update rule sles-15-040250

linux_os/guide/services/ssh/file_permissions_sshd_private_key/ansible/shared.yml

@@ -7,8 +7,16 @@
 {{% set find_command_base = 'find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$" -type f' %}}
 {{% set dedicated_ssh_groupname = groups.get("dedicated_ssh_keyowner", {}).get("name") %}}
 
+{{% if product in ["sle12", "sle15"] %}}
+{{% set find_command = find_command_base + ' -group root -perm /u+xs,g+xws,o+xwrt' %}}
+{{% set permissions_mode = 'u-xs,g-xws,o-xwrt' %}}
+{{% else %}}
+{{% set find_command = find_command_base + ' -group root -perm /u+xs,g+xwrs,o+xwrt' %}}
+{{% set permissions_mode = 'u-xs,g-xwrs,o-xwrt' %}}
+{{% endif %}}
+
 - name: Find root:root-owned keys
-  command: '{{{ find_command_base }}} -group root -perm /u+xs,g+xwrs,o+xwrt'
+  command: '{{{ find_command }}}'
   register: root_owned_keys
   changed_when: False
   failed_when: False
@@ -17,7 +25,7 @@
 - name: Set permissions for root:root-owned keys
   file:
     path: "{{ item }}"
-    mode: "u-xs,g-xwrs,o-xwrt"
+    mode: '{{{ permissions_mode }}}'
     state: file
   with_items:
     - "{{ root_owned_keys.stdout_lines }}"

linux_os/guide/services/ssh/file_permissions_sshd_private_key/bash/shared.sh

@@ -8,7 +8,11 @@ test root:{{{ groupname }}} = "$(stat -c "%U:%G" "$keyfile")"
 for keyfile in /etc/ssh/*_key; do
     test -f "$keyfile" || continue
     if {{{ keyfile_owned_by("root") }}}; then
+    {{% if product in ["sle12", "sle15"] %}}
+	chmod u-xs,g-xws,o-xwrt "$keyfile"
+    {{% else %}}
 	chmod u-xs,g-xwrs,o-xwrt "$keyfile"
+    {{% endif %}}
     {{% if dedicated_ssh_groupname -%}}
     elif {{{ keyfile_owned_by(dedicated_ssh_groupname) }}}; then
 	chmod u-xs,g-xws,o-xwrt "$keyfile"

linux_os/guide/services/ssh/file_permissions_sshd_private_key/oval/shared.xml

@@ -58,8 +58,12 @@
       {{# intentionally not considered: <unix:uread datatype="boolean">true</unix:uread> #}}
       {{# intentionally not considered: <unix:uwrite datatype="boolean">true</unix:uwrite> #}}
       <unix:uexec datatype="boolean">false</unix:uexec>
-
+
+      {{% if product in ["sle12", "sle15"] -%}}
+      {{# intentionally not considered: <unix:gread datatype="boolean">true</unix:gread> #}}
+      {{%- else %}}
       <unix:gread datatype="boolean">false</unix:gread>
+      {{%- endif %}}
       <unix:gwrite datatype="boolean">false</unix:gwrite>
       <unix:gexec datatype="boolean">false</unix:gexec>
 

linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml

@@ -4,7 +4,7 @@ title: 'Verify Permissions on SSH Server Private *_key Key Files'
 
 {{% set dedicated_ssh_groupname = groups.get("dedicated_ssh_keyowner", {}).get("name") %}}
 
-{{% if product == 'rhcos4' %}}
+{{% if product in ["rhcos4", "sle12", "sle15"] %}}
 {{# CoreOS is special - it is immutable, so it is more predictable, and it uses the dedicated group as key owner by default #}}
 {{% set perms = "-rw-r-----" %}}
 {{% set perms_num = "0640" %}}
@@ -67,6 +67,6 @@ ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms=perm
 ocil: |-
     {{{ ocil_file_permissions(file="/etc/ssh/*_key", perms=perms) }}}
 
-fixtext: '{{{ srg_requirement_file_permission(file="/etc/ssh/*_key", mode="0600") }}}'
+fixtext: '{{{ srg_requirement_file_permission(file="/etc/ssh/*_key", mode=perms_num) }}}'
 
-srg_requirement: 'The {{{ full_namne }}} SSH private host key files must have mode 0600 or less permissive.'
+srg_requirement: 'The {{{ full_namne }}} SSH private host key files must have mode {{{ perms_num }}} or less permissive.'