.d/bad_config.conf
+echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" > "{{{ sshd_config_dir }}}/good_config.conf"
+echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > "{{{ sshd_config_dir }}}/bad_config.conf"
diff --git a/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/param_conflict_file_with_directory.fail.sh
@@ -6,16 +6,18 @@
 # variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}}
 {{% endif %}}
 
-mkdir -p /etc/ssh/sshd_config.d
-touch /etc/ssh/sshd_config.d/nothing
+mkdir -p "{{{ sshd_config_dir }}}"
+touch "{{{ sshd_config_dir }}}/nothing"
+
+declare -a SSHD_PATHS=("{{{ sshd_main_config_file }}}" "{{{ sshd_config_dir }}}/*")
 
 {{% if product in ["ol8", "ol9"] %}}
 {{{ bash_replace_or_append("/etc/ssh/sshd_config", "Include", "/etc/ssh/sshd_config.d/*.conf", "%s %s", cce_identifiers=cce_identifiers) }}}
 {{% endif %}}
 
-if grep -q "^\s*{{{ PARAMETER }}}" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/* ; then
-	sed -i "/^\s*{{{ PARAMETER }}}.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+if grep -q "^\s*{{{ PARAMETER }}}" "${SSHD_PATHS[@]}" ; then
+	sed -i "/^\s*{{{ PARAMETER }}}.*/Id" "${SSHD_PATHS[@]}"
 fi
 
-echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> /etc/ssh/sshd_config
-echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > /etc/ssh/sshd_config.d/bad_config.conf
+echo "{{{ PARAMETER }}} {{{ CORRECT_VALUE }}}" >> "{{{ sshd_main_config_file }}}"
+echo "{{{ PARAMETER }}} {{{ WRONG_VALUE }}}" > "{{{ sshd_config_dir }}}/bad_config.conf"
diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value.fail.sh
diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_directory.fail.sh
diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_dir.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_dir.fail.sh
diff --git a/shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_path.fail.sh b/shared/templates/sshd_lineinfile/tests/wrong_value_usr_config_path.fail.sh
