Merge pull request #10683 from vojtapolasek/stabilization_revert_ssh_…
…key_rules

[Stabilization] revert modifications to file_groupownership template and respective rules
jan-cerny authored Jun 6, 2023
2 parents 983f7c3 + ca91455 commit 5d417c3
Showing 12 changed files with 7 additions and 159 deletions.
7 changes: 3 additions & 4 deletions controls/cis_rhel7.yml
Expand Up @@ -1763,22 +1763,21 @@ controls:
levels:
- l1_server
- l1_workstation
status: automated
status: partial # missing rule for group ownership
rules:
- file_permissions_sshd_private_key
- file_ownership_sshd_private_key
- file_groupownership_sshd_private_key

- id: 5.3.3
title: Ensure permissions on SSH public host key files are configured (Automated)
levels:
- l1_server
- l1_workstation
status: automated
status: partial # missing rule for group ownership
rules:
- file_permissions_sshd_pub_key
- file_ownership_sshd_pub_key
- file_groupownership_sshd_pub_key


- id: 5.3.4
title: Ensure SSH access is limited (Automated)
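Review bot: The `status: partial` lines in the 5.3.2 and 5.3.3 controls explain the downgrade only through a trailing inline comment, which is dropped by any tooling that round-trips the YAML and never reaches generated control reports; the controls format has a `notes` field for this purpose. A note such as `notes: >-` followed by "Group ownership of the SSH host key files is not checked; the file_groupownership rules were reverted." would tell a reader what the remaining gap is rather than only that one exists. The same applies to the matching hunks in controls/cis_rhel8.yml and controls/cis_rhel9.yml. Separately, the two consecutive blank lines before the 5.3.4 control in this hunk break the single-blank-line spacing used between the other controls, so one of them looks like it should be dropped.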
6 changes: 2 additions & 4 deletions controls/cis_rhel8.yml
Expand Up @@ -1978,22 +1978,20 @@ controls:
levels:
- l1_server
- l1_workstation
status: automated
status: partial # missing rule for group ownership
rules:
- file_permissions_sshd_private_key
- file_ownership_sshd_private_key
- file_groupownership_sshd_private_key

- id: 5.2.3
title: Ensure permissions on SSH public host key files are configured (Automated)
levels:
- l1_server
- l1_workstation
status: automated
status: partial # missing rule for group ownership
rules:
- file_permissions_sshd_pub_key
- file_ownership_sshd_pub_key
- file_groupownership_sshd_pub_key

- id: 5.2.4
title: Ensure SSH access is limited (Automated)
6 changes: 2 additions & 4 deletions controls/cis_rhel9.yml
Expand Up @@ -1826,22 +1826,20 @@ controls:
levels:
- l1_server
- l1_workstation
status: automated
status: partial # missing rule for group ownership
rules:
- file_permissions_sshd_private_key
- file_ownership_sshd_private_key
- file_groupownership_sshd_private_key

- id: 5.2.3
title: Ensure permissions on SSH public host key files are configured (Automated)
levels:
- l1_server
- l1_workstation
status: automated
status: partial # missing rule for group ownership
rules:
- file_permissions_sshd_pub_key
- file_ownership_sshd_pub_key
- file_groupownership_sshd_pub_key

- id: 5.2.4
title: Ensure SSH access is limited (Automated)

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

23 changes: 0 additions & 23 deletions shared/templates/file_groupowner/oval.template
Expand Up @@ -38,34 +38,11 @@
</unix:file_object>

<unix:file_state id="state_file_groupowner{{{ FILEID }}}_gid_{{{ FILEGID }}}_{{{ loop.index0 }}}" version="1">
{{%- if FILEGID == '0' %}}
<unix:group_id datatype="int">{{{ FILEGID }}}</unix:group_id>
{{%- else %}}
<unix:group_id datatype="int" var_ref="var_dedicated_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}"></unix:group_id>
{{%- endif %}}
</unix:file_state>
{{% endfor %}}

<unix:file_state id="symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>

{{%- if FILEGID != '0' %}}
<ind:textfilecontent54_object id="obj_dedicated_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}" version="1" comment="gid of the dedicated {{{ FILEGID }}} group">
{{%- if product != 'rhcos4' -%}}
<ind:filepath>/etc/group</ind:filepath>
{{%- else %}}
{{# CoreOS doesn't list all groups in /etc/group - that's probably related to the FS immutability #}}
<ind:filepath>/usr/lib/group</ind:filepath>
{{%- endif %}}
<ind:pattern operation="pattern match">^{{{ FILEGID }}}:\w+:(\w+):.*</ind:pattern>
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

<!-- variable storing count of all group names - including duplicates -->
<local_variable id="var_dedicated_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}" datatype="int" version="1"
comment="Count of all group names (including duplicates if any)">
<object_component item_field="subexpression" object_ref="obj_dedicated_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}"/>
</local_variable>
{{%- endif %}}
</def-group>
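Review bot: With the `FILEGID == '0'` branch and the `/etc/group` lookup removed, the surviving `<unix:group_id datatype="int">{{{ FILEGID }}}</unix:group_id>` state is the only handler for every FILEGID value, so a rule that passes a group name instead of a numeric gid now renders an int-typed element with a non-integer value and fails OVAL validation instead of being resolved at scan time. Unless the template's parameter preprocessing rejects non-numeric values (not visible in this hunk), a comment above that state, e.g. `{{# FILEGID must be a numeric gid; the int-typed state below does not resolve group names #}}`, would make the constraint explicit for rule authors. The enclosing `<def-group>` starts outside the hunk.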
