sshd.config.params does not correctly parse the config file #1053

Closed
mbainter opened this issue Jan 19, 2024 · 1 comment

mbainter commented Jan 19, 2024

Describe the bug

You can have directives that apply contextually in the sshd config. The way cnspec parses this file can result in false positives or false negatives.

To Reproduce
Steps to reproduce the behavior:

  1. In the sshd_config file comment out the PermitRootLogin line
  2. At the end of the file add this:
    Match Group games
    PermitRootLogin no
  3. Run cnspec shell, and query with: sshd.config.params[PermitRootLogin]
  4. Observe the output being:
    sshd.config.params[PermitRootLogin]: "no"

Expected behavior
It should report the configuration as empty, or better yet - the default of prohibit-password, like you'd get from sshd -T:

$ sudo sshd -f /etc/ssh/sshd_config -T | grep -i PermitRootLogin
permitrootlogin without-password

Another problem here is that if you uncomment the main configuration option you get this:

cnspec> sshd.config.params["PermitRootLogin"]
sshd.config.params[PermitRootLogin]: "no,no"

So if you have a test for =="no" like linux-security does, then it fails even though it should pass.

Desktop (please complete the following information):

  • OS: Linux/PopOS
  • OS Version: 22.x
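
The scoping the issue asks for, as an added example in Go that is not part of the original report and is not cnspec's or cnquery's own code: global directives and each Match block are kept in separate scopes instead of being merged under one key. `Block`, `ParseSSHDConfig` and the sample config are hypothetical names and constructed input.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Block is one scope: the global section (Criteria == "") or one Match block.
type Block struct {
	Criteria string
	Params   map[string]string
}

// ParseSSHDConfig returns the global block followed by one block per Match line.
// Keywords are lowercased and the first value seen in a scope is kept, as
// sshd_config(5) describes; multi-value keywords such as Port are not modelled.
func ParseSSHDConfig(text string) []Block {
	blocks := []Block{{Params: map[string]string{}}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue // blank line or comment
		}
		key, val := strings.ToLower(fields[0]), strings.Join(fields[1:], " ")
		if key == "match" {
			// A Match line opens a new scope that runs to the next Match or EOF.
			blocks = append(blocks, Block{Criteria: val, Params: map[string]string{}})
			continue
		}
		cur := blocks[len(blocks)-1].Params
		if _, seen := cur[key]; !seen {
			cur[key] = val
		}
	}
	return blocks
}

// Constructed sample mirroring the reproduction steps in the issue.
const sample = "#PermitRootLogin prohibit-password\nMatch Group games\n    PermitRootLogin no\n"

func main() {
	for _, b := range ParseSSHDConfig(sample) {
		fmt.Printf("scope=%q permitrootlogin=%q\n", b.Criteria, b.Params["permitrootlogin"])
	}
}
```

A check for the server-wide setting would read only the block with empty criteria and fall back to the sshd default when the key is absent there.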

arlimus commented Feb 2, 2024

Closing this in favor of the other issue you opened @mbainter in mondoohq/cnspec-policies#340

The changes will be done to providers in the cnquery repo and to the policy in the cnspec-policies repo, which is why I thought the above issue nails it :D

arlimus closed this as completed Feb 2, 2024