Improve remediation for SSH global settings #11032
In case the desired parameter is not yet present in sshd_config file, a new line needs to be included. However, this line cannot be included at the end of the file if there is already any "Match" conditional. In that case, global parameters need to be inserted before the "Match" conditional. The former regex was causing issues in specific cases where more than one line was matching the regex. This commit updates the regex to ensure new lines are inserted at the beginning of the file.
Use more appropriate macro for Bash remediation in sshd_disable_compression.
New lines targeting global settings in sshd_config will be inserted at the beginning of the file instead of end of file or using "Match" as reference.
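As an added example (not code from the PR or from the ComplianceAsCode project), the POSIX shell script below replays the PR's insert-at-beginning step on a constructed sshd_config that carries an Include line and two Match blocks, shows why the old `grep -n '^Match'` lookup returned two line numbers, and checks the outcome against sshd's first-value-wins lookup. The earlier remediation step that removes an existing global line for the keyword lies outside the hunks shown and is not reproduced; `mktemp` and `tail -c` are assumed available.

```shell
#!/bin/sh
# Added example, not code from the PR or from the ComplianceAsCode project:
# it applies the PR's "insert at the beginning of the file" step to a
# constructed sshd_config and checks the outcome against sshd's rule that
# the first value seen for a keyword wins and Match blocks apply only
# conditionally. The earlier remediation step that deletes an existing
# global line for the keyword is outside the hunks shown and is not repeated.

# Constructed sample config (no real host): an Include line, a commented-out
# keyword, and two Match blocks, one of which sets the keyword conditionally.
SAMPLE_CONFIG='Include /etc/ssh/sshd_config.d/*.conf
#ClientAliveCountMax 3
Port 22
Match User backup
    ClientAliveCountMax 5
Match Address 10.0.0.0/8
    X11Forwarding no
'

# The old remediation's lookup: with two Match lines this yields two line
# numbers, which is the "more than one line was matching" failure the PR
# describes (the arithmetic on $line_number then breaks).
old_match_line_numbers() {
  LC_ALL=C grep -n '^Match' "$1" | LC_ALL=C sed 's/:.*//g'
}

# The PR's new sequence: guarantee a trailing newline, keep a copy, write the
# wanted line first, then append the original content. Writing with '>'
# keeps the inode, so mode, owner and SELinux label of the file survive.
insert_at_bof() {
  file=$1
  line=$2
  if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
    printf '\n' >> "$file"
  fi
  cp "$file" "$file.bak"
  printf '%s\n' "$line" > "$file"
  cat "$file.bak" >> "$file"
  rm "$file.bak"
}

# Emulate sshd's global lookup: the first uncommented occurrence of the
# keyword before any Match line wins; Match-scoped lines are never global.
# Prints the value, or nothing when the keyword is not set globally.
effective_global_value() {
  awk -v kw="$2" '
    tolower($1) == "match"     { exit }
    tolower($1) == tolower(kw) { print $2; exit }
  ' "$1"
}

# Number of Match lines, to confirm the insertion left the blocks untouched.
count_match_lines() {
  grep -c -i '^[[:space:]]*Match[[:space:]]' "$1"
}

# Value the keyword has inside Match blocks (first occurrence after a Match
# line), to confirm conditional settings are not clobbered by the insert.
match_scoped_value() {
  awk -v kw="$2" '
    tolower($1) == "match"                { inmatch = 1; next }
    inmatch && tolower($1) == tolower(kw) { print $2; exit }
  ' "$1"
}

# Runs the whole sequence on a temp file and returns a compact summary:
# global value before|global value after|first line|Match lines|scoped value
run_demo() {
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_CONFIG" > "$tmp"
  before=$(effective_global_value "$tmp" ClientAliveCountMax)
  insert_at_bof "$tmp" "ClientAliveCountMax 0"
  after=$(effective_global_value "$tmp" ClientAliveCountMax)
  first=$(head -n 1 "$tmp")
  matches=$(count_match_lines "$tmp")
  scoped=$(match_scoped_value "$tmp" ClientAliveCountMax)
  rm -f "$tmp"
  printf '%s|%s|%s|%s|%s\n' "$before" "$after" "$first" "$matches" "$scoped"
}

run_demo
```

The summary line shows the keyword going from unset globally to `0` at line 1 while both Match blocks and the Match-scoped value `5` survive.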
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "ClientAliveCountMax 0" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "ClientAliveCountMax 0" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "ClientAliveCountMax 0" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
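Review bot: the pair `printf '%s\n' "ClientAliveCountMax 0" > "/etc/ssh/sshd_config"` followed by `cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"` leaves the live config as a single line until the append finishes, and if the script is interrupted in between only the `.bak` copy still holds the original; unlike the Ansible task, nothing runs `sshd -t` on the result either. Assembling the new content in a temporary file beside sshd_config, running `/usr/sbin/sshd -t -f` on it and only then copying it over the original would close both gaps. It would also help to state in the commit message that line 1 sits ahead of any `Include` directive, which under sshd's first-value-wins rule is what makes the inserted line authoritative over drop-in files; the same remarks apply to every other bash hunk below that switches to `# Insert at the beginning of the file`.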
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -26,7 +26,7 @@
regexp: (?i)^\s*ClientAliveCountMax\s+
line: ClientAliveCountMax 0
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
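Review bot: `insertbefore: BOF` is only consulted when `regexp: (?i)^\s*ClientAliveCountMax\s+` finds no match, and lineinfile rewrites the last matching line when several match; because the pattern permits leading whitespace, an indented `ClientAliveCountMax` line inside a `Match` block matches, gets overwritten with the global value, and no line is inserted at the top, so on configs that set the keyword conditionally the Ansible result can still differ from the bash one. Either tighten the pattern so Match-scoped (indented) lines are excluded, or document that this case is not handled. The same applies to each `insertbefore: BOF` hunk below.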
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -14,17 +14,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -32,7 +32,7 @@
regexp: (?i)^\s*ClientAliveCountMax\s+
line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -14,17 +14,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -32,7 +32,7 @@
regexp: (?i)^\s*ClientAliveInterval\s+
line: ClientAliveInterval {{ sshd_idle_timeout_value }}
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when:
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "HostbasedAuthentication no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -26,7 +26,7 @@
regexp: (?i)^\s*HostbasedAuthentication\s+
line: HostbasedAuthentication no
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2' differs.
--- xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
+++ xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
@@ -26,7 +26,7 @@
regexp: (?i)^\s*Protocol\s+
line: Protocol 2
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -4,27 +4,22 @@
var_sshd_disable_compression=''
-# Strip any search characters in the key arg so that the key can be replaced without
-# adding any search characters to the config file.
-stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^Compression")
-# shellcheck disable=SC2059
-printf -v formatted_output "%s %s" "$stripped_key" "$var_sshd_disable_compression"
+if [ -e "/etc/ssh/sshd_config" ] ; then
+
+ LC_ALL=C sed -i "/^\s*Compression\s\+/Id" "/etc/ssh/sshd_config"
+else
+ touch "/etc/ssh/sshd_config"
+fi
+# make sure file has newline at the end
+sed -i -e '$a\' "/etc/ssh/sshd_config"
-# If the key exists, change it. Otherwise, add it to the config_file.
-# We search for the key string followed by a word boundary (matched by \>),
-# so if we search for 'setting', 'setting2' won't match.
-if LC_ALL=C grep -q -m 1 -i -e "^Compression\\>" "/etc/ssh/sshd_config"; then
- escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- LC_ALL=C sed -i --follow-symlinks "s/^Compression\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config"
-else
- if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then
- LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config"
- fi
- cce="CCE-80895-6"
- printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config"
- printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config"
-fi
+cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
+# Insert at the beginning of the file
+printf '%s\n' "Compression $var_sshd_disable_compression" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
+# Clean up after ourselves.
+rm "/etc/ssh/sshd_config.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
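Review bot: `LC_ALL=C sed -i "/^\s*Compression\s\+/Id"` deletes every line whose first word is Compression, including indented ones inside Match blocks, whereas the old `s/^Compression\\>.*/$escaped_formatted_output/gi` only touched lines starting at column 1; that silently drops conditional settings, so either anchor the pattern without `\s*` or call the behaviour change out in the description. Two smaller points: the old calls used `--follow-symlinks` and the new `sed -i` invocations do not, so a symlinked sshd_config would be replaced by a regular file; and with `var_sshd_disable_compression=''` at the top an unpopulated variable now yields a bare `Compression ` line with no value, while the `# Per CCE-80895-6` trace comment the old path wrote is no longer emitted. The `touch "/etc/ssh/sshd_config"` branch also creates the file with the umask default mode rather than an explicit restrictive one.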
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -32,7 +32,7 @@
regexp: (?i)^\s*Compression\s+
line: Compression {{ var_sshd_disable_compression }}
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PermitEmptyPasswords no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -26,7 +26,7 @@
regexp: (?i)^\s*PermitEmptyPasswords\s+
line: PermitEmptyPasswords no
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "GSSAPIAuthentication no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -26,7 +26,7 @@
regexp: (?i)^\s*GSSAPIAuthentication\s+
line: GSSAPIAuthentication no
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "KerberosAuthentication no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -26,7 +26,7 @@
regexp: (?i)^\s*KerberosAuthentication\s+
line: KerberosAuthentication no
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "PubkeyAuthentication no" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "PubkeyAuthentication no" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PubkeyAuthentication no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -26,7 +26,7 @@
regexp: (?i)^\s*PubkeyAuthentication\s+
line: PubkeyAuthentication no
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "IgnoreRhosts yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -26,7 +26,7 @@
regexp: (?i)^\s*IgnoreRhosts\s+
line: IgnoreRhosts yes
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
@@ -26,7 +26,7 @@
regexp: (?i)^\s*RhostsRSAAuthentication\s+
line: RhostsRSAAuthentication no
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -26,7 +26,7 @@
regexp: (?i)^\s*PermitRootLogin\s+
line: PermitRootLogin no
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "PermitRootLogin prohibit-password" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "PermitRootLogin prohibit-password" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PermitRootLogin prohibit-password" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -26,7 +26,7 @@
regexp: (?i)^\s*PermitRootLogin\s+
line: PermitRootLogin prohibit-password
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "AllowTcpForwarding no" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "AllowTcpForwarding no" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "AllowTcpForwarding no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -26,7 +26,7 @@
regexp: (?i)^\s*AllowTcpForwarding\s+
line: AllowTcpForwarding no
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "IgnoreUserKnownHosts yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -26,7 +26,7 @@
regexp: (?i)^\s*IgnoreUserKnownHosts\s+
line: IgnoreUserKnownHosts yes
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "X11Forwarding no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -26,7 +26,7 @@
regexp: (?i)^\s*X11Forwarding\s+
line: X11Forwarding no
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PermitUserEnvironment no" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -26,7 +26,7 @@
regexp: (?i)^\s*PermitUserEnvironment\s+
line: PermitUserEnvironment no
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "GSSAPIAuthentication yes" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "GSSAPIAuthentication yes" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "GSSAPIAuthentication yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -26,7 +26,7 @@
regexp: (?i)^\s*GSSAPIAuthentication\s+
line: GSSAPIAuthentication yes
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "UsePAM yes" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "UsePAM yes" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "UsePAM yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
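Review bot: the new comment `# Insert at the beginning of the file` drops the terminating period that the neighbouring comments keep (`# Clean up after ourselves.`, and the removed `# Insert before the line matching the regex '^Match'.`). Since this text is emitted from a shared macro into every generated remediation, aligning it now avoids touching dozens of rules later, and adding the reason in the same comment (the first obtained value wins, so a global line must precede any Match block) would make the generated script self-explanatory.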
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -26,7 +26,7 @@
regexp: (?i)^\s*UsePAM\s+
line: UsePAM yes
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "PubkeyAuthentication yes" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "PubkeyAuthentication yes" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PubkeyAuthentication yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -26,7 +26,7 @@
regexp: (?i)^\s*PubkeyAuthentication\s+
line: PubkeyAuthentication yes
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
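Review bot: the `regexp: (?i)^\s*PubkeyAuthentication\s+` driving this lineinfile task also matches an indented `PubkeyAuthentication` inside a `Match` block (it is one of the keywords sshd permits there), and lineinfile replaces the last matching line in place, in which case `insertbefore: BOF` is never consulted and no global setting is added. This predates the hunk, but with BOF insertion the global-versus-Match distinction is now the whole point of the task; anchoring the regexp at column zero (`^PubkeyAuthentication\s+`, keeping `(?i)`) or handling a Match-scoped occurrence separately would close that gap.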
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "StrictModes yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -26,7 +26,7 @@
regexp: (?i)^\s*StrictModes\s+
line: StrictModes yes
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "Banner /etc/issue" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -26,7 +26,7 @@
regexp: (?i)^\s*Banner\s+
line: Banner /etc/issue
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "Banner /etc/issue.net" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "Banner /etc/issue.net" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "Banner /etc/issue.net" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
@@ -26,7 +26,7 @@
regexp: (?i)^\s*Banner\s+
line: Banner /etc/issue.net
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "X11Forwarding yes" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "X11Forwarding yes" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "X11Forwarding yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -26,7 +26,7 @@
regexp: (?i)^\s*X11Forwarding\s+
line: X11Forwarding yes
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "PrintLastLog yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -26,7 +26,7 @@
regexp: (?i)^\s*PrintLastLog\s+
line: PrintLastLog yes
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -17,17 +17,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
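Review bot: with two substituted variables, an empty `$var_rekey_limit_size` or `$var_rekey_limit_time` makes the added line `printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" > "/etc/ssh/sshd_config"` write a bare or half-populated `RekeyLimit` as the very first line of sshd_config, and unlike the Ansible counterpart for this rule (`validate: /usr/sbin/sshd -t -f %s`) the bash script has no `sshd -t` check, so the breakage only shows up at the daemon's next restart. A guard on both variables before the write, or an `sshd -t` run with restore from the .bak on failure, would keep the remediation from taking SSH down.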
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -37,7 +37,7 @@
regexp: (?i)^\s*RekeyLimit\s+
line: RekeyLimit {{ var_rekey_limit_size }} {{ var_rekey_limit_time }}
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -14,17 +14,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "LoginGraceTime $var_sshd_set_login_grace_time" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -32,7 +32,7 @@
regexp: (?i)^\s*LoginGraceTime\s+
line: LoginGraceTime {{ var_sshd_set_login_grace_time }}
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "LogLevel INFO" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -26,7 +26,7 @@
regexp: (?i)^\s*LogLevel\s+
line: LogLevel INFO
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "LogLevel VERBOSE" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -26,7 +26,7 @@
regexp: (?i)^\s*LogLevel\s+
line: LogLevel VERBOSE
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -14,17 +14,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -32,7 +32,7 @@
regexp: (?i)^\s*MaxAuthTries\s+
line: MaxAuthTries {{ sshd_max_auth_tries_value }}
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -14,17 +14,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "MaxSessions $var_sshd_max_sessions" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "MaxSessions $var_sshd_max_sessions" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "MaxSessions $var_sshd_max_sessions" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -32,7 +32,7 @@
regexp: (?i)^\s*MaxSessions\s+
line: MaxSessions {{ var_sshd_max_sessions }}
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -14,17 +14,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "MaxStartups $var_sshd_set_maxstartups" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -32,7 +32,7 @@
regexp: (?i)^\s*MaxStartups\s+
line: MaxStartups {{ var_sshd_set_maxstartups }}
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -14,17 +14,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -32,7 +32,7 @@
regexp: (?i)^\s*UsePrivilegeSeparation\s+
line: UsePrivilegeSeparation {{ var_sshd_priv_separation }}
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -11,17 +11,9 @@
sed -i -e '$a\' "/etc/ssh/sshd_config"
cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "X11UseLocalhost yes" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "X11UseLocalhost yes" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
+# Insert at the beginning of the file
+printf '%s\n' "X11UseLocalhost yes" > "/etc/ssh/sshd_config"
+cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -26,7 +26,7 @@
regexp: (?i)^\s*X11UseLocalhost\s+
line: X11UseLocalhost yes
state: present
- insertbefore: ^[#\s]*Match
+ insertbefore: BOF
validate: /usr/sbin/sshd -t -f %s
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags: |
Code Climate has analyzed commit af2ab73 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.3% (0.0% change). View more on Code Climate.
I have seen that in Automatus GitHub Actions jobs most of the people are evaluated as notapplicable. So I ran the tests locally with a virtual machine used as a back end.
[jcerny@fedora scap-security-guide{pr/11032}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 sshd_disable_rhosts_rsa,sshd_use_approved_macs,sshd_use_strong_ciphers,sshd_set_max_auth_tries,sshd_use_priv_separation,sshd_use_strong_macs,sshd_set_idle_timeout,sshd_set_keepalive,sshd_set_max_sessions,sshd_allow_only_protocol2,sshd_use_strong_kex,sshd_set_maxstartups,sshd_disable_compression,sshd_rekey_limit,sshd_use_approved_ciphers,sshd_set_login_grace_time
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-08-29-1313/test_suite.log
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-hxux0ug4'
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-hxux0ug4'
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-hxux0ug4'
WARNING - Script openssh-6.6-configured.pass.sh is not applicable on given platform
WARNING - Script openssh-6.6.fail.sh is not applicable on given platform
WARNING - Script openssh-7.4.pass.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script bad_size_directory.fail.sh is not applicable on given platform
WARNING - Script bad_time_directory.fail.sh is not applicable on given platform
WARNING - Script no_line_directory.fail.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script rhel7.ok.pass.sh is not applicable on given platform
WARNING - Script rhel9_ospp_ok.pass.sh is not applicable on given platform
WARNING - Script correct_value_directory.pass.sh is not applicable on given platform
WARNING - Script other_comment.fail.sh is not applicable on given platform
WARNING - Script other_line_not_there.fail.sh is not applicable on given platform
WARNING - Script other_wrong_value.fail.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script wrong_value_directory.fail.sh is not applicable on given platform
WARNING - Script correct_value_dot_dir.pass.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script wrong_value_dot_dir.fail.sh is not applicable on given platform
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
WARNING - Script cis_rhel7_correct_value_full.pass.sh is not applicable on given platform
WARNING - Script cis_rhel7_wrong_value.fail.sh is not applicable on given platform
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_sshd_disable_compression
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_rekey_limit
INFO - Script bad_size.fail.sh using profile (all) OK
INFO - Script bad_time.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script duplicated_param.pass.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - Script rhel8_ospp_ok.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script no_line.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
WARNING - Script wrong_value.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script comment.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script correct_value.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script line_not_there.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script param_conflict.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
INFO - xccdf_org.ssgproject.content_rule_sshd_set_keepalive
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_less_than.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
INFO - Script comment.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script correct_reduced_list.pass.sh using profile (all) OK
INFO - Script correct_scrambled.pass.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_full.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script wrong_value.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script correct_variable.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
INFO - Script default_correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_macs'.
INFO - xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script nothing.fail.sh using profile (all) OK
INFO - Script wrong_value_no.fail.sh using profile (all) OK
INFO - Script wrong_value_yes.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script lower_bound.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script no_limit.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script too_high.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script nothing.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
[jcerny@fedora scap-security-guide{pr/11032}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 --remediate-using ansible sshd_disable_rhosts_rsa,sshd_use_approved_macs,sshd_use_strong_ciphers,sshd_set_max_auth_tries,sshd_use_priv_separation,sshd_use_strong_macs,sshd_set_idle_timeout,sshd_set_keepalive,sshd_set_max_sessions,sshd_allow_only_protocol2,sshd_use_strong_kex,sshd_set_maxstartups,sshd_disable_compression,sshd_rekey_limit,sshd_use_approved_ciphers,sshd_set_login_grace_time
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-08-29-1344/test_suite.log
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-yq6r0les'
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-yq6r0les'
WARNING - Rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' isn't present in benchmark 'xccdf_org.ssgproject.content_benchmark_RHEL-8' in '/tmp/ssgts-ds-yq6r0les'
WARNING - Script openssh-6.6-configured.pass.sh is not applicable on given platform
WARNING - Script openssh-6.6.fail.sh is not applicable on given platform
WARNING - Script openssh-7.4.pass.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script bad_size_directory.fail.sh is not applicable on given platform
WARNING - Script bad_time_directory.fail.sh is not applicable on given platform
WARNING - Script no_line_directory.fail.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script rhel7.ok.pass.sh is not applicable on given platform
WARNING - Script rhel9_ospp_ok.pass.sh is not applicable on given platform
WARNING - Script correct_value_directory.pass.sh is not applicable on given platform
WARNING - Script other_comment.fail.sh is not applicable on given platform
WARNING - Script other_line_not_there.fail.sh is not applicable on given platform
WARNING - Script other_wrong_value.fail.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script wrong_value_directory.fail.sh is not applicable on given platform
WARNING - Script correct_value_dot_dir.pass.sh is not applicable on given platform
WARNING - Script param_conflict_directory.fail.sh is not applicable on given platform
WARNING - Script wrong_value_dot_dir.fail.sh is not applicable on given platform
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
WARNING - Script cis_rhel7_correct_value_full.pass.sh is not applicable on given platform
WARNING - Script cis_rhel7_wrong_value.fail.sh is not applicable on given platform
WARNING - Script rhel7_correct_value.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_sshd_disable_compression
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_rekey_limit
INFO - Script bad_size.fail.sh using profile (all) OK
INFO - Script bad_time.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script duplicated_param.pass.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - Script rhel8_ospp_ok.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script no_line.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
WARNING - Script wrong_value.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script comment.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script correct_value.pass.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script line_not_there.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
WARNING - Script param_conflict.fail.sh using profile (all) notapplicable
WARNING - Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout evaluation resulted in notapplicable
INFO - xccdf_org.ssgproject.content_rule_sshd_set_keepalive
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script param_conflict.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_less_than.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
INFO - Script comment.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script correct_reduced_list.pass.sh using profile (all) OK
INFO - Script correct_scrambled.pass.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_full.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script wrong_value.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers'.
INFO - Script correct_variable.pass.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_macs
INFO - Script default_correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
WARNING - No remediation is available for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_macs'.
INFO - xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script nothing.fail.sh using profile (all) OK
INFO - Script wrong_value_no.fail.sh using profile (all) OK
INFO - Script wrong_value_yes.fail.sh using profile (all) OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script lower_bound.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script no_limit.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script too_high.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
INFO - Script comment.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script line_not_there.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
INFO - Script nothing.fail.sh using profile xccdf_org.ssgproject.content_profile_cis OK
Description:
When new lines need to be inserted in the sshd_config file to define global settings, these lines must be inserted before any "Match" conditional. However, using "Match" lines as the reference during the remediation is not robust enough, especially when multiple "Match" lines are present. Since there are no ordering restrictions on global settings, it is safer to include new lines at the beginning of the file.
Rationale:
Review Hints:
Automatus tests should be enough.
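As an added example, not part of this pull request or of the project's remediation code, the following POSIX shell script shows the scope problem the description refers to (a directive appended after a "Match" line belongs to that block, not to global scope) and the line-1 insertion the description proposes. The function names sshd_global_value and sshd_set_global_option, the sample config, and the assumption that the file is newline-terminated are introduced here for illustration.

```shell
#!/bin/sh
# Added example, not the project's remediation code. It shows why a global
# sshd_config directive cannot simply be appended to the file and how
# inserting it as line 1 avoids depending on "Match" lines. Function names
# (sshd_global_value, sshd_set_global_option) and the sample config are
# assumptions constructed for this example; the file is assumed to be
# newline-terminated.

# Print the value sshd applies for KEY in global scope. sshd uses the first
# value it obtains for a keyword, and everything after the first "Match"
# line belongs to that conditional block, so scanning stops there.
# Keywords are case-insensitive; commented-out lines have "#" as $1.
sshd_global_value() {
    awk -v key="$2" '
        tolower($1) == "match"        { exit }
        tolower($1) == tolower(key)   { print $2; exit }
    ' "$1"
}

# Set KEY to VALUE in global scope. An existing global directive is
# rewritten in place; otherwise the directive becomes line 1, which is
# global scope no matter how many "Match" blocks follow. Directives inside
# Match blocks are left untouched.
sshd_set_global_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if [ -n "$(sshd_global_value "$file" "$key")" ]; then
        awk -v key="$key" -v value="$value" '
            tolower($1) == "match"                     { inmatch = 1 }
            !inmatch && tolower($1) == tolower(key)    { print key " " value; next }
            { print }
        ' "$file" > "$tmp"
    else
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# Demo on a constructed config whose last stanza is a Match block.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample, not a real host's sshd_config
Port 22
PermitRootLogin no
Match User backup
    ClientAliveCountMax 5
EOF

printf 'ClientAliveCountMax 0\n' >> "$demo"        # naive append lands inside "Match User backup"
echo "after append, global value: '$(sshd_global_value "$demo" ClientAliveCountMax)'"   # ''
sshd_set_global_option "$demo" ClientAliveCountMax 0
echo "after insert, global value: '$(sshd_global_value "$demo" ClientAliveCountMax)'"   # '0'
rm -f "$demo"
```

Run it with sh: the first line printed shows that the appended directive is invisible in global scope, the second that the line-1 insertion takes effect. One caveat for the line-1 approach on systems whose sshd_config begins with an Include directive for drop-in files: because sshd keeps the first value it obtains for a keyword, a directive placed on line 1 also takes precedence over any value set in the included files, which may or may not be what the remediation intends.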