
SLE16 check permissions /usr/etc/ssh/sshd_config #14439

Open
teacup-on-rockingchair wants to merge 4 commits into ComplianceAsCode:master from teacup-on-rockingchair:sle16_file_permissions_sshd_config

Conversation

@teacup-on-rockingchair
Contributor

Description:

  • A vanilla installation of sshd on SLE16 might have only the /usr/etc/ssh/sshd_config configuration file

Rationale:

  • Make sure the OVAL check handles the permissions of the /usr/etc/ssh/sshd_config file, together with /etc/ssh/sshd_config
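The situation the description is about, as an added shell example that is not the PR's own OVAL content: a permission check that walks both candidate locations of the main sshd configuration, treats an absent candidate as not applicable (so a SLE16 host that only ships /usr/etc/ssh/sshd_config is not flagged for the missing /etc copy) and fails only when a file that does exist is readable by group or others. The candidate path list and the function names are assumptions; GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode project code): report whether every
# existing sshd main configuration file is owner-only (mode 0600 or stricter).
# Assumes GNU `stat -c %a`.

# Candidate locations for the main sshd configuration file (assumed list;
# on SLE16 a vanilla install may only have the /usr/etc one).
SSHD_CONFIG_CANDIDATES="/etc/ssh/sshd_config /usr/etc/ssh/sshd_config"

# mode_is_owner_only MODE: MODE is the octal string printed by `stat -c %a`
# (e.g. 600, 644, 4755). Returns 0 when no group/other bits are set,
# i.e. (MODE & 0077) == 0, and 1 otherwise.
mode_is_owner_only() {
    [ $(( 0$1 & 0077 )) -eq 0 ]
}

# check_sshd_config_perms PATH...: examines each path that exists and prints
# one PASS/FAIL line per file. Exit status:
#   0  every existing candidate is owner-only
#   1  at least one existing candidate is too permissive
#   2  none of the candidates exist (nothing to check)
check_sshd_config_perms() {
    found=0
    bad=0
    for f in "$@"; do
        [ -e "$f" ] || continue          # absent candidate: not a finding
        found=1
        mode=$(stat -c '%a' "$f")
        if mode_is_owner_only "$mode"; then
            echo "PASS $f mode $mode"
        else
            echo "FAIL $f mode $mode (expected 0600 or stricter)"
            bad=1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$bad"
}

# Usage on a live host (unquoted on purpose so the list splits into paths):
#   check_sshd_config_perms $SSHD_CONFIG_CANDIDATES
```

Exit status 2 is kept separate from 1 so a caller can distinguish "no sshd configuration at all" from "configuration present but too open"; a compliance scanner would normally map the former to not applicable rather than to fail.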

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress label (Used by openshift-ci bot.) Feb 23, 2026

openshift-ci Bot commented Feb 23, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@teacup-on-rockingchair teacup-on-rockingchair added the SLES (SUSE Linux Enterprise Server product related.), Update Template (Issues or pull requests related to Templates updates.) and Update Rule (Issues or pull requests related to Rules updates.) labels and removed the Update Template label Feb 23, 2026
@teacup-on-rockingchair teacup-on-rockingchair added this to the 0.1.81 milestone Feb 23, 2026
@svet-se svet-se self-assigned this Feb 24, 2026
@teacup-on-rockingchair teacup-on-rockingchair marked this pull request as ready for review February 26, 2026 04:55
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress label (Used by openshift-ci bot.) Feb 26, 2026
@teacup-on-rockingchair teacup-on-rockingchair force-pushed the sle16_file_permissions_sshd_config branch from de0d35d to 5d7ac3a March 16, 2026 10:16
@Arden97 Arden97 modified the milestones: 0.1.81, 0.1.82 May 20, 2026
@teacup-on-rockingchair teacup-on-rockingchair force-pushed the sle16_file_permissions_sshd_config branch from 5d7ac3a to 4b2936b May 24, 2026 07:32

github-actions Bot commented May 24, 2026

This datastream diff is auto generated by the check Compare DS/Generate Diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
+++ xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
@@ -170,6 +170,24 @@
   - no_reboot_needed
   - rsyslog_cron_logging
 
+- name: Ensure cron Is Logging To Rsyslog - Check if /etc/rsyslog.conf exists
+  ansible.builtin.stat:
+    path: /etc/rsyslog.conf
+  register: _config_file_exists
+  when:
+  - '"kernel-core" in ansible_facts.packages'
+  - '"rsyslog" in ansible_facts.packages'
+  tags:
+  - CCE-80859-2
+  - DISA-STIG-RHEL-08-030010
+  - NIST-800-53-CM-6(a)
+  - configure_strategy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - rsyslog_cron_logging
+
 - name: Ensure cron Is Logging To Rsyslog - Check if the parameter cron.* is configured
     correctly in /etc/rsyslog.conf
   ansible.builtin.lineinfile:
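Review bot: if this stat task is skipped (either package condition false), `_config_file_exists` is registered as a skipped result with no `stat` attribute, so the later `when: _config_file_exists.stat.exists` only works because Ansible stops evaluating the `when` list at the first false package condition; writing it as `_config_file_exists.stat.exists | default(false)` would make that gate independent of condition ordering. The PR description should also explain why a change scoped to SLE16 sshd_config permissions alters the rendered remediation of a RHEL-tagged rule (CCE-80859-2, DISA-STIG-RHEL-08-030010); presumably a shared template or macro changed, and reviewers of the rsyslog rules need to know that.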
@@ -182,6 +200,7 @@
   when:
   - '"kernel-core" in ansible_facts.packages'
   - '"rsyslog" in ansible_facts.packages'
+  - _config_file_exists.stat.exists
   tags:
   - CCE-80859-2
   - DISA-STIG-RHEL-08-030010
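Review bot: skipping this lineinfile check when /etc/rsyslog.conf is absent turns `_config_file_correctly` into a skipped result without a `found` attribute, so every later expression that reads `_config_file_correctly.found` must be guarded. The task that registers `_config_file_has_parameter` (also read as `_config_file_has_parameter.found | int` in the final condition) is not shown in these hunks; confirm it received the same `_config_file_exists.stat.exists` gate, otherwise it will still fail on the missing file.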
@@ -257,6 +276,7 @@
   when:
   - '"kernel-core" in ansible_facts.packages'
   - '"rsyslog" in ansible_facts.packages'
+  - _config_file_correctly is not skipped
   - (_config_file_correctly.found == 0 and _config_dir_correctly.matched == 0) or
     ((_config_file_has_parameter.found | int) + (_config_dir_has_parameter.matched
     | int)) != 1
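Review bot: making `_config_file_correctly is not skipped` a hard precondition means a host with no /etc/rsyslog.conf never runs this remediation at all, so the cron.* directive is written neither to the main file nor to a drop-in under the rsyslog.d directory. If "no main rsyslog.conf" is meant to be treated as not applicable, state that in the rule description; if not, a skipped main-file check should fall through to the drop-in branch (`_config_dir_correctly.matched == 0`) rather than abort. Note also that `is not skipped` must stay before the `.found` reads in this list, since the list is evaluated in order and the later terms are undefined when the check was skipped.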

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
@@ -134,6 +134,25 @@
   - no_reboot_needed
   - rsyslog_encrypt_offload_actionsendstreamdriverauthmode
 
+- name: Ensure Rsyslog Authenticates Off-Loaded Audit Records - Check if /etc/rsyslog.conf
+    exists
+  ansible.builtin.stat:
+    path: /etc/rsyslog.conf
+  register: _config_file_exists
+  when:
+  - '"kernel-core" in ansible_facts.packages'
+  - '"rsyslog" in ansible_facts.packages'
+  tags:
+  - CCE-86339-9
+  - DISA-STIG-RHEL-08-030720
+  - NIST-800-53-AU-4(1)
+  - configure_strategy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+
 - name: Ensure Rsyslog Authenticates Off-Loaded Audit Records - Check if the parameter
     $ActionSendStreamDriverAuthMode is configured correctly in /etc/rsyslog.conf
   ansible.builtin.lineinfile:
@@ -146,6 +165,7 @@
   when:
   - '"kernel-core" in ansible_facts.packages'
   - '"rsyslog" in ansible_facts.packages'
+  - _config_file_exists.stat.exists
   tags:
   - CCE-86339-9
   - DISA-STIG-RHEL-08-030720
@@ -221,6 +241,7 @@
   when:
   - '"kernel-core" in ansible_facts.packages'
   - '"rsyslog" in ansible_facts.packages'
+  - _config_file_correctly is not skipped
   - (_config_file_correctly.found == 0 and _config_dir_correctly.matched == 0) or
     ((_config_file_has_parameter.found | int) + (_config_dir_has_parameter.matched
     | int)) != 1
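Review bot: same concern as for the identical change in rsyslog_cron_logging: with `_config_file_correctly is not skipped` as a precondition, a host without /etc/rsyslog.conf is never remediated for $ActionSendStreamDriverAuthMode, not even via a drop-in file; either document that a missing main file is not applicable for this rule or let the skipped check fall through to the drop-in branch.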

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
@@ -134,6 +134,25 @@
   - no_reboot_needed
   - rsyslog_encrypt_offload_actionsendstreamdrivermode
 
+- name: Ensure Rsyslog Encrypts Off-Loaded Audit Records - Check if /etc/rsyslog.conf
+    exists
+  ansible.builtin.stat:
+    path: /etc/rsyslog.conf
+  register: _config_file_exists
+  when:
+  - '"kernel-core" in ansible_facts.packages'
+  - '"rsyslog" in ansible_facts.packages'
+  tags:
+  - CCE-86098-1
+  - DISA-STIG-RHEL-08-030710
+  - NIST-800-53-AU-4(1)
+  - configure_strategy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - rsyslog_encrypt_offload_actionsendstreamdrivermode
+
 - name: Ensure Rsyslog Encrypts Off-Loaded Audit Records - Check if the parameter
     $ActionSendStreamDriverMode is configured correctly in /etc/rsyslog.conf
   ansible.builtin.lineinfile:
@@ -146,6 +165,7 @@
   when:
   - '"kernel-core" in ansible_facts.packages'
   - '"rsyslog" in ansible_facts.packages'
+  - _config_file_exists.stat.exists
   tags:
   - CCE-86098-1
   - DISA-STIG-RHEL-08-030710
@@ -221,6 +241,7 @@
   when:
   - '"kernel-core" in ansible_facts.packages'
   - '"rsyslog" in ansible_facts.packages'
+  - _config_file_correctly is not skipped
   - (_config_file_correctly.found == 0 and _config_dir_correctly.matched == 0) or
     ((_config_file_has_parameter.found | int) + (_config_dir_has_parameter.matched
     | int)) != 1
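Review bot: same as the rsyslog_cron_logging change: a skipped main-file check now aborts the $ActionSendStreamDriverMode remediation entirely instead of falling back to the drop-in path, so hosts that only carry rsyslog.d drop-ins are left unremediated; say whether that is intended.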

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
@@ -134,6 +134,25 @@
   - no_reboot_needed
   - rsyslog_encrypt_offload_defaultnetstreamdriver
 
+- name: Ensure Rsyslog Encrypts Off-Loaded Audit Records - Check if /etc/rsyslog.conf
+    exists
+  ansible.builtin.stat:
+    path: /etc/rsyslog.conf
+  register: _config_file_exists
+  when:
+  - '"kernel-core" in ansible_facts.packages'
+  - '"rsyslog" in ansible_facts.packages'
+  tags:
+  - CCE-85992-6
+  - DISA-STIG-RHEL-08-030710
+  - NIST-800-53-AU-4(1)
+  - configure_strategy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - no_reboot_needed
+  - rsyslog_encrypt_offload_defaultnetstreamdriver
+
 - name: Ensure Rsyslog Encrypts Off-Loaded Audit Records - Check if the parameter
     $DefaultNetstreamDriver is configured correctly in /etc/rsyslog.conf
   ansible.builtin.lineinfile:
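Review bot: the new task name "Ensure Rsyslog Encrypts Off-Loaded Audit Records - Check if /etc/rsyslog.conf exists" is identical to the one added for rsyslog_encrypt_offload_actionsendstreamdrivermode, and both rules carry DISA-STIG-RHEL-08-030710, so play output cannot tell the two stat tasks apart when both rules run; include the parameter being checked ($DefaultNetstreamDriver here) in the task name, as the existing "Check if the parameter ... is configured correctly" task already does.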
@@ -146,6 +165,7 @@
   when:
   - '"kernel-core" in ansible_facts.packages'
   - '"rsyslog" in ansible_facts.packages'
+  - _config_file_exists.stat.exists
   tags:
   - CCE-85992-6
   - DISA-STIG-RHEL-08-030710
@@ -221,6 +241,7 @@
   when:
   - '"kernel-core" in ansible_facts.packages'
   - '"rsyslog" in ansible_facts.packages'
+  - _config_file_correctly is not skipped
   - (_config_file_correctly.found == 0 and _config_dir_correctly.matched == 0) or
     ((_config_file_has_parameter.found | int) + (_config_dir_has_parameter.matched
     | int)) != 1
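Review bot: as in the other three rsyslog rules in this diff, the `_config_file_correctly is not skipped` precondition means a host without /etc/rsyslog.conf gets no $DefaultNetstreamDriver remediation at all; the four rules should agree on one documented behaviour for the missing-file case (not applicable versus drop-in fallback), and the gate should be placed before any `.found` read, as it is here.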

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
@@ -2,6 +2,9 @@
 if rpm --quiet -q kernel-core; then
 
 sshd_strong_kex=''
+
+
+
 
 if [ -e "/etc/ssh/sshd_config" ] ; then
     LC_ALL=C sed -i "/^\s*KexAlgorithms\s\+/Id" "/etc/ssh/sshd_config"
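Review bot: this hunk adds nothing but three blank lines after `sshd_strong_kex=''`, which looks like a template block that now renders empty for this product; trim it with Jinja whitespace control (`{%-` / `-%}`) so the generated bash does not change and stop showing up in every datastream diff for unrelated rules.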

- sle16 OVAL is removed and a test checking that the main config file exists is added
- tests checking /usr/etc/ssh stuff are removed and tests use sshd_main_config_file and sshd_config_dir
- ansible: copy distro defaults and remove Include /usr/etc/ssh/sshd_config.d/*.conf from the main config
- bash: copy distro defaults and remove Include /usr/etc/ssh/sshd_config.d/*.conf from the main config
- removed no longer needed tests checking /usr/etc/ssh stuff
- tests now use sshd_main_config_file and sshd_config_dir (Oracle-specific tests remain unchanged)
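The bash remediation step summarised above (copy the distro default into place and drop the vendor Include line), reconstructed here as an added example that is not the PR's own remediation code: when the administrator-owned main config is missing, the function copies /usr/etc/ssh/sshd_config to /etc/ssh/sshd_config under a restrictive umask, deletes the `Include /usr/etc/ssh/sshd_config.d/*.conf` line so the copy no longer pulls in the vendor drop-in directory, and leaves the file at mode 0600. Both paths are parameters so it can run against a scratch tree; the defaults, the function name and the exact Include pattern are assumptions taken from the PR text. GNU sed (`-i`, `\+`, the `I` address flag, as used by the existing sshd remediation in the diff) is assumed.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode project code. Assumes GNU sed and coreutils.

# ensure_main_sshd_config [MAIN] [DISTRO_DEFAULT]
#   MAIN            the admin-owned main config (default /etc/ssh/sshd_config)
#   DISTRO_DEFAULT  the vendor-shipped one (default /usr/etc/ssh/sshd_config)
# Exit status: 0 when MAIN exists afterwards, 1 when neither file exists.
ensure_main_sshd_config() {
    main="${1:-/etc/ssh/sshd_config}"
    distro="${2:-/usr/etc/ssh/sshd_config}"
    # Matches the vendor Include line from the PR description, with optional
    # surrounding whitespace; slashes are escaped for use as a sed address.
    include_re='^[[:space:]]*Include[[:space:]]\+\/usr\/etc\/ssh\/sshd_config\.d\/\*\.conf[[:space:]]*$'

    if [ -e "$main" ]; then
        echo "present: $main"
        return 0
    fi
    if [ ! -e "$distro" ]; then
        echo "neither $main nor $distro exists" >&2
        return 1
    fi

    mkdir -p "$(dirname "$main")"
    # The umask keeps the new file owner-only from the moment it is created,
    # so there is no window in which a group/world-readable copy exists.
    ( umask 077 && cp "$distro" "$main" ) || return 1
    # Remove the vendor Include so the copied main config stands on its own;
    # the distro default under /usr/etc is left untouched.
    LC_ALL=C sed -i "/$include_re/Id" "$main"
    chmod 0600 "$main"
    echo "created: $main (from $distro)"
}

# Usage on a live host:
#   ensure_main_sshd_config
```

Running this before a permission check (or the Ansible equivalent described above it) is what makes a "check /etc/ssh/sshd_config is 0600" rule meaningful on a SLE16 host that initially has no /etc copy at all.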
@teacup-on-rockingchair teacup-on-rockingchair force-pushed the sle16_file_permissions_sshd_config branch from 4b2936b to f2d2f82 May 27, 2026 08:22

openshift-ci Bot commented May 27, 2026

@teacup-on-rockingchair: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-openshift-node-compliance | f2d2f82 | link | true | /test e2e-aws-openshift-node-compliance |
| ci/prow/e2e-aws-openshift-platform-compliance | f2d2f82 | link | true | /test e2e-aws-openshift-platform-compliance |

