Add rules to check sshd drop in permissions and ownership to 5.1.1

Mab879 · Mab879 · commit 12fdee195caa · 2025-10-30T11:52:11.000-05:00
diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -1583,6 +1583,12 @@ controls:
           - file_groupowner_sshd_config
           - file_owner_sshd_config
           - file_permissions_sshd_config
+          - directory_permissions_sshd_config_d
+          - file_permissions_sshd_drop_in_config
+          - directory_groupowner_sshd_config_d
+          - directory_owner_sshd_config_d
+          - file_groupowner_sshd_drop_in_config
+          - file_owner_sshd_drop_in_config
 
     - id: 5.1.2
       title: Ensure access to SSH private host key files is configured (Automated)
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
@@ -124,6 +124,9 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
+directory_groupowner_sshd_config_d
+directory_owner_sshd_config_d
+directory_permissions_sshd_config_d
 directory_permissions_var_log_audit
 disable_host_auth
 disable_users_coredumps
@@ -157,6 +160,7 @@ file_groupowner_etc_shadow
 file_groupowner_etc_shells
 file_groupowner_grub2_cfg
 file_groupowner_sshd_config
+file_groupowner_sshd_drop_in_config
 file_groupowner_user_cfg
 file_groupownership_audit_binaries
 file_groupownership_audit_configuration
@@ -184,6 +188,7 @@ file_owner_etc_shadow
 file_owner_etc_shells
 file_owner_grub2_cfg
 file_owner_sshd_config
+file_owner_sshd_drop_in_config
 file_owner_user_cfg
 file_ownership_audit_binaries
 file_ownership_audit_configuration
@@ -217,6 +222,7 @@ file_permissions_etc_shells
 file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
+file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -56,6 +56,9 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
+directory_groupowner_sshd_config_d
+directory_owner_sshd_config_d
+directory_permissions_sshd_config_d
 disable_host_auth
 disable_users_coredumps
 ensure_gpgcheck_globally_activated
@@ -87,6 +90,7 @@ file_groupowner_etc_shadow
 file_groupowner_etc_shells
 file_groupowner_grub2_cfg
 file_groupowner_sshd_config
+file_groupowner_sshd_drop_in_config
 file_groupowner_user_cfg
 file_groupownership_sshd_private_key
 file_groupownership_sshd_pub_key
@@ -112,6 +116,7 @@ file_owner_etc_shadow
 file_owner_etc_shells
 file_owner_grub2_cfg
 file_owner_sshd_config
+file_owner_sshd_drop_in_config
 file_owner_user_cfg
 file_ownership_home_directories
 file_ownership_sshd_private_key
@@ -140,6 +145,7 @@ file_permissions_etc_shells
 file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
+file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -54,6 +54,9 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
+directory_groupowner_sshd_config_d
+directory_owner_sshd_config_d
+directory_permissions_sshd_config_d
 disable_host_auth
 disable_users_coredumps
 ensure_gpgcheck_globally_activated
@@ -85,6 +88,7 @@ file_groupowner_etc_shadow
 file_groupowner_etc_shells
 file_groupowner_grub2_cfg
 file_groupowner_sshd_config
+file_groupowner_sshd_drop_in_config
 file_groupowner_user_cfg
 file_groupownership_sshd_private_key
 file_groupownership_sshd_pub_key
@@ -110,6 +114,7 @@ file_owner_etc_shadow
 file_owner_etc_shells
 file_owner_grub2_cfg
 file_owner_sshd_config
+file_owner_sshd_drop_in_config
 file_owner_user_cfg
 file_ownership_home_directories
 file_ownership_sshd_private_key
@@ -138,6 +143,7 @@ file_permissions_etc_shells
 file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
+file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -124,6 +124,9 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
+directory_groupowner_sshd_config_d
+directory_owner_sshd_config_d
+directory_permissions_sshd_config_d
 directory_permissions_var_log_audit
 disable_host_auth
 disable_users_coredumps
@@ -157,6 +160,7 @@ file_groupowner_etc_shadow
 file_groupowner_etc_shells
 file_groupowner_grub2_cfg
 file_groupowner_sshd_config
+file_groupowner_sshd_drop_in_config
 file_groupowner_user_cfg
 file_groupownership_audit_binaries
 file_groupownership_audit_configuration
@@ -184,6 +188,7 @@ file_owner_etc_shadow
 file_owner_etc_shells
 file_owner_grub2_cfg
 file_owner_sshd_config
+file_owner_sshd_drop_in_config
 file_owner_user_cfg
 file_ownership_audit_binaries
 file_ownership_audit_configuration
@@ -217,6 +222,7 @@ file_permissions_etc_shells
 file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
+file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
