Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries

[ggbecker]

Description:

• Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries.
  • The OVAL doesn't work in offline mode and it was the last rule that was
    still using this extended check. All other templated rules check if the
    package is installed instead.

Rationale:

• Fixes Set SSH authentication attempt limit errors out in offline mode #9343

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

OVAL definition oval:ssg-sshd_set_max_auth_tries:def:1 differs:
--- old datastream
+++ new datastream
- extend_definition oval:ssg-service_sshd_disabled:def:1
+ criteria AND
+ extend_definition oval:ssg-sshd_not_required_or_unset:def:1
+ extend_definition oval:ssg-package_openssh-server_removed:def:1
+ criteria AND
+ extend_definition oval:ssg-sshd_required_or_unset:def:1
+ extend_definition oval:ssg-package_openssh-server_installed:def:1

[codeclimate]

Code Climate has analyzed commit c865809 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 42.7% (0.0% change).

View more on Code Climate.

[openshift-ci]

@ggbecker: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-rhcos4-moderate	c865809	link	true	/test e2e-aws-rhcos4-moderate
ci/prow/e2e-aws-rhcos4-high	c865809	link	true	/test e2e-aws-rhcos4-high

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[jan-cerny]

The reason of the problem of Ansible remediation is that the generated playbook contains tests for container environment and the tasks are skipped if the tests are run in container and we use container back ends in our GitHub Actions jobs. When I execute the tests locally they pass:

[jcerny@thinkpad scap-security-guide{pr/9344}]$ python3 tests/automatus.py rule --remediate-using ansible --libvirt qemu:///system ssgts_rhel8 sshd_set_max_auth_tries
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2022-08-16-0933/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_less_than.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK