
From e826795667e319a336ccbfe0919c044766801cb8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 17 Jan 2020 10:49:36 +0100
Subject: [PATCH 1/7] Added lineinfile shell assignment support to our macros.
---
 shared/macros-ansible.jinja | 20 +++++++++++++++++++
 shared/macros-bash.jinja    | 26 +++++++++++++++++++++++++
 shared/macros-oval.jinja    | 39 ++++++++++++++++++++++++++++++++-----
 3 files changed, 80 insertions(+), 5 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
05062e
index 3e4a441225..c42a5156ce 100644
05062e
--- a/shared/macros-ansible.jinja
05062e
+++ b/shared/macros-ansible.jinja
05062e
@@ -141,6 +141,26 @@
05062e
 {{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="^[#\s]*Match") }}}
05062e
 {{%- endmacro %}}
05062e
 
05062e
+{{#
05062e
+  High level macro to set a value in a shell-related file that contains var assignments. This
05062e
+  takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
05062e
+  in the configuration file, and the value to set it to. We specify a case
05062e
+  sensitive comparison in the prefix since this is used to deduplicate since
05062e
+  We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
05062e
+#}}
05062e
+{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
05062e
+{{% if no_quotes -%}}
05062e
+{{%- else -%}}
05062e
+{{%- set quotes = "\"'" -%}}
05062e
+  {{% if "$" in value %}}
05062e
+  {{% set value = '"%s"' % value %}}
05062e
+  {{% else %}}
05062e
+  {{% set value = "'%s'" % value %}}
05062e
+  {{% endif %}}
05062e
+{{%- endif -%}}
05062e
+{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
05062e
+{{%- endmacro %}}
05062e
+
05062e
 {{#
05062e
   High level macro to set a command in tmux configuration file /etc/tmux.conf.
05062e
   Parameters:
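Review bot: The new `ansible_set_config_file` call hardcodes `validate="/usr/bin/bash -n %s"`, while the template that consumes this macro is declared for `multi_platform_all`; on split-/usr layouts that path does not exist and the task fails at validation rather than at the edit. `bash -n` is also a pure syntax check, so a passing validation says nothing about whether the assignment takes effect when the file is sourced (a later `PARAM=...` or `unset PARAM` in the same file still wins), and the docstring should say so instead of pointing at `help set`. I would use `validate="/bin/bash -n %s"` and add to the header comment: `Validation only confirms the file still parses; it does not prove the assignment is the effective one.` The docstring lists msg/path/parameter/value but omits `no_quotes`; add `- no_quotes: when true the value is written verbatim, otherwise it is wrapped in shell quotes.`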
05062e
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
05062e
index 43200bdd8a..6c0bb2facc 100644
05062e
--- a/shared/macros-bash.jinja
05062e
+++ b/shared/macros-bash.jinja
05062e
@@ -1,5 +1,31 @@
05062e
 {{# ##### High level macros ##### #}}
05062e
 
05062e
+{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
05062e
+{{% if no_quotes -%}}
05062e
+  {{% if "$" in value %}}
05062e
+  {{% set value = '%s' % value.replace("$", "\\$") %}}
05062e
+  {{% endif %}}
05062e
+{{%- else -%}}
05062e
+  {{% if "$" in value %}}
05062e
+  {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
05062e
+  {{% else %}}
05062e
+  {{% set value = "'%s'" % value %}}
05062e
+  {{% endif %}}
05062e
+{{%- endif -%}}
05062e
+{{{ set_config_file(
05062e
+        path=path,
05062e
+        parameter=parameter,
05062e
+        value=value,
05062e
+        create=true,
05062e
+        insert_after="",
05062e
+        insert_before="^Match",
05062e
+        insensitive=false,
05062e
+        separator="=",
05062e
+        separator_regex="=",
05062e
+        prefix_regex="^\s*")
05062e
+    }}}
05062e
+{{%- endmacro -%}}
05062e
+
05062e
 {{%- macro bash_sshd_config_set(parameter, value) -%}}
05062e
 {{{ set_config_file(
05062e
         path="/etc/ssh/sshd_config",
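Review bot: The `else` branch `{{% set value = "'%s'" % value %}}` wraps the value in single quotes without checking that the value itself contains none, so a value such as `it's` produces `PARAM='it's'`, a line that does not parse when the file is sourced; unlike the Ansible path, nothing visible in this macro validates the written file afterwards. The `no_quotes` branch only escapes `$`, so the same value written unquoted also carries a stray quote. Since `raise()` is already used by the OVAL macros in this series, the cheapest fix is to refuse such values up front: `{{% if "'" in value %}}{{{ raise("Value '%s' contains a single quote and cannot be single-quoted safely." % value) }}}{{% endif %}}` before the quoting branches, and to state in a header comment that the value must not contain `'` unless `no_quotes` is set and the caller has pre-escaped it.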
05062e
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
05062e
index 2049a24d6e..696cf36db0 100644
05062e
--- a/shared/macros-oval.jinja
05062e
+++ b/shared/macros-oval.jinja
05062e
@@ -17,8 +17,9 @@
05062e
     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
05062e
     - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
05062e
     - section (String): If set, the parameter will be checked only within the given section defined by [section].
05062e
+    - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
05062e
 #}}
05062e
-{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='') -%}}
05062e
+{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
05062e
 <def-group>
05062e
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
05062e
     <metadata>
05062e
@@ -60,7 +61,7 @@
05062e
   </definition>
05062e
   {{{ oval_line_in_file_test(path, parameter) }}}
05062e
   {{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, false, multi_value) }}}
05062e
-  {{{ oval_line_in_file_state(value, multi_value) }}}
05062e
+  {{{ oval_line_in_file_state(value, multi_value, quotes) }}}
05062e
   {{%- if missing_parameter_pass %}}
05062e
   {{{ oval_line_in_file_test(path, parameter, missing_parameter_pass) }}}
05062e
   {{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, missing_parameter_pass, multi_value) }}}
05062e
@@ -173,12 +174,21 @@
05062e
   This macro can take two parameters:
05062e
     - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
05062e
     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
05062e
+    - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
05062e
+      For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
05062e
 #}}
05062e
-{{%- macro oval_line_in_file_state(value='', multi_value='') -%}}
05062e
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}}
05062e
+{{%- set regex = value -%}}
05062e
+{{%- if quotes != "" %}}
05062e
+{{%- if "\\1" in value > 0 %}}
05062e
+{{{ raise("The regex for matching '%s' already references capturing groups, which doesn't go well with quoting that adds a capturing group to the beginning." % value) }}}
05062e
+{{%- endif %}}
05062e
+{{%- set regex =  "((?:%s)?)%s\\1" % ("|".join(quotes), regex) -%}}
05062e
+{{%- endif %}}
05062e
 {{%- if multi_value %}}
05062e
-{{%- set regex = "^.*\\b"+value+"\\b.*$" -%}}
05062e
+{{%- set regex = "^.*\\b"+regex+"\\b.*$" -%}}
05062e
 {{%- else %}}
05062e
-{{%- set regex = "^"+value+"$" -%}}
05062e
+{{%- set regex = "^"+regex+"$" -%}}
05062e
 {{%- endif %}}
05062e
   <ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
05062e
     <ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
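Review bot: `{{%- if "\\1" in value > 0 %}}` is a chained comparison, i.e. `("\\1" in value) and (value > 0)`; when the backreference is absent the chain short-circuits and the template works by accident, but when it is present `value > 0` compares a string to an integer and raises a TypeError in Python 3 before `raise(...)` ever runs, so the explanatory message is lost. The intended test is simply `{{%- if "\\1" in value %}}`. The guard also only detects `\1`; any capturing `(` in `value` shifts group numbering relative to the `\1` this macro appends, so the comment should say the value must contain no capturing groups at all (use `(?:...)`), and ideally the check should look for an unescaped `(` not followed by `?:`.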
05062e
@@ -232,6 +242,25 @@
05062e
 {{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
05062e
 {{%- endmacro %}}
05062e
 
05062e
+{{#
05062e
+  High level macro to check if a particular shell variable is set.
05062e
+  This macro can take five parameters:
05062e
+    - path (String): Path to the file.
05062e
+    - parameter (String): The shell variable name.
05062e
+    - value (String): The variable value WITHOUT QUOTES.
05062e
+    - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
05062e
+    - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
05062e
+    - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
05062e
+#}}
05062e
+{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
05062e
+{{% if no_quotes -%}}
05062e
+{{%- set quotes = "" -%}}
05062e
+{{%- else -%}}
05062e
+{{%- set quotes = "\"'" -%}}
05062e
+{{%- endif -%}}
05062e
+{{{ oval_check_config_file(path, prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, quotes=quotes) }}}
05062e
+{{%- endmacro %}}
05062e
+
05062e
 {{#
05062e
   High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set.
05062e
   This function can take five parameters:
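Review bot: The docstring for `oval_check_shell_file` says "five parameters" but lists six, and the signature has eight; `application` and `no_quotes` are undocumented, and `value` is passed straight into `oval_check_config_file`, whose own docstring says the value is a regular expression, while this comment calls it "the variable value WITHOUT QUOTES". A rule author will therefore write `PATH=/usr/bin:/bin` or a value with `.`/`+` expecting a literal match, and a `(` in the value also breaks the `\1` quote backreference added in this patch. Add `- value (String): regular expression matched against the assigned value; literal metacharacters must be escaped and capturing groups are not allowed.` and `- no_quotes (boolean): when true the value must appear unquoted; otherwise a matching pair of ' or " around it is accepted.` Also worth documenting: with `prefix_regex="^[ \\t]*"` a line like `export TMOUT=600` is not matched, so a file that sets the variable that way fails the check; if that is intended say so, otherwise consider `^[ \\t]*(?:export[ \\t]+)?`.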
From a7281779e424a0b481e1b08ca01d2ebd1af2e834 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 17 Jan 2020 10:50:16 +0100
Subject: [PATCH 2/7] Added tests for shell lineinfile.
---
 tests/test_macros_oval.py                     | 142 ++++++++++++++++++
 .../unit/bash/test_set_config_file.bats.jinja |  56 +++++++
 2 files changed, 198 insertions(+)
diff --git a/tests/test_macros_oval.py b/tests/test_macros_oval.py
05062e
index 65a88ba7b4..8acae8548b 100755
05062e
--- a/tests/test_macros_oval.py
05062e
+++ b/tests/test_macros_oval.py
05062e
@@ -896,6 +896,148 @@ def main():
05062e
         "[vehicle]\nspeed =\n100",
05062e
         "false"
05062e
     )
05062e
+    tester.test(
05062e
+        "SHELL commented out",
05062e
+        r"""{{{ oval_check_shell_file(
05062e
+            path='CONFIG_FILE',
05062e
+            parameter='SHELL',
05062e
+            value='/bin/bash',
05062e
+            missing_parameter_pass=false,
05062e
+            application='',
05062e
+            multi_value=false,
05062e
+            missing_config_file_fail=false,
05062e
+        ) }}}""",
05062e
+        "# SHELL=/bin/bash\n",
05062e
+        "false"
05062e
+    )
05062e
+    tester.test(
05062e
+        "SHELL correct",
05062e
+        r"""{{{ oval_check_shell_file(
05062e
+            path='CONFIG_FILE',
05062e
+            parameter='SHELL',
05062e
+            value='/bin/bash',
05062e
+            missing_parameter_pass=false,
05062e
+            application='',
05062e
+            multi_value=false,
05062e
+            missing_config_file_fail=false,
05062e
+        ) }}}""",
05062e
+        " SHELL=/bin/bash\n",
05062e
+        "true"
05062e
+    )
05062e
+    tester.test(
05062e
+        "SHELL single-quoted",
05062e
+        r"""{{{ oval_check_shell_file(
05062e
+            path='CONFIG_FILE',
05062e
+            parameter='SHELL',
05062e
+            value='/bin"/bash',
05062e
+            missing_parameter_pass=false,
05062e
+            application='',
05062e
+            multi_value=false,
05062e
+            missing_config_file_fail=false,
05062e
+        ) }}}""",
05062e
+        " SHELL='/bin\"/bash'\n",
05062e
+        "true"
05062e
+    )
05062e
+    tester.test(
05062e
+        "SHELL double-quoted",
05062e
+        r"""{{{ oval_check_shell_file(
05062e
+            path='CONFIG_FILE',
05062e
+            parameter='SHELL',
05062e
+            value='  /bin/bash',
05062e
+            missing_parameter_pass=false,
05062e
+            application='',
05062e
+            multi_value=false,
05062e
+            missing_config_file_fail=false,
05062e
+        ) }}}""",
05062e
+        """ SHELL="  /bin/bash"\n""",
05062e
+        "true"
05062e
+    )
05062e
+    tester.test(
05062e
+        "SHELL unwanted double-quoted",
05062e
+        r"""{{{ oval_check_shell_file(
05062e
+            path='CONFIG_FILE',
05062e
+            parameter='SHELL',
05062e
+            value='  /bin/bash',
05062e
+            no_quotes=true,
05062e
+            missing_parameter_pass=false,
05062e
+            application='',
05062e
+            multi_value=false,
05062e
+            missing_config_file_fail=false,
05062e
+        ) }}}""",
05062e
+        """ SHELL="  /bin/bash"\n""",
05062e
+        "false"
05062e
+    )
05062e
+    tester.test(
05062e
+        "SHELL unwanted single-quoted",
05062e
+        r"""{{{ oval_check_shell_file(
05062e
+            path='CONFIG_FILE',
05062e
+            parameter='SHELL',
05062e
+            value='/bin"/bash',
05062e
+            no_quotes=true,
05062e
+            missing_parameter_pass=false,
05062e
+            application='',
05062e
+            multi_value=false,
05062e
+            missing_config_file_fail=false,
05062e
+        ) }}}""",
05062e
+        " SHELL='/bin\"/bash'\n",
05062e
+        "false"
05062e
+    )
05062e
+    tester.test(
05062e
+        "SHELL double-quoted spaced",
05062e
+        r"""{{{ oval_check_shell_file(
05062e
+            path='CONFIG_FILE',
05062e
+            parameter='SHELL',
05062e
+            value='/bin/bash',
05062e
+            missing_parameter_pass=false,
05062e
+            application='',
05062e
+            multi_value=false,
05062e
+            missing_config_file_fail=false,
05062e
+        ) }}}""",
05062e
+        """ SHELL= "/bin/bash"\n""",
05062e
+        "false"
05062e
+    )
05062e
+    tester.test(
05062e
+        "SHELL bad_var_case",
05062e
+        r"""{{{ oval_check_shell_file(
05062e
+            path='CONFIG_FILE',
05062e
+            parameter='SHELL',
05062e
+            value='/bin/bash',
05062e
+            missing_parameter_pass=false,
05062e
+            application='',
05062e
+            multi_value=false,
05062e
+            missing_config_file_fail=false,
05062e
+        ) }}}""",
05062e
+        """ Shell="/bin/bash"\n""",
05062e
+        "false"
05062e
+    )
05062e
+    tester.test(
05062e
+        "SHELL bad_value_case",
05062e
+        r"""{{{ oval_check_shell_file(
05062e
+            path='CONFIG_FILE',
05062e
+            parameter='SHELL',
05062e
+            value='/bin/bash',
05062e
+            missing_parameter_pass=false,
05062e
+            application='',
05062e
+            multi_value=false,
05062e
+            missing_config_file_fail=false,
05062e
+        ) }}}""",
05062e
+        """ SHELL="/bin/Bash"\n""",
05062e
+        "false"
05062e
+    )
05062e
+    tester.test(
05062e
+        "SHELL badly quoted",
05062e
+        r"""{{{ oval_check_shell_file(
05062e
+            path='CONFIG_FILE',
05062e
+            parameter='SHELL',
05062e
+            value='/bin/bash',
05062e
+            missing_parameter_pass=false,
05062e
+            application='',
05062e
+            multi_value=false,
05062e
+            missing_config_file_fail=false,
05062e
+        ) }}}""",
05062e
+        """ SHELL="/bin/bash'\n""",
05062e
+        "false"
05062e
+    )
05062e
 
05062e
     tester.finish()
05062e
 
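Review bot: The new cases cover quoting permutations but none of the shell-semantics cases this check will meet in real profile files: `export SHELL=/bin/bash` (rejected by the whitespace-only prefix regex), a trailing comment `SHELL=/bin/bash # default`, and two assignments where the later one differs, which is what actually takes effect when the file is sourced. At least the first should be pinned as `"false"` so the limitation is documented in the test suite rather than discovered in the field, and a `multi_value=true` and a `missing_parameter_pass=true` case for the shell path are missing too. There is also no case where the value contains a regex metacharacter, which would show that `value` is matched as a pattern and not literally.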
05062e
diff --git a/tests/unit/bash/test_set_config_file.bats.jinja b/tests/unit/bash/test_set_config_file.bats.jinja
05062e
index 3dc2c721d4..4126d0440e 100644
05062e
--- a/tests/unit/bash/test_set_config_file.bats.jinja
05062e
+++ b/tests/unit/bash/test_set_config_file.bats.jinja
05062e
@@ -126,3 +126,59 @@ function call_set_config_file {
05062e
 
05062e
     rm "$tmp_file"
05062e
 }
05062e
+
05062e
+@test "Basic Bash remediation" {
05062e
+    tmp_file="$(mktemp)"
05062e
+    printf "%s\n" "something=foo" > "$tmp_file"
05062e
+    expected_output="something='va lue'\n"
05062e
+
05062e
+    {{{ bash_shell_file_set("$tmp_file", "something", "va lue") | indent(4) }}}
05062e
+
05062e
+    run diff -U2 "$tmp_file" <(printf "$expected_output")
05062e
+    echo "$output"
05062e
+    [ "$status" -eq 0 ]
05062e
+
05062e
+    rm "$tmp_file"
05062e
+}
05062e
+
05062e
+@test "Variable remediation - preserve dollar and use double quotes" {
05062e
+    tmp_file="$(mktemp)"
05062e
+    printf "%s\n" "something=bar" > "$tmp_file"
05062e
+    expected_output='something="$value"'"\n"
05062e
+
05062e
+    {{{ bash_shell_file_set("$tmp_file", "something", '$value') | indent(4) }}}
05062e
+
05062e
+    run diff -U2 "$tmp_file" <(printf "$expected_output")
05062e
+    echo "$output"
05062e
+    [ "$status" -eq 0 ]
05062e
+
05062e
+    rm "$tmp_file"
05062e
+}
05062e
+
05062e
+@test "Basic Bash remediation - don't quote" {
05062e
+    tmp_file="$(mktemp)"
05062e
+    printf "%s\n" "something=foo" > "$tmp_file"
05062e
+    expected_output="something=va lue\n"
05062e
+
05062e
+    {{{ bash_shell_file_set("$tmp_file", "something", "va lue", no_quotes=true) | indent(4) }}}
05062e
+
05062e
+    run diff -U2 "$tmp_file" <(printf "$expected_output")
05062e
+    echo "$output"
05062e
+    [ "$status" -eq 0 ]
05062e
+
05062e
+    rm "$tmp_file"
05062e
+}
05062e
+
05062e
+@test "Variable remediation - don't quote" {
05062e
+    tmp_file="$(mktemp)"
05062e
+    printf "%s\n" "something=bar" > "$tmp_file"
05062e
+    expected_output='something=$value'"\n"
05062e
+
05062e
+    {{{ bash_shell_file_set("$tmp_file", "something", '$value', no_quotes=true) | indent(4) }}}
05062e
+
05062e
+    run diff -U2 "$tmp_file" <(printf "$expected_output")
05062e
+    echo "$output"
05062e
+    [ "$status" -eq 0 ]
05062e
+
05062e
+    rm "$tmp_file"
05062e
+}
05062e
05062e
From 347e7ab345a35fc3045a886d883d8efe7d9820b2 Mon Sep 17 00:00:00 2001
05062e
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
05062e
Date: Fri, 17 Jan 2020 10:51:02 +0100
05062e
Subject: [PATCH 3/7] Added the shell lineinfile template.
05062e
05062e
---
05062e
 docs/manual/developer_guide.adoc              | 21 +++++++++++++++++
05062e
 .../template_ANSIBLE_shell_lineinfile         | 21 +++++++++++++++++
05062e
 .../templates/template_BASH_shell_lineinfile  |  6 +++++
05062e
 .../templates/template_OVAL_shell_lineinfile  | 10 ++++++++
05062e
 ssg/templates.py                              | 23 +++++++++++++++++++
05062e
 5 files changed, 81 insertions(+)
05062e
 create mode 100644 shared/templates/template_ANSIBLE_shell_lineinfile
05062e
 create mode 100644 shared/templates/template_BASH_shell_lineinfile
05062e
 create mode 100644 shared/templates/template_OVAL_shell_lineinfile
05062e
05062e
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
05062e
index aa0a7491c3..b5d22213b7 100644
05062e
--- a/docs/manual/developer_guide.adoc
05062e
+++ b/docs/manual/developer_guide.adoc
05062e
@@ -1591,6 +1591,27 @@ service_enabled::
05062e
 ** *daemonname* - name of the daemon. This argument is optional. If *daemonname* is not specified it means the name of the daemon is the same as the name of service.
05062e
 * Languages: Ansible, Bash, OVAL, Puppet
05062e
 
05062e
+shell_lineinfile::
05062e
+* Checks shell variable assignments in files.
05062e
+Remediations will paste assignments with single shell quotes unless there is the dollar sign in the value string, in which case double quotes are administered.
05062e
+The OVAL checks for a match with either of no quotes, single quoted string, or double quoted string.
05062e
+* Parameters:
05062e
+** *path* - What file to check.
05062e
+** *parameter* - name of the shell variable, eg. `SHELL`.
05062e
+** *value* - value of the SSH configuration option specified by *parameter*, eg. `"/bin/bash"`. Don't pass extra shell quoting - that will be handled on the lower level.
05062e
+** *no_quotes* - If set to `"true"`, the assigned value has to be without quotes during the check and remediation doesn't quote assignments either.
05062e
+** *missing_parameter_pass* - If set to `"true"` the OVAL check will pass if the parameter is not present in the target file.
05062e
+* Languages: Ansible, Bash, OVAL
05062e
+* Example:
05062e
+A template invocation specifying that parameter `HISTSIZE` should be set to value `500` in `/etc/profile` will produce a check that passes if any of the following lines are present in `/etc/profile`:
05062e
+** `HISTSIZE=500`
05062e
+** `HISTSIZE="500"`
05062e
+** `HISTSIZE='500'`
05062e
++
05062e
+The remediation would insert one of the quoted forms if the line was not present.
05062e
++
05062e
+If the `no_quotes` would be set in the template, only the first form would be checked for, and the unquoted assignment would be inserted to the file by the remediation if not present.
05062e
+
05062e
 sshd_lineinfile::
05062e
 * Checks SSH server configuration items in `/etc/ssh/sshd_config`.
05062e
 * Parameters:
05062e
diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
05062e
new file mode 100644
05062e
index 0000000000..7d0a3ebcbd
05062e
--- /dev/null
05062e
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
05062e
@@ -0,0 +1,21 @@
05062e
+# platform = multi_platform_all
05062e
+# reboot = false
05062e
+# strategy = restrict
05062e
+# complexity = low
05062e
+# disruption = low
05062e
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
05062e
+{{%- if NO_QUOTES -%}}
05062e
+	{{% set msg = "Setting unquoted " ~ msg %}}
05062e
+{{%- else -%}}
05062e
+	{{% set msg = "Setting shell-quoted " ~ msg %}}
05062e
+{{%- endif -%}}
05062e
+{{{
05062e
+    ansible_shell_set(
05062e
+        msg=msg,
05062e
+        path=PATH,
05062e
+        parameter=PARAMETER,
05062e
+        value=VALUE,
05062e
+	no_quotes=NO_QUOTES
05062e
+    )
05062e
+}}}
05062e
+
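Review bot: The `{{% set msg = ... %}}` lines and the `no_quotes=NO_QUOTES` argument are indented with tabs while the surrounding lines use spaces; the rest of the templates in this series use spaces only, so these should match. `VALUE` is interpolated unescaped into the task name via `msg`; I cannot see how `ansible_set_config_file` quotes `name:`, but if it uses single quotes a value containing `'` yields invalid YAML, so either escape it here or note in a comment that values with quotes are rejected upstream by `shell_lineinfile()` in `ssg/templates.py` (that function only rejects a fully quoted value, not an embedded quote).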
05062e
diff --git a/shared/templates/template_BASH_shell_lineinfile b/shared/templates/template_BASH_shell_lineinfile
05062e
new file mode 100644
05062e
index 0000000000..6bf869d62b
05062e
--- /dev/null
05062e
+++ b/shared/templates/template_BASH_shell_lineinfile
05062e
@@ -0,0 +1,6 @@
05062e
+# platform = multi_platform_all
05062e
+# reboot = false
05062e
+# strategy = restrict
05062e
+# complexity = low
05062e
+# disruption = low
05062e
+{{{ bash_shell_file_set(path=PATH, parameter=PARAMETER, value=VALUE, no_quotes=NO_QUOTES) }}}
05062e
diff --git a/shared/templates/template_OVAL_shell_lineinfile b/shared/templates/template_OVAL_shell_lineinfile
05062e
new file mode 100644
05062e
index 0000000000..fd05b6b568
05062e
--- /dev/null
05062e
+++ b/shared/templates/template_OVAL_shell_lineinfile
05062e
@@ -0,0 +1,10 @@
05062e
+{{{
05062e
+oval_check_shell_file(
05062e
+	path=PATH,
05062e
+	parameter=PARAMETER,
05062e
+	value=VALUE,
05062e
+	no_quotes=NO_QUOTES,
05062e
+	missing_parameter_pass=MISSING_PARAMETER_PASS
05062e
+)
05062e
+}}}
05062e
+
05062e
diff --git a/ssg/templates.py b/ssg/templates.py
05062e
index f4f56c94e6..c2c82e6c29 100644
05062e
--- a/ssg/templates.py
05062e
+++ b/ssg/templates.py
05062e
@@ -290,6 +290,29 @@ def sshd_lineinfile(data, lang):
05062e
     return data
05062e
 
05062e
 
05062e
+@template(["ansible", "bash", "oval"])
05062e
+def shell_lineinfile(data, lang):
05062e
+    value = data["value"]
05062e
+    if value[0] in ("'", '"') and value[0] == value[1]:
05062e
+        msg = (
05062e
+            "Value >>{value}<< of shell variable '{varname}' "
05062e
+            "has been supplied with quotes, please fix the content - "
05062e
+            "shell quoting is handled by the check/remediation code."
05062e
+            .format(value=value, varname=data["parameter"]))
05062e
+        raise Exception(msg)
05062e
+    missing_parameter_pass = data.get("missing_parameter_pass", "false")
05062e
+    if missing_parameter_pass == "true":
05062e
+        missing_parameter_pass = True
05062e
+    elif missing_parameter_pass == "false":
05062e
+        missing_parameter_pass = False
05062e
+    data["missing_parameter_pass"] = missing_parameter_pass
05062e
+    no_quotes = False
05062e
+    if data["no_quotes"] == "true":
05062e
+        no_quotes = True
05062e
+    data["no_quotes"] = no_quotes
05062e
+    return data
05062e
+
05062e
+
05062e
 @template(["ansible", "bash", "oval"])
05062e
 def timer_enabled(data, lang):
05062e
     if "packagename" not in data:
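Review bot: `data["no_quotes"]` raises a bare KeyError when a rule omits the parameter, although the developer guide added in this patch presents `no_quotes` as optional and the neighbouring `missing_parameter_pass` already uses `.get()` with a default. `parameter` is also never validated, yet it is interpolated into an OVAL regex and written into a file that login shells source, so a typo such as `HIST SIZE` or `FOO;rm` produces a check that can never match and a remediation line that is not an assignment. The quote check on `value` is fine as a guard but should be mirrored by an identifier check on `parameter`; assuming `re` is available in `ssg/templates.py` (not visible here), the relevant part becomes:

```python
@template(["ansible", "bash", "oval"])
def shell_lineinfile(data, lang):
    value = data["value"]
    # … unchanged: rejection of a value supplied with surrounding quotes …
    parameter = data["parameter"]
    if not re.match(r"^[A-Za-z_][A-Za-z0-9_]*$", parameter):
        raise Exception(
            "Parameter '{}' is not a valid shell variable name.".format(parameter))
    # … unchanged: missing_parameter_pass normalization …
    data["no_quotes"] = data.get("no_quotes", "false") == "true"
    return data
```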
05062e
05062e
From ac5d1a8ad511e828e652ce1ca58b06c18f8c083b Mon Sep 17 00:00:00 2001
05062e
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
05062e
Date: Tue, 21 Jan 2020 14:13:01 +0100
05062e
Subject: [PATCH 4/7] Fixed the templated string evaluation.
05062e
05062e
---
05062e
 ssg/templates.py | 2 +-
05062e
 1 file changed, 1 insertion(+), 1 deletion(-)
05062e
05062e
diff --git a/ssg/templates.py b/ssg/templates.py
05062e
index c2c82e6c29..873f543f41 100644
05062e
--- a/ssg/templates.py
05062e
+++ b/ssg/templates.py
05062e
@@ -293,7 +293,7 @@ def sshd_lineinfile(data, lang):
05062e
 @template(["ansible", "bash", "oval"])
05062e
 def shell_lineinfile(data, lang):
05062e
     value = data["value"]
05062e
-    if value[0] in ("'", '"') and value[0] == value[1]:
05062e
+    if value[0] in ("'", '"') and value[0] == value[-1]:
05062e
         msg = (
05062e
             "Value >>{value}<< of shell variable '{varname}' "
05062e
             "has been supplied with quotes, please fix the content - "
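Review bot: The corrected comparison still indexes `value[0]` unconditionally, so a rule that sets an empty value (`VAR=`) makes the build die with an IndexError that names neither the rule nor the variable. Guarding the condition as `if value and value[0] in ("'", '"') and value[0] == value[-1]:` keeps the quoted-value rejection (a lone `'` is still rejected) and lets an empty value through to the templates, which is what the remediation macros would write. The body of `shell_lineinfile` continues outside this hunk.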
05062e
05062e
From 8589574707c63eb3ac4c56674326b70dacfd2ee4 Mon Sep 17 00:00:00 2001
05062e
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
05062e
Date: Tue, 21 Jan 2020 14:46:39 +0100
05062e
Subject: [PATCH 5/7] Fixed jinja macros
05062e
05062e
- Fixed macro descriptions.
05062e
- Fixed Ansible insert_after.
05062e
---
05062e
 shared/macros-ansible.jinja | 18 ++++++++----------
05062e
 shared/macros-bash.jinja    |  2 +-
05062e
 shared/macros-oval.jinja    |  7 +++----
05062e
 3 files changed, 12 insertions(+), 15 deletions(-)
05062e
05062e
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
05062e
index c42a5156ce..81e18e2d5c 100644
05062e
--- a/shared/macros-ansible.jinja
05062e
+++ b/shared/macros-ansible.jinja
05062e
@@ -143,22 +143,20 @@
05062e
 
05062e
 {{#
05062e
   High level macro to set a value in a shell-related file that contains var assignments. This
05062e
-  takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
05062e
-  in the configuration file, and the value to set it to. We specify a case
05062e
-  sensitive comparison in the prefix since this is used to deduplicate since
05062e
+  takes these values:
05062e
+  - msg (the name for the Ansible task),
05062e
+  - path to the file,
05062e
+  - parameter to set in the configuration file, and
05062e
+  - value to set it to.
05062e
   We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
05062e
 #}}
05062e
 {{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
05062e
 {{% if no_quotes -%}}
05062e
 {{%- else -%}}
05062e
-{{%- set quotes = "\"'" -%}}
05062e
-  {{% if "$" in value %}}
05062e
-  {{% set value = '"%s"' % value %}}
05062e
-  {{% else %}}
05062e
-  {{% set value = "'%s'" % value %}}
05062e
-  {{% endif %}}
05062e
+{{# Use the double quotes in all cases, as the underlying macro single-quotes the assignment line. #}}
05062e
+{{% set value = '"%s"' % value %}}
05062e
 {{%- endif -%}}
05062e
-{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
05062e
+{{{ ansible_set_config_file(msg, path, parameter, separator="=", separator_regex="=", value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^# " ~ parameter) }}}
05062e
 {{%- endmacro %}}
05062e
 
05062e
 {{#
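Review bot: Always double-quoting at `{{% set value = '"%s"' % value %}}` makes the Ansible remediation diverge from `bash_shell_file_set`, which single-quotes unless the value contains `$`, and from the developer-guide text added in this series that promises the same; both forms pass the OVAL check, but inside double quotes a value containing `"`, a backtick, `\` or `$(` is interpreted when the profile is sourced, so the two remediations can leave different effective values for the same rule. If the underlying macro forces double quotes here, at least escape the characters that are special inside them, e.g. `{{% set value = '"%s"' % value.replace('\\', '\\\\').replace('"', '\\"').replace('`', '\\`') %}}`, and say in the docstring that `$` expansion is deliberate. `insert_before="^# " ~ parameter` also differs from the bash macro's `"^#\s*" ~ parameter` (exactly one space versus any whitespace) and is unanchored on the right, so for `HISTSIZE` it also matches a commented `# HISTSIZEFMT=...` line.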
05062e
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
05062e
index 6c0bb2facc..dc7fd25588 100644
05062e
--- a/shared/macros-bash.jinja
05062e
+++ b/shared/macros-bash.jinja
05062e
@@ -18,7 +18,7 @@
05062e
         value=value,
05062e
         create=true,
05062e
         insert_after="",
05062e
-        insert_before="^Match",
05062e
+        insert_before="^#\s*" ~ parameter,
05062e
         insensitive=false,
05062e
         separator="=",
05062e
         separator_regex="=",
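Review bot: `insert_before="^#\s*" ~ parameter` has no right-hand anchor, so for parameter `HISTSIZE` the new line is inserted before a commented `# HISTSIZEFMT=...` just as readily as before `# HISTSIZE=...`; `insert_before="^#\s*" ~ parameter ~ "\s*="` pins it to the commented-out assignment that the comment in the Ansible macro says it is looking for. The other macros in this file spell whitespace as `[ \\t]` rather than `\s`; if `\s` survives Jinja's string unescaping (it appears to, given `prefix_regex="^\s*"` elsewhere) a short comment saying so would save the next reader the check. The enclosing `set_config_file(` call starts outside this hunk.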
05062e
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
05062e
index 696cf36db0..cfa9de9d2d 100644
05062e
--- a/shared/macros-oval.jinja
05062e
+++ b/shared/macros-oval.jinja
05062e
@@ -233,7 +233,7 @@
05062e
     - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
05062e
     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
05062e
     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
05062e
-    - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
05062e
+    - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
05062e
 
05062e
   We specify a case insensitive comparison in the prefix because
05062e
   sshd_config has case-insensitive parameters (but case-sensitive values).
05062e
@@ -250,7 +250,7 @@
05062e
     - value (String): The variable value WITHOUT QUOTES.
05062e
     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
05062e
     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
05062e
-    - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
05062e
+    - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
05062e
 #}}
05062e
 {{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
05062e
 {{% if no_quotes -%}}
05062e
@@ -268,8 +268,7 @@
05062e
     - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
05062e
     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
05062e
     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
05062e
-    - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
05062e
-
05062e
+    - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
05062e
 #}}
05062e
 {{%- macro oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
05062e
 {{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
05062e
05062e
From af0e3ba8ef2d5b53dcffed4432ec0415a81ab2bc Mon Sep 17 00:00:00 2001
05062e
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
05062e
Date: Wed, 22 Jan 2020 11:37:39 +0100
05062e
Subject: [PATCH 6/7] Shell lineinfile macros and templates style fixes.
05062e
05062e
---
05062e
 shared/macros-ansible.jinja                        |  2 +-
05062e
 shared/macros-oval.jinja                           | 10 ++++++++--
05062e
 shared/templates/template_ANSIBLE_shell_lineinfile |  4 ++--
05062e
 3 files changed, 11 insertions(+), 5 deletions(-)
05062e
05062e
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
05062e
index 81e18e2d5c..f752e7a2be 100644
05062e
--- a/shared/macros-ansible.jinja
05062e
+++ b/shared/macros-ansible.jinja
05062e
@@ -25,7 +25,7 @@
05062e
     {{%- elif insert_before %}}
05062e
     insertbefore: '{{{ insert_before }}}'
05062e
     {{%- endif %}}
05062e
-    {{% else %}}
05062e
+    {{%- else %}}
05062e
     state: '{{{ state }}}'
05062e
     {{%- endif %}}
05062e
     {{%- if validate %}}
05062e
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
05062e
index cfa9de9d2d..5f391efdcb 100644
05062e
--- a/shared/macros-oval.jinja
05062e
+++ b/shared/macros-oval.jinja
05062e
@@ -13,13 +13,16 @@
05062e
     - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
05062e
     - separator_regex (String): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
05062e
     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
05062e
-    - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
05062e
+    - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
05062e
     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
05062e
     - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
05062e
     - section (String): If set, the parameter will be checked only within the given section defined by [section].
05062e
     - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
05062e
 #}}
05062e
 {{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
05062e
+{{%- if application == '' -%}}
05062e
+	{{%- set application = "The respective application or service" -%}}
05062e
+{{%- endif -%}}
05062e
 <def-group>
05062e
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
05062e
     <metadata>
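Review bot: The new `{{%- set application = "The respective application or service" -%}}` fallback changes what an empty `application` means, but the parameter doc a few lines above still says only that it "can be any value and does not affect the actual OVAL check", so a reader has no way to know the placeholder exists or where it ends up (presumably in the generated definition's description text, which this hunk does not show). Suggest rewording the doc line to `- application (String): Name of the application whose configuration file is checked; used only in the generated definition's descriptive text. Defaults to "The respective application or service" when empty.`. The `missing_config_file_fail` line in the same comment block still reads "if the configuration is not existent in the system", the wording patch 5/7 corrected for oval_auditd_config to "if the configuration file doesn't exist in the system" — align it here too. Minor style: the inserted `set` line is indented with a tab while the rest of the macro uses spaces.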
05062e
@@ -248,6 +251,9 @@
05062e
     - path (String): Path to the file.
05062e
     - parameter (String): The shell variable name.
05062e
     - value (String): The variable value WITHOUT QUOTES.
05062e
+    - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
05062e
+    - no_quotes (boolean): If set, the check will require that the RHS of the assignment is the literal value, without quotes.
05062e
+        If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check.
05062e
     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
05062e
     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
05062e
     - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
05062e
@@ -342,7 +348,7 @@
05062e
     - parameter (String): The parameter to be checked in the configuration file.
05062e
     - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
05062e
     - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
05062e
-    - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
05062e
+    - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
05062e
     - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
05062e
     - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
05062e
 #}}
05062e
diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
05062e
index 7d0a3ebcbd..3e6c5619ea 100644
05062e
--- a/shared/templates/template_ANSIBLE_shell_lineinfile
05062e
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
05062e
@@ -3,7 +3,7 @@
05062e
 # strategy = restrict
05062e
 # complexity = low
05062e
 # disruption = low
05062e
-{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
05062e
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'" -%}}
05062e
 {{%- if NO_QUOTES -%}}
05062e
 	{{% set msg = "Setting unquoted " ~ msg %}}
05062e
 {{%- else -%}}
05062e
@@ -15,7 +15,7 @@
05062e
         path=PATH,
05062e
         parameter=PARAMETER,
05062e
         value=VALUE,
05062e
-	no_quotes=NO_QUOTES
05062e
+        no_quotes=NO_QUOTES
05062e
     )
05062e
 }}}
05062e
 
05062e
05062e
From a7779d2fae1086838daa1ded483decd499e8749f Mon Sep 17 00:00:00 2001
05062e
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
05062e
Date: Tue, 21 Jan 2020 16:43:23 +0100
05062e
Subject: [PATCH 7/7] Add a shell_lineinfile template exemplary rule.
05062e
05062e
---
05062e
 .../ssh_server/sshd_use_strong_rng/rule.yml   | 47 +++++++++++++++++++
05062e
 .../tests/bad_config.fail.sh                  |  3 ++
05062e
 .../tests/good_config.pass.sh                 |  3 ++
05062e
 .../tests/no_config.fail.sh                   |  3 ++
05062e
 .../sshd_use_strong_rng/tests/quoted.fail.sh  |  3 ++
05062e
 rhel8/profiles/ospp.profile                   |  1 +
05062e
 shared/references/cce-redhat-avail.txt        |  1 -
05062e
 7 files changed, 60 insertions(+), 1 deletion(-)
05062e
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
05062e
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
05062e
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
05062e
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
05062e
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
05062e
05062e
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
05062e
new file mode 100644
05062e
index 0000000000..4bfb72702b
05062e
--- /dev/null
05062e
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
05062e
@@ -0,0 +1,47 @@
05062e
+documentation_complete: true
05062e
+
05062e
+# TODO: The plan is not to need this for RHEL>=8.4
05062e
+# TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more
05062e
+prodtype: rhel8
05062e
+
05062e
+title: 'SSH server uses strong entropy to seed'
05062e
+
05062e
+description: |-
05062e
+    To set up SSH server to use entropy from a high-quality source, edit the <tt>/etc/sysconfig/sshd</tt> file.
05062e
+    The <tt>SSH_USE_STRONG_RNG</tt> configuration value determines how many bytes of entropy to use, so
05062e
+    make sure that the file contains line
05062e
+    
SSH_USE_STRONG_RNG=32
05062e
+
05062e
+rationale: |-
05062e
+    SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default.
05062e
+    Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors
05062e
+    in encryption algorithms, and high-quality entropy elliminates the possibility that the output of
05062e
+    the random number generator used by SSH would be known to potential attackers.
05062e
+
05062e
+severity: medium
05062e
+
05062e
+identifiers:
05062e
+    cce@rhel8: 82462-3
05062e
+
05062e
+references:
05062e
+    ospp: FIA_AFL.1
05062e
+
05062e
+ocil: |-
05062e
+    To determine whether the SSH service is configured to use strong entropy seed,
05062e
+    run 
$ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd
05062e
+    If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned,
05062e
+    then the option is set correctly.
05062e
+
05062e
+ocil_clause: |-
05062e
+    The SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd
05062e
+
05062e
+warnings:
05062e
+    - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available."
05062e
+
05062e
+template:
05062e
+    name: shell_lineinfile
05062e
+    vars:
05062e
+        path: '/etc/sysconfig/sshd'
05062e
+        parameter: 'SSH_USE_STRONG_RNG'
05062e
+        value: '32'
05062e
+        no_quotes: 'true'
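Review bot: The rule's own TODO at the top states that the compliant setting is `SSH_USE_STRONG_RNG` set to 32 *or more*, but the template is fed `value: '32'` and the OCIL text (`If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned`) accepts only that single value, so a host hardened with e.g. 64 is reported non-compliant. Because the same `value` drives the Ansible remediation, a regex here is not an option; the honest fix is to document the limitation in the description and `ocil_clause`, e.g. `Values greater than 32 are also acceptable, but the automated check recognizes only SSH_USE_STRONG_RNG=32`. The `ospp: FIA_AFL.1` reference looks unrelated — FIA_AFL.1 is authentication failure handling, whereas seeding the SSH RNG corresponds to the random bit generation requirement (FCS_RBG_EXT.1 in the OSPP, if I read the profile correctly) — please confirm the intended reference. Minor: `elliminates` in the rationale should be `eliminates`, and "openssl ... doesn't use high-entropy sources by default" overstates what this knob does; as far as I recall it only makes sshd read the configured number of bytes from the kernel's blocking RNG at start-up, which is also why the warning below about blocking applies.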
05062e
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
05062e
new file mode 100644
05062e
index 0000000000..f4f8c22f64
05062e
--- /dev/null
05062e
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
05062e
@@ -0,0 +1,3 @@
05062e
+# platform = multi_platform_rhel
05062e
+
05062e
+echo 'SSH_USE_STRONG_RNG=1' > /etc/sysconfig/sshd
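Review bot: The fail scenarios cover a wrong value, a missing file and a quoted value, but not the most common misconfiguration on a real host — the parameter present only as a commented-out line — which must also fail. A scenario `echo '#SSH_USE_STRONG_RNG=32' > /etc/sysconfig/sshd` (commented_out.fail.sh) would pin that the OVAL prefix regex rejects a leading `#`, and a second one with `SSH_USE_STRONG_RNG=320` would pin that the value is anchored rather than prefix-matched. The OVAL template's regex is not visible in this patch, so these are regression guards rather than a known defect.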
05062e
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
05062e
new file mode 100644
05062e
index 0000000000..70f53ac22b
05062e
--- /dev/null
05062e
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
05062e
@@ -0,0 +1,3 @@
05062e
+# platform = multi_platform_rhel
05062e
+
05062e
+echo 'SSH_USE_STRONG_RNG=32' > /etc/sysconfig/sshd
05062e
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
05062e
new file mode 100644
05062e
index 0000000000..1e5f0b2998
05062e
--- /dev/null
05062e
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
05062e
@@ -0,0 +1,3 @@
05062e
+# platform = multi_platform_rhel
05062e
+
05062e
+rm -f /etc/sysconfig/sshd
05062e
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
05062e
new file mode 100644
05062e
index 0000000000..a10d24a73b
05062e
--- /dev/null
05062e
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
05062e
@@ -0,0 +1,3 @@
05062e
+# platform = multi_platform_rhel
05062e
+
05062e
+echo 'SSH_USE_STRONG_RNG="32"' > /etc/sysconfig/sshd
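Review bot: This scenario encodes `SSH_USE_STRONG_RNG="32"` as non-compliant, yet for the consumer of the file the quoted and unquoted forms are equivalent — if I remember the RHEL unit correctly, sshd.service loads /etc/sysconfig/sshd via `EnvironmentFile=`, and systemd strips one level of matching quotes — so the rule fails a correctly hardened host purely because of `no_quotes: 'true'`. If the unquoted spelling is mandated only to exercise the template's `no_quotes` path (the commit title calls this an exemplary rule), say so in the test, e.g. `# systemd's EnvironmentFile parser strips the quotes; the rule rejects them only because it mandates the unquoted spelling`, and in the rule's warnings; otherwise consider dropping `no_quotes` so that both spellings pass (the remediation would then write a quoted value).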
05062e
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
05062e
index f97527a914..63aea526b7 100644
05062e
--- a/rhel8/profiles/ospp.profile
05062e
+++ b/rhel8/profiles/ospp.profile
05062e
@@ -58,6 +58,7 @@ selections:
05062e
     - sshd_set_keepalive
05062e
     - sshd_enable_warning_banner
05062e
     - sshd_rekey_limit
05062e
+    - sshd_use_strong_rng
05062e
 
05062e
     # Time Server
05062e
     - chronyd_client_only
05062e
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
05062e
index b665fa1cea..1ff291c7df 100644
05062e
--- a/shared/references/cce-redhat-avail.txt
05062e
+++ b/shared/references/cce-redhat-avail.txt
05062e
@@ -1,4 +1,3 @@
05062e
-CCE-82462-3
05062e
 CCE-82463-1
05062e
 CCE-82464-9
05062e
 CCE-82465-6