Merge branch 'matejak-fix_sshd_timeout' into master

Author: redhatrises

docs/manual/developer_guide.adoc

@@ -1525,7 +1525,7 @@ auditd_lineinfile::
 * Parameters:
 ** *parameter* - auditd configuration item
 ** *value* - the value of configuration item specified by parameter
-** *missing_parameter_pass* - effective only in OVAL checks, if set to `"true"` and the parameter is not present in the configuration file the OVAL check will return true.
+** *missing_parameter_pass* - effective only in OVAL checks, if set to `"false"` and the parameter is not present in the configuration file, the OVAL check will return `false`.
 * Languages: Ansible, Bash, OVAL
 
 audit_rules_dac_modification::

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh

@@ -1,5 +1,7 @@
-# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_all
+
 . /usr/share/scap-security-guide/remediation_functions
+
 {{{ bash_instantiate_variables("sshd_idle_timeout_value") }}}
 
-replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value '@CCENUM@' '%s %s'
+{{{ bash_sshd_config_set("ClientAliveInterval", "$sshd_idle_timeout_value") }}}

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml

@@ -27,6 +27,7 @@
         {{% endif %}}
         <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config"
         test_ref="test_sshd_idle_timeout" />
+        <extend_definition comment="The SSH ClientAliveCountMax is set to zero" definition_ref="sshd_set_keepalive" />
       </criteria>
     </criteria>
   </definition>

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

@@ -70,3 +70,9 @@ warnings:
     - dependency: |-
         SSH disconnecting idle clients will not have desired effect without also
         configuring ClientAliveCountMax in the SSH service configuration.
+    - general: |-
+        Following conditions may prevent the SSH session to time out:
+        <ul>
+        <li>Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.</li>
+        <li>Any <tt>scp</tt> or <tt>sftp</tt> activity by the same user to the host resets the timeout.</li>
+        </ul>

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/comment.fail.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# remediation = none
+
+# The rule doesn't remediate the ClientAliveCountMax setting, we have another rule for that.
+
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+. "$SHARED/utilities.sh"
+
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveInterval "ClientAliveInterval 10"
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "# ClientAliveCountMax 0"

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/correct_value.pass.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+. "$SHARED/utilities.sh"
+
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveInterval "ClientAliveInterval 10"
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 0"

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/line_not_there.fail.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# remediation = none
+
+# The rule doesn't remediate the ClientAliveCountMax setting, we have another rule for that.
+
+sed -i "/^ClientAliveCountMax.*/d" /etc/ssh/sshd_config

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_comment.fail.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+. "$SHARED/utilities.sh"
+
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveInterval "# ClientAliveInterval 10"
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 0"
+

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_line_not_there.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# remediation = none
+
+# The rule doesn't remediate the ClientAliveCountMax setting, we have another rule for that.
+
+sed -i "/^ClientAliveInterval.*/d" /etc/ssh/sshd_config
+

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/other_wrong_value.fail.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# remediation = none
+
+# The rule doesn't remediate the ClientAliveCountMax setting, we have another rule for that.
+
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+. "$SHARED/utilities.sh"
+
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveInterval "ClientAliveInterval 10"
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 1"
+

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/tests/wrong_value.fail.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+. "$SHARED/utilities.sh"
+
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveInterval "ClientAliveInterval 6000"
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 0"

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml

@@ -12,11 +12,7 @@ description: |-
     
     To ensure the SSH idle timeout occurs precisely when the
     <tt>ClientAliveInterval</tt> is set, set the <tt>ClientAliveCountMax</tt> to
-    value of <tt>0</tt>. This profile sets <tt>ClientAliveCountMax</tt> to
-    <tt>{{{ xccdf_value("var_sshd_set_keepalive") }}}</tt>. To modify the
-    <tt>ClientAliveCountMax</tt> option, edit <tt>/etc/ssh/sshd_config</tt> as
-    follows:
-    <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
+    value of <tt>0</tt>.
 
 rationale: |-
     This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
@@ -59,8 +55,15 @@ ocil: |-
     To ensure <tt>ClientAliveInterval</tt> is set correctly, run the following command:
     <pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
     If properly configured, the output should be:
-    <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
-    If the option is set to <tt>0</tt>, then the SSH idle timeout occurs precisely when
+    <pre>ClientAliveCountMax 0</pre>
+
+    In this case, the SSH idle timeout occurs precisely when
     the <tt>ClientAliveInterval</tt> is set.
-    If the option is set to a number greater than <tt>0</tt>, then the idle session will be disconnected after
-    <tt>ClientAliveInterval * ClientAliveCountMax</tt> seconds.
+
+template:
+  name: sshd_lineinfile
+  vars:
+    parameter: "ClientAliveCountMax"
+    value: "0"
+    missing_parameter_pass: "false"
+    kubernetes: "off"

