Merge pull request #9903 from marcusburghardt/issue_9830_master

Update the sshd_set_keepalive regarding ClientAliveCountMax

controls/stig_rhel8.yml

@@ -192,7 +192,8 @@ controls:
             SSH traffic are terminated at the end of the session or after 10 minutes of inactivity,
             except to fulfill documented and validated mission requirements.
         rules:
-            - sshd_set_keepalive_0
+            - sshd_set_keepalive
+            - var_sshd_set_keepalive=1
         status: automated
     -   id: RHEL-08-010210
         levels:

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml

@@ -1,73 +1,75 @@
 <def-group>
-  <definition class="compliance" id="sshd_set_keepalive" version="1">
-    {{{ oval_metadata("The SSH ClientAliveCountMax should be set to an appropriate
-      value (and dependencies are met)") }}}
-    <criteria comment="SSH is configured correctly or is not installed"
-    operator="OR">
-      <criteria comment="sshd is not installed" operator="AND">
-        <extend_definition comment="sshd is not required or requirement is unset"
-        definition_ref="sshd_not_required_or_unset" />
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("The SSH ClientAliveCountMax should be set to an appropriate value (and
+      dependencies are met)") }}}
+    <criteria operator="OR" comment="SSH is configured correctly or is not installed">
+      <criteria operator="AND" comment="sshd is not required and not installed">
+        <extend_definition definition_ref="sshd_not_required_or_unset"
+          comment="sshd is not required or requirement is unset"/>
         {{% if product in ['opensuse', 'sle12'] %}}
-        <extend_definition comment="rpm package openssh removed"
-        definition_ref="package_openssh_removed" />
+        <extend_definition definition_ref="package_openssh_removed"
+          comment="rpm package openssh removed"/>
         {{% else %}}
-        <extend_definition comment="rpm package openssh-server removed"
-        definition_ref="package_openssh-server_removed" />
+        <extend_definition definition_ref="package_openssh-server_removed"
+          comment="rpm package openssh-server removed"/>
         {{% endif %}}
       </criteria>
-      <criteria comment="sshd is installed and configured" operator="AND">
-        <extend_definition comment="sshd is required or requirement is unset"
-        definition_ref="sshd_required_or_unset" />
+      <criteria operator="AND" comment="sshd is installed and configured">
+        <extend_definition definition_ref="sshd_required_or_unset"
+          comment="sshd is required or requirement is unset"/>
         {{% if product in ['opensuse', 'sle12'] %}}
-        <extend_definition comment="rpm package openssh installed"
-        definition_ref="package_openssh_installed" />
+        <extend_definition definition_ref="package_openssh_installed"
+          comment="rpm package openssh installed"/>
         {{% else %}}
-        <extend_definition comment="rpm package openssh-server installed"
-        definition_ref="package_openssh-server_installed" />
+        <extend_definition definition_ref="package_openssh-server_installed"
+          comment="rpm package openssh-server installed"/>
         {{% endif %}}
-        <criteria comment="sshd is configured" operator="OR">
-          <criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config"
-          test_ref="test_sshd_clientalivecountmax" />
+        <criteria operator="OR" comment="sshd is configured">
+          <criterion test_ref="test_sshd_set_keepalive_clientalivecountmax"
+            comment="Check ClientAliveCountMax in /etc/ssh/sshd_config"/>
           {{%- if sshd_distributed_config == "true" %}}
-          <criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config.d/ files"
-          test_ref="test_sshd_clientalivecountmax_dir" />
+          <criterion test_ref="test_sshd_set_keepalive_clientalivecountmax_dir"
+            comment="Check ClientAliveCountMax in /etc/ssh/sshd_config.d/ files"/>
           {{%- endif %}}
         </criteria>
       </criteria>
     </criteria>
   </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file"
-  id="test_sshd_clientalivecountmax" version="1">
-    <ind:object object_ref="obj_sshd_clientalivecountmax" />
-    <ind:state state_ref="state_sshd_clientalivecountmax" />
+
+  <ind:textfilecontent54_test id="test_sshd_set_keepalive_clientalivecountmax" version="2"
+    check="all" check_existence="all_exist"
+    comment="Check the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file">
+    <ind:object object_ref="object_sshd_set_keepalive_clientalivecountmax"/>
+    <ind:state state_ref="state_sshd_set_keepalive_clientalivecountmax"/>
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_state id="state_sshd_clientalivecountmax" version="1">
-    <ind:subexpression datatype="int" operation="less than or equal" var_check="all"
-    var_ref="var_sshd_set_keepalive" />
-  </ind:textfilecontent54_state>
-  <ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="2">
+
+  <ind:textfilecontent54_object id="object_sshd_set_keepalive_clientalivecountmax" version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
     <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_sshd_set_keepalive_clientalivecountmax" version="2">
+    <ind:subexpression var_check="all" datatype="int"
+      operation="equals" var_ref="var_sshd_set_keepalive"/>
+  </ind:textfilecontent54_state>
+
   {{%- if sshd_distributed_config == "true" %}}
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config.d/ files"
-  id="test_sshd_clientalivecountmax_dir" version="1">
-    <ind:object object_ref="obj_sshd_clientalivecountmax_dir" />
-    <ind:state state_ref="state_sshd_clientalivecountmax" />
+  <ind:textfilecontent54_test id="test_sshd_set_keepalive_clientalivecountmax_dir" version="2"
+    check="all" check_existence="all_exist"
+    comment="Check the value of ClientAliveCountMax setting in /etc/ssh/sshd_config.d/ files">
+    <ind:object object_ref="object_sshd_set_keepalive_clientalivecountmax_dir"/>
+    <ind:state state_ref="state_sshd_set_keepalive_clientalivecountmax"/>
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_object id="obj_sshd_clientalivecountmax_dir" version="1">
+  <ind:textfilecontent54_object id="object_sshd_set_keepalive_clientalivecountmax_dir" version="2">
     <ind:path>/etc/ssh/sshd_config.d</ind:path>
     <ind:filename operation="pattern match">.*\.conf$</ind:filename>
     <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
   {{%- endif %}}
 
