
Improve remediation for SSH global settings #11032

Merged

Conversation

marcusburghardt
Member

Description:

When new lines need to be inserted in the sshd_config file to define global settings, these lines must be inserted before any Match conditional. However, using Match lines as reference during the remediation is not robust enough, especially when multiple Match lines are present.

Since there are no ordering restrictions on global settings, it is safer to include new lines at the beginning of the file.

Rationale:

Review Hints:

Automatus tests should be enough.
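The behaviour the description argues for, as an added shell example that is not code from this PR or from the ComplianceAsCode project: `old_match_line_numbers` shows why using `grep -n "^Match"` as the insertion reference breaks as soon as a config has more than one Match block, and `set_global_directive` applies the PR's approach (delete any existing definition of the keyword, then write the new line as line 1 and append the original content). The function names, the sample sshd_config and the temp-file handling are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or the ComplianceAsCode project.
# Shows why global sshd_config directives are safer inserted at the top of the
# file than before the first "Match" line found by grep.
set -eu

# Constructed sample sshd_config with two Match blocks (not a real host file).
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample
Port 22
Match User backup
    PasswordAuthentication no
Match Address 10.0.0.0/8
    X11Forwarding yes
EOF
}

# The old remediation derived a single line number from this pipeline. With
# two Match lines it yields two numbers ("3" and "5"), so a later
# "$(( line_number - 1 ))" fails instead of inserting before the first Match.
old_match_line_numbers() {
    LC_ALL=C grep -n '^Match' "$1" | LC_ALL=C sed 's/:.*//g'
}

# The PR's approach: drop any existing definition of the keyword (case-
# insensitive, leading whitespace allowed), then write the directive as
# line 1 and append the original content. Unlike "sed -i '1i ...'", this also
# produces the line when the file is empty, since sed runs no cycle on empty
# input.
set_global_directive() {
    local file="$1" keyword="$2" value="$3"
    LC_ALL=C sed -i "/^\s*${keyword}\s\+/Id" "$file"
    sed -i -e '$a\' "$file"                 # make sure file ends with a newline
    cp "$file" "$file.bak"
    printf '%s\n' "$keyword $value" > "$file"
    cat "$file.bak" >> "$file"
    rm "$file.bak"
}

# Line number of the first line starting with the keyword, or 0 if absent.
directive_line() {
    local n
    n=$(LC_ALL=C grep -n -m 1 "^$2\b" "$1" | cut -d: -f1 || true)
    printf '%s\n' "${n:-0}"
}

count_lines() { wc -l < "$1" | tr -d ' '; }

demo() {
    local cfg
    cfg=$(mktemp)
    make_sample_config "$cfg"
    echo "Match line numbers the old grep-based lookup returns:"
    old_match_line_numbers "$cfg"
    set_global_directive "$cfg" PermitRootLogin no
    set_global_directive "$cfg" PermitRootLogin no   # idempotent: no duplicate line
    echo "PermitRootLogin is on line $(directive_line "$cfg" PermitRootLogin)"
    echo "first Match is now on line $(directive_line "$cfg" Match)"
    cat "$cfg"
    rm -f "$cfg"
}

demo
```

Running the script prints the two line numbers the old lookup would have tried to subtract from, then the config with `PermitRootLogin no` as line 1 and both Match blocks untouched. The deletion regex mirrors the PR's `sed -i "/^\s*Compression\s\+/Id"` step, so it also removes an indented occurrence inside a Match block; that is the same trade-off the remediation makes.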

In case the desired parameter is not yet present in sshd_config file, a
new line needs to be included. However, this line cannot be included at
the end of the file if there is already any "Match" conditional. In that
case, global parameters need to be inserted before the "Match"
conditional. The former regex was causing issues in specific cases where
more than one line was matching the regex. This commit updates the regex
to ensure new lines are inserted at the beginning of the file.

Use more appropriate macro for Bash remediation in
sshd_disable_compression.

New lines targeting global settings in sshd_config will be inserted at
the beginning of the file instead of end of file or using "Match" as
reference.
@marcusburghardt marcusburghardt changed the title Sshd disable compression Improve remediation for SSH global settings Aug 28, 2023
@marcusburghardt marcusburghardt added this to the 0.1.70 milestone Aug 28, 2023
@marcusburghardt marcusburghardt added bugfix Fixes to reported bugs. Ansible Ansible remediation update. Bash Bash remediation update. labels Aug 28, 2023

@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "ClientAliveCountMax 0" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "ClientAliveCountMax 0" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "ClientAliveCountMax 0" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 
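Review bot: the new comment `# Insert at the beginning of the file` should state the reason, which so far lives only in the PR description: global directives must precede any `Match` block, and the removed `grep -n "^Match"` lookup returned several numbers when more than one `Match` line existed, so `$(( line_number - 1 ))` failed. A second sentence in that comment should also note that `printf '%s\n' "ClientAliveCountMax 0" > "/etc/ssh/sshd_config"` truncates the live file before `cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"` refills it, so the `.bak` copy is the only recovery point if the script is interrupted between those two lines and the `rm` must stay last. The retained `sed -i -e '$a\' "/etc/ssh/sshd_config"` is still needed: the original content now ends the file, and without a trailing newline the next remediation's `cat` would join onto its last line.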

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*ClientAliveCountMax\s+
       line: ClientAliveCountMax 0
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
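Review bot: `insertbefore: BOF` is only consulted when `regexp` matches nothing. Because `regexp: (?i)^\s*ClientAliveCountMax\s+` accepts leading whitespace, an indented `ClientAliveCountMax` line inside a `Match` block also matches, and `lineinfile` then replaces that last matching line in place rather than adding a global line at the top. Since sshd also accepts leading whitespace on global lines, simply dropping `\s*` is not an option; either accept the limitation and say so in a comment next to the task, or have the rule's check flag a keyword that only appears inside a `Match` block.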

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -14,17 +14,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -32,7 +32,7 @@
       regexp: (?i)^\s*ClientAliveCountMax\s+
       line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -14,17 +14,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -32,7 +32,7 @@
       regexp: (?i)^\s*ClientAliveInterval\s+
       line: ClientAliveInterval {{ sshd_idle_timeout_value }}
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "HostbasedAuthentication no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*HostbasedAuthentication\s+
       line: HostbasedAuthentication no
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2' differs.
--- xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
+++ xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*Protocol\s+
       line: Protocol 2
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -4,27 +4,22 @@
 var_sshd_disable_compression=''
 
 
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Compression")
 
-# shellcheck disable=SC2059
-printf -v formatted_output "%s %s" "$stripped_key" "$var_sshd_disable_compression"
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    
+    LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config"
+else
+    touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
 
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^Compression\\>" "/etc/ssh/sshd_config"; then
-    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
-    LC_ALL=C sed -i --follow-symlinks "s/^Compression\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config"
-else
-    if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then
-        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config"
-    fi
-    cce="CCE-80895-6"
-    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config"
-    printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config"
-fi
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert at the beginning of the file
+printf '%s\n' "Compression $var_sshd_disable_compression" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
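Review bot: the replaced block wrote `# Per CCE-80895-6: Set Compression ... in /etc/ssh/sshd_config` immediately before the directive, and the new macro inserts the line without that CCE traceability comment; if the macro cannot carry it, the rule should keep the mapping elsewhere. Two smaller points in the hunk: the line directly after `if [ -e "/etc/ssh/sshd_config" ] ; then` contains only whitespace and should be removed, and `LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config"` followed by the new `printf '%s\n' "Compression $var_sshd_disable_compression" > "/etc/ssh/sshd_config"` deserves one comment explaining that every existing `Compression` line is deleted first so the line inserted at the top is the only definition sshd sees.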

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -32,7 +32,7 @@
       regexp: (?i)^\s*Compression\s+
       line: Compression {{ var_sshd_disable_compression }}
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PermitEmptyPasswords no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*PermitEmptyPasswords\s+
       line: PermitEmptyPasswords no
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "GSSAPIAuthentication no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*GSSAPIAuthentication\s+
       line: GSSAPIAuthentication no
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "KerberosAuthentication no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*KerberosAuthentication\s+
       line: KerberosAuthentication no
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "PubkeyAuthentication no" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "PubkeyAuthentication no" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PubkeyAuthentication no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*PubkeyAuthentication\s+
       line: PubkeyAuthentication no
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "IgnoreRhosts yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*IgnoreRhosts\s+
       line: IgnoreRhosts yes
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*RhostsRSAAuthentication\s+
       line: RhostsRSAAuthentication no
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*PermitRootLogin\s+
       line: PermitRootLogin no
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "PermitRootLogin prohibit-password" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "PermitRootLogin prohibit-password" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PermitRootLogin prohibit-password" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*PermitRootLogin\s+
       line: PermitRootLogin prohibit-password
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "AllowTcpForwarding no" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "AllowTcpForwarding no" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "AllowTcpForwarding no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*AllowTcpForwarding\s+
       line: AllowTcpForwarding no
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "IgnoreUserKnownHosts yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*IgnoreUserKnownHosts\s+
       line: IgnoreUserKnownHosts yes
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "X11Forwarding no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*X11Forwarding\s+
       line: X11Forwarding no
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*PermitUserEnvironment\s+
       line: PermitUserEnvironment no
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "GSSAPIAuthentication yes" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "GSSAPIAuthentication yes" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "GSSAPIAuthentication yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 
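Review bot: `rm "/etc/ssh/sshd_config.bak"` runs unconditionally, so if the `cat` that restores the original contents fails (for example on a full filesystem) the script has already truncated `/etc/ssh/sshd_config` with `>` and then deletes the only intact copy. Chain the steps so the backup is removed only on success, e.g.
    printf '%s\n' "GSSAPIAuthentication yes" > "/etc/ssh/sshd_config" \
        && cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" \
        && rm "/etc/ssh/sshd_config.bak"
or leave the `.bak` in place when either step returns non-zero. The same applies to every other Bash hunk in this PR, since they come from the same macro.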

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*GSSAPIAuthentication\s+
       line: GSSAPIAuthentication yes
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "UsePAM yes" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "UsePAM yes" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "UsePAM yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 
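Review bot: `printf '%s\n' "UsePAM yes" > "/etc/ssh/sshd_config"` truncates the live config before `cat` restores the original contents, so while the second command runs sshd's config consists of one line, and an interruption there (signal, full disk, killed remediation run) leaves it that way; an sshd restart in that window would come up with every other setting at its default. The `.bak` copy makes the state recoverable by hand, but the window itself is avoidable: build the new file under a temporary name next to the original and rename it into place once complete, restoring mode, owner and SELinux context on the new inode, or at least collapse the rewrite into a single command, `cat - "/etc/ssh/sshd_config.bak" <<< "UsePAM yes" > "/etc/ssh/sshd_config"`, so the interval between truncation and full content is one process rather than two.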

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*UsePAM\s+
       line: UsePAM yes
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "PubkeyAuthentication yes" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "PubkeyAuthentication yes" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PubkeyAuthentication yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 
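Review bot: the `sed -i -e '$a\' "/etc/ssh/sshd_config"` step kept as context above exists to guarantee a trailing newline before appending at end of file; now that the new line goes first and the original contents are appended after it, a missing final newline in the original no longer matters for this path, so the step is dead weight for the insert case (it still rewrites the file in place and bumps its mtime on every run). Worth dropping it from the macro, or keeping it only for whichever earlier branch still appends to the end of the file.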

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*PubkeyAuthentication\s+
       line: PubkeyAuthentication yes
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "StrictModes yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*StrictModes\s+
       line: StrictModes yes
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "Banner /etc/issue" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*Banner\s+
       line: Banner /etc/issue
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "Banner /etc/issue.net" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "Banner /etc/issue.net" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "Banner /etc/issue.net" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*Banner\s+
       line: Banner /etc/issue.net
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "X11Forwarding yes" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "X11Forwarding yes" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "X11Forwarding yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*X11Forwarding\s+
       line: X11Forwarding yes
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PrintLastLog yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*PrintLastLog\s+
       line: PrintLastLog yes
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -17,17 +17,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 
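Review bot: with a variable-driven value such as `RekeyLimit $var_rekey_limit_size $var_rekey_limit_time` the Bash path writes whatever the profile supplies straight into line 1 of the config and never checks the result, while the Ansible counterpart runs `/usr/sbin/sshd -t -f %s` through `validate` before committing. A malformed size or time unit therefore leaves a config that sshd rejects at the next restart, which is worse than the remediation failing. Suggest running `/usr/sbin/sshd -t` after the `cat` and restoring from the `.bak` when it returns non-zero, at least for the variable-driven rules (this one, `LoginGraceTime`, `MaxAuthTries`, `MaxSessions`, `MaxStartups`, `UsePrivilegeSeparation`).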

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -37,7 +37,7 @@
       regexp: (?i)^\s*RekeyLimit\s+
       line: RekeyLimit {{ var_rekey_limit_size }} {{ var_rekey_limit_time }}
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -14,17 +14,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -32,7 +32,7 @@
       regexp: (?i)^\s*LoginGraceTime\s+
       line: LoginGraceTime {{ var_sshd_set_login_grace_time }}
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "LogLevel INFO" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*LogLevel\s+
       line: LogLevel INFO
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "LogLevel VERBOSE" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*LogLevel\s+
       line: LogLevel VERBOSE
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -14,17 +14,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -32,7 +32,7 @@
       regexp: (?i)^\s*MaxAuthTries\s+
       line: MaxAuthTries {{ sshd_max_auth_tries_value }}
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -14,17 +14,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "MaxSessions $var_sshd_max_sessions" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "MaxSessions $var_sshd_max_sessions" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "MaxSessions $var_sshd_max_sessions" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -32,7 +32,7 @@
       regexp: (?i)^\s*MaxSessions\s+
       line: MaxSessions {{ var_sshd_max_sessions }}
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -14,17 +14,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -32,7 +32,7 @@
       regexp: (?i)^\s*MaxStartups\s+
       line: MaxStartups {{ var_sshd_set_maxstartups }}
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -14,17 +14,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -32,7 +32,7 @@
       regexp: (?i)^\s*UsePrivilegeSeparation\s+
       line: UsePrivilegeSeparation {{ var_sshd_priv_separation }}
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -11,17 +11,9 @@
 sed -i -e '$a\' "/etc/ssh/sshd_config"
 
 cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "X11UseLocalhost yes" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "X11UseLocalhost yes" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "X11UseLocalhost yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
 # Clean up after ourselves.
 rm "/etc/ssh/sshd_config.bak"
 

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -26,7 +26,7 @@
       regexp: (?i)^\s*X11UseLocalhost\s+
       line: X11UseLocalhost yes
       state: present
-      insertbefore: ^[#\s]*Match
+      insertbefore: BOF
       validate: /usr/sbin/sshd -t -f %s
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
   tags:

@codeclimate
codeclimate bot commented Aug 28, 2023

Code Climate has analyzed commit af2ab73 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.3% (0.0% change).

View more on Code Climate.

@jan-cerny jan-cerny left a comment


I have seen that in Automatus GitHub Actions jobs most of the people are evaluated as notapplicable. So I ran the tests locally with a virtual machine used as a back end.

[jcerny@fedora scap-security-guide{pr/11032}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 sshd_disable_rhosts_rsa,sshd_use_approved_macs,sshd_use_strong_ciphers,sshd_set_max_auth_tries,sshd_use_priv_separation,sshd_use_strong_macs,sshd_set_idle_timeout,sshd_set_keepalive,sshd_set_max_sessions,sshd_allow_only_protocol2,sshd_use_strong_kex,sshd_set_maxstartups,sshd_disable_compression,sshd_rekey_limit,sshd_use_approved_ciphers,sshd_set_login_grace_time
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-08-29-1313/test_suite.log
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-hxux0ug4'
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-hxux0ug4'
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-hxux0ug4'
WARNING - Script openssh-6.6-configured.pass.sh is not applicable on given platform
WARNING - Script openssh-6.6.fail.sh is not applicable on given platform
WARNING - Script openssh-7.4.pass.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script bad_size_directory.fail.sh is not applicable on given platform
WARNING - Script bad_time_directory.fail.sh is not applicable on given platform
WARNING - Script no_line_directory.fail.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script rhel7.ok.pass.sh is not applicable on given platform
WARNING - Script rhel9_ospp_ok.pass.sh is not applicable on given platform
WARNING - Script correct_value_directory.pass.sh is not applicable on given platform
WARNING - Script other_comment.fail.sh is not applicable on given platform
WARNING - Script other_line_not_there.fail.sh is not applicable on given platform
WARNING - Script other_wrong_value.fail.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script wrong_value_directory.fail.sh is not applicable on given platform
WARNING - Script correct_value_dot_dir.pass.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script wrong_value_dot_dir.fail.sh is not applicable on given platform
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
WARNING - Script cis_rhel7_correct_value_full.pass.sh is not applicable on given platform
WARNING - Script cis_rhel7_wrong_value.fail.sh is not applicable on given platform
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_sshd_disable_compression
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_rekey_limit
INFO - Script bad_size.fail.sh using profile (all) OK
INFO - Script bad_time.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script duplicated_param.pass.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - Script rhel8_ospp_ok.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script no_line.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
WARNING - Script wrong_value.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script comment.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script correct_value.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script line_not_there.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script param_conflict.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
INFO - xccdf_org.ssgproject.content_rule_sshd_set_keepalive
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_less_than.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
INFO - Script comment.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script correct_reduced_list.pass.sh using profile (all) OK
INFO - Script correct_scrambled.pass.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_full.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script wrong_value.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script correct_variable.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
INFO - Script default_correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_macs'.
INFO - xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script nothing.fail.sh using profile (all) OK
INFO - Script wrong_value_no.fail.sh using profile (all) OK
INFO - Script wrong_value_yes.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script lower_bound.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script no_limit.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script too_high.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script nothing.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
[jcerny@fedora scap-security-guide{pr/11032}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 --remediate-using ansible sshd_disable_rhosts_rsa,sshd_use_approved_macs,sshd_use_strong_ciphers,sshd_set_max_auth_tries,sshd_use_priv_separation,sshd_use_strong_macs,sshd_set_idle_timeout,sshd_set_keepalive,sshd_set_max_sessions,sshd_allow_only_protocol2,sshd_use_strong_kex,sshd_set_maxstartups,sshd_disable_compression,sshd_rekey_limit,sshd_use_approved_ciphers,sshd_set_login_grace_time
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-08-29-1344/test_suite.log
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-yq6r0les'
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-yq6r0les'
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-yq6r0les'
WARNING - Script openssh-6.6-configured.pass.sh is not applicable on given platform
WARNING - Script openssh-6.6.fail.sh is not applicable on given platform
WARNING - Script openssh-7.4.pass.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script bad_size_directory.fail.sh is not applicable on given platform
WARNING - Script bad_time_directory.fail.sh is not applicable on given platform
WARNING - Script no_line_directory.fail.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script rhel7.ok.pass.sh is not applicable on given platform
WARNING - Script rhel9_ospp_ok.pass.sh is not applicable on given platform
WARNING - Script correct_value_directory.pass.sh is not applicable on given platform
WARNING - Script other_comment.fail.sh is not applicable on given platform
WARNING - Script other_line_not_there.fail.sh is not applicable on given platform
WARNING - Script other_wrong_value.fail.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script wrong_value_directory.fail.sh is not applicable on given platform
WARNING - Script correct_value_dot_dir.pass.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script wrong_value_dot_dir.fail.sh is not applicable on given platform
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
WARNING - Script cis_rhel7_correct_value_full.pass.sh is not applicable on given platform
WARNING - Script cis_rhel7_wrong_value.fail.sh is not applicable on given platform
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_sshd_disable_compression
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_rekey_limit
INFO - Script bad_size.fail.sh using profile (all) OK
INFO - Script bad_time.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script duplicated_param.pass.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - Script rhel8_ospp_ok.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script no_line.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
WARNING - Script wrong_value.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script comment.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script correct_value.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script line_not_there.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script param_conflict.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
INFO - xccdf_org.ssgproject.content_rule_sshd_set_keepalive
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_less_than.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
INFO - Script comment.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script correct_reduced_list.pass.sh using profile (all) OK
INFO - Script correct_scrambled.pass.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_full.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script wrong_value.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script correct_variable.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
INFO - Script default_correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_macs'.
INFO - xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script nothing.fail.sh using profile (all) OK
INFO - Script wrong_value_no.fail.sh using profile (all) OK
INFO - Script wrong_value_yes.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script lower_bound.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script no_limit.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script too_high.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script nothing.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK

@jan-cerny jan-cerny merged commit 1ae43d3 into ComplianceAsCode:master Aug 29, 2023
37 of 38 checks passed
@marcusburghardt marcusburghardt deleted the sshd_disable_compression branch August 29, 2023 19:55