From a3a2b43121d7a01fcb02e5246481817b677d586b Mon Sep 17 00:00:00 2001
From: Adrian Mlodzianowski
Date: Fri, 8 Jan 2021 13:43:10 -0800
Subject: [PATCH] fix(5.2.2): ensured correct host key permissions are checked on RedHat systems

on-behalf-of: @Logicworks
Signed-off-by: Adrian Mlodzianowski
---
 controls/5_2_ssh_server_configuration.rb | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/controls/5_2_ssh_server_configuration.rb b/controls/5_2_ssh_server_configuration.rb
index 224a590..14cb4d8 100644
--- a/controls/5_2_ssh_server_configuration.rb
+++ b/controls/5_2_ssh_server_configuration.rb
@@ -59,15 +59,16 @@
 tag cis: 'distribution-independent-linux:5.2.2'
 tag level: 1
 
+ expected_gid = 0
+ expected_gid = 995 if os.redhat?
+
+ expected_perms = '0600'
+ expected_perms = '0640' if os.redhat?
+
 command('find /etc/ssh -xdev -type f -name "ssh_host_*_key"').stdout.split.each do |f|
 describe file(f) do
- it { should_not be_readable.by 'group' }
- it { should_not be_writable.by 'group' }
- it { should_not be_executable.by 'group' }
- it { should_not be_readable.by 'other' }
- it { should_not be_writable.by 'other' }
- it { should_not be_executable.by 'other' }
- its('gid') { should cmp 0 }
+ it { should_not be_more_permissive_than(expected_perms) }
+ its('gid') { should cmp expected_gid }
 its('uid') { should cmp 0 }
 end
 end
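Review bot: The RedHat branch pins the host key group to the numeric GID 995 (`expected_gid = 995 if os.redhat?`), but a system group's GID is assigned at package install time and is not guaranteed to be 995 on every redhat-family host, so the check can fail on a correctly configured machine or, where 995 happens to belong to a different group, accept 0640 keys that are readable by that unrelated group. The intent appears to be the `ssh_keys` group, and comparing the group name is both portable and tighter: `expected_group = os.redhat? ? 'ssh_keys' : 'root'` together with `its('group') { should cmp expected_group }` in place of the gid line. The `0640` relaxation is only acceptable in combination with that group check, and since the control is tagged with the distribution-independent benchmark, a short comment explaining the exemption (`# RedHat-family packages ship host keys as root:ssh_keys 0640`) would help the next maintainer judge whether the deviation still holds. The enclosing control block starts and ends outside the hunk.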