|
|
540324 |
From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001
|
|
|
540324 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
540324 |
Date: Wed, 27 May 2020 14:34:50 +0200
|
|
|
540324 |
Subject: [PATCH 01/11] add rule, variables, check, remediations
|
|
|
540324 |
|
|
|
540324 |
---
|
|
|
540324 |
.../ssh_client_rekey_limit/ansible/shared.yml | 8 ++++
|
|
|
540324 |
.../ssh_client_rekey_limit/bash/shared.sh | 8 ++++
|
|
|
540324 |
.../ssh_client_rekey_limit/oval/shared.xml | 39 +++++++++++++++++++
|
|
|
540324 |
.../crypto/ssh_client_rekey_limit/rule.yml | 34 ++++++++++++++++
|
|
|
540324 |
.../var_ssh_client_rekey_limit_size.var | 15 +++++++
|
|
|
540324 |
.../var_ssh_client_rekey_limit_time.var | 14 +++++++
|
|
|
540324 |
shared/references/cce-redhat-avail.txt | 1 -
|
|
|
540324 |
7 files changed, 118 insertions(+), 1 deletion(-)
|
|
|
540324 |
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
|
|
540324 |
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
|
|
|
540324 |
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
|
|
540324 |
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
|
|
540324 |
create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
|
|
540324 |
create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
|
|
540324 |
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
|
|
540324 |
new file mode 100644
|
|
|
540324 |
index 0000000000..6d2bcbbd44
|
|
|
540324 |
--- /dev/null
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
|
|
540324 |
@@ -0,0 +1,8 @@
|
|
|
540324 |
+# platform = multi_platform_all [0/453]
|
|
|
540324 |
+# reboot = false
|
|
|
540324 |
+# strategy = configure
|
|
|
540324 |
+# complexity = low
|
|
|
540324 |
+# disruption = low
|
|
|
540324 |
+{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
|
|
|
540324 |
+
|
|
|
540324 |
+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
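Review bot: The task manages only the drop-in, but ssh_config(5) keeps the first value obtained for a keyword, so a `RekeyLimit` already present in /etc/ssh/ssh_config ahead of its `Include` line, or in a drop-in that sorts before `02-`, silently wins over the line written here and the remediation reports success without changing the effective limit. A companion task that strips the directive from the main file, e.g. `{{{ ansible_lineinfile(path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', state='absent') }}}` if the macro accepts `state='absent'`, would make the remediation converge with the check. A short comment that lexically earlier drop-ins are deliberately not handled would also save the next reader from wondering.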
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
|
|
|
540324 |
new file mode 100644
|
|
|
540324 |
index 0000000000..43d0971ffc
|
|
|
540324 |
--- /dev/null
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
|
|
|
540324 |
@@ -0,0 +1,8 @@
|
|
|
540324 |
+# platform = multi_platform_all
|
|
|
540324 |
+
|
|
|
540324 |
+# Include source function library.
|
|
|
540324 |
+. /usr/share/scap-security-guide/remediation_functions
|
|
|
540324 |
+
|
|
|
540324 |
+{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
|
|
|
540324 |
+
|
|
|
540324 |
+{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
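Review bot: `set_config_file` only writes the drop-in and leaves any existing `RekeyLimit` in /etc/ssh/ssh_config in place, which under ssh_config's first-value-wins rule overrides the new line, and the OVAL reworked later in this series treats that state as a failure, so a remediated host can still scan as non-compliant. Prepending `[ -f /etc/ssh/ssh_config ] && sed -i '/^\s*RekeyLimit/d' /etc/ssh/ssh_config` before the macro call keeps remediation and check in agreement. Since the script is tagged `multi_platform_all`, a comment stating that /etc/ssh/ssh_config.d is assumed to exist and to be included by the packaged ssh_config would flag the platforms where the created file is never read.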
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
|
|
540324 |
new file mode 100644
|
|
|
540324 |
index 0000000000..2412763e3f
|
|
|
540324 |
--- /dev/null
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
|
|
540324 |
@@ -0,0 +1,39 @@
|
|
|
540324 |
+{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
|
|
|
540324 |
+
|
|
|
540324 |
+
|
|
|
540324 |
+<def-group>
|
|
|
540324 |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
540324 |
+ <metadata>
|
|
|
540324 |
+ <title>{{{ rule_title }}}</title>
|
|
|
540324 |
+ {{{- oval_affected(products) }}}
|
|
|
540324 |
+ <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
|
|
|
540324 |
+ </metadata>
|
|
|
540324 |
+ <criteria comment="RekeyLimit is correctly configured for ssh client">
|
|
|
540324 |
+ {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
|
|
|
540324 |
+ </criteria>
|
|
|
540324 |
+ </definition>
|
|
|
540324 |
+
|
|
|
540324 |
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_ssh_client_rekey_limit" version="1">
|
|
|
540324 |
+ <ind:object object_ref="obj_ssh_client_rekey_limit"/>
|
|
|
540324 |
+ </ind:textfilecontent54_test>
|
|
|
540324 |
+
|
|
|
540324 |
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
|
|
|
540324 |
+ <ind:filepath>{{{ filepath }}}</ind:filepath>
|
|
|
540324 |
+ <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
|
|
|
540324 |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
540324 |
+ </ind:textfilecontent54_object>
|
|
|
540324 |
+
|
|
|
540324 |
+ <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
|
|
540324 |
+ <concat>
|
|
|
540324 |
+ <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
|
|
|
540324 |
+ <variable_component var_ref="var_ssh_client_rekey_limit_size"/>
|
|
|
540324 |
+ <literal_component>[\s]+</literal_component>
|
|
|
540324 |
+ <variable_component var_ref="var_ssh_client_rekey_limit_time"/>
|
|
|
540324 |
+ <literal_component>[\s]*$</literal_component>
|
|
|
540324 |
+ </concat>
|
|
|
540324 |
+ </local_variable>
|
|
|
540324 |
+
|
|
|
540324 |
+ <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
|
|
|
540324 |
+ <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
|
|
|
540324 |
+</def-group>
|
|
|
540324 |
+
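Review bot: The criterion demands the exact variable values, because `ssh_client_line_regex` splices `var_ssh_client_rekey_limit_size` and `_time` in verbatim and the `.var` files use `operator: equals`, so a host hardened to a stricter `256M 30m` fails while only the listed values pass; if the intent is an upper bound, the rule description should say so, since OVAL cannot compare `512M` against `1G` numerically. The match is also case-sensitive although OpenSSH keywords are not, so `rekeylimit 512M 1h` is accepted by ssh but rejected here; `^[\s]*[Rr][Ee][Kk][Ee][Yy][Ll][Ii][Mm][Ii][Tt][\s]+` avoids relying on PCRE flag support in the scanner. Note too that a `RekeyLimit` line under a `Host`/`Match` stanza satisfies the pattern even though it applies only to those hosts.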
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
|
|
540324 |
new file mode 100644
|
|
|
540324 |
index 0000000000..a1b85b0ee5
|
|
|
540324 |
--- /dev/null
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
|
|
|
540324 |
@@ -0,0 +1,34 @@
|
|
|
540324 |
+documentation_complete: true
|
|
|
540324 |
+
|
|
|
540324 |
+prodtype: rhel8
|
|
|
540324 |
+
|
|
|
540324 |
+title: 'Configure session renegotiation for SSH client'
|
|
|
540324 |
+
|
|
|
540324 |
+description: |-
|
|
|
540324 |
+ The <tt>RekeyLimit</tt> parameter specifies how often
|
|
|
540324 |
+ the session key is renegotiated, both in terms of
|
|
|
540324 |
+ amount of data that may be transmitted and the time
|
|
|
540324 |
+ elapsed. To decrease the default limits, put line
|
|
|
540324 |
+ <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
|
|
|
540324 |
+
|
|
|
540324 |
+rationale: |-
|
|
|
540324 |
+ By decreasing the limit based on the amount of data and enabling
|
|
|
540324 |
+ time-based limit, effects of potential attacks against
|
|
|
540324 |
+ encryption keys are limited.
|
|
|
540324 |
+
|
|
|
540324 |
+severity: medium
|
|
|
540324 |
+
|
|
|
540324 |
+identifiers:
|
|
|
540324 |
+ cce@rhel8: 82880-6
|
|
|
540324 |
+
|
|
|
540324 |
+references:
|
|
|
540324 |
+ ospp: FCS_SSHS_EXT.1
|
|
|
540324 |
+
|
|
|
540324 |
+ocil_clause: 'it is commented out or is not set'
|
|
|
540324 |
+
|
|
|
540324 |
+ocil: |-
|
|
|
540324 |
+ To check if RekeyLimit is set correctly, run the
|
|
|
540324 |
+ following command:
|
|
|
540324 |
+ $ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
|
|
540324 |
+ If configured properly, output should be
|
|
|
540324 |
+ RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
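Review bot: `ospp: FCS_SSHS_EXT.1` names the SSH server protocol component, but this rule configures the SSH client; the client-side component in the SSH extended package is FCS_SSHC_EXT.1, so the reference should be checked against the profile this rule is meant to satisfy. `ocil_clause: 'it is commented out or is not set'` also omits the case the OVAL fails most often, a line with different values; `'it is commented out, not set, or set to a different value'` matches the check. In the description, `put line ... to file` reads better as `add the line ... to the file`.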
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
|
|
540324 |
new file mode 100644
|
|
|
540324 |
index 0000000000..bcf051fd97
|
|
|
540324 |
--- /dev/null
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
|
|
540324 |
@@ -0,0 +1,15 @@
|
|
|
540324 |
+documentation_complete: true
|
|
|
540324 |
+
|
|
|
540324 |
+title: 'SSH client RekeyLimit - size'
|
|
|
540324 |
+
|
|
|
540324 |
+description: 'Specify the size component of the rekey limit.'
|
|
|
540324 |
+
|
|
|
540324 |
+type: string
|
|
|
540324 |
+
|
|
|
540324 |
+operator: equals
|
|
|
540324 |
+
|
|
|
540324 |
+options:
|
|
|
540324 |
+ ssh_client_default: "default"
|
|
|
540324 |
+ default: "512M"
|
|
|
540324 |
+ "512M": "512M"
|
|
|
540324 |
+ "1G": "1G"
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
|
|
540324 |
new file mode 100644
|
|
|
540324 |
index 0000000000..31c76f9ab5
|
|
|
540324 |
--- /dev/null
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
|
|
540324 |
@@ -0,0 +1,14 @@
|
|
|
540324 |
+documentation_complete: true
|
|
|
540324 |
+
|
|
|
540324 |
+title: 'SSH client RekeyLimit - size'
|
|
|
540324 |
+
|
|
|
540324 |
+description: 'Specify the size component of the rekey limit.'
|
|
|
540324 |
+
|
|
|
540324 |
+type: string
|
|
|
540324 |
+
|
|
|
540324 |
+operator: equals
|
|
|
540324 |
+
|
|
|
540324 |
+options:
|
|
|
540324 |
+ ssh_client_default: "none"
|
|
|
540324 |
+ default: "1h"
|
|
|
540324 |
+ "1hour": "1h"
|
|
|
540324 |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
540324 |
index 45d03a2c1d..e060d2fb1c 100644
|
|
|
540324 |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
540324 |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
540324 |
@@ -1,4 +1,3 @@
|
|
|
540324 |
-CCE-82880-6
|
|
|
540324 |
CCE-82882-2
|
|
|
540324 |
CCE-82883-0
|
|
|
540324 |
CCE-82888-9
|
|
|
540324 |
|
|
|
540324 |
From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001
|
|
|
540324 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
540324 |
Date: Wed, 27 May 2020 14:35:24 +0200
|
|
|
540324 |
Subject: [PATCH 02/11] add tests
|
|
|
540324 |
|
|
|
540324 |
---
|
|
|
540324 |
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++++
|
|
|
540324 |
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++++
|
|
|
540324 |
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 3 +++
|
|
|
540324 |
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 4 ++++
|
|
|
540324 |
4 files changed, 15 insertions(+)
|
|
|
540324 |
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
|
|
540324 |
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
|
|
540324 |
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
|
|
540324 |
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
|
|
540324 |
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
|
|
540324 |
new file mode 100644
|
|
|
540324 |
index 0000000000..2ac0bbf350
|
|
|
540324 |
--- /dev/null
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
|
|
540324 |
@@ -0,0 +1,4 @@
|
|
|
540324 |
+# platform = multi_platform_all
|
|
|
540324 |
+
|
|
|
540324 |
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
|
|
540324 |
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
|
|
540324 |
new file mode 100644
|
|
|
540324 |
index 0000000000..fec859fe05
|
|
|
540324 |
--- /dev/null
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
|
|
540324 |
@@ -0,0 +1,4 @@
|
|
|
540324 |
+# platform = multi_platform_all
|
|
|
540324 |
+
|
|
|
540324 |
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
|
|
540324 |
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
|
|
540324 |
new file mode 100644
|
|
|
540324 |
index 0000000000..a6cd10163f
|
|
|
540324 |
--- /dev/null
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
|
|
540324 |
@@ -0,0 +1,3 @@
|
|
|
540324 |
+# platform = multi_platform_all
|
|
|
540324 |
+
|
|
|
540324 |
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
|
|
540324 |
new file mode 100644
|
|
|
540324 |
index 0000000000..a6a2ba7adf
|
|
|
540324 |
--- /dev/null
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
|
|
540324 |
@@ -0,0 +1,4 @@
|
|
|
540324 |
+# platform = multi_platform_all
|
|
|
540324 |
+
|
|
|
540324 |
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
|
|
540324 |
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
|
|
|
540324 |
|
|
|
540324 |
From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001
|
|
|
540324 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
540324 |
Date: Wed, 27 May 2020 14:35:43 +0200
|
|
|
540324 |
Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles
|
|
|
540324 |
|
|
|
540324 |
---
|
|
|
540324 |
rhel8/profiles/ospp.profile | 5 +++++
|
|
|
540324 |
tests/data/profile_stability/rhel8/ospp.profile | 3 +++
|
|
|
540324 |
tests/data/profile_stability/rhel8/stig.profile | 3 +++
|
|
|
540324 |
3 files changed, 11 insertions(+)
|
|
|
540324 |
|
|
|
540324 |
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
|
|
540324 |
index 0dca8350f9..07d32b814d 100644
|
|
|
540324 |
--- a/rhel8/profiles/ospp.profile
|
|
|
540324 |
+++ b/rhel8/profiles/ospp.profile
|
|
|
540324 |
@@ -410,3 +410,8 @@ selections:
|
|
|
540324 |
|
|
|
540324 |
# Prevent Kerberos use by system daemons
|
|
|
540324 |
- kerberos_disable_no_keytab
|
|
|
540324 |
+
|
|
|
540324 |
+ # set ssh client rekey limit
|
|
|
540324 |
+ - ssh_client_rekey_limit
|
|
|
540324 |
+ - var_ssh_client_rekey_limit_size=1G
|
|
|
540324 |
+ - var_ssh_client_rekey_limit_time=1hour
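Review bot: Selecting `var_ssh_client_rekey_limit_size=1G` here is weaker than the variable's own default of `512M`, and the rule description says the purpose is to decrease the default limits; ssh_config(5) puts OpenSSH's built-in data limit between 1G and 4G depending on the cipher, so 1G is a reduction only for some ciphers. If 1G is the value the OSPP evaluation requires, a comment such as `# 1G/1h are the values evaluated for the RHEL 8 OSPP target` next to the selection would stop a later reader from tightening it to 512M and breaking the profile's exact-match check; otherwise dropping the size selection picks up the stricter default.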
|
|
|
540324 |
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
540324 |
index 25f7922bf3..b0d7672c36 100644
|
|
|
540324 |
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
540324 |
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
540324 |
@@ -240,4 +240,7 @@ selections:
|
|
|
540324 |
- grub2_vsyscall_argument.severity=info
|
|
|
540324 |
- sysctl_user_max_user_namespaces.role=unscored
|
|
|
540324 |
- sysctl_user_max_user_namespaces.severity=info
|
|
|
540324 |
+- ssh_client_rekey_limit
|
|
|
540324 |
+- var_ssh_client_rekey_limit_size=1G
|
|
|
540324 |
+- var_ssh_client_rekey_limit_time=1hour
|
|
|
540324 |
title: Protection Profile for General Purpose Operating Systems
|
|
|
540324 |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
540324 |
index 6c4270925f..330ecc7e1e 100644
|
|
|
540324 |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
540324 |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
540324 |
@@ -269,4 +269,7 @@ selections:
|
|
|
540324 |
- grub2_vsyscall_argument.severity=info
|
|
|
540324 |
- sysctl_user_max_user_namespaces.role=unscored
|
|
|
540324 |
- sysctl_user_max_user_namespaces.severity=info
|
|
|
540324 |
+- ssh_client_rekey_limit
|
|
|
540324 |
+- var_ssh_client_rekey_limit_size=1G
|
|
|
540324 |
+- var_ssh_client_rekey_limit_time=1hour
|
|
|
540324 |
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
|
|
|
540324 |
|
|
|
540324 |
From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001
|
|
|
540324 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
540324 |
Date: Thu, 28 May 2020 14:25:41 +0200
|
|
|
540324 |
Subject: [PATCH 04/11] improve description of variables
|
|
|
540324 |
|
|
|
540324 |
---
|
|
|
540324 |
.../crypto/var_ssh_client_rekey_limit_size.var | 10 ++++++++--
|
|
|
540324 |
.../crypto/var_ssh_client_rekey_limit_time.var | 12 +++++++++---
|
|
|
540324 |
2 files changed, 17 insertions(+), 5 deletions(-)
|
|
|
540324 |
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
|
|
540324 |
index bcf051fd97..4e20104cba 100644
|
|
|
540324 |
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
|
|
|
540324 |
@@ -2,14 +2,20 @@ documentation_complete: true
|
|
|
540324 |
|
|
|
540324 |
title: 'SSH client RekeyLimit - size'
|
|
|
540324 |
|
|
|
540324 |
-description: 'Specify the size component of the rekey limit.'
|
|
|
540324 |
+description: |-
|
|
|
540324 |
+ Specify the size component of the rekey limit. This limit signifies amount
|
|
|
540324 |
+ of data. After this amount of data is transferred through the connection,
|
|
|
540324 |
+ the session key is renegotiated. The number is followed by K, M or G for
|
|
|
540324 |
+ kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
|
|
|
540324 |
+ configured according to ellabsed time.
|
|
|
540324 |
+
|
|
|
540324 |
+interactive: true
|
|
|
540324 |
|
|
|
540324 |
type: string
|
|
|
540324 |
|
|
|
540324 |
operator: equals
|
|
|
540324 |
|
|
|
540324 |
options:
|
|
|
540324 |
- ssh_client_default: "default"
|
|
|
540324 |
default: "512M"
|
|
|
540324 |
"512M": "512M"
|
|
|
540324 |
"1G": "1G"
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
|
|
540324 |
index 31c76f9ab5..6143a5448c 100644
|
|
|
540324 |
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
|
|
|
540324 |
@@ -1,14 +1,20 @@
|
|
|
540324 |
documentation_complete: true
|
|
|
540324 |
|
|
|
540324 |
-title: 'SSH client RekeyLimit - size'
|
|
|
540324 |
+title: 'SSH client RekeyLimit - time'
|
|
|
540324 |
|
|
|
540324 |
-description: 'Specify the size component of the rekey limit.'
|
|
|
540324 |
+description: |-
|
|
|
540324 |
+ Specify the time component of the rekey limit. This limit signifies amount
|
|
|
540324 |
+ of data. The session key is renegotiated after the defined amount of time
|
|
|
540324 |
+ passes. The number is followed by units such as H or M for hours or minutes.
|
|
|
540324 |
+ Note that the RekeyLimit can be also configured according to amount of
|
|
|
540324 |
+ transfered data.
|
|
|
540324 |
+
|
|
|
540324 |
+interactive: true
|
|
|
540324 |
|
|
|
540324 |
type: string
|
|
|
540324 |
|
|
|
540324 |
operator: equals
|
|
|
540324 |
|
|
|
540324 |
options:
|
|
|
540324 |
- ssh_client_default: "none"
|
|
|
540324 |
default: "1h"
|
|
|
540324 |
"1hour": "1h"
|
|
|
540324 |
|
|
|
540324 |
From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001
|
|
|
540324 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
540324 |
Date: Thu, 28 May 2020 14:26:12 +0200
|
|
|
540324 |
Subject: [PATCH 05/11] fix tests and ansible
|
|
|
540324 |
|
|
|
540324 |
---
|
|
|
540324 |
.../crypto/ssh_client_rekey_limit/ansible/shared.yml | 2 +-
|
|
|
540324 |
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 4 ++--
|
|
|
540324 |
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 4 ++--
|
|
|
540324 |
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 2 +-
|
|
|
540324 |
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++--
|
|
|
540324 |
5 files changed, 9 insertions(+), 8 deletions(-)
|
|
|
540324 |
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
|
|
540324 |
index 6d2bcbbd44..bb6544a0a0 100644
|
|
|
540324 |
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
|
|
|
540324 |
@@ -1,4 +1,4 @@
|
|
|
540324 |
-# platform = multi_platform_all [0/453]
|
|
|
540324 |
+# platform = multi_platform_all
|
|
|
540324 |
# reboot = false
|
|
|
540324 |
# strategy = configure
|
|
|
540324 |
# complexity = low
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
|
|
540324 |
index 2ac0bbf350..22c465b08f 100644
|
|
|
540324 |
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
|
|
|
540324 |
@@ -1,4 +1,4 @@
|
|
|
540324 |
# platform = multi_platform_all
|
|
|
540324 |
|
|
|
540324 |
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
|
|
540324 |
-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
|
|
|
540324 |
+
|
|
|
540324 |
+echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
|
|
540324 |
index fec859fe05..0dc621b1da 100644
|
|
|
540324 |
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
|
|
|
540324 |
@@ -1,4 +1,4 @@
|
|
|
540324 |
# platform = multi_platform_all
|
|
|
540324 |
|
|
|
540324 |
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
|
|
540324 |
-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
|
|
|
540324 |
+
|
|
|
540324 |
+echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
|
|
540324 |
index a6cd10163f..f6abf711da 100644
|
|
|
540324 |
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
|
|
|
540324 |
@@ -1,3 +1,3 @@
|
|
|
540324 |
# platform = multi_platform_all
|
|
|
540324 |
|
|
|
540324 |
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
|
|
540324 |
+echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
|
|
540324 |
index a6a2ba7adf..e64e4191bc 100644
|
|
|
540324 |
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
|
|
540324 |
@@ -1,4 +1,5 @@
|
|
|
540324 |
# platform = multi_platform_all
|
|
|
540324 |
|
|
|
540324 |
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
|
|
|
540324 |
-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
|
|
|
540324 |
+
|
|
|
540324 |
+rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
|
|
540324 |
+echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
|
|
540324 |
|
|
|
540324 |
From 9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001
|
|
|
540324 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
540324 |
Date: Mon, 1 Jun 2020 14:29:47 +0200
|
|
|
540324 |
Subject: [PATCH 06/11] fix test to use default value, remove rule from stig
|
|
|
540324 |
|
|
|
540324 |
---
|
|
|
540324 |
.../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 2 +-
|
|
|
540324 |
rhel8/profiles/stig.profile | 1 +
|
|
|
540324 |
tests/data/profile_stability/rhel8/stig.profile | 1 -
|
|
|
540324 |
3 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
540324 |
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
|
|
540324 |
index e64e4191bc..89d7069687 100644
|
|
|
540324 |
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
|
|
|
540324 |
@@ -2,4 +2,4 @@
|
|
|
540324 |
|
|
|
540324 |
|
|
|
540324 |
rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
|
|
540324 |
-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
|
|
540324 |
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
|
|
|
540324 |
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
|
|
540324 |
index 2bb81cf9dc..8f12852e26 100644
|
|
|
540324 |
--- a/rhel8/profiles/stig.profile
|
|
|
540324 |
+++ b/rhel8/profiles/stig.profile
|
|
|
540324 |
@@ -44,3 +44,4 @@ selections:
|
|
|
540324 |
- package_rsyslog-gnutls_installed
|
|
|
540324 |
- rsyslog_remote_tls
|
|
|
540324 |
- rsyslog_remote_tls_cacert
|
|
|
540324 |
+ - "!ssh_client_rekey_limit"
|
|
|
540324 |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
540324 |
index 330ecc7e1e..9b164eb5c2 100644
|
|
|
540324 |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
540324 |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
540324 |
@@ -269,7 +269,6 @@ selections:
|
|
|
540324 |
- grub2_vsyscall_argument.severity=info
|
|
|
540324 |
- sysctl_user_max_user_namespaces.role=unscored
|
|
|
540324 |
- sysctl_user_max_user_namespaces.severity=info
|
|
|
540324 |
-- ssh_client_rekey_limit
|
|
|
540324 |
- var_ssh_client_rekey_limit_size=1G
|
|
|
540324 |
- var_ssh_client_rekey_limit_time=1hour
|
|
|
540324 |
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
|
|
|
540324 |
|
|
|
540324 |
From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001
|
|
|
540324 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
540324 |
Date: Wed, 3 Jun 2020 12:38:19 +0200
|
|
|
540324 |
Subject: [PATCH 07/11] rewrite oval to check for multiple locations
|
|
|
540324 |
|
|
|
540324 |
---
|
|
|
540324 |
.../ssh_client_rekey_limit/oval/shared.xml | 42 ++++++++++++-------
|
|
|
540324 |
1 file changed, 26 insertions(+), 16 deletions(-)
|
|
|
540324 |
|
|
|
540324 |
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
|
|
540324 |
index 2412763e3f..41fa0497ae 100644
|
|
|
540324 |
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
|
|
540324 |
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
|
|
|
540324 |
@@ -1,28 +1,17 @@
|
|
|
540324 |
-{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
|
|
|
540324 |
-
|
|
|
540324 |
|
|
|
540324 |
<def-group>
|
|
|
540324 |
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
540324 |
<metadata>
|
|
|
540324 |
<title>{{{ rule_title }}}</title>
|
|
|
540324 |
{{{- oval_affected(products) }}}
|
|
|
540324 |
- <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
|
|
|
540324 |
+ <description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</description>
|
|
|
540324 |
</metadata>
|
|
|
540324 |
- <criteria comment="RekeyLimit is correctly configured for ssh client">
|
|
|
540324 |
- {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
|
|
|
540324 |
+ <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
|
|
|
540324 |
+ <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
|
|
|
540324 |
+ <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
|
|
|
540324 |
</criteria>
|
|
|
540324 |
</definition>
|
|
|
540324 |
|
|
|
540324 |
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="test_ssh_client_rekey_limit" version="1">
|
|
|
540324 |
- <ind:object object_ref="obj_ssh_client_rekey_limit"/>
|
|
|
540324 |
- </ind:textfilecontent54_test>
|
|
|
540324 |
-
|
|
|
540324 |
- <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
|
|
|
540324 |
- <ind:filepath>{{{ filepath }}}</ind:filepath>
|
|
|
540324 |
- <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
|
|
|
540324 |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
540324 |
- </ind:textfilecontent54_object>
|
|
|
540324 |
-
|
|
|
540324 |
<local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
|
|
|
540324 |
<concat>
|
|
|
540324 |
<literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
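Review bot: The definition never verifies that /etc/ssh/ssh_config actually includes the drop-in directory, so a host whose main config was replaced without `Include /etc/ssh/ssh_config.d/*.conf` passes both criteria while the `RekeyLimit` in the drop-in is never read; a third criterion on the main file closes that gap, sketched below (the pattern should be aligned with the exact packaged Include line). The negated main-config test also matches only the capitalised spelling, while OpenSSH accepts `rekeylimit` case-insensitively, so a lowercase override in /etc/ssh/ssh_config evades the check, and the include-config object accepts any drop-in, including one that sorts before `02-` and wins under first-value semantics. The enclosing `<def-group>` and the new tests it references continue outside this hunk.
```xml
      <criterion comment="check that /etc/ssh/ssh_config includes the drop-in directory" test_ref="test_ssh_client_rekey_limit_include_directive" />
      <!-- … unchanged: existing two criteria, local_variable and external_variable elements … -->
  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="ssh_config includes /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_directive" version="1">
    <ind:object object_ref="obj_ssh_client_rekey_limit_include_directive"/>
  </ind:textfilecontent54_test>

  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_directive" version="1">
    <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
    <ind:pattern operation="pattern match">^[\s]*Include[\s]+/etc/ssh/ssh_config\.d/\*\.conf[\s]*$</ind:pattern>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>
```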
|
|
|
540324 |
@@ -35,5 +24,26 @@
<external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
<external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
-</def-group>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">
+ <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
+ <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
+ <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
+ <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
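Review bot: `test_ssh_client_rekey_limit_include_configs` is satisfied by any single `*.conf` under /etc/ssh/ssh_config.d that carries the expected line, so a second file with a different RekeyLimit value (for example one sorted before 02-rekey-limit.conf, which OpenSSH honours first because the first obtained value of a keyword wins) leaves the definition true while the effective setting is wrong. A third criterion in the AND group, `<criterion comment="all RekeyLimit lines in /etc/ssh/ssh_config.d/*.conf carry the expected value" test_ref="test_ssh_client_rekey_limit_include_configs_all_expected" />`, backed by a state-checked test over every RekeyLimit line in those files, would close that gap; the sketch below assumes `ssh_client_line_regex` (whose concat continues outside the hunk) anchors the whole line. Ordering relative to the Include directive inside /etc/ssh/ssh_config itself would still not be covered by this check.
```xml
<!-- … unchanged: definition, existing tests, objects and variables … -->
  <ind:textfilecontent54_test check="all" check_existence="any_exist" comment="every RekeyLimit line in /etc/ssh/ssh_config.d/*.conf carries the expected value" id="test_ssh_client_rekey_limit_include_configs_all_expected" version="1">
    <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs_any"/>
    <ind:state state_ref="state_ssh_client_rekey_limit_expected"/>
  </ind:textfilecontent54_test>

  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs_any" version="1">
    <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
    <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>

  <ind:textfilecontent54_state id="state_ssh_client_rekey_limit_expected" version="1">
    <ind:text var_ref="ssh_client_line_regex" operation="pattern match"/>
  </ind:textfilecontent54_state>
```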
From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:24:54 +0200
Subject: [PATCH 08/11] reqrite remediations
---
.../ssh_client_rekey_limit/ansible/shared.yml | 16 ++++++++++++++++
.../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++
2 files changed, 29 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
index bb6544a0a0..36de503806 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
@@ -5,4 +5,20 @@
# disruption = low
{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}}
+
+- name: Collect all include config files for ssh client which configure RekeyLimit
+ find:
+ paths: "/etc/ssh/ssh_config.d/"
+ contains: '^[\s]*RekeyLimit.*$'
+ patterns: "*.config"
+ register: ssh_config_include_files
+
+- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client
+ lineinfile:
+ path: "{{ item }}"
+ regexp: '^[\s]*RekeyLimit.*$'
+ state: "absent"
+ loop: "{{ ssh_config_include_files.files }}"
+
{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
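Review bot: The find task in the new block uses `patterns: "*.config"`, while the OVAL check (`^/etc/ssh/ssh_config\.d/.*\.conf$`) and the bash remediation operate on `*.conf`, so no include file is ever collected and a conflicting RekeyLimit in another `.conf` file survives remediation; it should read `patterns: "*.conf"`. The following lineinfile task loops with `path: "{{ item }}"`, but `find` registers `files` as a list of dictionaries, so the path must be `path: "{{ item.path }}"` or the task fails on every item. The task name also misspells "occurrences".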
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
index 43d0971ffc..99f6f63c92 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
@@ -5,4 +5,17 @@
{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
+main_config="/etc/ssh/ssh_config"
+include_directory="/etc/ssh/ssh_config.d"
+
+if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
+ sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
+fi
+
+for file in "$include_directory"/*.conf; do
+ if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
+ sed -i '/^[\s]*RekeyLimit.*/d' "$file"
+ fi
+done
+
{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
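Review bot: In the grep and sed calls on the new side, `[\s]` is a POSIX bracket expression matching a literal backslash or the letter `s`, not whitespace, so an indented `RekeyLimit` line, which the PCRE-style OVAL pattern `^[\s]*RekeyLimit` in this series does match, is left in place and the rule keeps failing after remediation. Use `'^[[:space:]]*RekeyLimit.*$'` in both grep calls and `'/^[[:space:]]*RekeyLimit.*/d'` in both sed calls. The `grep -q` guards are also redundant, since `sed -i '/…/d'` on a file without matches changes nothing, and when no `*.conf` exists the unexpanded glob is handed to grep literally and produces a "No such file" message on stderr; `shopt -s nullglob` before the loop or a `[ -f "$file" ] || continue` guard avoids that.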
From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:25:14 +0200
Subject: [PATCH 09/11] add more tests
---
.../tests/bad_main_config_good_include_config.fail.sh | 4 ++++
.../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh | 4 ++++
.../tests/ok_different_config_file.pass.sh | 3 +++
3 files changed, 11 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
new file mode 100644
index 0000000000..90314712af
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/basdh
+
+echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
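Review bot: The three new scenario scripts (this one, line_in_main_config.fail.sh and ok_different_config_file.pass.sh) carry no `# platform = multi_platform_all` header, unlike the existing bad_size, bad_time, no_line and ok scripts touched later in this series. If the test harness reads that header to select platforms, these scenarios may be skipped or run in the wrong place, so adding `# platform = multi_platform_all` after the shebang keeps them consistent with the rest of the rule's tests.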
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
new file mode 100644
index 0000000000..9ba20b0290
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -rf /etc/ssh/ssh_config.d/*
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
new file mode 100644
index 0000000000..f725f6936f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf
From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:25:29 +0200
Subject: [PATCH 10/11] extend description and ocil
---
.../crypto/ssh_client_rekey_limit/rule.yml | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index a1b85b0ee5..76f5f84090 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -10,6 +10,12 @@ description: |-
amount of data that may be transmitted and the time
elapsed. To decrease the default limits, put line
<tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
+ Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
+ the <tt>include</tt> directive in the main config file
+ <tt>/etc/ssh/ssh_config</tt>. Check also other files in
+ <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
+ their names. Make sure that there is no file processed before
+ <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
@@ -27,8 +33,11 @@ references:
ocil_clause: 'it is commented out or is not set'
ocil: |-
- To check if RekeyLimit is set correctly, run the
- following command:
- $ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
- If configured properly, output should be
- RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
+ To check if RekeyLimit is set correctly, run the following command: $
+ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf If configured
+ properly, output should be /etc/ssh/ssh_config.d/02-rekey-limit.conf:
+ RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
+ sub_var_value("var_ssh_client_rekey_limit_time") }}} Check also the
+ main configuration file with the following command: sudo grep
+ RekeyLimit /etc/ssh/ssh_config The command should not return any
+ output.
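Review bot: The rewritten ocil text runs the commands into the prose: `run the following command: $` ends one line and `sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf If configured` starts the next, and because the block is `|-` those line breaks are carried into the generated guidance, splitting the command in the middle if the renderer preserves them. Keep each command and each expected output on its own line as the removed lines did, or wrap them, e.g. `<pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre>`. `ocil_clause: 'it is commented out or is not set'` also no longer describes the new failure case where RekeyLimit is present in /etc/ssh/ssh_config; something like `ocil_clause: 'it is commented out, is not set, or is also set in /etc/ssh/ssh_config'` would match the extended check.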
From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Jun 2020 11:44:44 +0200
Subject: [PATCH 11/11] fix typos and wording
---
.../integrity/crypto/ssh_client_rekey_limit/rule.yml | 5 +++--
.../tests/bad_main_config_good_include_config.fail.sh | 2 +-
.../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh | 1 +
.../crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 1 +
.../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +-
.../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++-----
8 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
index 76f5f84090..b054d9d221 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
@@ -14,8 +14,9 @@ description: |-
the <tt>include</tt> directive in the main config file
<tt>/etc/ssh/ssh_config</tt>. Check also other files in
<tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
- their names. Make sure that there is no file processed before
- <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
+ lexicographical order of file names. Make sure that there is no file
+ processed before <tt>02-rekey-limit.conf</tt> containing definition of
+ <tt>RekeyLimit</tt>.
rationale: |-
By decreasing the limit based on the amount of data and enabling
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
index 90314712af..58befb0107 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
@@ -1,4 +1,4 @@
-#!/bin/basdh
+#!/bin/bash
echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
index 22c465b08f..1803c26629 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
index 0dc621b1da..2c9e839255 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
index f6abf711da..7de108eafd 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
index 89d7069687..4c047ed179 100644
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
# platform = multi_platform_all
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
index 4e20104cba..c8dd8ef10e 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
@@ -7,7 +7,7 @@ description: |-
of data. After this amount of data is transferred through the connection,
the session key is renegotiated. The number is followed by K, M or G for
kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
- configured according to ellabsed time.
+ configured according to elapsed time.
interactive: true
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
index 6143a5448c..6223e8e38f 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
@@ -3,11 +3,10 @@ documentation_complete: true
title: 'SSH client RekeyLimit - time'
description: |-
- Specify the time component of the rekey limit. This limit signifies amount
- of data. The session key is renegotiated after the defined amount of time
- passes. The number is followed by units such as H or M for hours or minutes.
- Note that the RekeyLimit can be also configured according to amount of
- transfered data.
+ Specify the time component of the rekey limit. The session key is
+ renegotiated after the defined amount of time passes. The number is followed
+ by units such as H or M for hours or minutes. Note that the RekeyLimit can
+ be also configured according to amount of transfered data.
interactive: true