sshd_lineinfile - oval.template - issue

[rumch-se]

Hello @yuumasato

I found that you are creator of the oval template in sshd_lineinfile template, and for it you are using sshd_oval_check. I think that this template does not work as expected. You are re-suing the macro sshd_oval_check, created by @matejak
May you check this (for example you can use as a reference the rule sshd_set_keepalive_0)?
What is the problem:
When we have in the file /etc/ssh/sshd_config a row for example
# ClientAliveCountMax 3
the oval check will pass, but this is not correct because in front of the parameter we have a symbol which will be interpreted as comments. Please check this (https://linux.die.net/man/5/sshd_config). The oval check should fail.
The remediation part after should remove the symbol for comment or to add a line to a sshd_config with correct settings.
I think that all rules which use this template will be / are impacted.

Have a nice day
Rumen

[ggbecker]

In this case you need to provide the report with the OVAL results. It could a different condition in the OVAL that is making the rule to pass, for example:

   <criteria comment="sshd is configured correctly or is not installed" operator="OR">
     <criteria comment="sshd is not installed" operator="AND">
        <extend_definition comment="sshd is not required or requirement is unset"
          definition_ref="sshd_not_required_or_unset" />
        <extend_definition comment="rpm package openssh-server removed"
          definition_ref="package_openssh-server_removed" />
     </criteria>
     <criteria comment="sshd is installed and configured" operator="AND">
        <extend_definition comment="sshd is required or requirement is unset"
          definition_ref="sshd_required_or_unset" />
        <extend_definition comment="rpm package openssh-server installed"
          definition_ref="package_openssh-server_installed" />
        <criteria comment="sshd is configured correctly" operator="AND">
          <criteria comment="the configuration is correct if it exists" operator="AND"><criterion comment="Check the ClientAliveCountMax in /etc/ssh/sshd_configif any"
            test_ref="test_sshd_set_keepalive_0" /><criterion comment="Check the ClientAliveCountMax in /etc/ssh/sshd_config.dif any"
            test_ref="test_sshd_set_keepalive_0_config_dir" />
            
          </criteria>
          <criterion comment="the configuraton exists" test_ref="test_ClientAliveCountMax_present_sshd_set_keepalive_0" />
          
        </criteria>
      </criteria>
    </criteria>

[rumch-se]

Hello @ggbecker , @yuumasato and @matejak
This is a screenshot which presents the issue. Because I am facing this problem for a 1st time, how can I generate this report?
I have executed the command
oscap --verbose INFO xccdf eval .... and report is attached
Have a nice day
Rumen

report.txt

[ggbecker]

add --report report.html --oval-results to your command line. In the report.html there should be the OVAL results.

Consider also exporting the --results-arf results-arf.xml file.

[rumch-se]

Hello @ggbecker, @yuumasato and @matejak
Here are the generated reports.
Have a nice day

reports.zip

[ggbecker]

My initial guess is that this piece of jinja condition:

content/shared/macros/10-oval.jinja

Lines 611 to 617 in fa777d4

	{{% if product in ['opensuse', 'sle12', 'sle15'] %}}
	<extend_definition comment="rpm package openssh installed"
	definition_ref="package_openssh_installed" />
	{{% else %}}
	<extend_definition comment="rpm package openssh-server installed"
	definition_ref="package_openssh-server_installed" />
	{{% endif %}}

is missing in:

content/shared/macros/10-oval.jinja

Lines 929 to 934 in fa777d4

	<extend_definition comment="sshd is required or requirement is unset"
	definition_ref="sshd_required_or_unset" />
	<extend_definition comment="rpm package openssh-server installed"
	definition_ref="package_openssh-server_installed" />
	<criteria comment="sshd is configured correctly" operator="AND">
	<criteria comment="the configuration is correct if it exists" operator="AND">

here is the report generated using the oscap-report tool and the ARF file you provided.

(rename it to report.html)
report.txt

[rumch-se]

Hello @ggbecker
There is another rule which does not use template but it includes ansible, oval, bash, etc. The name of the rule is sshd_set_keepalive. You can see that his oval file section includes a similar check of the product. Again in this case there is a issue. Screen shot is provided.

And my concern is this regexp in the oval
<ind:pattern operation="pattern match">^[\s](?i)ClientAliveCountMax[\s]+([\d]+)[\s](?:#.*)?$</ind:pattern>

[ggbecker]

Can you check if there is no other configuration file under /etc/ssh/sshd_config.d/ that could contain the same configuration set?

You really need to learn how to use the reports and the results to understand exactly which OVAL criteria is failing and which is not. If you look at the report.html generated by the oscap command using --oval-results, you should be able to inspect the exact details of what OVAL criteria has passed and what not.

[ggbecker]

This should fix the problem for at least this rule: #10706

[rumch-se]

Hello @ggbecker
On my test machine I don't have any file in /etc/ssh/sshd_config.d/
here is ls
sles-15-sp2:/etc/ssh # ls -la
total 620
drwxr-xr-x 2 root root 4096 Jun 9 12:09 .
drwxr-xr-x 117 root root 12288 May 17 08:28 ..
-rw------- 1 root root 577388 Jun 6 2020 moduli
-rw-r--r-- 1 root root 2356 Jun 6 2020 ssh_config
-rw------- 1 root root 1381 Mar 16 09:30 ssh_host_dsa_key
-rw-r--r-- 1 root root 604 Mar 16 09:30 ssh_host_dsa_key.pub
-rw------- 1 root root 505 Mar 16 09:30 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 176 Mar 16 09:30 ssh_host_ecdsa_key.pub
-rw------- 1 root root 411 Mar 16 09:30 ssh_host_ed25519_key
-rw-r--r-- 1 root root 96 Mar 16 09:30 ssh_host_ed25519_key.pub
-rw------- 1 root root 2602 Mar 16 09:30 ssh_host_rsa_key
-rw-r--r-- 1 root root 568 Mar 16 09:30 ssh_host_rsa_key.pub
-rw-r----- 1 root root 3909 Jun 9 12:13 sshd_config
sles-15-sp2:/etc/ssh #

[ggbecker]

in this case it might be the lack of sle15 in this line: https://github.com/ComplianceAsCode/content/pull/10706/files#diff-8134f071ec75dfb7c90732ea670fd6786c886445158db93fd330ac26ca7a6b39R9

[ggbecker]

I hope I gave you enough guidance here. There seems to have some inconsistencies across different files that need to be fixed for SLES products.

[rumch-se]

Hello @ggbecker
With this PR https://github.com/ComplianceAsCode/content/pull/10353/files#diff-bf0e6efb88d44f16036a42436119df578d5190733c6ac8711ebd7516fd58a2bc I was trying to be more precise in oval check
Have a nice day
Rumen