[CMP-3916] Test purpose only

linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/ansible/shared.yml

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_sshd_remediation(parameter="GSSAPIAuthentication", value="no", config_is_distributed=false) }}}

linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/bash/shared.sh

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_sshd_remediation(parameter="GSSAPIAuthentication", value="no", config_is_distributed="false") }}}

linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/kubernetes/shared.yml

@@ -0,0 +1,15 @@
+# platform = multi_platform_ocp,multi_platform_rhcos
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# Remove any old dropin configs that may have been created
+{{{ kubernetes_sshd_remove_dropin('00-complianceascode-GSSAPIAuthentication.conf') }}}
+---
+{{{ kubernetes_sshd_remove_dropin('01-complianceascode-reinforce-os-defaults.conf') }}}
+---
+{{{ kubernetes_sshd_remove_dropin('75-complianceascode-sshd_disable_gssapi_auth.conf') }}}
+---
+# Modify the main sshd_config file directly (no version restriction)
+{{{ kubernetes_sshd_set(ocp_version_range='') }}}

linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/oval/shared.xml

@@ -0,0 +1,68 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    <metadata>
+      <title>Disable GSSAPI Authentication</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Ensure 'GSSAPIAuthentication' is configured with value 'no' in /etc/ssh/sshd_config</description>
+    </metadata>
+    <criteria comment="sshd is configured correctly or is not installed" operator="OR">
+      <criteria comment="sshd is not installed" operator="AND">
+        <extend_definition comment="sshd is not required or requirement is unset"
+          definition_ref="sshd_not_required_or_unset" />
+        {{% if product == "sle12" %}}
+        <extend_definition definition_ref="package_openssh_removed"
+          comment="rpm package openssh removed"/>
+        {{% else %}}
+        <extend_definition comment="rpm package openssh-server removed"
+          definition_ref="package_openssh-server_removed" />
+        {{% endif %}}
+      </criteria>
+      <criteria comment="sshd is installed and configured" operator="AND">
+        <extend_definition comment="sshd is required or requirement is unset"
+          definition_ref="sshd_required_or_unset" />
+        {{% if product == "sle12" %}}
+        <extend_definition comment="rpm package openssh installed"
+          definition_ref="package_openssh_installed" />
+        {{% else %}}
+        <extend_definition comment="rpm package openssh-server installed"
+          definition_ref="package_openssh-server_installed" />
+        {{% endif %}}
+        <criteria comment="sshd is configured correctly" operator="AND">
+          <criteria comment="the configuration is correct if it exists" operator="AND">
+            <criterion comment="Check the GSSAPIAuthentication in /etc/ssh/sshd_config"
+              test_ref="test_{{{ rule_id }}}" />
+          </criteria>
+          <criterion comment="the configuration exists" test_ref="test_GSSAPIAuthentication_present_{{{ rule_id }}}" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <!-- Main test: Check /etc/ssh/sshd_config only -->
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file"
+    id="test_{{{ rule_id }}}" version="1">
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
+    <ind:state state_ref="state_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  <!-- Test that configuration exists -->
+  <ind:textfilecontent54_test id="test_GSSAPIAuthentication_present_{{{ rule_id }}}" version="1"
+    check="all" check_existence="at_least_one_exists"
+    comment="Verify that the value of GSSAPIAuthentication is present">
+    <ind:object object_ref="obj_{{{ rule_id }}}" />
+  </ind:textfilecontent54_test>
+
+</def-group>

linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml

@@ -47,11 +47,3 @@ fixtext: |-
     {{{ fixtext_sshd_lineinfile("GSSAPIAuthentication", "no") }}}
 
 srg_requirement: 'The {{{ full_name }}} SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.'
-
-template:
-    name: sshd_lineinfile
-    vars:
-        parameter: GSSAPIAuthentication
-        value: 'no'
-        datatype: string
-        is_default_value: 'true'

shared/macros/10-kubernetes.jinja

@@ -248,6 +248,34 @@ spec:
 {{{ kubernetes_machine_config_file(path='/etc/ssh/sshd_config.d/' + config_basename, file_permissions_mode='0600', source=sshd_dropin_content, ocp_version_range=ocp_version_range) }}}
 {{%- endmacro -%}}
 
+{{#
+  High level macro to generate Kubernetes remediation to remove SSH daemon configuration drop-in files.
+  This is used to clean up old or incorrectly named drop-in files.
+  Parameters:
+    config_basename: Basename of the drop-in file to remove (e.g., '00-complianceascode-GSSAPIAuthentication.conf')
+    ocp_version_range: Optional OpenShift version range (default: '>=4.13.0')
+#}}
+{{%- macro kubernetes_sshd_remove_dropin(config_basename, ocp_version_range='>=4.13.0') -%}}
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+{{%- if ocp_version_range|length > 0 %}}
+metadata:
+  annotations:
+    complianceascode.io/ocp-version: '{{{ ocp_version_range }}}'
+{{%- endif %}}
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - path: /etc/ssh/sshd_config.d/{{{ config_basename }}}
+        overwrite: true
+        contents:
+          source: data:,
+        mode: 0600
+{{%- endmacro -%}}
+
 
 {{% macro usbguard_config_source() %}}
 #