
SSHD config tasks not as complete as they could be #66

Open
PrymalInstynct opened this issue Nov 26, 2024 · 1 comment

@PrymalInstynct (Contributor)

Describe the Issue
The sshd-related tasks rely on the rhel9stig_sshd_config_file variable, which is set to /etc/ssh/sshd_config by default, to apply all of the appropriate sshd settings. However, there is a file /etc/ssh/sshd_config.d/50-redhat.conf, installed as part of the openssh-server package, that contains the GSSAPIAuthentication and X11Forwarding sshd settings.

The file /etc/ssh/sshd_config.d/50-redhat.conf is added as an Include to the overall sshd_config because of RHEL-09-255055, which means the two settings from that file are taken into account for the overall sshd system configuration. This means the two STIGs associated with those settings are technically left open when checked using the STIG check text.

Expected Behavior
I expect every instance of GSSAPIAuthentication and X11Forwarding to be set to the appropriate value.

Actual Behavior
The GSSAPIAuthentication and X11Forwarding settings are configured correctly in /etc/ssh/sshd_config but not in /etc/ssh/sshd_config.d/50-redhat.conf.

Control(s) Affected

  • RHEL-09-255055
  • RHEL-09-255135
  • RHEL-09-255155

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: 2.17.5
  • Host Python Version: 3.9.18
  • Ansible Server Python Version: 3.12.7
  • Additional Details:

Additional Notes
None

Possible Solution

  • Option 1) Create a prelim task that searches for all possible sshd configuration files on the system and uses that variable as a way to loop through all found files to apply the settings
  • Option 2) Assume the user has their sshd configs in the default directories and create secondary tasks for each sshd_config-related task that apply the PATCH to /etc/ssh/sshd_config.d/50-redhat.conf
PrymalInstynct added the "bug" label on Nov 26, 2024
uk-bolly self-assigned this on Jan 14, 2025

@uk-bolly (Member)

hi @PrymalInstynct

Thank you as always for raising the issues along with exact information; it really does assist us to identify and work on things much quicker.
Looking at this issue in particular, I am addressing prelim as expected but the second part in a slightly different way. I am replacing all instances of the settings to be preceded with # except in the file that it's set to update. That way the setting should only exist in the file that has been specified. This still allows the user to set where they would like the setting to exist.

I hope that makes sense; I hope to have the PR raised over the next couple of days for this.

many thanks

uk-bolly
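
As an added illustration (not code from the ansible-lockdown role or from either participant) of both the STIG-style check the issue describes and the comment-out remediation uk-bolly outlines: a small POSIX-shell audit that walks sshd_config plus its Include targets, reports where a directive is active, and can silence it everywhere except the managed file. Function names and the sample paths are assumptions; it handles one level of Include, paths without whitespace, and relies on GNU sed.

```shell
# Added example for this issue, not code from the ansible-lockdown role.
# Every file sshd reads counts, not only the one rhel9stig_sshd_config_file
# points at. Assumes one Include level, no whitespace in paths, GNU sed.

# Print the main config followed by every file its Include lines pull in
# (globs expanded); relative paths resolve from the main file's directory.
sshd_config_files() {
    main_cfg=$1
    printf '%s\n' "$main_cfg"
    grep -iE '^[[:space:]]*Include[[:space:]]+' "$main_cfg" 2>/dev/null |
    while read -r _kw target; do
        case $target in /*) ;; *) target="$(dirname "$main_cfg")/$target" ;; esac
        for inc in $target; do
            if [ -f "$inc" ]; then printf '%s\n' "$inc"; fi
        done
    done
}

# Print "file:line:Directive value" for every active (uncommented) line
# that sets DIRECTIVE in any file sshd reads, the view the STIG check
# text takes when it greps all of the configuration files.
sshd_active_settings() {
    main_cfg=$1; directive=$2
    for f in $(sshd_config_files "$main_cfg"); do
        grep -niE "^[[:space:]]*${directive}[[:space:]]" "$f" | sed "s|^|$f:|"
    done
}

# Return 0 when every active occurrence of DIRECTIVE has value EXPECTED,
# otherwise print the offending lines and return 1. With the stock
# 50-redhat.conf present this fails even though sshd_config itself is right.
sshd_check_directive() {
    main_cfg=$1; directive=$2; expected=$3
    bad=$(sshd_active_settings "$main_cfg" "$directive" |
          awk -v want="$expected" 'tolower($2) != tolower(want)')
    if [ -n "$bad" ]; then printf '%s\n' "$bad"; return 1; fi
}

# Comment out DIRECTIVE in every file except KEEP, the remediation
# described above: the directive stays active only where the role sets it.
sshd_quiet_directive_elsewhere() {
    main_cfg=$1; directive=$2; keep=$3
    for f in $(sshd_config_files "$main_cfg"); do
        if [ "$f" != "$keep" ]; then
            sed -i -E "s/^([[:space:]]*)(${directive}[[:space:]])/\1#\2/I" "$f"
        fi
    done
}
```

Run `sshd_check_directive /etc/ssh/sshd_config X11Forwarding no` before and after the remediation to see the drop-in file stop counting against the control.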

uk-bolly added three commits referencing this issue on Jan 21, 2025 (each Signed-off-by: Mark Bolwell <[email protected]>)