From a5cce64337e8b8617f3bf3ee1311e80d652754ea Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Thu, 14 Oct 2021 12:12:16 +0200

Subject: [PATCH] Set sshd priv keys permissions 600 for all products.

---

 .../file_permissions_sshd_private_key/rule.yml    | 15 +++------------

 .../tests/correct_value.pass.sh             |  8 +-------

 .../tests/multiple_keys.fail.sh                   |  2 +-

 4 files changed, 7 insertions(+), 21 deletions(-)

diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml

index bda7ae4d53b..ddda4075e21 100644

--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml

+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml

@@ -3,11 +3,7 @@ documentation_complete: true

 title: 'Verify Permissions on SSH Server Private *_key Key Files'

 description: |-

-    {{% if product in ['ubuntu1804','opensuse', 'sle12', 'sle15'] %}}

     {{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0600") }}}

-    {{% else %}}

-    {{{ describe_file_permissions(file="/etc/ssh/*_key", perms="0640") }}}

-    {{% endif %}}

 rationale: |-

     If an unauthorized user obtains the private SSH host key file, the host could be

@@ -45,10 +41,10 @@ references:

     stigid@sle12: SLES-12-030220

     stigid@sle15: SLES-15-040250

-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}'

+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}'

 ocil: |-

-    {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}

+    {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms="-rw-------") }}}

 template:

     name: file_permissions

@@ -56,9 +52,4 @@ template:

         filepath: /etc/ssh/

         missing_file_pass: 'true'

         file_regex: ^.*_key$

-        filemode: '0640'

-        filemode@sle12: '0600'

-        filemode@sle15: '0600'

-        filemode@ubuntu1604: '0600'

-        filemode@ubuntu1804: '0600'

-        filemode@ubuntu2004: '0600'

+        filemode: '0600'

diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh

index 5790a48..f7cf8d9 100644

--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh

+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/correct_value.pass.sh

@@ -2,4 +2,4 @@

 #

 FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)

-chmod 0640 /etc/ssh/*_key

+chmod 0600 /etc/ssh/*_key

diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh

index 6df9d61b715..7c0d6019702 100644

--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh

+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/tests/multiple_keys.fail.sh

@@ -4,4 +4,4 @@

 FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)

 chmod 0777 $FAKE_KEY

 FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX_key)

-chmod 0640 $FAKE_KEY2

+chmod 0600 $FAKE_KEY2