-  <external_variable comment="ClientAliveCountMax value" datatype="int"
-  id="var_sshd_set_keepalive" version="1" />
-
+  <external_variable datatype="int" id="var_sshd_set_keepalive" version="2"
+    comment="ClientAliveCountMax value"/>
 </def-group>

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/policy/stig/shared.yml

@@ -9,20 +9,20 @@ vuldiscussion: |-
     {{{ full_name }}} utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.
 
 checktext: |-
-    Verify that the "ClientAliveCountMax" is set to "0" by performing the following command:
+    Verify that the "ClientAliveCountMax" is set to "{{{ xccdf_value("var_sshd_set_keepalive") }}}" by performing the following command:
 
     $ sudo grep -i countmax /etc/ssh/sshd_config
 
-    ClientAliveCountMax 0
+    ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}
 
-    If "ClientAliveCountMax" do not exist, is not set to a value of "0" in "/etc/ssh/sshd_config", or is commented out, this is a finding.
+    If "ClientAliveCountMax" do not exist, is not set to a value of "{{{ xccdf_value("var_sshd_set_keepalive") }}}" in "/etc/ssh/sshd_config", or is commented out, this is a finding.
 
 fixtext: |-
     Configure {{{ full_name }}} to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity.
 
     Modify or append the following lines in the "/etc/ssh/sshd_config" file:
 
-    ClientAliveCountMax 0
+    ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}
 
     In order for the changes to take effect, the SSH daemon must be restarted.
 

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/comment.fail.sh

@@ -1,8 +1,10 @@
 #!/bin/bash
+# variables = var_sshd_set_keepalive=1
+
 SSHD_CONFIG="/etc/ssh/sshd_config"
 
 if grep -q "^ClientAliveCountMax" $SSHD_CONFIG; then
-	sed -i "s/^ClientAliveCountMax.*/# ClientAliveCountMax 0/" $SSHD_CONFIG
+	sed -i "s/^ClientAliveCountMax.*/# ClientAliveCountMax 1/" $SSHD_CONFIG
 else
-	echo "# ClientAliveCountMax 0" >> $SSHD_CONFIG
+	echo "# ClientAliveCountMax 1" >> $SSHD_CONFIG
 fi

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value.pass.sh

@@ -1,8 +1,10 @@
 #!/bin/bash
+# variables = var_sshd_set_keepalive=1
+
 SSHD_CONFIG="/etc/ssh/sshd_config"
 
 if grep -q "^ClientAliveCountMax" $SSHD_CONFIG; then
-	sed -i "s/^ClientAliveCountMax.*/ClientAliveCountMax 0/" $SSHD_CONFIG
+	sed -i "s/^ClientAliveCountMax.*/ClientAliveCountMax 1/" $SSHD_CONFIG
 else
-	echo "ClientAliveCountMax 0" >> $SSHD_CONFIG
+	echo "ClientAliveCountMax 1" >> $SSHD_CONFIG
 fi

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/correct_value_dot_dir.pass.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
-# variables = var_sshd_set_keepalive=0
-# platform = Red Hat Enterprise Linux 9
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+# variables = var_sshd_set_keepalive=1
 
 SSHD_CONFIG="/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
 
@@ -13,4 +13,4 @@ if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d
 	sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
 fi
 
-assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 0"
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 1"

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/line_not_there.fail.sh

@@ -1,3 +1,4 @@
 #!/bin/bash
+# variables = var_sshd_set_keepalive=1
 
 sed -i "/^ClientAliveCountMax.*/d" /etc/ssh/sshd_config

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict.fail.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# variables = var_sshd_set_keepalive=1
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/nothing

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/param_conflict_directory.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
-
 # platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+# variables = var_sshd_set_keepalive=1
 
 mkdir -p /etc/ssh/sshd_config.d
 touch /etc/ssh/sshd_config.d/nothing
@@ -9,5 +9,5 @@ if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d
 	sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
 fi
 
-echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/good_config.conf
-echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/bad_config.conf
+echo "ClientAliveCountMax 1" > /etc/ssh/sshd_config.d/good_config.conf
+echo "ClientAliveCountMax 0" > /etc/ssh/sshd_config.d/bad_config.conf

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value.fail.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+# variables = var_sshd_set_keepalive=1
+
 SSHD_CONFIG="/etc/ssh/sshd_config"
 
 if grep -q "^ClientAliveCountMax" $SSHD_CONFIG; then

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/tests/wrong_value_dot_dir.fail.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
-# variables = var_sshd_set_keepalive=0
-# platform = Red Hat Enterprise Linux 9
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 9
+# variables = var_sshd_set_keepalive=1
 
 SSHD_CONFIG="/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
 
@@ -13,4 +13,4 @@ if grep -q "^\s*ClientAliveCountMax" /etc/ssh/sshd_config /etc/ssh/sshd_config.d
 	sed -i "/^\s*ClientAliveCountMax.*/Id" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
 fi
 
-assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 3"
+assert_directive_in_file "$SSHD_CONFIG" ClientAliveCountMax "ClientAliveCountMax 0"