Add rules to check sshd drop in permissions to 5.1.1

Mab879 · Mab879 · commit f0c0f936bdb0 · 2025-10-30T07:24:03.000-05:00
diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -1583,6 +1583,8 @@ controls:
           - file_groupowner_sshd_config
           - file_owner_sshd_config
           - file_permissions_sshd_config
+          - directory_permissions_sshd_config_d
+          - file_permissions_sshd_drop_in_config
 
     - id: 5.1.2
       title: Ensure access to SSH private host key files is configured (Automated)
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
@@ -124,6 +124,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
+directory_permissions_sshd_config_d
 directory_permissions_var_log_audit
 disable_host_auth
 disable_users_coredumps
@@ -217,6 +218,7 @@ file_permissions_etc_shells
 file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
+file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -56,6 +56,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
+directory_permissions_sshd_config_d
 disable_host_auth
 disable_users_coredumps
 ensure_gpgcheck_globally_activated
@@ -140,6 +141,7 @@ file_permissions_etc_shells
 file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
+file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -54,6 +54,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
+directory_permissions_sshd_config_d
 disable_host_auth
 disable_users_coredumps
 ensure_gpgcheck_globally_activated
@@ -138,6 +139,7 @@ file_permissions_etc_shells
 file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
+file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -124,6 +124,7 @@ dconf_gnome_screensaver_lock_delay
 dconf_gnome_screensaver_user_locks
 dconf_gnome_session_idle_user_locks
 dir_perms_world_writable_sticky_bits
+directory_permissions_sshd_config_d
 directory_permissions_var_log_audit
 disable_host_auth
 disable_users_coredumps
@@ -217,6 +218,7 @@ file_permissions_etc_shells
 file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
+file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
