From b43e0965aac15ee27148af2601623a76d7f7e3e9 Mon Sep 17 00:00:00 2001
From: Thomas H Jones II
Date: Tue, 24 Oct 2023 08:02:37 -0400
Subject: [PATCH 1/3] Add handler for RHEL-08-010201
Closes #465
---
 .../el8/STIGbyID/cat2/RHEL-08-010201.sls | 59 +++++++++++++++++++
 .../el8/STIGbyID/cat2/files/RHEL-08-010201.sh | 35 +++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 ash-linux/el8/STIGbyID/cat2/RHEL-08-010201.sls
 create mode 100644 ash-linux/el8/STIGbyID/cat2/files/RHEL-08-010201.sh
diff --git a/ash-linux/el8/STIGbyID/cat2/RHEL-08-010201.sls b/ash-linux/el8/STIGbyID/cat2/RHEL-08-010201.sls
new file mode 100644
index 000000000..19d10de75
--- /dev/null
+++ b/ash-linux/el8/STIGbyID/cat2/RHEL-08-010201.sls
@@ -0,0 +1,59 @@ +# Ref Doc: STIG - RHEL 8 v1r11 +# Finding ID: V-244525 +# Rule ID: SV-244525r917886_rule +# STIG ID: RHEL-08-010201 +# SRG ID: SRG-OS-000163-GPOS-00072 +# SRG-OS-000126-GPOS-00066 +# SRG-OS-000279-GPOS-00109 +# +# Finding Level: medium +# +# Rule Summary: +# RHEL 8 be configured so that all network connections associated with SSH +# traffic are terminated after 10 minutes of becoming unresponsive. +# +# References: +# CCI: +# - CCI-001133 +# NIST SP 800-53 :: SC-10 +# NIST SP 800-53A :: SC-10.1 (ii) +# NIST SP 800-53 Revision 4 :: SC-10 +# +########################################################################### +{%- set stig_id = 'RHEL-08-010201' %} +{%- set helperLoc = 'ash-linux/el8/STIGbyID/cat2/files' %} +{%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %} +{%- set svcName = 'sshd' %} +{%- set cfgFile = '/etc/ssh/sshd_config' %} +{%- set cfgParm = 'ClientAliveInterval' %} +{%- set cfgValue = '600' %} + +script_{{ stig_id }}-describe: + cmd.script: + - source: salt://{{ helperLoc }}/{{ stig_id }}.sh + - cwd: /root + +{%- if stig_id in skipIt %} +notify_{{ stig_id }}-skipSet: + cmd.run: + - name: 'printf "\nchanged=no comment=''Handler for {{ stig_id }} has been selected for skip.''\n"' + - stateful: True + - cwd: /root +{%- else %} +Fix/set sshd {{ cfgParm }} value: + file.replace: + - name: '{{ cfgFile }}' + - append_if_not_found: True + - not_found_content: |- + + # Inserted per STIG {{ stig_id }} + {{ cfgParm }} {{ cfgValue }} + - pattern: '^(|#)\s*{{ cfgParm }}.*' + - repl: '{{ cfgParm }} {{ cfgValue }}' + +service_sshd: + service.running: + - name: '{{ svcName }}' + - watch: + - file: 'Fix/set sshd {{ cfgParm }} value' +{%- endif %} diff --git a/ash-linux/el8/STIGbyID/cat2/files/RHEL-08-010201.sh b/ash-linux/el8/STIGbyID/cat2/files/RHEL-08-010201.sh new file mode 100644 index 000000000..3de95bfbf --- /dev/null +++ b/ash-linux/el8/STIGbyID/cat2/files/RHEL-08-010201.sh 
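Review bot: The `file.replace` pattern `^(|#)\s*{{ cfgParm }}.*` is case-sensitive, but sshd_config keywords are case-insensitive and sshd honours the first value it reads for a keyword, so a pre-existing `clientaliveinterval 0` would not match, `append_if_not_found` would add a second directive at the end of the file, and the earlier weaker setting would stay in effect while the state reports success. Adding `- flags: ['IGNORECASE', 'MULTILINE']` to the `file.replace` state closes that gap; a directive sitting inside a `Match` block would still be rewritten in place rather than setting the global value, which this state cannot detect. The state ID `service_sshd` is generic, and if another handler included alongside this one declares the same ID Salt refuses the highstate for conflicting IDs, so a name such as `service_sshd_{{ stig_id }}` is safer. There is also no configuration check between the edit and the watch-triggered restart, so a malformed write would leave sshd down; a `cmd.run` of `/usr/sbin/sshd -t` that the service state requires is a cheap guard.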
@@ -0,0 +1,35 @@ +#!/bin/bash +# +# Ref Doc: STIG - RHEL 8 v1r11 +# Finding ID: V-244525 +# Rule ID: SV-244525r917886_rule +# STIG ID: RHEL-08-010201 +# SRG ID: SRG-OS-000163-GPOS-00072 +# SRG-OS-000126-GPOS-00066 +# SRG-OS-000279-GPOS-00109 +# +# Finding Level: medium +# +# Rule Summary: +# RHEL 8 be configured so that all network connections associated with SSH +# traffic are terminated after 10 minutes of becoming unresponsive. +# +# References: +# CCI: +# - CCI-001133 +# NIST SP 800-53 :: SC-10 +# NIST SP 800-53A :: SC-10.1 (ii) +# NIST SP 800-53 Revision 4 :: SC-10 +# +########################################################################### +# Standard outputter function +diag_out() { + echo "${1}" +} + +diag_out "--------------------------------------" +diag_out "STIG Finding ID: V-244525" +diag_out " The OS must terminate all SSH" +diag_out " sessions ater 10 minutes of" +diag_out " becoming unresponsive" +diag_out "--------------------------------------" From 3666d91a5979e4b9cfa4f98533d60d580f365823 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Tue, 24 Oct 2023 08:03:36 -0400 Subject: [PATCH 2/3] Ensure RHEL-08-010201 gets called --- ash-linux/el8/STIGbyID/cat2/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/ash-linux/el8/STIGbyID/cat2/init.sls b/ash-linux/el8/STIGbyID/cat2/init.sls index 7b9fd25b3..a0075943d 100644 --- a/ash-linux/el8/STIGbyID/cat2/init.sls +++ b/ash-linux/el8/STIGbyID/cat2/init.sls @@ -3,6 +3,7 @@ include: - ash-linux.el8.STIGbyID.cat2.OL08-00-010160 - ash-linux.el8.STIGbyID.cat2.RHEL-08-010161 - ash-linux.el8.STIGbyID.cat2.RHEL-08-010200 + - ash-linux.el8.STIGbyID.cat2.RHEL-08-010201 - ash-linux.el8.STIGbyID.cat2.RHEL-08-010490 - ash-linux.el8.STIGbyID.cat2.RHEL-08-010571 - ash-linux.el8.STIGbyID.cat2.RHEL-08-010671 From a43a453580da82bc5a69536d2374e606f856ac69 Mon Sep 17 00:00:00 2001 
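Review bot: The banner printed by this describe script has a typo in `diag_out "    sessions ater 10 minutes of"`, which should read `diag_out "    sessions after 10 minutes of"`; this text is what operators see in the state-run output, so it is worth fixing before the handler ships. The script only prints the finding text and does not report the host's current setting, so the describe step cannot tell a reviewer whether the follow-on fix was needed; appending a line such as `diag_out "Current: $(sshd -T 2>/dev/null | grep -i '^clientaliveinterval')"` would let it double as an audit record, though that is optional.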
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Oct 2023 20:15:23 +0000 Subject: [PATCH 3/3] Bump centos/centos from `f240057` to `b1f6889` in /tests/docker/centos8 Bumps centos/centos from `f240057` to `b1f6889`. --- updated-dependencies: - dependency-name: centos/centos dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- tests/docker/centos8/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/docker/centos8/Dockerfile b/tests/docker/centos8/Dockerfile index 2d7e4bd25..4d398308b 100644 --- a/tests/docker/centos8/Dockerfile +++ b/tests/docker/centos8/Dockerfile @@ -1,4 +1,4 @@ -FROM quay.io/centos/centos:stream8@sha256:f24005786295703fc65e5cd74ab90497a05479fac780790a43eab5729f9e098f +FROM quay.io/centos/centos:stream8@sha256:b1f6889548eda34b2ddc8c2f50a49bf9924164814308e41e90a07e3b30e0db7f CMD ["/bin/bash"]