Fix / invert the logic of OVAL rule for '3.4.3.g. Disable SSH Root Login'
XCCDF rule.
On a default RHEL-6 system there's no uncommented 'PermitRootLogin yes'
present in the /etc/ssh/sshd_config configuration file (from the header of the
config):

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options change a
    # default value.
From sshd_config(5):

    PermitRootLogin
        Specifies whether root can log in using ssh(1).
        The argument must be "yes", "without-password", "forced-commands-only", or "no".
        The default is "yes".
Therefore the default RHEL-6 sshd config is missing an explicit 'PermitRootLogin
yes', but defaults to it. The former implementation (incorrectly) returned 'pass'
as the result of the scan, even when root login via SSH was allowed (this can be
tested on the former implementation via an SSH root login attempt).
The proposal modifies the implementation so that the scan check succeeds only
in case there's an explicit 'PermitRootLogin no' in /etc/ssh/sshd_config, and
allows possible comments behind that definition (since it's a valid config
form too).
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
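The old and the proposed check logic side by side, as an added Python illustration that is not part of the patch or of scap-security-guide (the OVAL itself is XML); the sample sshd_config contents are constructed, and the checker goes one step beyond the proposal by applying sshd's first-uncommented-directive-wins rule rather than only searching for the 'no' line.

```python
import re

# Constructed sshd_config samples: a default-style file (directive only
# commented out), an explicit "no" followed by a trailing comment, and an
# explicit "yes".
DEFAULT_CFG = """# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.
#PermitRootLogin yes
"""
HARDENED_CFG = "PermitRootLogin no   # disabled per 3.4.3.g\n"
PERMISSIVE_CFG = "PermitRootLogin yes\n"

# An uncommented PermitRootLogin directive: the keyword is case-insensitive,
# "Keyword value" and "Keyword=value" are both accepted, and the captured
# value stops at whitespace or at a trailing '#' comment. Match blocks are
# not modelled here (assumption: the directive is used at global scope).
_DIRECTIVE = re.compile(r"^\s*PermitRootLogin(?:\s+|\s*=\s*)([^\s#]+)", re.IGNORECASE)

def effective_permit_root_login(config_text):
    """Value sshd would use: the first uncommented directive wins; a file
    without one falls back to the documented default of "yes"."""
    for line in config_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            return m.group(1)
    return "yes"  # sshd_config(5): "The default is yes"

def old_check_passes(config_text):
    """Former logic: pass when no uncommented 'PermitRootLogin yes' exists.
    This wrongly passes on the default config, where root login is allowed."""
    for line in config_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and m.group(1).lower() == "yes":
            return False
    return True

def new_check_passes(config_text):
    """Proposed logic: pass only when an explicit 'PermitRootLogin no' is the
    effective setting; a comment behind the value is accepted."""
    return effective_permit_root_login(config_text).lower() == "no"
```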