SSH host keys don't exist at bootable container build time

Add warnings to rules configuring SSH host keys permissions and ownership that remediation is not possible at bootable container build time because SSH host keys are generated post-deployment (only once bootable container is booted).
ComplianceAsCode · Dec 19, 2024 · 0709b7c · 0709b7c
1 parent b4a4053
commit 0709b7c
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 0 deletions.
diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_private_key/rule.yml
@@ -31,3 +31,8 @@ template:
         file_regex:
             - ^.*_key$
         gid_or_name: '{{{ dedicated_ssh_groupname if dedicated_ssh_groupname else '0' }}}'
+
+warnings:
+    - general: |-
+        Remediation is not possible at bootable container build time because SSH host
+        keys are generated post-deployment.
diff --git a/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_groupownership_sshd_pub_key/rule.yml
@@ -30,3 +30,8 @@ template:
         file_regex:
             - ^.*\.pub$
         gid_or_name: '0'
+
+warnings:
+    - general: |-
+        Remediation is not possible at bootable container build time because SSH host
+        keys are generated post-deployment.
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_private_key/rule.yml
@@ -29,3 +29,8 @@ template:
         file_regex:
             - ^.*_key$
         fileuid: '0'
+
+warnings:
+    - general: |-
+        Remediation is not possible at bootable container build time because SSH host
+        keys are generated post-deployment.
diff --git a/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_ownership_sshd_pub_key/rule.yml
@@ -30,3 +30,8 @@ template:
         file_regex:
             - ^.*\.pub$
         fileuid: '0'
+
+warnings:
+    - general: |-
+        Remediation is not possible at bootable container build time because SSH host
+        keys are generated post-deployment.
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -66,3 +66,8 @@ ocil: |-
 fixtext: '{{{ srg_requirement_file_permission(file="/etc/ssh/*_key", mode=perms_num) }}}'
 
 srg_requirement: 'The {{{ full_namne }}} SSH private host key files must have mode {{{ perms_num }}} or less permissive.'
+
+warnings:
+    - general: |-
+        Remediation is not possible at bootable container build time because SSH host
+        keys are generated post-deployment.
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
@@ -57,3 +57,8 @@ template:
         filepath: /etc/ssh/
         file_regex: ^.*\.pub$
         filemode: '0644'
+
+warnings:
+    - general: |-
+        Remediation is not possible at bootable container build time because SSH host
+        keys are generated post-deployment.