For sle16 enhance the check to cover cases with sshd_config in /usr and subfolders for sshd_set_maxstartups rule

teacup-on-rockingchair · teacup-on-rockingchair · commit 8f0e0ed06934 · 2026-02-26T08:07:03.000+02:00
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/sle16.xml
@@ -0,0 +1,151 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="2">
+    {{{ oval_metadata("Ensure 'MaxStartups' is properly configured in SSH configuration files.", rule_title=rule_title) }}}
+    <criteria operator="OR" comment="sshd MaxStartups parameter is properly configured if sshd is installed">
+      <criteria operator="AND" comment="sshd is not installed">
+        <extend_definition definition_ref="sshd_not_required_or_unset"
+          comment="sshd is not required or requirement is unset"/>
+        <extend_definition definition_ref="package_openssh-server_removed"
+          comment="rpm package openssh-server is removed"/>
+      </criteria>
+      <criteria operator="OR">
+        <criteria comment="MaxStartups is configured correctly in /etc/ssh/sshd_config" operator="AND">
+          <criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/>
+          <criterion test_ref="tst_maxstartups_start_parameter" comment="SSH MaxStartups start parameter is less than or equal to 10"/>
+          <criterion test_ref="tst_maxstartups_rate_parameter" comment="SSH MaxStartups rate parameter is greater than or equal to 30"/>
+          <criterion test_ref="tst_maxstartups_full_parameter" comment="SSH MaxStartups full parameter is less than or equal to 100"/>
+        </criteria>
+        <criteria comment="MaxStartups is configured correctly in /usr/etc/ssh/sshd_config" operator="AND">
+          <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/>
+          <criterion test_ref="tst_maxstartups_start_parameter_usr" comment="SSH MaxStartups start parameter is less than or equal to 10"/>
+          <criterion test_ref="tst_maxstartups_rate_parameter_usr" comment="SSH MaxStartups rate parameter is greater than or equal to 30"/>
+          <criterion test_ref="tst_maxstartups_full_parameter_usr" comment="SSH MaxStartups full parameter is less than or equal to 100"/>
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <unix:file_test check="all" check_existence="all_exist"
+      comment="SSH configuration /etc/ssh/sshd_config exists"
+      id="test_etc_ssh_sshd_config_exist"
+      state_operator="AND" version="1">
+    <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/>
+  </unix:file_test>
+  <unix:file_object
+      comment="SSH configuration /etc/ssh/sshd_config exists"
+      id="obj_etc_ssh_sshd_config_exist" version="1">
+    <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath>
+  </unix:file_object>
+
+  <ind:textfilecontent54_test id="tst_maxstartups_start_parameter" version="2"
+    check="all" check_existence="at_least_one_exists"
+    comment="SSH MaxStartups start parameter is less than or equal to the expected value">
+    <ind:object object_ref="obj_sshd_config_maxstartups_first_parameter"/>
+    <ind:state state_ref="ste_sshd_config_start_parameter_valid"/>
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_test id="tst_maxstartups_rate_parameter" version="2"
+    check="all" check_existence="at_least_one_exists"
+    comment="SSH MaxStartups rate parameter is greater than or equal to the expected value">
+    <ind:object object_ref="obj_sshd_config_maxstartups_second_parameter"/>
+    <ind:state state_ref="ste_sshd_config_rate_parameter_valid"/>
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_test id="tst_maxstartups_full_parameter" version="2"
+    check="all" check_existence="at_least_one_exists"
+    comment="SSH MaxStartups full parameter is less than or equal to the expected value">
+    <ind:object object_ref="obj_sshd_config_maxstartups_third_parameter"/>
+    <ind:state state_ref="ste_sshd_config_full_parameter_valid"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_first_parameter" version="2">
+    <ind:path operation="pattern match">^(/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path>
+    <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename>
+    <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_second_parameter" version="2">
+    <ind:path operation="pattern match">^(/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path>
+    <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename>
+    <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_third_parameter" version="2">
+    <ind:path operation="pattern match">^(/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path>
+    <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename>
+    <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test id="tst_maxstartups_start_parameter_usr" version="2"
+    check="all" check_existence="at_least_one_exists"
+    comment="SSH MaxStartups start parameter is less than or equal to the expected value">
