Merge pull request #12419 from marcusburghardt/sshd_maxstartups

Review sshd_set_maxstartups rule

linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/oval/shared.xml

@@ -1,63 +1,96 @@
 <def-group>
-  <definition class="compliance" id="sshd_set_maxstartups" version="1">
-    {{{ oval_metadata("Ensure 'MaxStartups' is configured in
-      '/etc/ssh/sshd_config'") }}}
-    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
-      <criteria comment="sshd is not installed" operator="AND">
-        <extend_definition comment="sshd is not required or requirement is unset"
-        definition_ref="sshd_not_required_or_unset" />
+  <definition class="compliance" id="{{{ rule_id }}}" version="2">
+    {{{ oval_metadata("Ensure 'MaxStartups' is properly configured in SSH configuration files.") }}}
+    <criteria operator="OR" comment="sshd MaxStartups parameter is properly configured if sshd is installed">
+      <criteria operator="AND" comment="sshd is not installed">
+        <extend_definition definition_ref="sshd_not_required_or_unset"
+          comment="sshd is not required or requirement is unset"/>
         {{% if product in ['opensuse', 'sle12', 'sle15'] %}}
-        <extend_definition comment="rpm package openssh removed"
-        definition_ref="package_openssh_removed" />
+        <extend_definition definition_ref="package_openssh_removed"
+          comment="rpm package openssh is removed"/>
         {{% else %}}
-        <extend_definition comment="rpm package openssh-server removed"
-        definition_ref="package_openssh-server_removed" />
+        <extend_definition definition_ref="package_openssh-server_removed"
+          comment="rpm package openssh-server is removed"/>
         {{% endif %}}
       </criteria>
       <criteria operator="AND">
-        <criterion test_ref="tst_maxstartups_start_parameter" comment="SSH MaxStartups start parameter is less than or equal to 10" />
-        <criterion test_ref="tst_maxstartups_rate_parameter" comment="SSH MaxStartups rate parameter is greater than or equal to 30" />
-        <criterion test_ref="tst_maxstartups_full_parameter" comment="SSH MaxStartups full parameter is less than or equal to 100" />
+        <criterion test_ref="tst_maxstartups_start_parameter" comment="SSH MaxStartups start parameter is less than or equal to 10"/>
+        <criterion test_ref="tst_maxstartups_rate_parameter" comment="SSH MaxStartups rate parameter is greater than or equal to 30"/>
+        <criterion test_ref="tst_maxstartups_full_parameter" comment="SSH MaxStartups full parameter is less than or equal to 100"/>
       </criteria>
     </criteria>
   </definition>
 
