ComplianceAsCode · Mab879 · May 11, 2023 · May 11, 2023 · May 11, 2023 · May 11, 2023
diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
@@ -1763,16 +1763,22 @@ controls:
     levels:
     - l1_server
     - l1_workstation
-    automated: no # rule missing (we have similar)
+    status: automated
+    rules:
+      - file_permissions_sshd_private_key
+      - file_ownership_sshd_private_key
+      - file_groupownership_sshd_private_key
 
   - id: 5.3.3
     title: Ensure permissions on SSH public host key files are configured (Automated)
     levels:
     - l1_server
     - l1_workstation
-    status: partial # missing rules for ownership
+    status: automated
     rules:
     - file_permissions_sshd_pub_key
+    - file_ownership_sshd_pub_key
+    - file_groupownership_sshd_pub_key
 
   - id: 5.3.4
     title: Ensure SSH access is limited (Automated)

@@ -1956,28 +1956,27 @@ controls:
       - file_owner_sshd_config
       - file_permissions_sshd_config
 
-  # NEEDS RULE
-  # Missing rules for owner and group-owner.
-  # https://github.com/ComplianceAsCode/content/issues/7334
   - id: 5.2.2
     title: Ensure permissions on SSH private host key files are configured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: partial
+    status: automated
     rules:
       - file_permissions_sshd_private_key
+      - file_ownership_sshd_private_key
+      - file_groupownership_sshd_private_key
 
-  # TODO
-  # Missing rules for owner and group-owner.
   - id: 5.2.3
     title: Ensure permissions on SSH public host key files are configured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: partial
+    status: automated
     rules:
       - file_permissions_sshd_pub_key
+      - file_ownership_sshd_pub_key
+      - file_groupownership_sshd_pub_key
 
   - id: 5.2.4
     title: Ensure SSH access is limited (Automated)

@@ -1800,28 +1800,27 @@ controls:
       - file_owner_sshd_config
       - file_permissions_sshd_config
 
-  # NEEDS RULE
-  # Missing rules for owner and group-owner.
-  # https://github.com/ComplianceAsCode/content/issues/7334
   - id: 5.2.2
     title: Ensure permissions on SSH private host key files are configured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: partial
+    status: automated
     rules:
       - file_permissions_sshd_private_key
+      - file_ownership_sshd_private_key
+      - file_groupownership_sshd_private_key
 
-  # TODO
-  # Missing rules for owner and group-owner.
   - id: 5.2.3
     title: Ensure permissions on SSH public host key files are configured (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: partial
+    status: automated
     rules:
       - file_permissions_sshd_pub_key
+      - file_ownership_sshd_pub_key
+      - file_groupownership_sshd_pub_key
 
   - id: 5.2.4
     title: Ensure SSH access is limited (Automated)

diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+title: 'Verify Group Ownership on SSH Server Private *_key Key Files'
+
+{{% set dedicated_ssh_groupname = groups.get("dedicated_ssh_keyowner", {}).get("name") %}}
+{{% set dedicated_ssh_groupid = groups.get("dedicated_ssh_keyowner", {}).get("id") %}}
+
+description: |-
+    SSH server private keys, files that match the <code>/etc/ssh/*_key</code> glob, must be
+    group-owned by <code>{{{ dedicated_ssh_groupname if dedicated_ssh_groupname else 'root' }}}</code> group.
+
+rationale: |-
+    If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86125-2
+    cce@rhel8: CCE-86126-0
+    cce@rhel9: CCE-86127-8
+
+references:
+    cis@rhel7: 5.3.2
+    cis@rhel8: 5.2.2
+    cis@rhel9: 5.2.2
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/*_key", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/etc/ssh/*_key", group="root") }}}
+
+template:
+    name: file_groupowner
+    vars:
+        filepath:
+            - /etc/ssh/
+        file_regex:
+            - ^.*_key$
+        filegid: '{{{ dedicated_ssh_groupid if dedicated_ssh_groupid else '0' }}}'
diff --git a/.../guide/services/ssh/file_groupownership_sshd_private_key/tests/correct_groupowner.pass.sh b/.../guide/services/ssh/file_groupownership_sshd_private_key/tests/correct_groupowner.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
+chgrp ssh_keys "$FAKE_KEY"
diff --git a/...uide/services/ssh/file_groupownership_sshd_private_key/tests/incorrect_groupowner.fail.sh b/...uide/services/ssh/file_groupownership_sshd_private_key/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+test_group="cac_testgroup"
+groupadd $test_group
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
+chgrp $test_group "$FAKE_KEY"
diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/tests/multiple_keys.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+test_group="cac_testgroup"
+groupadd $test_group
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
+chgrp ssh_keys "$FAKE_KEY"
+
+FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX_key)
+chgrp $test_group "$FAKE_KEY2"
diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Verify Group Ownership on SSH Server Public *.pub Key Files'
+
+description: |-
+    SSH server public keys, files that match the <code>/etc/ssh/*.pub</code> glob, must be
+    group-owned by <code>root</code> group.
+
+rationale: |-
+    If a public host key file is modified by an unauthorized user, the SSH service
+    may be compromised.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86132-8
+    cce@rhel8: CCE-86133-6
+    cce@rhel9: CCE-86136-9
+
+references:
+    cis@rhel7: 5.3.3
+    cis@rhel8: 5.2.3
+    cis@rhel9: 5.2.3
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/*.pub", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/etc/ssh/*.pub", group="root") }}}
+
+template:
+    name: file_groupowner
+    vars:
+        filepath:
+            - /etc/ssh/
+        file_regex:
+            - ^.*\.pub$
+        filegid: '0'
+        missing_file_pass: 'true'
diff --git a/...x_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/correct_groupowner.pass.sh b/...x_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/correct_groupowner.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX.pub)
+chgrp root "$FAKE_KEY"
diff --git a/...os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/incorrect_groupowner.fail.sh b/...os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+test_group="cac_testgroup"
+groupadd $test_group
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX.pub)
+chgrp $test_group "$FAKE_KEY"
diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/tests/multiple_keys.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+test_group="cac_testgroup"
+groupadd $test_group
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX.pub)
+chgrp ssh_keys "$FAKE_KEY"
+
+FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX.pub)
+chgrp $test_group "$FAKE_KEY2"
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: 'Verify Ownership on SSH Server Private *_key Key Files'
+
+description: |-
+    SSH server private keys, files that match the <code>/etc/ssh/*_key</code> glob, must be owned
+    by <code>root</code> user.
+
+rationale: |-
+    If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86117-9
+    cce@rhel8: CCE-86118-7
+    cce@rhel9: CCE-86119-5
+
+references:
+    cis@rhel7: 5.3.2
+    cis@rhel8: 5.2.2
+    cis@rhel9: 5.2.2
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/*_key", owner="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_owner(file="/etc/ssh/*_key", owner="root") }}}
+
+template:
+    name: file_owner
+    vars:
+        filepath:
+            - /etc/ssh/
+        file_regex:
+            - ^.*_key$
+        fileuid: '0'
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/correct_owner.pass.sh b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/correct_owner.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
+chown root "$FAKE_KEY"
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/incorrect_owner.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/incorrect_owner.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+test_user="cac_testuser"
+useradd $test_user
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
+chown $test_user "$FAKE_KEY"
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/tests/multiple_keys.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+test_user="cac_testuser"
+useradd $test_user
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX_key)
+chown root "$FAKE_KEY"
+
+FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX_key)
+chown $test_user "$FAKE_KEY2"
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Verify Ownership on SSH Server Public *.pub Key Files'
+
+description: |-
+    SSH server public keys, files that match the <code>/etc/ssh/*.pub</code> glob, must be owned
+    by <code>root</code> user.
+
+rationale: |-
+    If a public host key file is modified by an unauthorized user, the SSH service
+    may be compromised.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86128-6
+    cce@rhel8: CCE-86129-4
+    cce@rhel9: CCE-86130-2
+
+references:
+    cis@rhel7: 5.3.3
+    cis@rhel8: 5.2.3
+    cis@rhel9: 5.2.3
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/*.pub", owner="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_owner(file="/etc/ssh/*.pub", owner="root") }}}
+
+template:
+    name: file_owner
+    vars:
+        filepath:
+            - /etc/ssh/
+        file_regex:
+            - ^.*\.pub$
+        fileuid: '0'
+        missing_file_pass: 'true'
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/correct_owner.pass.sh b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/correct_owner.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX.pub)
+chown root "$FAKE_KEY"
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/incorrect_owner.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/incorrect_owner.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+test_user="cac_testuser"
+useradd $test_user
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX.pub)
+chown $test_user "$FAKE_KEY"
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/multiple_keys.fail.sh b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/tests/multiple_keys.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+test_user="cac_testuser"
+useradd $test_user
+
+FAKE_KEY=$(mktemp -p /etc/ssh/ XXXX.pub)
+chown root "$FAKE_KEY"
+
+FAKE_KEY2=$(mktemp -p /etc/ssh/ XXXX.pub)
+chown $test_user "$FAKE_KEY2"
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -37,6 +37,7 @@ references:
     anssi: BP28(R36)
     cis-csc: 12,13,14,15,16,18,3,5
     cis@alinux2: 5.2.3
+    cis@rhel7: 5.3.2
     cis@rhel8: 5.2.2
     cis@rhel9: 5.2.2
     cis@sle12: 5.2.2

diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
@@ -27,6 +27,7 @@ audisp_conf_path: "/etc/audisp"
 groups:
   dedicated_ssh_keyowner:
     name: ssh_keys
+    id: "997"
 
 cpes_root: "../../shared/applicability"
 cpes:

diff --git a/products/rhel8/product.yml b/products/rhel8/product.yml
@@ -27,6 +27,7 @@ grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
 groups:
   dedicated_ssh_keyowner:
     name: ssh_keys
+    id: "995"
 
 faillock_path: "/var/log/faillock"
 

diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml
@@ -18,6 +18,7 @@ grub2_uefi_boot_path: "/boot/grub2"
 groups:
   dedicated_ssh_keyowner:
     name: ssh_keys
+    id: "996"
 
 sshd_distributed_config: "true"