
From 604f70aa2d0cce64aed5d699178394523969ba37 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:34:50 +0200
Subject: [PATCH 01/11] add rule, variables, check, remediations
---
 .../ssh_client_rekey_limit/ansible/shared.yml |  8 ++++
 .../ssh_client_rekey_limit/bash/shared.sh     |  8 ++++
 .../ssh_client_rekey_limit/oval/shared.xml    | 39 +++++++++++++++++++
 .../crypto/ssh_client_rekey_limit/rule.yml    | 34 ++++++++++++++++
 .../var_ssh_client_rekey_limit_size.var       | 15 +++++++
 .../var_ssh_client_rekey_limit_time.var       | 14 +++++++
 shared/references/cce-redhat-avail.txt        |  1 -
 7 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
 create mode 100644 linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
540324
new file mode 100644
540324
index 0000000000..6d2bcbbd44
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
540324
@@ -0,0 +1,8 @@
540324
+# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]
540324
+# reboot = false
540324
+# strategy = configure
540324
+# complexity = low
540324
+# disruption = low
540324
+{{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
540324
+
540324
+{{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
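Review bot: The match regex `^\s*RekeyLimit.*$` on the last line is case-sensitive, but ssh_config keywords are case-insensitive, so an existing `rekeylimit 4G none` line in 02-rekey-limit.conf is neither replaced nor detected; the remediation then appends a second line and, because ssh uses the first obtained value, the weaker setting keeps winning while the check passes. Ansible's regexp is Python re, so `regex='(?i)^\s*RekeyLimit.*$'` closes the gap here. The same applies to the bash remediation in this commit (`insensitive=false` in set_config_file) and to the `^[\s]*RekeyLimit[\s]+` literal in the OVAL regex, which should be made case-insensitive too.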
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
540324
new file mode 100644
540324
index 0000000000..43d0971ffc
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
540324
@@ -0,0 +1,8 @@
540324
+# platform = multi_platform_all
540324
+
540324
+# Include source function library.
540324
+. /usr/share/scap-security-guide/remediation_functions
540324
+
540324
+{{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
540324
+
540324
+{{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
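Review bot: The drop-in file written on the last line is only effective if /etc/ssh/ssh_config contains an `Include /etc/ssh/ssh_config.d/*.conf` directive that precedes any RekeyLimit setting, and nothing in this remediation (or in the OVAL check of this commit) verifies that; on a host whose ssh_config was customised without the Include, the remediation reports success and the check passes while the client still uses its defaults. At minimum document the assumption above the macro call, e.g. `# Assumes /etc/ssh/ssh_config includes /etc/ssh/ssh_config.d/*.conf (the distribution default)`, and consider a guard that appends the Include when it is missing. Whether the sourced `remediation_functions` library is still needed once `set_config_file` is templated is not visible here; if it is not, the line is dead boilerplate.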
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
540324
new file mode 100644
540324
index 0000000000..2412763e3f
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
540324
@@ -0,0 +1,39 @@
540324
+{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
540324
+
540324
+
540324
+<def-group>
540324
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
540324
+    <metadata>
540324
+      <title>{{{ rule_title }}}</title>
540324
+      {{{- oval_affected(products) }}}
540324
+      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
540324
+    </metadata>
540324
+    <criteria comment="RekeyLimit is correctly configured for ssh client">
540324
+      {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
540324
+    </criteria>
540324
+  </definition>
540324
+
540324
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_ssh_client_rekey_limit" version="1">
540324
+     <ind:object object_ref="obj_ssh_client_rekey_limit"/>
540324
+  </ind:textfilecontent54_test>
540324
+
540324
+  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
540324
+     <ind:filepath>{{{ filepath }}}</ind:filepath>
540324
+     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
540324
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
540324
+  </ind:textfilecontent54_object>
540324
+
540324
+  <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
540324
+    <concat>
540324
+      <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
540324
+      <variable_component var_ref="var_ssh_client_rekey_limit_size"/>
540324
+      <literal_component>[\s]+</literal_component>
540324
+      <variable_component var_ref="var_ssh_client_rekey_limit_time"/>
540324
+      <literal_component>[\s]*$</literal_component>
540324
+    </concat>
540324
+  </local_variable>
540324
+
540324
+  <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
540324
+  <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
540324
+</def-group>
540324
+
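Review bot: The `criteria` element references the check only through `oval_line_in_file_criterion(filepath, "RekeyLimit")`, while the hand-written `test_ssh_client_rekey_limit` and its object, which are the only place the size/time variables are compared, carry an id the macro presumably does not emit; unless the macro happens to generate a criterion with exactly that test_ref, the value comparison is never evaluated and the rule only proves that some `RekeyLimit` line exists. Referencing the test directly, `<criterion comment="RekeyLimit has the expected value" test_ref="test_ssh_client_rekey_limit"/>`, makes the intent explicit (patch 07 in this series moves to explicit criteria, which also resolves this). Separately, the variable values are spliced into `ssh_client_line_regex` unescaped; that is safe for the fixed option set (`512M`, `1G`, `1h`) and deserves a comment on the local_variable saying so.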
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
540324
new file mode 100644
540324
index 0000000000..a1b85b0ee5
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
540324
@@ -0,0 +1,34 @@
540324
+documentation_complete: true
540324
+
540324
+prodtype: rhel8
540324
+
540324
+title: 'Configure session renegotiation for SSH client'
540324
+
540324
+description: |-
540324
+    The <tt>RekeyLimit</tt> parameter specifies how often
540324
+    the session key is renegotiated, both in terms of
540324
+    amount of data that may be transmitted and the time
540324
+    elapsed. To decrease the default limits, put line
540324
+    <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
540324
+
540324
+rationale: |-
540324
+    By decreasing the limit based on the amount of data and enabling
540324
+    time-based limit, effects of potential attacks against
540324
+    encryption keys are limited.
540324
+
540324
+severity: medium
540324
+
540324
+identifiers:
540324
+    cce@rhel8: 82880-6
540324
+
540324
+references:
540324
+    ospp: FCS_SSHS_EXT.1
540324
+
540324
+ocil_clause: 'it is commented out or is not set'
540324
+
540324
+ocil: |-
540324
+    To check if RekeyLimit is set correctly, run the
540324
+    following command:
540324
+    
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
+    If configured properly, output should be
540324
+    
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
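Review bot: The reference `ospp: FCS_SSHS_EXT.1` names the SSH *server* protocol SFR, but this rule configures the SSH *client* (ssh_config); the client-side requirement is `FCS_SSHC_EXT.1`, whose rekey element is what the 1 GB / 1 hour thresholds selected by the profile correspond to, so the reference should most likely be `ospp: FCS_SSHC_EXT.1`. The ocil_clause `'it is commented out or is not set'` also does not cover the case the check actually fails on, a line present with a different value; `'it is not set to the expected value'` describes the check as written.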
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
540324
new file mode 100644
540324
index 0000000000..bcf051fd97
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
540324
@@ -0,0 +1,15 @@
540324
+documentation_complete: true
540324
+
540324
+title: 'SSH client RekeyLimit - size'
540324
+
540324
+description: 'Specify the size component of the rekey limit.'
540324
+
540324
+type: string
540324
+
540324
+operator: equals
540324
+
540324
+options:
540324
+    ssh_client_default: "default"
540324
+    default: "512M"
540324
+    "512M": "512M"
540324
+    "1G": "1G"
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
540324
new file mode 100644
540324
index 0000000000..31c76f9ab5
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
540324
@@ -0,0 +1,14 @@
540324
+documentation_complete: true
540324
+
540324
+title: 'SSH client RekeyLimit - size'
540324
+
540324
+description: 'Specify the size component of the rekey limit.'
540324
+
540324
+type: string
540324
+
540324
+operator: equals
540324
+
540324
+options:
540324
+    ssh_client_default: "none"
540324
+    default: "1h"
540324
+    "1hour": "1h"
540324
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
540324
index 45d03a2c1d..e060d2fb1c 100644
540324
--- a/shared/references/cce-redhat-avail.txt
540324
+++ b/shared/references/cce-redhat-avail.txt
540324
@@ -1,4 +1,3 @@
540324
-CCE-82880-6
540324
 CCE-82882-2
540324
 CCE-82883-0
540324
 CCE-82888-9
From a0d54462b9a1e65de3598d7fc262f61a8e3a06ea Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:35:24 +0200
Subject: [PATCH 02/11] add tests
---
 .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh      | 4 ++++
 .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh      | 4 ++++
 .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh       | 3 +++
 .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh  | 4 ++++
 4 files changed, 15 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
540324
new file mode 100644
540324
index 0000000000..2ac0bbf350
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
540324
@@ -0,0 +1,4 @@
540324
+# platform = multi_platform_all
540324
+
540324
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
+echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
540324
new file mode 100644
540324
index 0000000000..fec859fe05
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
540324
@@ -0,0 +1,4 @@
540324
+# platform = multi_platform_all
540324
+
540324
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
+echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
540324
new file mode 100644
540324
index 0000000000..a6cd10163f
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
540324
@@ -0,0 +1,3 @@
540324
+# platform = multi_platform_all
540324
+
540324
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
new file mode 100644
540324
index 0000000000..a6a2ba7adf
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
@@ -0,0 +1,4 @@
540324
+# platform = multi_platform_all
540324
+
540324
+sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
+echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
From 6ce9e9d55eab07f1c2a3a8d0b28f104d0b5992da Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 May 2020 14:35:43 +0200
Subject: [PATCH 03/11] add rule to rhel8 ospp, update stable profiles
---
 rhel8/profiles/ospp.profile                     | 5 +++++
 tests/data/profile_stability/rhel8/ospp.profile | 3 +++
 tests/data/profile_stability/rhel8/stig.profile | 3 +++
 3 files changed, 11 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
540324
index 0dca8350f9..07d32b814d 100644
540324
--- a/rhel8/profiles/ospp.profile
540324
+++ b/rhel8/profiles/ospp.profile
540324
@@ -410,3 +410,8 @@ selections:
540324
 
540324
     # Prevent Kerberos use by system daemons
540324
     - kerberos_disable_no_keytab
540324
+
540324
+    # set ssh client rekey limit
540324
+    - ssh_client_rekey_limit
540324
+    - var_ssh_client_rekey_limit_size=1G
540324
+    - var_ssh_client_rekey_limit_time=1hour
540324
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
540324
index 25f7922bf3..b0d7672c36 100644
540324
--- a/tests/data/profile_stability/rhel8/ospp.profile
540324
+++ b/tests/data/profile_stability/rhel8/ospp.profile
540324
@@ -240,4 +240,7 @@ selections:
540324
 - grub2_vsyscall_argument.severity=info
540324
 - sysctl_user_max_user_namespaces.role=unscored
540324
 - sysctl_user_max_user_namespaces.severity=info
540324
+- ssh_client_rekey_limit
540324
+- var_ssh_client_rekey_limit_size=1G
540324
+- var_ssh_client_rekey_limit_time=1hour
540324
 title: Protection Profile for General Purpose Operating Systems
540324
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
540324
index 6c4270925f..330ecc7e1e 100644
540324
--- a/tests/data/profile_stability/rhel8/stig.profile
540324
+++ b/tests/data/profile_stability/rhel8/stig.profile
540324
@@ -269,4 +269,7 @@ selections:
540324
 - grub2_vsyscall_argument.severity=info
540324
 - sysctl_user_max_user_namespaces.role=unscored
540324
 - sysctl_user_max_user_namespaces.severity=info
540324
+- ssh_client_rekey_limit
540324
+- var_ssh_client_rekey_limit_size=1G
540324
+- var_ssh_client_rekey_limit_time=1hour
540324
 title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
From 763a79e337eecb24c640d1ac189edf02d20e53ad Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 28 May 2020 14:25:41 +0200
Subject: [PATCH 04/11] improve description of variables
---
 .../crypto/var_ssh_client_rekey_limit_size.var       | 10 ++++++++--
 .../crypto/var_ssh_client_rekey_limit_time.var       | 12 +++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
540324
index bcf051fd97..4e20104cba 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
540324
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
540324
@@ -2,14 +2,20 @@ documentation_complete: true
540324
 
540324
 title: 'SSH client RekeyLimit - size'
540324
 
540324
-description: 'Specify the size component of the rekey limit.'
540324
+description: |-
540324
+    Specify the size component of the rekey limit. This limit signifies amount
540324
+    of data. After this amount of data is transferred through the connection,
540324
+    the session key is renegotiated. The number is followed by K, M or G for
540324
+    kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
540324
+    configured according to ellabsed time.
540324
+
540324
+interactive: true
540324
 
540324
 type: string
540324
 
540324
 operator: equals
540324
 
540324
 options:
540324
-    ssh_client_default: "default"
540324
     default: "512M"
540324
     "512M": "512M"
540324
     "1G": "1G"
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
540324
index 31c76f9ab5..6143a5448c 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
540324
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
540324
@@ -1,14 +1,20 @@
540324
 documentation_complete: true
540324
 
540324
-title: 'SSH client RekeyLimit - size'
540324
+title: 'SSH client RekeyLimit - time'
540324
 
540324
-description: 'Specify the size component of the rekey limit.'
540324
+description: |-
540324
+    Specify the time component of the rekey limit. This limit signifies amount
540324
+    of data. The session key is renegotiated after the defined amount of time
540324
+    passes. The number is followed by units such as H or M for hours or minutes.
540324
+    Note that the RekeyLimit can be also configured according to amount of
540324
+    transfered data.
540324
+
540324
+interactive: true
540324
 
540324
 type: string
540324
 
540324
 operator: equals
540324
 
540324
 options:
540324
-    ssh_client_default: "none"
540324
     default: "1h"
540324
     "1hour": "1h"
From 0800fcaff037a1b012b75e59d6771f5e7763e1de Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 28 May 2020 14:26:12 +0200
Subject: [PATCH 05/11] fix tests and ansible
---
 .../crypto/ssh_client_rekey_limit/ansible/shared.yml         | 2 +-
 .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh     | 4 ++--
 .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh     | 4 ++--
 .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh      | 2 +-
 .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh | 5 +++--
 5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
540324
index 6d2bcbbd44..bb6544a0a0 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
540324
@@ -1,4 +1,4 @@
540324
-# platform = multi_platform_all                                                                                                                                                                                                                                                                                        [0/453]
540324
+# platform = multi_platform_all
540324
 # reboot = false
540324
 # strategy = configure
540324
 # complexity = low
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
540324
index 2ac0bbf350..22c465b08f 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
540324
@@ -1,4 +1,4 @@
540324
 # platform = multi_platform_all
540324
 
540324
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
-echo "RekeyLimit 812M 1h" >> /etc/ssh/sshd_config
540324
+
540324
+echo "RekeyLimit 812M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
540324
index fec859fe05..0dc621b1da 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
540324
@@ -1,4 +1,4 @@
540324
 # platform = multi_platform_all
540324
 
540324
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
-echo "RekeyLimit 512M 2h" >> /etc/ssh/sshd_config
540324
+
540324
+echo "RekeyLimit 512M 2h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
540324
index a6cd10163f..f6abf711da 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
540324
@@ -1,3 +1,3 @@
540324
 # platform = multi_platform_all
540324
 
540324
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
+echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
index a6a2ba7adf..e64e4191bc 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
@@ -1,4 +1,5 @@
540324
 # platform = multi_platform_all
540324
 
540324
-sed -e '/RekeyLimit/d' /etc/ssh/sshd_config
540324
-echo "RekeyLimit 512M 1h" >> /etc/ssh/sshd_config
540324
+
540324
+rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
+echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
From 9451e6d91c9975a3e9ecd4c627cbb0f9afce4c92 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 1 Jun 2020 14:29:47 +0200
Subject: [PATCH 06/11] fix test to use default value, remove rule from stig
---
 .../integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh    | 2 +-
 rhel8/profiles/stig.profile                                     | 1 +
 tests/data/profile_stability/rhel8/stig.profile                 | 1 -
 3 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
index e64e4191bc..89d7069687 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
@@ -2,4 +2,4 @@
540324
 
540324
 
540324
 rm -f /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
-echo "RekeyLimit 1G 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
540324
index 2bb81cf9dc..8f12852e26 100644
540324
--- a/rhel8/profiles/stig.profile
540324
+++ b/rhel8/profiles/stig.profile
540324
@@ -44,3 +44,4 @@ selections:
540324
     - package_rsyslog-gnutls_installed
540324
     - rsyslog_remote_tls
540324
     - rsyslog_remote_tls_cacert
540324
+    - "!ssh_client_rekey_limit"
540324
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
540324
index 330ecc7e1e..9b164eb5c2 100644
540324
--- a/tests/data/profile_stability/rhel8/stig.profile
540324
+++ b/tests/data/profile_stability/rhel8/stig.profile
540324
@@ -269,7 +269,6 @@ selections:
540324
 - grub2_vsyscall_argument.severity=info
540324
 - sysctl_user_max_user_namespaces.role=unscored
540324
 - sysctl_user_max_user_namespaces.severity=info
540324
-- ssh_client_rekey_limit
540324
 - var_ssh_client_rekey_limit_size=1G
540324
 - var_ssh_client_rekey_limit_time=1hour
540324
 title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8'
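Review bot: Only the rule selection is removed from the STIG stability profile while `var_ssh_client_rekey_limit_size=1G` and `var_ssh_client_rekey_limit_time=1hour` stay, so the profile keeps two variable selections that no selected rule consumes. If this file mirrors what the build resolves from `"!ssh_client_rekey_limit"` in rhel8/profiles/stig.profile, that may be exactly the generated output, but it is worth confirming rather than carrying dead selections in the expected-state fixture.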
From bd47b1145f17c97de719c887db6146d5e7b59616 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Jun 2020 12:38:19 +0200
Subject: [PATCH 07/11] rewrite oval to check for multiple locations
---
 .../ssh_client_rekey_limit/oval/shared.xml    | 42 ++++++++++++-------
 1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
540324
index 2412763e3f..41fa0497ae 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
540324
@@ -1,28 +1,17 @@
540324
-{{% set filepath = "/etc/ssh/ssh_config.d/02-rekey-limit.conf" -%}}
540324
-
540324
 
540324
 <def-group>
540324
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
540324
     <metadata>
540324
       <title>{{{ rule_title }}}</title>
540324
       {{{- oval_affected(products) }}}
540324
-      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
540324
+      <description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</description>
540324
     </metadata>
540324
-    <criteria comment="RekeyLimit is correctly configured for ssh client">
540324
-      {{{- oval_line_in_file_criterion(filepath, "RekeyLimit") }}}
540324
+    <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
540324
+      <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
540324
+      <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
540324
     </criteria>
540324
   </definition>
540324
 
540324
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the  file" id="test_ssh_client_rekey_limit" version="1">
540324
-     <ind:object object_ref="obj_ssh_client_rekey_limit"/>
540324
-  </ind:textfilecontent54_test>
540324
-
540324
-  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit" version="1">
540324
-     <ind:filepath>{{{ filepath }}}</ind:filepath>
540324
-     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
540324
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
540324
-  </ind:textfilecontent54_object>
540324
-
540324
   <local_variable id="ssh_client_line_regex" datatype="string" comment="The regex of the directive" version="1">
540324
     <concat>
540324
       <literal_component>^[\s]*RekeyLimit[\s]+</literal_component>
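Review bot: The negated criterion `test_ssh_client_rekey_limit_main_config` now fails the rule whenever /etc/ssh/ssh_config carries any `RekeyLimit`, even one with the expected value, which is a deliberate and reasonable "drop-ins only" policy but is not said anywhere; state it in the criterion comment, e.g. `comment="RekeyLimit must not be set in /etc/ssh/ssh_config (it would precede the Include and override the drop-in)"`. The rule.yml description and ocil from patch 01 still talk only about 02-rekey-limit.conf and do not mention this new requirement, so they need to be updated in this series to match what the check enforces. The `local_variable` block continues below the hunk.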
540324
@@ -35,5 +24,26 @@
540324
 
540324
   <external_variable comment="Size component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_size" version="1" />
540324
   <external_variable comment="Time component of the rekey limit" datatype="string" id="var_ssh_client_rekey_limit_time" version="1" />
540324
-</def-group>
540324
 
540324
+
540324
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="test_ssh_client_rekey_limit_main_config" version="1">
540324
+     <ind:object object_ref="obj_ssh_client_rekey_limit_main_config"/>
540324
+  </ind:textfilecontent54_test>
540324
+
540324
+  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_main_config" version="1">
540324
+     <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
540324
+     <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
540324
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
540324
+  </ind:textfilecontent54_object>
540324
+
540324
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="test_ssh_client_rekey_limit_include_configs" version="1">
540324
+     <ind:object object_ref="obj_ssh_client_rekey_limit_include_configs"/>
540324
+  </ind:textfilecontent54_test>
540324
+
540324
+  <ind:textfilecontent54_object id="obj_ssh_client_rekey_limit_include_configs" version="1">
540324
+     <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
540324
+     <ind:pattern var_ref="ssh_client_line_regex" operation="pattern match"></ind:pattern>
540324
+     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
540324
+  </ind:textfilecontent54_object>
540324
+
540324
+</def-group>
From c090301ab1cf43a83994b654ccb2ab0b967d05b4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 4 Jun 2020 08:24:54 +0200
Subject: [PATCH 08/11] reqrite remediations
---
 .../ssh_client_rekey_limit/ansible/shared.yml    | 16 ++++++++++++++++
 .../crypto/ssh_client_rekey_limit/bash/shared.sh | 13 +++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
540324
index bb6544a0a0..36de503806 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/ansible/shared.yml
540324
@@ -5,4 +5,20 @@
540324
 # disruption = low
540324
 {{{ ansible_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
540324
 
540324
+{{{ ansible_lineinfile(msg='Ensure RekeyLimit is not configured in /etc/ssh/ssh_config', path='/etc/ssh/ssh_config', regex='^\s*RekeyLimit.*$', create='no', state='absent') }}}
540324
+
540324
+- name: Collect all include config files for ssh client which configure RekeyLimit
540324
+  find:
540324
+    paths: "/etc/ssh/ssh_config.d/"
540324
+    contains: '^[\s]*RekeyLimit.*$'
540324
+    patterns: "*.config"
540324
+  register: ssh_config_include_files
540324
+
540324
+- name: Remove all occurences of RekeyLimit configuration from include config files of ssh client
540324
+  lineinfile:
540324
+    path: "{{ item }}"
540324
+    regexp: '^[\s]*RekeyLimit.*$'
540324
+    state: "absent"
540324
+  loop: "{{ ssh_config_include_files.files }}"
540324
+
540324
 {{{ ansible_lineinfile(msg='Ensure that rekey limit is set to {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }} in /etc/ssh/ssh_config.d/02-rekey-limit.conf', path='/etc/ssh/ssh_config.d/02-rekey-limit.conf', regex='^\s*RekeyLimit.*$', new_line='RekeyLimit {{ var_ssh_client_rekey_limit_size }} {{ var_ssh_client_rekey_limit_time }}', create='yes', state='present') }}}
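Review bot: The `find` task's `patterns: "*.config"` does not match the files the ssh client actually reads; the bash remediation globs `*.conf` and the OVAL object matches `\.conf$`, so with this pattern no drop-in is ever collected and a pre-existing `RekeyLimit` in, say, `01-other.conf` survives remediation while the check keeps failing. The loop that follows also hands each `find` result, which is a dict, straight to `lineinfile`'s `path`, so even a matching file would not be edited. Change the two lines to `patterns: "*.conf"` and `path: "{{ item.path }}"`.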
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
540324
index 43d0971ffc..99f6f63c92 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/bash/shared.sh
540324
@@ -5,4 +5,17 @@
540324
 
540324
 {{{ bash_instantiate_variables("var_ssh_client_rekey_limit_size", "var_ssh_client_rekey_limit_time") }}}
540324
 
540324
+main_config="/etc/ssh/ssh_config"
540324
+include_directory="/etc/ssh/ssh_config.d"
540324
+
540324
+if grep -q '^[\s]*RekeyLimit.*$' "$main_config"; then
540324
+  sed -i '/^[\s]*RekeyLimit.*/d' "$main_config"
540324
+fi
540324
+
540324
+for file in "$include_directory"/*.conf; do
540324
+  if grep -q '^[\s]*RekeyLimit.*$' "$file"; then
540324
+    sed -i '/^[\s]*RekeyLimit.*/d' "$file"
540324
+  fi
540324
+done
540324
+
540324
 {{{ set_config_file(path="/etc/ssh/ssh_config.d/02-rekey-limit.conf", parameter="RekeyLimit", value='$var_ssh_client_rekey_limit_size $var_ssh_client_rekey_limit_time', create=true, insert_before="", insert_after="", insensitive=false, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") }}}
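Review bot: The grep and sed patterns in the new block rely on `[\s]` to skip leading whitespace, but inside a POSIX bracket expression that matches a literal backslash or the letter `s`, so an indented `    RekeyLimit 2G 1h` line is left in place; the OVAL's `^[\s]*RekeyLimit` pattern (a PCRE-style class) would still flag it, so the remediation cannot converge on such a file. `[[:space:]]*` is the portable spelling for both tools. The `for file in "$include_directory"/*.conf` loop also iterates over the literal glob when the directory holds no `.conf` file, so grep complains about a missing file; a `[ -f "$file" ] || continue` guard avoids that.
```shell
if grep -q '^[[:space:]]*RekeyLimit' "$main_config"; then
  sed -i '/^[[:space:]]*RekeyLimit/d' "$main_config"
fi

for file in "$include_directory"/*.conf; do
  [ -f "$file" ] || continue
  if grep -q '^[[:space:]]*RekeyLimit' "$file"; then
    sed -i '/^[[:space:]]*RekeyLimit/d' "$file"
  fi
done
# … unchanged: set_config_file macro call …
```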
540324
540324
From 22b8cb067cfc9d6d48065233973d1dba223ef5a4 Mon Sep 17 00:00:00 2001
540324
From: Vojtech Polasek <vpolasek@redhat.com>
540324
Date: Thu, 4 Jun 2020 08:25:14 +0200
540324
Subject: [PATCH 09/11] add more tests
540324
540324
---
540324
 .../tests/bad_main_config_good_include_config.fail.sh         | 4 ++++
540324
 .../ssh_client_rekey_limit/tests/line_in_main_config.fail.sh  | 4 ++++
540324
 .../tests/ok_different_config_file.pass.sh                    | 3 +++
540324
 3 files changed, 11 insertions(+)
540324
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
540324
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
540324
 create mode 100644 linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
540324
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
540324
new file mode 100644
540324
index 0000000000..90314712af
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
540324
@@ -0,0 +1,4 @@
540324
+#!/bin/basdh
540324
+
540324
+echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
540324
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
540324
new file mode 100644
540324
index 0000000000..9ba20b0290
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/line_in_main_config.fail.sh
540324
@@ -0,0 +1,4 @@
540324
+#!/bin/bash
540324
+
540324
+rm -rf /etc/ssh/ssh_config.d/*
540324
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
540324
new file mode 100644
540324
index 0000000000..f725f6936f
540324
--- /dev/null
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok_different_config_file.pass.sh
540324
@@ -0,0 +1,3 @@
540324
+#!/bin/bash
540324
+
540324
+echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/05-some-file.conf
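Review bot: This fixture only covers a drop-in that sorts after `02-rekey-limit.conf`; the rule description added in the same series says a conflicting `RekeyLimit` in any lexically earlier file must be absent, yet no `.fail.sh` exercises that case. A companion test such as `echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config.d/01-other.conf` followed by the correct line in `02-rekey-limit.conf` would pin the ordering requirement; whether the OVAL as written detects it cannot be confirmed from the portion visible here, which is exactly why the fixture is worth having.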
540324
540324
From 78904a0cc4461cc26786289095fd76e8ce15843e Mon Sep 17 00:00:00 2001
540324
From: Vojtech Polasek <vpolasek@redhat.com>
540324
Date: Thu, 4 Jun 2020 08:25:29 +0200
540324
Subject: [PATCH 10/11] extend description and ocil
540324
540324
---
540324
 .../crypto/ssh_client_rekey_limit/rule.yml    | 19 ++++++++++++++-----
540324
 1 file changed, 14 insertions(+), 5 deletions(-)
540324
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
540324
index a1b85b0ee5..76f5f84090 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
540324
@@ -10,6 +10,12 @@ description: |-
540324
     amount of data that may be transmitted and the time
540324
     elapsed. To decrease the default limits, put line
540324
     <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
540324
+    Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
540324
+    the <tt>include</tt> directive in the main config file
540324
+    <tt>/etc/ssh/ssh_config</tt>. Check also other files in
540324
+    <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
540324
+    their names. Make sure that there is no file processed before
540324
+    <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
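Review bot: The added paragraph tells the reader to keep `RekeyLimit` out of the main file and out of earlier-sorting drop-ins but never states why, and without the reason the instruction reads as arbitrary. The ssh client applies the first obtained value for each keyword, which is the whole point of the ordering constraint. Suggest inserting, before the "Make sure" sentence: `The SSH client uses the first obtained value for each option, so any RekeyLimit definition read before 02-rekey-limit.conf takes precedence over it.`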
540324
 
540324
 rationale: |-
540324
     By decreasing the limit based on the amount of data and enabling
540324
@@ -27,8 +33,11 @@ references:
540324
 ocil_clause: 'it is commented out or is not set'
540324
 
540324
 ocil: |-
540324
-    To check if RekeyLimit is set correctly, run the
540324
-    following command:
540324
-    
$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
-    If configured properly, output should be
540324
-    
RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}
540324
+    To check if RekeyLimit is set correctly, run the following command: 
$
540324
+    sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf If configured
540324
+    properly, output should be 
/etc/ssh/ssh_config.d/02-rekey-limit.conf:
540324
+    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
540324
+    sub_var_value("var_ssh_client_rekey_limit_time") }}} Check also the
540324
+    main configuration file with the following command: 
sudo grep
540324
+    RekeyLimit /etc/ssh/ssh_config The command should not return any
540324
+    output.
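Review bot: The new OCIL says `sudo grep RekeyLimit /etc/ssh/ssh_config` must return no output, but an unanchored grep also matches commented lines, and the upstream sample `ssh_config` carries a commented `#   RekeyLimit 1G 1h` example, so a compliant host would appear to fail the manual check while the OVAL (which anchors on `^[\s]*RekeyLimit`) passes it. Anchor the manual check the same way the automated one is: `sudo grep -E '^\s*RekeyLimit' /etc/ssh/ssh_config`. The same applies to the `*.conf` grep a few lines above, where a commented example in some drop-in would show up as unexpected extra output.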
540324
540324
From 854d5c9d1e1a44e97fe59aeaace687adcff620d5 Mon Sep 17 00:00:00 2001
540324
From: Vojtech Polasek <vpolasek@redhat.com>
540324
Date: Mon, 8 Jun 2020 11:44:44 +0200
540324
Subject: [PATCH 11/11] fix typos and wording
540324
540324
---
540324
 .../integrity/crypto/ssh_client_rekey_limit/rule.yml     | 5 +++--
540324
 .../tests/bad_main_config_good_include_config.fail.sh    | 2 +-
540324
 .../crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh | 1 +
540324
 .../crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh | 1 +
540324
 .../crypto/ssh_client_rekey_limit/tests/no_line.fail.sh  | 1 +
540324
 .../crypto/ssh_client_rekey_limit/tests/ok.pass.sh       | 1 +
540324
 .../integrity/crypto/var_ssh_client_rekey_limit_size.var | 2 +-
540324
 .../integrity/crypto/var_ssh_client_rekey_limit_time.var | 9 ++++-----
540324
 8 files changed, 13 insertions(+), 9 deletions(-)
540324
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
540324
index 76f5f84090..b054d9d221 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
540324
@@ -14,8 +14,9 @@ description: |-
540324
     the <tt>include</tt> directive in the main config file
540324
     <tt>/etc/ssh/ssh_config</tt>. Check also other files in
540324
     <tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to
540324
-    their names. Make sure that there is no file processed before
540324
-    <tt>02-rekey-limit.conf</tt> containing definition of <tt>RekeyLimit</tt>.
540324
+    lexicographical order of file names. Make sure that there is no file
540324
+    processed before <tt>02-rekey-limit.conf</tt> containing definition of
540324
+    <tt>RekeyLimit</tt>.
540324
 
540324
 rationale: |-
540324
     By decreasing the limit based on the amount of data and enabling
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
540324
index 90314712af..58befb0107 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_main_config_good_include_config.fail.sh
540324
@@ -1,4 +1,4 @@
540324
-#!/bin/basdh
540324
+#!/bin/bash
540324
 
540324
 echo "RekeyLimit 2G 1h" >> /etc/ssh/ssh_config
540324
 echo "RekeyLimit 512M 1h" >> /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
540324
index 22c465b08f..1803c26629 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_size.fail.sh
540324
@@ -1,3 +1,4 @@
540324
+#!/bin/bash
540324
 # platform = multi_platform_all
540324
 
540324
 
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
540324
index 0dc621b1da..2c9e839255 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/bad_time.fail.sh
540324
@@ -1,3 +1,4 @@
540324
+#!/bin/bash
540324
 # platform = multi_platform_all
540324
 
540324
 
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
540324
index f6abf711da..7de108eafd 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/no_line.fail.sh
540324
@@ -1,3 +1,4 @@
540324
+#!/bin/bash
540324
 # platform = multi_platform_all
540324
 
540324
 echo "some line" > /etc/ssh/ssh_config.d/02-rekey-limit.conf
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
index 89d7069687..4c047ed179 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/tests/ok.pass.sh
540324
@@ -1,3 +1,4 @@
540324
+#!/bin/bash
540324
 # platform = multi_platform_all
540324
 
540324
 
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
540324
index 4e20104cba..c8dd8ef10e 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
540324
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_size.var
540324
@@ -7,7 +7,7 @@ description: |-
540324
     of data. After this amount of data is transferred through the connection,
540324
     the session key is renegotiated. The number is followed by K, M or G for
540324
     kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
540324
-    configured according to ellabsed time.
540324
+    configured according to elapsed time.
540324
 
540324
 interactive: true
540324
 
540324
diff --git a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
540324
index 6143a5448c..6223e8e38f 100644
540324
--- a/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
540324
+++ b/linux_os/guide/system/software/integrity/crypto/var_ssh_client_rekey_limit_time.var
540324
@@ -3,11 +3,10 @@ documentation_complete: true
540324
 title: 'SSH client RekeyLimit - time'
540324
 
540324
 description: |-
540324
-    Specify the time component of the rekey limit. This limit signifies amount
540324
-    of data. The session key is renegotiated after the defined amount of time
540324
-    passes. The number is followed by units such as H or M for hours or minutes.
540324
-    Note that the RekeyLimit can be also configured according to amount of
540324
-    transfered data.
540324
+    Specify the time component of the rekey limit. The session key is
540324
+    renegotiated after the defined amount of time passes. The number is followed
540324
+    by units such as H or M for hours or minutes. Note that the RekeyLimit can
540324
+    be also configured according to amount of transfered data.
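Review bot: `transfered` on the last added line is still misspelled in a commit whose subject is fixing typos; it should read `transferred`. While here, the sentence would be clearer as `Note that the RekeyLimit can also be configured according to the amount of transferred data.`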
540324
 
540324
 interactive: true
540324