Set the sshd_set_keepalive rule to set the option to zero.

matejak · redhatrises · commit 5ab82b482aca · 2020-11-03T16:20:00.000-07:00
All other values don't make any sense from the security POV,
so the parametrization has been removed.
Thanks to that, the rule may now use a template.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml
@@ -27,7 +27,7 @@
         {{% endif %}}
         <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config"
         test_ref="test_sshd_idle_timeout" />
-        <extend_definition comment="The SSH ClientAliveCountMax is set to zero" definition_ref="sshd_set_keepalive_0" />
+        <extend_definition comment="The SSH ClientAliveCountMax is set to zero" definition_ref="sshd_set_keepalive" />
       </criteria>
     </criteria>
   </definition>
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -8,7 +8,7 @@ description: |-
     <br /><br />
     To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
     follows:
-    <pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>.
+    <pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>
     <br/><br/>
     The timeout <b>interval</b> is given in seconds. For example, have a timeout
     of 10 minutes, set <b>interval</b> to 600.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
@@ -12,11 +12,7 @@ description: |-
     
     To ensure the SSH idle timeout occurs precisely when the
     <tt>ClientAliveInterval</tt> is set, set the <tt>ClientAliveCountMax</tt> to
-    value of <tt>0</tt>. This profile sets <tt>ClientAliveCountMax</tt> to
-    <tt>{{{ xccdf_value("var_sshd_set_keepalive") }}}</tt>. To modify the
-    <tt>ClientAliveCountMax</tt> option, edit <tt>/etc/ssh/sshd_config</tt> as
-    follows:
-    <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
+    value of <tt>0</tt>.
 
 rationale: |-
     This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
@@ -59,8 +55,15 @@ ocil: |-
     To ensure <tt>ClientAliveInterval</tt> is set correctly, run the following command:
     <pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
     If properly configured, the output should be:
-    <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
-    If the option is set to <tt>0</tt>, then the SSH idle timeout occurs precisely when
+    <pre>ClientAliveCountMax 0</pre>
+
+    In this case, the SSH idle timeout occurs precisely when
     the <tt>ClientAliveInterval</tt> is set.
-    If the option is set to a number greater than <tt>0</tt>, then the idle session will be disconnected after
-    <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
+
+template:
+  name: sshd_lineinfile
+  vars:
+    parameter: "ClientAliveCountMax"
+    value: "0"
+    missing_parameter_pass: "false"
+    kubernetes: "off"
diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile
@@ -54,7 +54,6 @@ selections:
     - sshd_disable_empty_passwords
     - sshd_disable_kerb_auth
     - sshd_disable_gssapi_auth
-    - var_sshd_set_keepalive=0
     - sshd_set_keepalive
     - sshd_enable_warning_banner
     - sshd_rekey_limit
diff --git a/rhcos4/profiles/moderate.profile b/rhcos4/profiles/moderate.profile
@@ -76,7 +76,6 @@ selections:
     #- sshd_disable_empty_passwords
     #- sshd_disable_kerb_auth
     #- sshd_disable_gssapi_auth
-    #- var_sshd_set_keepalive=0
     # AC-2(5)
     - sshd_set_keepalive
     #- sshd_enable_warning_banner
diff --git a/rhcos4/profiles/ncp.profile b/rhcos4/profiles/ncp.profile
@@ -77,7 +77,6 @@ selections:
     #- sshd_disable_empty_passwords
     #- sshd_disable_kerb_auth
     #- sshd_disable_gssapi_auth
-    #- var_sshd_set_keepalive=0
     #- sshd_set_keepalive
     #- sshd_enable_warning_banner
     #- sshd_rekey_limit
diff --git a/rhel7/profiles/rhelh-stig.profile b/rhel7/profiles/rhelh-stig.profile
@@ -211,7 +211,6 @@ selections:
     - sshd_do_not_permit_user_env
     - sshd_enable_strictmodes
     - sshd_enable_warning_banner
-    - var_sshd_set_keepalive=3
     - sshd_set_keepalive
     - sshd_use_approved_ciphers
     - sshd_use_approved_macs
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
@@ -827,7 +827,6 @@ selections:
     - sshd_set_idle_timeout
 
     # ClientAliveCountMax 0
-    - var_sshd_set_keepalive=0
     - sshd_set_keepalive
 
     ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
@@ -63,7 +63,6 @@ selections:
     - sshd_disable_empty_passwords
     - sshd_disable_kerb_auth
     - sshd_disable_gssapi_auth
-    - var_sshd_set_keepalive=0
     - sshd_set_keepalive
     - sshd_enable_warning_banner
     - sshd_rekey_limit
diff --git a/rhv4/profiles/rhvh-stig.profile b/rhv4/profiles/rhvh-stig.profile
@@ -210,7 +210,6 @@ selections:
     - sshd_do_not_permit_user_env
     - sshd_enable_strictmodes
     - sshd_enable_warning_banner
-    - var_sshd_set_keepalive=3
     - sshd_set_keepalive
     - sshd_use_priv_separation
     - var_system_crypto_policy=fips_ospp
diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml
@@ -43,11 +43,3 @@ service_sssd_disabled:
   vars:
     servicename: sssd
     packagename: sssd-common
-
-
-sshd_set_keepalive_0:
-  name: sshd_lineinfile
-  vars:
-    parameter: "ClientAliveCountMax"
-    value: "0"
-    missing_parameter_pass: "false"
diff --git a/sle15/profiles/cis.profile b/sle15/profiles/cis.profile
@@ -693,7 +693,6 @@ selections:
     - sshd_set_idle_timeout
 
     # ClientAliveCountMax 0
-    - var_sshd_set_keepalive=0
     - sshd_set_keepalive
 
     ### 5.2.17 Ensure SSH LoginGraceTime is set to one minute
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
@@ -228,7 +228,6 @@ selections:
 - zipl_page_poison_argument
 - zipl_slub_debug_argument
 - zipl_vsyscall_argument
-- var_sshd_set_keepalive=0
 - var_rekey_limit_size=1G
 - var_rekey_limit_time=1hour
 - var_accounts_user_umask=027
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
@@ -243,7 +243,6 @@ selections:
 - timer_dnf-automatic_enabled
 - usbguard_allow_hid_and_hub
 - use_pam_wheel_for_su
-- var_sshd_set_keepalive=0
 - var_rekey_limit_size=1G
 - var_rekey_limit_time=1hour
 - var_accounts_user_umask=027
diff --git a/ubuntu1804/profiles/cis.profile b/ubuntu1804/profiles/cis.profile
@@ -709,7 +709,6 @@ selections:
     - sshd_set_idle_timeout
 
     # ClientAliveCountMax 0
-    - var_sshd_set_keepalive=0
     - sshd_set_keepalive
 
     ### 5.2.13 Ensure SSH LoginGraceTime is set to one minute