+    <ind:object object_ref="obj_sshd_config_maxstartups_first_parameter_usr"/>
+    <ind:state state_ref="ste_sshd_config_start_parameter_valid"/>
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_test id="tst_maxstartups_rate_parameter_usr" version="2"
+    check="all" check_existence="at_least_one_exists"
+    comment="SSH MaxStartups rate parameter is greater than or equal to the expected value">
+    <ind:object object_ref="obj_sshd_config_maxstartups_second_parameter_usr"/>
+    <ind:state state_ref="ste_sshd_config_rate_parameter_valid"/>
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_test id="tst_maxstartups_full_parameter_usr" version="2"
+    check="all" check_existence="at_least_one_exists"
+    comment="SSH MaxStartups full parameter is less than or equal to the expected value">
+    <ind:object object_ref="obj_sshd_config_maxstartups_third_parameter_usr"/>
+    <ind:state state_ref="ste_sshd_config_full_parameter_valid"/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_first_parameter_usr" version="2">
+    <ind:path operation="pattern match">^(/usr/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path>
+    <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename>
+    <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_second_parameter_usr" version="2">
+    <ind:path operation="pattern match">^(/usr/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path>
+    <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename>
+    <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_third_parameter_usr" version="2">
+    <ind:path operation="pattern match">^(/usr/etc/ssh|/etc/ssh/sshd_config.d|/usr/etc/ssh/sshd_config.d)</ind:path>
+    <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename>
+    <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <external_variable id="var_sshd_set_maxstartups" version="1"
+    datatype="string" comment="Expected value for MaxStartups parameter"/>
+
+  <local_variable id="var_sshd_set_maxstartups_first" version="1" datatype="int"
+    comment="First number from MaxStartup parameter value.">
+    <regex_capture pattern="(\d+):\d+:\d+">
+      <variable_component var_ref="var_sshd_set_maxstartups"/>
+    </regex_capture>
+  </local_variable>
+  <local_variable id="var_sshd_set_maxstartups_second" version="1" datatype="int"
+    comment="Second number from MaxStartup parameter value.">
+    <regex_capture pattern="\d+:(\d+):\d+">
+      <variable_component var_ref="var_sshd_set_maxstartups"/>
+    </regex_capture>
+  </local_variable>
+  <local_variable id="var_sshd_set_maxstartups_third" version="1" datatype="int"
+    comment="Third number from MaxStartup parameter value.">
+    <regex_capture pattern="\d+:\d+:(\d+)">
+      <variable_component var_ref="var_sshd_set_maxstartups" />
+    </regex_capture>
+  </local_variable>
+
+  <ind:textfilecontent54_state id="ste_sshd_config_start_parameter_valid" version="2">
+    <ind:subexpression datatype="int" operation="less than or equal"
+      var_ref="var_sshd_set_maxstartups_first"/>
+  </ind:textfilecontent54_state>
+  <ind:textfilecontent54_state id="ste_sshd_config_rate_parameter_valid" version="2">
+    <ind:subexpression datatype="int" operation="greater than or equal"
+      var_ref="var_sshd_set_maxstartups_second"/>
+  </ind:textfilecontent54_state>
+  <ind:textfilecontent54_state id="ste_sshd_config_full_parameter_valid" version="2">
+    <ind:subexpression datatype="int" operation="less than or equal"
+      var_ref="var_sshd_set_maxstartups_third"/>
+  </ind:textfilecontent54_state>
+
+</def-group>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 10:30:60" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_in_usr_etc_sshd_config_present.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+touch /etc/ssh/sshd_config
+echo "MaxStartups 10:30:60" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 10:30:60" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value_usr_etc_sshd_config_drop_in.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 10:30:60" >> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/include.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/include.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+{{% endif %}}
+# clean up configurations
+sed -i '/^MaxStartups.*/d' "${SSHD_PATHS[@]}"
+
+# restore to defaults for sle16
+{{% if product == 'sle16' %}}
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+{{% endif %}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 10:30:61" >> /etc/ssh/sshd_config.d/01-complianceascode.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 10:29:60" >> /usr/etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/wrong_value_usr_etc_sshd_config_drop_in.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+# variables = var_sshd_set_maxstartups=10:30:60
+source include.sh
+
+echo "MaxStartups 11:30:60">> /usr/etc/ssh/sshd_config.d/01-complianceascode.conf
