ComplianceAsCode · jan-cerny · Aug 13, 2019 · Aug 12, 2019 · Aug 12, 2019
diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile
@@ -103,6 +103,7 @@ selections:
     - login_banner_text=usgcb_default
     - sshd_enable_warning_banner
     - banner_etc_issue
+    - sshd_rekey_limit
     - dconf_gnome_banner_enabled
     - dconf_gnome_login_banner_text
     - audit_rules_login_events_faillock

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+title: 'Force frequent session key renegotiation'
+
+description: |-
+    The <tt>RekeyLimit</tt> parameter specifies how often
+    the session key of the is renegotiated, both in terms of
+    amount of data that may be transmitted and the time
+    elapsed. To decrease the default limits, put line
+    <tt>RekeyLimit 512M 1h</tt> to file <tt>/etc/ssh/sshd_config</tt>.
+
+rationale: |-
+    By decreasing the limit based on the amount of data and enabling
+    time-based limit, effects of potential attacks against
+    encryption keys are limited.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82177-7
+
+references:
+    ospp: FCS_SSHS_EXT.1
+
+ocil_clause: 'it is commented out or is not set'
+
+ocil: |-
+    To check if RekeyLimit is set correctly, run the
+    following command:
+    <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
+    If configured properly, output should be
+    <pre>RekeyLimit 512M 1h</pre>
diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile
@@ -100,6 +100,7 @@ selections:
     - login_banner_text=usgcb_default
     - sshd_enable_warning_banner
     - banner_etc_issue
+    - sshd_rekey_limit
     - dconf_gnome_banner_enabled
     - dconf_gnome_login_banner_text
     - audit_rules_login_events_faillock

diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
@@ -996,8 +996,8 @@ selections:
     ## TO DO: https://github.com/ComplianceAsCode/content/issues/4466
     #sed -i "/ed25519/s/HostKey/#HostKey/" $CONFIG
 
-    ## TO DO: https://github.com/ComplianceAsCode/content/issues/4467
-    #sed -i "s/#RekeyLimit default none/RekeyLimit 512M/" $CONFIG
+    ## Force frequent session key renegotiation
+    - sshd_rekey_limit
 
     ## Disable SSH Root Login
     - sshd_disable_root_login

diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
@@ -130,7 +130,7 @@
 {{%- if multi_value -%}}
 {{%- set group_regex = "([^#]*).*$" -%}}
 {{%- else -%}}
-{{%- set group_regex = "(\S*)[ \\t]*(?:|(?:#.*))?$" -%}}
+{{%- set group_regex = "(.+?)[ \\t]*(?:$|#)" -%}}
 {{%- endif -%}}
 {{%- if section %}}
 {{%- set common_regex = "^\s*\["+section+"\].*(?:\\n\s*[^[\s].*)*\\n"+prefix_regex+parameter+separator_regex -%}}

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -9,7 +9,6 @@ CCE-82172-8
 CCE-82173-6
 CCE-82174-4
 CCE-82175-1
-CCE-82177-7
 CCE-82178-5
 CCE-82179-3
 CCE-82180-1

diff --git a/shared/templates/csv/sshd_lineinfile.csv b/shared/templates/csv/sshd_lineinfile.csv
@@ -14,3 +14,4 @@ sshd_enable_x11_forwarding,X11Forwarding,yes,false
 sshd_print_last_log,PrintLastLog,yes,true
 sshd_set_loglevel_info,LogLevel,INFO,true
 sshd_use_priv_separation,UsePrivilegeSeparation,sandbox,false
+sshd_rekey_limit,RekeyLimit,512M 1h,false