For sle16 enhance the check to cover cases with sshd_config in /usr and subfolders for sshd_set_login_grace_time rule

Author: teacup-on-rockingchair

linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/oval/sle16.xml

@@ -0,0 +1,153 @@
+<def-group>
+  <definition class="compliance" id="{{{rule_id}}}" version="1">
+    {{{ oval_metadata("The SSH number seconds for login grace time should be set to an appropriate value.", rule_title=rule_title) }}}
+    <criteria comment="SSH is configured correctly or is not installed" operator="OR">
+      <criteria comment="sshd is not installed" operator="AND">
+        <extend_definition comment="sshd is not required or requirement is unset" definition_ref="sshd_not_required_or_unset"/>
+        <extend_definition comment="rpm package openssh-server removed" definition_ref="package_openssh-server_removed"/>
+      </criteria>
+      <criteria comment="sshd is installed and configured using /etc/ssh/sshd_config" operator="AND">
+        <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset"/>
+        <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed"/>
+        <criteria comment="LoginGraceTime is configured correctly in /etc/ssh/sshd_config" operator="AND">
+          <criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/>
+          <criterion comment="Check LoginGraceTime in /usr/etc/ssh/sshd_config" test_ref="test_sshd_login_grace_time_etc" />
+          <criterion comment="Check LoginGraceTime in /etc/ssh/sshd_config.d/" test_ref="test_sshd_login_grace_time_config_dir"/>
+          <criterion comment="Check LoginGraceTime in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_login_grace_time_usr_config_dir"/>
+          <criterion comment="the configuration exists" test_ref="test_login_grace_time_present_etc" />
+        </criteria>
+      </criteria>
+      <criteria comment="sshd is installed and configured using /usr/etc/ssh/sshd_config" operator="AND">
+        <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset" />
+        <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed" />
+        <criteria comment="LoginGraceTime is configured correctly in /usr/etc/ssh/sshd_config" operator="AND">
+          <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/>
+          <criterion comment="Check LoginGraceTime in /usr/etc/ssh/sshd_config" test_ref="test_sshd_login_grace_time_usr" />
+          <criterion comment="Check LoginGraceTime in /etc/ssh/sshd_config.d/" test_ref="test_sshd_login_grace_time_config_dir"/>
+          <criterion comment="Check LoginGraceTime in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_login_grace_time_usr_config_dir"/>
+          <criterion comment="the configuration exists" test_ref="test_login_grace_time_present_usr" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <unix:file_test check="all" check_existence="all_exist"
+      comment="SSH configuration /etc/ssh/sshd_config exists"
+      id="test_etc_ssh_sshd_config_exist"
+      state_operator="AND" version="1">
+    <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/>
+  </unix:file_test>
+  <unix:file_object
+      comment="SSH configuration /etc/ssh/sshd_config exists"
+      id="obj_etc_ssh_sshd_config_exist" version="1">
+    <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath>
+  </unix:file_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="LoginGraceTime is configured in /etc/ssh/sshd_config"
+    id="test_sshd_login_grace_time_etc" version="1">
+    <ind:object object_ref="object_sshd_login_grace_time_etc" />
+    <ind:state state_ref="state_login_grace_time_value_upper_bound" />
+    <ind:state state_ref="state_login_grace_time_value_lower_bound" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_sshd_login_grace_time_etc" version="2">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="LoginGraceTime is configured in /usr/etc/ssh/sshd_config"
+    id="test_sshd_login_grace_time_usr" version="1">
+    <ind:object object_ref="object_sshd_login_grace_time_usr" />
+    <ind:state state_ref="state_login_grace_time_value_upper_bound" />
+    <ind:state state_ref="state_login_grace_time_value_lower_bound" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_sshd_login_grace_time_usr" version="2">
+    <ind:filepath>/usr/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="LoginGraceTime is configured in drop-in directory /etc/ssh/sshd_config.d"
+    id="test_sshd_login_grace_time_config_dir" version="1">
+    <ind:object object_ref="object_sshd_login_grace_time_config_dir" />
+    <ind:state state_ref="state_login_grace_time_value_upper_bound" />
+    <ind:state state_ref="state_login_grace_time_value_lower_bound" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_sshd_login_grace_time_config_dir" version="2">
+    <ind:path>/etc/ssh/sshd_config.d</ind:path>
+    <ind:filename operation="pattern match">.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="LoginGraceTime is configured in included directory /usr/etc/ssh/sshd_config.d"
+    id="test_sshd_login_grace_time_usr_config_dir" version="1">
+    <ind:object object_ref="object_sshd_login_grace_time_usr_config_dir" />
+    <ind:state state_ref="state_login_grace_time_value_upper_bound" />
+    <ind:state state_ref="state_login_grace_time_value_lower_bound" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_sshd_login_grace_time_usr_config_dir" version="2">
+    <ind:path>/usr/etc/ssh/sshd_config.d</ind:path>
+    <ind:filename operation="pattern match">.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state comment="upper bound of LoginGraceTime in seconds"
+  id="state_login_grace_time_value_upper_bound" version="1">
+    <ind:subexpression datatype="int" operation="less than or equal" var_check="all"
+    var_ref="var_sshd_set_login_grace_time" />
+  </ind:textfilecontent54_state>
+
+  <ind:textfilecontent54_state comment="lower bound of LoginGraceTime in seconds"
+  id="state_login_grace_time_value_lower_bound" version="1">
+    <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  <ind:textfilecontent54_test id="test_login_grace_time_present_etc" version="1"
+    check="all" check_existence="at_least_one_exists"
+    comment="Verify that the value of LoginGraceTime is present">
+    <ind:object object_ref="obj_collection_obj_sshd_set_login_grace_time" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_login_grace_time" version="1">
+    <set set_operator="UNION">
+      <set set_operator="UNION">
+        <object_reference>object_sshd_login_grace_time_etc</object_reference>
+      </set>
+      <set set_operator="UNION">
+        <object_reference>object_sshd_login_grace_time_config_dir</object_reference>
+        <object_reference>object_sshd_login_grace_time_usr_config_dir</object_reference>
+      </set>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test id="test_login_grace_time_present_usr" version="1"
+    check="all" check_existence="at_least_one_exists"
+    comment="Verify that the value of LoginGraceTime is present">
+    <ind:object object_ref="obj_collection_obj_sshd_set_login_grace_time_usr" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_login_grace_time_usr" version="1">
+    <set set_operator="UNION">
+      <set set_operator="UNION">
+        <object_reference>object_sshd_login_grace_time_usr</object_reference>
+      </set>
+      <set set_operator="UNION">
+        <object_reference>object_sshd_login_grace_time_config_dir</object_reference>
+        <object_reference>object_sshd_login_grace_time_usr_config_dir</object_reference>
+      </set>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <external_variable comment="logingracetime value" datatype="int" id="var_sshd_set_login_grace_time" version="1" />
+
+</def-group>

linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_etc_sshd_config_drop_in.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+echo "LoginGraceTime 60" >> /etc/ssh/sshd_config.d/01-complianceascode.conf

linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+touch /etc/ssh/sshd_config
+echo "LoginGraceTime 1" >> /usr/etc/ssh/sshd_config

linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+echo "LoginGraceTime 1" >> /usr/etc/ssh/sshd_config

linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+echo "LoginGraceTime 60" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf

linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/include.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+{{% endif %}}
+# clean up configurations
+sed -i '/^LoginGraceTime.*/d' "${SSHD_PATHS[@]}"
+
+# restore to defaults for sle16
+{{% if product == 'sle16' %}}
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+{{% endif %}}

linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/lower_bound.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_pci-dss-4
 # platform = multi_platform_all
 
 SSHD_CONFIG="/etc/ssh/sshd_config"

linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/no_limit.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_pci-dss-4
 # platform = multi_platform_all
 
 SSHD_CONFIG="/etc/ssh/sshd_config"

linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# profiles = xccdf_org.ssgproject.content_profile_cis,xccdf_org.ssgproject.content_profile_pci-dss-4
 # platform = multi_platform_all
 
 SSHD_CONFIG="/etc/ssh/sshd_config"

linux_os/guide/services/ssh/ssh_server/sshd_set_login_grace_time/tests/too_high_etc_sshd_config_drop_in.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source include.sh
+
+echo "LoginGraceTime 61" >> /etc/ssh/sshd_config.d/01-complianceascode.conf