From ea37df6b736d22f32fd0d64457d731aa76b656c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 18 Aug 2021 16:17:15 +0200
Subject: [PATCH 1/2] Come up with a better basename

On Red Hat systems, there is 50-redhat.conf, so
60-complianceascode.conf seems to be a generally good fit.
---
 shared/templates/sshd_lineinfile/bash.template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/shared/templates/sshd_lineinfile/bash.template b/shared/templates/sshd_lineinfile/bash.template
index eac758e310b..e15ab9521b8 100644
--- a/shared/templates/sshd_lineinfile/bash.template
+++ b/shared/templates/sshd_lineinfile/bash.template
@@ -11,8 +11,9 @@ mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/hardening
 {{{ lineinfile_absent("/etc/ssh/sshd_config", line_regex, insensitive=true) }}}
 {{{ lineinfile_absent_in_directory("/etc/ssh/sshd_config.d", line_regex, insensitive=true) }}}
+{{%- set hardening_config_basename = "00-complianceascode-hardening.conf" %}}
 {{{ set_config_file(
-        path="/etc/ssh/sshd_config.d/hardening",
+        path="/etc/ssh/sshd_config.d/" ~ hardening_config_basename,
         parameter=PARAMETER,
         value=VALUE,
         create=true,
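Review bot: The context line `touch /etc/ssh/sshd_config.d/hardening` still creates the old, un-suffixed `hardening` file, so after this change the remediation leaves an empty stray file next to the new `.conf` it writes via `create=true`; either drop the `touch` line or move the `set hardening_config_basename` above it and use `touch "/etc/ssh/sshd_config.d/{{{ hardening_config_basename }}}"`. The commit description says `60-complianceascode.conf`, but the hunk sets `00-complianceascode-hardening.conf`; since sshd reads `Include`d files in lexical order and keeps the first value it obtains for a keyword, the numeric prefix decides whether this file wins over or loses to `50-redhat.conf`, so the two should be made to agree and the choice stated in a comment above the `set`, e.g. `{{# 00- sorts before the distribution's 50-redhat.conf so the hardened value takes precedence #}}`. The `set_config_file(` call continues past the end of the hunk.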

From 9fc6f549d9494730c4d973330a24a5a2a209b1c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 18 Aug 2021 17:51:17 +0200
Subject: [PATCH 2/2] Fix the sshd directory config check

The check should consider only files matching .*\.conf
---
 .../sshd_disable_pubkey_auth/tests/conflict.fail.sh           | 4 ++--
 .../tests/correct_value_directory.pass.sh                     | 2 +-
 shared/macros-oval.jinja                                      | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
index 177a99e0b82..6e064ffc739 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/conflict.fail.sh
@@ -11,5 +11,5 @@ else
 	echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
 fi
 
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config
-echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/good_config.conf
+echo "PubkeyAuthentication yes" > /etc/ssh/sshd_config.d/rogue_config.conf
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
index 0aa2e775dbe..acb650915fe 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_pubkey_auth/tests/correct_value_directory.pass.sh
@@ -11,4 +11,4 @@ else
 	echo "# PubkeyAuthentication no" >> /etc/ssh/sshd_config
 fi
 
-echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct
+echo "PubkeyAuthentication no" > /etc/ssh/sshd_config.d/correct.conf
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 87e0fd7d87d..f2fa7d79fc8 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -227,7 +227,7 @@
 {{%- endmacro %}}
 
 {{%- macro oval_line_in_directory_object(path='', section='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', missing_parameter_pass=false, multi_value=false) -%}}
-{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*", id_stem=rule_id ~ "_config_dir") -}}}
+{{{- oval_line_in_file_object(path=path, section=section, prefix_regex=prefix_regex, parameter=parameter, separator_regex=separator_regex, missing_parameter_pass=missing_parameter_pass, multi_value=multi_value, filepath_regex=".*\.conf$", id_stem=rule_id ~ "_config_dir") -}}}
 {{%- endmacro %}}
 
 {{%- macro oval_line_in_directory_state(value='', multi_value='', quotes='') -%}}
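Review bot: The new `filepath_regex=".*\.conf$"` writes a single-backslash escape inside a Jinja string literal, while the macro signature on the line above spells the same idea as `'^[ \\t]*'` with a doubled backslash; Jinja unescapes string literals, and an unrecognised escape such as `\.` appears to be passed through unchanged, but that is incidental and inconsistent with the file's own convention, so prefer `filepath_regex=".*\\.conf$"`. A one-line comment above the macro would also help the next reader, e.g. `{{# only *.conf files are read by sshd's Include, so only those are checked #}}`, since the earlier hunks in this patch rename test fixtures to `.conf` for that reason.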