
Introduce support for the distributed SSHd configuration #6926

Merged: 6 commits, Aug 3, 2021

Conversation

matejak (Member) commented Apr 30, 2021

As we can see in recent Fedora versions, the sshd configuration is not contained in the config file; the config file just includes whatever is in the /etc/ssh/sshd_config.d/ directory.

This PR adds this mechanism for Fedora and the RHEL9 products, and it introduces a rule that makes sure that such a directive exists in the main /etc/ssh/sshd_config file.

@matejak matejak added this to the 0.1.56 milestone Apr 30, 2021
openscap-ci (Collaborator) commented Apr 30, 2021

Changes identified:
Rules:
 sshd_use_directory_configuration
 ntpd_configure_restrictions
 grub2_no_removeable_media
Macros:
 set_config_file
 lineinfile_absent
 lineinfile_present
 oval_line_in_file_criterion
 oval_line_in_file_test
 oval_line_in_file_object
 oval_line_in_file_state
Others:
 Changes in Python files.


Rule sshd_use_directory_configuration:
 The rule doesn't occur in any profile nor product.
 OVAL check is newly added.
 Bash remediation is newly added.
Rule ntpd_configure_restrictions:
 The rule doesn't occur in any profile nor product.
 Found change in bash remediation.
Rule grub2_no_removeable_media:
 Template usage changed in OVAL check.
Macro set_config_file:
 In Ansible remediation for accounts_have_homedir_login_defs.
 In Bash remediation for coredump_disable_backtraces.
 In Bash remediation for sshd_use_strong_macs.
 In Ansible remediation for configure_openssl_tls_crypto_policy.
 In Bash remediation for sshd_set_max_auth_tries.
 In Bash remediation for ntpd_configure_restrictions.
 In Bash remediation for sshd_set_idle_timeout.
 In Bash remediation for sshd_use_priv_separation.
 In Bash remediation for sshd_set_keepalive.
 In Bash remediation for sshd_use_strong_ciphers.
 In Bash remediation for accounts_have_homedir_login_defs.
 In Bash remediation for selinux_state.
 In Bash remediation for selinux_policytype.
 In Bash remediation for configure_usbguard_auditbackend.
 In Bash remediation for postfix_network_listening_disabled.
 In Bash remediation for ssh_client_rekey_limit.
 In Bash remediation for sshd_rekey_limit.
 In Bash remediation for configure_openssl_tls_crypto_policy.
 In Bash remediation for coredump_disable_storage.
 In Bash remediation for sudoers_validate_passwd.
 In Bash remediation for sshd_set_max_sessions.
 In Ansible remediation for accounts_tmout.
Macro lineinfile_absent:
 In Ansible remediation for accounts_have_homedir_login_defs.
 In Bash remediation for coredump_disable_backtraces.
 In Bash remediation for sshd_use_strong_macs.
 In Ansible remediation for configure_openssl_tls_crypto_policy.
 In Bash remediation for sshd_set_max_auth_tries.
 In Bash remediation for ntpd_configure_restrictions.
 In Bash remediation for sshd_set_idle_timeout.
 In Bash remediation for sshd_use_priv_separation.
 In Bash remediation for sshd_set_keepalive.
 In Bash remediation for sshd_use_strong_ciphers.
 In Bash remediation for accounts_have_homedir_login_defs.
 In Bash remediation for selinux_state.
 In Bash remediation for selinux_policytype.
 In Bash remediation for configure_usbguard_auditbackend.
 In Bash remediation for postfix_network_listening_disabled.
 In Bash remediation for ssh_client_rekey_limit.
 In Bash remediation for sshd_rekey_limit.
 In Bash remediation for configure_openssl_tls_crypto_policy.
 In Bash remediation for coredump_disable_storage.
 In Bash remediation for sudoers_validate_passwd.
 In Bash remediation for sshd_set_max_sessions.
 In Ansible remediation for accounts_tmout.
Macro lineinfile_present:
 In Ansible remediation for accounts_have_homedir_login_defs.
 In Bash remediation for coredump_disable_backtraces.
 In Bash remediation for sshd_use_strong_macs.
 In Ansible remediation for configure_openssl_tls_crypto_policy.
 In Bash remediation for sshd_set_max_auth_tries.
 In Bash remediation for ntpd_configure_restrictions.
 In Bash remediation for sshd_set_idle_timeout.
 In Bash remediation for sshd_use_priv_separation.
 In Bash remediation for sshd_set_keepalive.
 In Bash remediation for sshd_use_strong_ciphers.
 In Bash remediation for accounts_have_homedir_login_defs.
 In Bash remediation for selinux_state.
 In Bash remediation for selinux_policytype.
 In Bash remediation for configure_usbguard_auditbackend.
 In Bash remediation for postfix_network_listening_disabled.
 In Bash remediation for ssh_client_rekey_limit.
 In Bash remediation for sshd_rekey_limit.
 In Bash remediation for configure_openssl_tls_crypto_policy.
 In Bash remediation for coredump_disable_storage.
 In Bash remediation for sudoers_validate_passwd.
 In Bash remediation for sshd_set_max_sessions.
 In Ansible remediation for accounts_tmout.
Macro oval_line_in_file_criterion:
 In OVAL check for harden_ssh_client_crypto_policy.
 In OVAL check for sshd_rekey_limit.
 In OVAL check for sshd_use_directory_configuration.
Macro oval_line_in_file_test:
 In OVAL check for sshd_use_priv_separation.
 In OVAL check for chronyd_run_as_chrony_user.
 In OVAL check for postfix_prevent_unrestricted_relay.
 In OVAL check for harden_openssl_crypto_policy.
 In OVAL check for sshd_use_strong_macs.
 In OVAL check for gnome_gdm_disable_xdmcp.
 In OVAL check for configure_openssl_tls_crypto_policy.
 In OVAL check for grub2_no_removeable_media.
 In OVAL check for dnf-automatic_apply_updates.
 In OVAL check for sshd_disable_compression.
 In OVAL check for dnf-automatic_security_updates_only.
 In OVAL check for harden_ssh_client_crypto_policy.
 In OVAL check for coredump_disable_backtraces.
 In OVAL check for sshd_use_strong_ciphers.
 In OVAL check for harden_sshd_crypto_policy.
 In OVAL check for configure_usbguard_auditbackend.
 In OVAL check for grub2_nousb_argument.
 In OVAL check for configure_etc_hosts_deny.
 In OVAL check for coredump_disable_storage.
 In OVAL check for sshd_use_directory_configuration.
Macro oval_line_in_file_object:
 In OVAL check for sshd_use_priv_separation.
 In OVAL check for chronyd_run_as_chrony_user.
 In OVAL check for postfix_prevent_unrestricted_relay.
 In OVAL check for harden_openssl_crypto_policy.
 In OVAL check for sshd_use_strong_macs.
 In OVAL check for gnome_gdm_disable_xdmcp.
 In OVAL check for configure_openssl_tls_crypto_policy.
 In OVAL check for grub2_no_removeable_media.
 In OVAL check for dnf-automatic_apply_updates.
 In OVAL check for sshd_disable_compression.
 In OVAL check for dnf-automatic_security_updates_only.
 In OVAL check for harden_ssh_client_crypto_policy.
 In OVAL check for coredump_disable_backtraces.
 In OVAL check for sshd_use_strong_ciphers.
 In OVAL check for harden_sshd_crypto_policy.
 In OVAL check for configure_usbguard_auditbackend.
 In OVAL check for grub2_nousb_argument.
 In OVAL check for configure_etc_hosts_deny.
 In OVAL check for coredump_disable_storage.
 In OVAL check for sshd_use_directory_configuration.
Macro oval_line_in_file_state:
 In OVAL check for coredump_disable_backtraces.
 In OVAL check for dnf-automatic_apply_updates.
 In OVAL check for sshd_use_strong_ciphers.
 In OVAL check for harden_sshd_crypto_policy.
 In OVAL check for sshd_use_strong_macs.
 In OVAL check for chronyd_run_as_chrony_user.
 In OVAL check for configure_usbguard_auditbackend.
 In OVAL check for grub2_nousb_argument.
 In OVAL check for dnf-automatic_security_updates_only.
 In OVAL check for postfix_prevent_unrestricted_relay.
 In OVAL check for harden_ssh_client_crypto_policy.
 In OVAL check for gnome_gdm_disable_xdmcp.
 In OVAL check for configure_openssl_tls_crypto_policy.
 In OVAL check for coredump_disable_storage.
 In OVAL check for configure_etc_hosts_deny.
 In OVAL check for harden_openssl_crypto_policy.
 In OVAL check for grub2_no_removeable_media.
Others:
 Python abstract syntax tree change found in ssg/jinja.py.

Recommended tests to execute:
 build_product rhel7
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-rhel7-ds.xml grub2_no_removeable_media
 (cd build && cmake ../ && ctest -j4)

JAORMX (Contributor) left a comment:

awesomeness!! Wish we had this in RHCOS already

cipherboy (Contributor) left a comment:

Sometimes I really dislike the Match syntax of SSH config files but at least it is consistent... :-)

I like the intent of this though!

JAORMX (Contributor) commented Apr 30, 2021

Huh, there seem to be some regressions. This is from the ci/prow/e2e-aws-rhcos4-e8 job:

 INFO[2021-04-30T11:18:09Z]     helpers.go:695: Result - Name: e2e-e8-master-sshd-disable-rhosts - Status: FAIL - Severity: medium 
INFO[2021-04-30T11:18:09Z]     helpers.go:698: E2E-FAILURE: The expected result for the sshd_disable_rhosts rule didn't match. Expected 'PASS', Got 'FAIL'

JAORMX (Contributor) commented Apr 30, 2021

The same failure appears in the moderate job.

matejak (Member, Author) commented May 4, 2021

There are some mysterious failures - the rule should work exactly the same on other products than Fedora and RHEL9, and it also fails to build (presumably on Python2 systems) with a really weird error message.
I will investigate those.

@matejak matejak force-pushed the sshd_directory_config branch 2 times, most recently from 517c06c to 2fbaeff on May 10, 2021 17:55
@vojtapolasek vojtapolasek modified the milestones: 0.1.56, 0.1.57 May 11, 2021
@matejak matejak force-pushed the sshd_directory_config branch 2 times, most recently from 8efe401 to ff74aaa on May 12, 2021 07:44
@openshift-ci openshift-ci bot added the needs-rebase Used by openshift-ci bot. label Jun 28, 2021
@openshift-ci openshift-ci bot removed the needs-rebase Used by openshift-ci bot. label Jul 13, 2021
@matejak matejak added the RHEL9 Red Hat Enterprise Linux 9 product related. label Jul 13, 2021
@openshift-ci openshift-ci bot added the needs-rebase Used by openshift-ci bot. label Jul 25, 2021
@openshift-ci openshift-ci bot removed the needs-rebase Used by openshift-ci bot. label Jul 27, 2021
yuumasato (Member) commented:

> There are some mysterious failures - the rule should work exactly the same on other products than Fedora and RHEL9, and it also fails to build (presumably on Python2 systems) with a really weird error message.
> I will investigate those.

@matejak Was there any conclusion on the mysterious failures?

@yuumasato yuumasato self-assigned this Jul 27, 2021
yuumasato (Member) left a comment:

@matejak Sorry, my mistake: I made a comment but did not finish the review.

Configuration of sshd moves from one config file to a config directory.
Therefore, checks should consider all those files, and the remediation should aim
to deliver fixes to one of those files in the config directory.

Tests that interact with this behavior have been added and are applicable for Fedora and RHEL9 products.

It now escapes the text contents if parts of them could be incorrectly interpreted as regexes.

The rule makes sure that the sshd configuration is distributed in the
/etc/ssh/sshd_config.d/ directory, and therefore it makes sense to scan that directory
in other rules.

Support in older jinja2 packages is not in a good shape.
matejak (Member, Author) commented Jul 30, 2021

> @matejak Was there any conclusion on the mysterious failures?

Yes, they were related to Jinja constructs that were not supported everywhere, and they were fixed.

@matejak matejak force-pushed the sshd_directory_config branch 2 times, most recently from ad3845b to 6c97b0f on August 3, 2021 14:51
Don't remediate when the config file already contains the include
directive.
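The following is an added example, not code from this PR or from the ComplianceAsCode project. It puts the three points of the thread side by side in plain POSIX sh: the check for the Include directive in the main /etc/ssh/sshd_config (matching the literal line rather than an unescaped regex, the concern behind the "escapes the text contents" commit above), an idempotent remediation that does nothing when the directive is already present (the commit just above), and a lookup that resolves a keyword's effective value across sshd_config and the sshd_config.d drop-ins, which is what checks for other rules have to do once configuration is distributed. The function names, the temp-root layout and the 50-demo.conf drop-in under make_demo_root are constructed for the demonstration; the walker assumes absolute Include paths and ignores Match blocks, a simplification of this example and not of sshd.

```shell
#!/bin/sh
# Added example, not code from the ComplianceAsCode project.
# sshd_config(5): for each keyword the first obtained value is used, and
# Include lines are expanded in place, so an Include at the top of the
# main file lets the drop-ins in sshd_config.d take precedence.

INCLUDE_GLOB='/etc/ssh/sshd_config.d/*.conf'
INCLUDE_LINE="Include $INCLUDE_GLOB"

# Escape ERE metacharacters so a literal config line can be used as a
# grep pattern: the '.' and '*' in the Include path would otherwise be
# read as regex operators and match lines that are not the directive.
regex_escape() {
    printf '%s\n' "$1" | sed 's/[][\\.*^$+?(){}|]/\\&/g'
}

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Check: does FILE carry an uncommented Include of the drop-in directory?
# sshd keywords are case-insensitive, hence -i.
sshd_has_include() {
    grep -Eiq "^[[:space:]]*Include[[:space:]]+$(regex_escape "$INCLUDE_GLOB")[[:space:]]*$" "$1"
}

# Remediation: prepend the Include line only when it is missing, so running
# the fix twice never duplicates the directive. Writing back through the
# existing file (rather than mv) keeps its mode and SELinux context.
sshd_ensure_include() {
    cfg="$1"
    if sshd_has_include "$cfg"; then
        return 0
    fi
    tmp="$cfg.tmp.$$"
    { printf '%s\n' "$INCLUDE_LINE"; cat "$cfg"; } > "$tmp" \
        && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Print every value of keyword $3 in the order sshd reads it, starting at
# file $2 and expanding Include lines beneath root $1 (assumption: one
# absolute glob per Include line; Match blocks are not interpreted).
_sshd_values() {
    root="$1"; file="$2"; want=$(lc "$3")
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}      # trim leading whitespace
        case "$line" in ''|'#'*) continue ;; esac  # skip blanks and comments
        key=${line%%[[:space:]]*}
        val=${line#"$key"}
        val=${val#"${val%%[![:space:]]*}"}         # trim leading whitespace
        val=${val%"${val##*[![:space:]]}"}         # trim trailing whitespace
        case "$(lc "$key")" in
            include)
                for inc in $root$val; do           # unquoted: glob expansion intended
                    _sshd_values "$root" "$inc" "$want"
                done ;;
            "$want") printf '%s\n' "$val" ;;
        esac
    done < "$file"
}

# Effective value of KEYWORD for the tree rooted at ROOT ("" for a live system).
sshd_effective_value() {
    _sshd_values "$1" "$1/etc/ssh/sshd_config" "$2" | head -n 1
}

# Constructed layout for the demonstration: the main file lacks the Include,
# and a drop-in sets a stricter PermitRootLogin than the main file does.
make_demo_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/ssh/sshd_config.d"
    printf '%s\n' '# constructed sshd_config without the Include directive' \
        'PermitRootLogin yes' 'X11Forwarding no' > "$r/etc/ssh/sshd_config"
    printf '%s\n' 'PermitRootLogin no' 'ClientAliveInterval 600' \
        > "$r/etc/ssh/sshd_config.d/50-demo.conf"
    printf '%s\n' "$r"
}

demo() {
    r=$(make_demo_root)
    echo "before: PermitRootLogin=$(sshd_effective_value "$r" PermitRootLogin)"
    sshd_ensure_include "$r/etc/ssh/sshd_config"
    sshd_ensure_include "$r/etc/ssh/sshd_config"   # second run must be a no-op
    echo "after:  PermitRootLogin=$(sshd_effective_value "$r" PermitRootLogin)"
    echo "Include lines in main file: $(grep -ci '^include' "$r/etc/ssh/sshd_config")"
    rm -rf "$r"
}

demo
```

Running the script prints PermitRootLogin=yes before the remediation (the drop-in is never read) and =no after it, with exactly one Include line in the main file after the second, no-op run. Passing an empty root (`sshd_effective_value "" PermitRootLogin`) evaluates the live /etc/ssh tree read-only; a rule that checks sshd_config alone would miss the drop-in's value.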
@yuumasato yuumasato modified the milestones: 0.1.57, 0.1.58 Aug 3, 2021
@yuumasato yuumasato added New Rule Issues or pull requests related to new Rules. Update Rule Issues or pull requests related to Rules updates. labels Aug 3, 2021
@yuumasato yuumasato dismissed cipherboy’s stale review August 3, 2021 15:43

I believe Alex's concerns were addressed

@yuumasato yuumasato merged commit 3183866 into ComplianceAsCode:master Aug 3, 2021
7 participants