From 364fa47cf4460a00f44e550d727d331e9d3a144e Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 4 Dec 2024 09:06:19 +0100
Subject: [PATCH 1/2] Add rules and vars to ubuntu2404 CIS control 5.1.16

---
 controls/cis_ubuntu2404.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index a2f073cd94c..eca4dba6185 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1684,11 +1684,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - sshd_max_auth_tries_value=4
 - sshd_set_max_auth_tries
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.2.18.
+ status: automated
 
 - id: 5.1.17
 title: Ensure sshd MaxSessions is configured (Automated)

From ee5a620d4ac2e368189ac354d3d8a307382b5192 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Wed, 4 Dec 2024 09:07:26 +0100
Subject: [PATCH 2/2] Extend tests for sshd_set_max_auth_tries

Rule is not using the template oval because it requires checking if value is in interval. Tests for this logic were missing.
---
 .../tests/correct_value_equals.pass.sh | 9 +++++++++
 .../tests/wrong_value_less_than_0.fail.sh | 9 +++++++++
 .../tests/wrong_value_more_than.fail.sh | 9 +++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_equals.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_less_than_0.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_more_than.fail.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_equals.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_equals.pass.sh
new file mode 100644
index 00000000000..e417df94d3d
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/correct_value_equals.pass.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# variables = sshd_max_auth_tries_value=4
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then
+ sed -i "s/^MaxAuthTries.*/MaxAuthTries 4/" $SSHD_CONFIG
+else
+ echo "MaxAuthTries 4" >> $SSHD_CONFIG
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_less_than_0.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_less_than_0.fail.sh
new file mode 100644
index 00000000000..e4f53b46b09
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_less_than_0.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# variables = sshd_max_auth_tries_value=4
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then
+ sed -i "s/^MaxAuthTries.*/MaxAuthTries 0/" $SSHD_CONFIG
+else
+ echo "MaxAuthTries 0" >> $SSHD_CONFIG
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_more_than.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_more_than.fail.sh
new file mode 100644
index 00000000000..625197228b5
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/tests/wrong_value_more_than.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# variables = sshd_max_auth_tries_value=4
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+if grep -q "^MaxAuthTries" $SSHD_CONFIG; then
+ sed -i "s/^MaxAuthTries.*/MaxAuthTries 1000/" $SSHD_CONFIG
+else
+ echo "MaxAuthTries 1000" >> $SSHD_CONFIG
+fi
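Review bot: The `grep -q "^MaxAuthTries"` guard in correct_value_equals.pass.sh only matches a directive at column 0 in that exact casing, while sshd keywords are case-insensitive and may be indented, so a pre-existing `maxauthtries` or indented line survives and a second directive is appended; sshd honours the first value it reads, which can silently invert the scenario. The same guard appears in wrong_value_less_than_0.fail.sh and wrong_value_more_than.fail.sh. A more robust pair is `if grep -qiE "^[[:space:]]*MaxAuthTries" "$SSHD_CONFIG"; then` with `sed -i -E "s/^[[:space:]]*MaxAuthTries.*/MaxAuthTries 4/I" "$SSHD_CONFIG"` (GNU sed's `I` flag, acceptable for a Linux-only platform). On images whose stock sshd_config starts with an `Include` of drop-in files — Ubuntu 24.04, the target of the first patch, is one — a MaxAuthTries in a drop-in would likely take precedence over the value appended here, so the scenario should state that assumption in a comment or neutralise such drop-ins if the test image ships any.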
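Review bot: wrong_value_less_than_0.fail.sh writes `MaxAuthTries 0`, which is zero rather than a value below 0, so the file name does not describe the boundary it exercises. Either rename it to reflect a zero scenario or add a separate negative-value scenario (if sshd accepts one) so both the lower edge and the out-of-interval side described in the commit message are covered. A header comment stating the expected outcome, `# MaxAuthTries 0 is below the allowed interval; the rule must fail`, would make the intent readable without consulting the OVAL.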