-  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_first_parameter" version="1">
-    <ind:filepath operation="equals">/etc/ssh/sshd_config</ind:filepath>
+  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_first_parameter" version="2">
+    <ind:path operation="pattern match">/etc/(ssh|ssh/sshd_config.d)</ind:path>
+    <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename>
     <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
-  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_second_parameter" version="1">
-    <ind:filepath operation="equals">/etc/ssh/sshd_config</ind:filepath>
+  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_second_parameter" version="2">
+    <ind:path operation="pattern match">/etc/(ssh|ssh/sshd_config.d)</ind:path>
+    <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename>
     <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
-  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_third_parameter" version="1">
-    <ind:filepath operation="equals">/etc/ssh/sshd_config</ind:filepath>
+  <ind:textfilecontent54_object id="obj_sshd_config_maxstartups_third_parameter" version="2">
+    <ind:path operation="pattern match">/etc/(ssh|ssh/sshd_config.d)</ind:path>
+    <ind:filename operation="pattern match">(sshd_config|.*\.conf)$</ind:filename>
     <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_state id="ste_sshd_config_start_parameter_valid" version="1">
-    <ind:subexpression datatype="int" operation="less than or equal">10</ind:subexpression>
+  <external_variable id="var_sshd_set_maxstartups" version="1"
+    datatype="string" comment="Expected value for MaxStartups parameter"/>
+
+  <local_variable id="var_sshd_set_maxstartups_first" version="1" datatype="int"
+    comment="First number from MaxStartup parameter value.">
+    <regex_capture pattern="(\d+):\d+:\d+">
+      <variable_component var_ref="var_sshd_set_maxstartups"/>
+    </regex_capture>
+  </local_variable>
+  <local_variable id="var_sshd_set_maxstartups_second" version="1" datatype="int"
+    comment="Second number from MaxStartup parameter value.">
+    <regex_capture pattern="\d+:(\d+):\d+">
+      <variable_component var_ref="var_sshd_set_maxstartups"/>
+    </regex_capture>
+  </local_variable>
+  <local_variable id="var_sshd_set_maxstartups_third" version="1" datatype="int"
+    comment="Third number from MaxStartup parameter value.">
+    <regex_capture pattern="\d+:\d+:(\d+)">
+      <variable_component var_ref="var_sshd_set_maxstartups" />
+    </regex_capture>
+  </local_variable>
+
+  <ind:textfilecontent54_state id="ste_sshd_config_start_parameter_valid" version="2">
+    <ind:subexpression datatype="int" operation="less than or equal"
+      var_ref="var_sshd_set_maxstartups_first"/>
   </ind:textfilecontent54_state>
-  <ind:textfilecontent54_state id="ste_sshd_config_rate_parameter_valid" version="1">
-    <ind:subexpression datatype="int" operation="greater than or equal">30</ind:subexpression>
+  <ind:textfilecontent54_state id="ste_sshd_config_rate_parameter_valid" version="2">
+    <ind:subexpression datatype="int" operation="greater than or equal"
+      var_ref="var_sshd_set_maxstartups_second"/>
   </ind:textfilecontent54_state>
-  <ind:textfilecontent54_state id="ste_sshd_config_full_parameter_valid" version="1">
-    <ind:subexpression datatype="int" operation="less than or equal">100</ind:subexpression>
+  <ind:textfilecontent54_state id="ste_sshd_config_full_parameter_valid" version="2">
+    <ind:subexpression datatype="int" operation="less than or equal"
+      var_ref="var_sshd_set_maxstartups_third"/>
   </ind:textfilecontent54_state>
 
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" id="tst_maxstartups_start_parameter" version="1" comment="SSH MaxStartups start parameter is less than or equal to 10">
-    <ind:object object_ref="obj_sshd_config_maxstartups_first_parameter" />
-    <ind:state state_ref="ste_sshd_config_start_parameter_valid" />
+  <ind:textfilecontent54_test id="tst_maxstartups_start_parameter" version="2"
+    check="all" check_existence="at_least_one_exists"
+    comment="SSH MaxStartups start parameter is less than or equal to the expected value">
+    <ind:object object_ref="obj_sshd_config_maxstartups_first_parameter"/>
+    <ind:state state_ref="ste_sshd_config_start_parameter_valid"/>
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" id="tst_maxstartups_rate_parameter" version="1" comment="SSH MaxStartups rate parameter is greater than or equal to 30">
-    <ind:object object_ref="obj_sshd_config_maxstartups_second_parameter" />
-    <ind:state state_ref="ste_sshd_config_rate_parameter_valid" />
+  <ind:textfilecontent54_test id="tst_maxstartups_rate_parameter" version="2"
+    check="all" check_existence="at_least_one_exists"
+    comment="SSH MaxStartups rate parameter is greater than or equal to the expected value">
+    <ind:object object_ref="obj_sshd_config_maxstartups_second_parameter"/>
+    <ind:state state_ref="ste_sshd_config_rate_parameter_valid"/>
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" id="tst_maxstartups_full_parameter" version="1" comment="SSH MaxStartups full parameter is less than or equal to 100">
-    <ind:object object_ref="obj_sshd_config_maxstartups_third_parameter" />
-    <ind:state state_ref="ste_sshd_config_full_parameter_valid" />
+  <ind:textfilecontent54_test id="tst_maxstartups_full_parameter" version="2"
+    check="all" check_existence="at_least_one_exists"
+    comment="SSH MaxStartups full parameter is less than or equal to the expected value">
+    <ind:object object_ref="obj_sshd_config_maxstartups_third_parameter"/>
+    <ind:state state_ref="ste_sshd_config_full_parameter_valid"/>
   </ind:textfilecontent54_test>
 </def-group>

linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml

@@ -3,20 +3,16 @@ documentation_complete: true
 title: 'Ensure SSH MaxStartups is configured'
 
 description: |-
-    The MaxStartups parameter specifies the maximum number of concurrent
-    unauthenticated connections to the SSH daemon. Additional connections will be
-    dropped until authentication succeeds or the LoginGraceTime expires for a
-    connection. To confgure MaxStartups, you should add or correct the following
-    line in the
-    <tt>/etc/ssh/sshd_config</tt> file:
+    The MaxStartups parameter specifies the maximum number of concurrent unauthenticated
+    connections to the SSH daemon. Additional connections will be dropped until authentication
+    succeeds or the LoginGraceTime expires for a connection. To configure MaxStartups, you should
+    add or edit the following line in the <tt>/etc/ssh/sshd_config</tt> file:
     <pre>MaxStartups {{{ xccdf_value("var_sshd_set_maxstartups") }}}</pre>
-    CIS recommends a MaxStartups value of '10:30:60', or more restrictive where
-    dictated by site policy.
 
 rationale: |-
-    To protect a system from denial of service due to a large number of pending
-    authentication connection attempts, use the rate limiting function of MaxStartups
-    to protect availability of sshd logins and prevent overwhelming the daemon.
+    To protect a system from denial of service due to a large number of pending authentication
+    connection attempts, use the rate limiting function of MaxStartups to protect availability of
+    sshd logins and prevent overwhelming the daemon.
 
 severity: medium
 
@@ -37,5 +33,14 @@ ocil_clause: 'maxstartups is not configured'
 
 ocil: |-
     To check if MaxStartups is configured, run the following command:
-    <pre>$ sudo grep MaxStartups /etc/ssh/sshd_config</pre>
+    <pre>$ sudo grep -r ^[\s]*MaxStartups /etc/ssh/sshd_config*</pre>
     If configured, this command should output the configuration.
+
+template:
+    name: sshd_lineinfile
+    vars:
+        parameter: MaxStartups
+        xccdf_variable: var_sshd_set_maxstartups
+        datatype: string
+        backends:
+            oval: "off"

linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/correct_value.pass.sh → linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/lenient_value.fail.sh

@@ -1,9 +1,8 @@
 #!/bin/bash
-#
-# profiles = xccdf_org.ssgproject.content_profile_cis
+# variables = var_sshd_set_maxstartups=10:30:60
 
 if grep -q "^MaxStartups" /etc/ssh/sshd_config; then
 	sed -i "s/^MaxStartups.*/MaxStartups 10:30:60/" /etc/ssh/sshd_config
 else
-	echo "MaxStartups 10:30:60" >> /etc/ssh/sshd_config
+	echo "MaxStartups 20:40:60" >> /etc/ssh/sshd_config
 fi

linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/tests/stricter_value.pass.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# variables = var_sshd_set_maxstartups=10:30:60
+
+if grep -q "^MaxStartups" /etc/ssh/sshd_config; then
+	sed -i "s/^MaxStartups.*/MaxStartups 10:30:60/" /etc/ssh/sshd_config
+else
+	echo "MaxStartups 5:60:30" >> /etc/ssh/sshd_config
+fi

shared/templates/sshd_lineinfile/template.py

@@ -13,8 +13,12 @@ def set_variables_for_test_scenarios(data):
     elif data["datatype"] == "string":
         if not data.get("value"):
             # this implies XCCDF variable is used
-            data["wrong_value"] = "wrong_value"
-            data["correct_value"] = "correct_value"
+            if data['xccdf_variable'] == 'var_sshd_set_maxstartups':
+                data["wrong_value"] = "30:10:110"
+                data["correct_value"] = "10:30:60"
+            else:
+                data["wrong_value"] = "wrong_value"
+                data["correct_value"] = "correct_value"
         else:
             data["wrong_value"] = "wrong_value"
             data["correct_value"] = str(data["value"])