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh

@@ -54,7 +54,6 @@ selections:
     - sshd_disable_empty_passwords
     - sshd_disable_kerb_auth
     - sshd_disable_gssapi_auth
-    - var_sshd_set_keepalive=0
     - sshd_set_keepalive
     - sshd_enable_warning_banner
     - sshd_rekey_limit

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml

@@ -76,7 +76,6 @@ selections:
     #- sshd_disable_empty_passwords
     #- sshd_disable_kerb_auth
     #- sshd_disable_gssapi_auth
-    #- var_sshd_set_keepalive=0
     # AC-2(5)
     - sshd_set_keepalive
     #- sshd_enable_warning_banner

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml

@@ -77,7 +77,6 @@ selections:
     #- sshd_disable_empty_passwords
     #- sshd_disable_kerb_auth
     #- sshd_disable_gssapi_auth
-    #- var_sshd_set_keepalive=0
     #- sshd_set_keepalive
     #- sshd_enable_warning_banner
     #- sshd_rekey_limit

ol8/profiles/ospp.profile

@@ -211,7 +211,6 @@ selections:
     - sshd_do_not_permit_user_env
     - sshd_enable_strictmodes
     - sshd_enable_warning_banner
-    - var_sshd_set_keepalive=3
     - sshd_set_keepalive
     - sshd_use_approved_ciphers
     - sshd_use_approved_macs

rhcos4/profiles/moderate.profile

@@ -827,7 +827,6 @@ selections:
     - sshd_set_idle_timeout
 
     # ClientAliveCountMax 0
-    - var_sshd_set_keepalive=0
     - sshd_set_keepalive
 
     ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute

rhcos4/profiles/ncp.profile

@@ -63,7 +63,6 @@ selections:
     - sshd_disable_empty_passwords
     - sshd_disable_kerb_auth
     - sshd_disable_gssapi_auth
-    - var_sshd_set_keepalive=0
     - sshd_set_keepalive
     - sshd_enable_warning_banner
     - sshd_rekey_limit

rhel7/profiles/rhelh-stig.profile

@@ -210,7 +210,6 @@ selections:
     - sshd_do_not_permit_user_env
     - sshd_enable_strictmodes
     - sshd_enable_warning_banner
-    - var_sshd_set_keepalive=3
     - sshd_set_keepalive
     - sshd_use_priv_separation
     - var_system_crypto_policy=fips_ospp

rhel8/profiles/cis.profile

@@ -693,7 +693,6 @@ selections:
     - sshd_set_idle_timeout
 
     # ClientAliveCountMax 0
-    - var_sshd_set_keepalive=0
     - sshd_set_keepalive
 
     ### 5.2.17 Ensure SSH LoginGraceTime is set to one minute

rhel8/profiles/ospp.profile

@@ -228,7 +228,6 @@ selections:
 - zipl_page_poison_argument
 - zipl_slub_debug_argument
 - zipl_vsyscall_argument
-- var_sshd_set_keepalive=0
 - var_rekey_limit_size=1G
 - var_rekey_limit_time=1hour
 - var_accounts_user_umask=027

rhv4/profiles/rhvh-stig.profile

@@ -243,7 +243,6 @@ selections:
 - timer_dnf-automatic_enabled
 - usbguard_allow_hid_and_hub
 - use_pam_wheel_for_su
-- var_sshd_set_keepalive=0
 - var_rekey_limit_size=1G
 - var_rekey_limit_time=1hour
 - var_accounts_user_umask=027

sle15/profiles/cis.profile

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# $1: Config file
+# $2: The directive beginning, e.g. ClientAliveCountMax
+# $3: The whole directive beginning, e.g. "ClientAliveCountMax 0". Escape slashes - the argument is used in sed.
+function assert_directive_in_file {
+	if grep -q "^$2" "$1"; then
+		sed -i "s/^$2.*/$3/" "$1"
+	else
+		echo "$3" >> "$1"
+	fi
+}

tests/data/profile_stability/rhel8/ospp.profile

@@ -709,7 +709,6 @@ selections:
     - sshd_set_idle_timeout
 
     # ClientAliveCountMax 0
-    - var_sshd_set_keepalive=0
     - sshd_set_keepalive
 
     ### 5.2.13 Ensure SSH LoginGraceTime is set to one minute