Describe the Issue
Control 4.2.12 gets a "FAIL" result from CIS, because it does not comply with its requirements.
Expected Behavior
In its "Assessment" section CIS checks the compliance of this rule with a script and by looking at certain files. The files that are checked by CIS are the /etc/ssh/sshd_config file and all of the files ending in .conf from this path: /etc/ssh/sshd_config.d/. If all of these files are edited accordingly, the rule passes.
Actual Behavior
The rule edits only the file mentioned in the amzn2023cis_sshd_config_file variable. In this case it only edits the /etc/ssh/sshd_config file, which causes the rule to fail!
Control(s) Affected
4.2.12 Ensure SSH X11 forwarding is disabled
Environment (please complete the following information):
branch being used: [e.g. devel]
Additional Notes
The fix provided for this control can be applied to all of the rules in section 4.2.x that have the same assessment method!
Possible Solution
As a solution, two preliminary tasks can be created: one that identifies the .conf files in /etc/ssh/sshd_config.d/ and one that identifies the main configuration file. Both tasks register the files they find. Using these registered results, the rule's task can be rewritten to ensure that the needed line is added to every file checked by CIS.
This solution will be presented in a PR.
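The approach outlined above as an added Ansible example (not the PR's code and not the role's own tasks): the amzn2023cis_sshd_config_file variable is the one named in this issue, while the task names and the sshd_dropin_files / sshd_config_files names are assumptions.

```yaml
# Added example, not the project's own code. Only amzn2023cis_sshd_config_file
# comes from the issue; register/fact names below are assumed.
- name: "4.2.12 | PATCH | Find sshd drop-in files that CIS also inspects"
  ansible.builtin.find:
    paths: /etc/ssh/sshd_config.d
    patterns: "*.conf"
  register: sshd_dropin_files

- name: "4.2.12 | PATCH | Build the full list of files CIS checks"
  ansible.builtin.set_fact:
    # main config file first, then every *.conf found in sshd_config.d
    sshd_config_files: >-
      {{ [amzn2023cis_sshd_config_file]
         + (sshd_dropin_files.files | map(attribute='path') | list) }}

- name: "4.2.12 | PATCH | Ensure SSH X11 forwarding is disabled in every file"
  ansible.builtin.lineinfile:
    path: "{{ item }}"
    # matches an active or commented-out X11Forwarding line and rewrites it
    regexp: '^(#\s*)?X11Forwarding'
    line: 'X11Forwarding no'
  loop: "{{ sshd_config_files }}"
  # sshd must be restarted (via the role's handler) for the change to apply
```

Because sshd keeps the first value it reads for a keyword, an `X11Forwarding yes` in any included .conf file would win over the main file's setting; rewriting every file, as the CIS assessment expects, removes that ambiguity.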