These patches fix some OVAL false positives for SSH configuration checks that were showing that they had passed even when they were not configured in sshd_config.
Thanks, Gabe
Gabe (3):
  [bugfix] - disable_host_auth OVAL false positive
  [bugfix] - sshd_disable_rhosts OVAL false positive
  [bugfix] - sshd_disable_root_login OVAL false positive
 shared/oval/disable_host_auth.xml       | 4 ++--
 shared/oval/sshd_disable_rhosts.xml     | 4 ++--
 shared/oval/sshd_disable_root_login.xml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
- fix false positive for SSH host-based authentication check in sshd_config
Signed-off-by: Gabe <redhatrises@gmail.com>
---
 shared/oval/disable_host_auth.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/oval/disable_host_auth.xml b/shared/oval/disable_host_auth.xml index 6f4eb9d..de51fd7 100644 --- a/shared/oval/disable_host_auth.xml +++ b/shared/oval/disable_host_auth.xml @@ -14,7 +14,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check HostbasedAuthentication in /etc/ssh/sshd_config" - test_ref="test_sshd_hostbasedauthentication" /> + negate="true" test_ref="test_sshd_hostbasedauthentication" /> </criteria> </definition> <ind:textfilecontent54_test check="all" check_existence="none_exist" @@ -24,7 +24,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group>
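Review bot: Adding negate="true" to the criterion in the first hunk while swapping the pattern from `yes` to `no` in the second hunk inverts the rule's meaning, because the test keeps check_existence="none_exist": before the patch the definition failed only when an explicit `HostbasedAuthentication yes` line existed, after it the definition fails unless an explicit `HostbasedAuthentication no` line exists. sshd's documented default for HostbasedAuthentication is `no`, so a host that leaves the keyword unset is compliant, and the pre-patch pass on such a host is not a false positive; with the patch that host would fail. If auditors are expected to see the explicit line, that belongs in the rule description or the OCIL, not in the OVAL, so this patch should be dropped. A secondary point: the patched object no longer looks for a `yes` line at all, so a file that contains both `HostbasedAuthentication no` and `HostbasedAuthentication yes` passes.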
On 7/29/14, 8:43 PM, Gabe wrote:
- fix false positive for SSH host-based authentication check in sshd_config
Signed-off-by: Gabe redhatrises@gmail.com
shared/oval/disable_host_auth.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/oval/disable_host_auth.xml b/shared/oval/disable_host_auth.xml index 6f4eb9d..de51fd7 100644 --- a/shared/oval/disable_host_auth.xml +++ b/shared/oval/disable_host_auth.xml @@ -14,7 +14,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check HostbasedAuthentication in /etc/ssh/sshd_config"
test_ref="test_sshd_hostbasedauthentication" />
negate="true" test_ref="test_sshd_hostbasedauthentication" /> </criteria>
</definition> <ind:textfilecontent54_test check="all" check_existence="none_exist"
@@ -24,7 +24,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
</def-group>
The negate properly will fail you if HostbasedAuthentication != no, but I'm not getting the false positive. Can you share how to reproduce?
this passes as expected:

$ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
HostbasedAuthentication no
$ sudo ./testcheck.py disable_host_auth.xml
Evaluating with OVAL tempfile : /tmp/disable_host_authaoRDFL.xml
Writing results to : /tmp/disable_host_authaoRDFL.xml-results
Definition oval:scap-security-guide.testing:def:103: false
Definition oval:scap-security-guide.testing:def:101: false
Definition oval:scap-security-guide.testing:def:100: true
Evaluation done.
fails as expected:

$ sudo sed -i 's/HostbasedAuthentication no/HostbasedAuthentication yes/g' /etc/ssh/sshd_config
$ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
HostbasedAuthentication yes
$ sudo ./testcheck.py disable_host_auth.xml
Evaluating with OVAL tempfile : /tmp/disable_host_auth2Vo5qy.xml
Writing results to : /tmp/disable_host_auth2Vo5qy.xml-results
Definition oval:scap-security-guide.testing:def:103: false
Definition oval:scap-security-guide.testing:def:101: false
Definition oval:scap-security-guide.testing:def:100: false
Evaluation done.
Hi Shawn,
At least on RHEL6.5 if I run the scap scan (using oscap) with the scap-security-guide without configuring sshd_config at all, the scan tells me that I pass the 'Disable Host-Based Authentication' when in fact it is not configured. Same thing goes for the other ignoring rhosts, and disabling root login checks.
Thanks,
Gabe
On Fri, Aug 1, 2014 at 2:10 PM, Shawn Wells shawn@redhat.com wrote:
On 7/29/14, 8:43 PM, Gabe wrote:
- fix false positive for SSH host-based authentication check in sshd_config
Signed-off-by: Gabe redhatrises@gmail.com
shared/oval/disable_host_auth.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/oval/disable_host_auth.xml b/shared/oval/disable_host_auth.xml index 6f4eb9d..de51fd7 100644 --- a/shared/oval/disable_host_auth.xml +++ b/shared/oval/disable_host_auth.xml @@ -14,7 +14,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check HostbasedAuthentication in /etc/ssh/sshd_config"
test_ref="test_sshd_hostbasedauthentication" />
negate="true" test_ref="test_sshd_hostbasedauthentication" /> </criteria>
</definition> <ind:textfilecontent54_test check="all" check_existence="none_exist"
@@ -24,7 +24,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)
HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*(?i)
HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
</def-group>
The negate properly will fail you if HostbasedAuthentication != no, but I'm not getting the false positive. Can you share how to reproduce?
this passes as expected:

$ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
HostbasedAuthentication no
$ sudo ./testcheck.py disable_host_auth.xml
Evaluating with OVAL tempfile : /tmp/disable_host_authaoRDFL.xml
Writing results to : /tmp/disable_host_authaoRDFL.xml-results
Definition oval:scap-security-guide.testing:def:103: false
Definition oval:scap-security-guide.testing:def:101: false
Definition oval:scap-security-guide.testing:def:100: true
Evaluation done.
fails as expected:

$ sudo sed -i 's/HostbasedAuthentication no/HostbasedAuthentication yes/g' /etc/ssh/sshd_config
$ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
HostbasedAuthentication yes
$ sudo ./testcheck.py disable_host_auth.xml
Evaluating with OVAL tempfile : /tmp/disable_host_auth2Vo5qy.xml
Writing results to : /tmp/disable_host_auth2Vo5qy.xml-results
Definition oval:scap-security-guide.testing:def:103: false
Definition oval:scap-security-guide.testing:def:101: false
Definition oval:scap-security-guide.testing:def:100: false
Evaluation done.
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
On 8/5/14, 9:35 AM, Gabe Alford wrote:
Hi Shawn,
At least on RHEL6.5 if I run the scap scan (using oscap) with the scap-security-guide without configuring sshd_config at all, the scan tells me that I pass the 'Disable Host-Based Authentication' when in fact it is not configured. Same thing goes for the other ignoring rhosts, and disabling root login checks.
Thanks,
Gabe
Ah, yes, this is expected. The default for HostbasedAuthentication is disabled, so the absence of explicit "HostbasedAuthentication no" is still a pass.
Ref manpage @ http://rc.quest.com/man.php?id=sshd_config(5) (do a find on "HostbasedAuthentication")
On Fri, Aug 1, 2014 at 2:10 PM, Shawn Wells <shawn@redhat.com mailto:shawn@redhat.com> wrote:
On 7/29/14, 8:43 PM, Gabe wrote: - fix false positive for SSH host-based authentication check in sshd_config Signed-off-by: Gabe <redhatrises@gmail.com <mailto:redhatrises@gmail.com>> --- shared/oval/disable_host_auth.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/oval/disable_host_auth.xml b/shared/oval/disable_host_auth.xml index 6f4eb9d..de51fd7 100644 --- a/shared/oval/disable_host_auth.xml +++ b/shared/oval/disable_host_auth.xml @@ -14,7 +14,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check HostbasedAuthentication in /etc/ssh/sshd_config" - test_ref="test_sshd_hostbasedauthentication" /> + negate="true" test_ref="test_sshd_hostbasedauthentication" /> </criteria> </definition> <ind:textfilecontent54_test check="all" check_existence="none_exist" 
@@ -24,7 +24,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" version="2"> <ind:filepath>/etc/ssh/sshd_config</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> The negate properly will fail you if HostbasedAuthentication != no, but I'm not getting the false positive. Can you share how to reproduce? this passes as expected: $ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config HostbasedAuthentication no $ sudo ./testcheck.py disable_host_auth.xml Evaluating with OVAL tempfile : /tmp/disable_host_authaoRDFL.xml Writing results to : /tmp/disable_host_authaoRDFL.xml-results Definition oval:scap-security-guide.testing:def:103: false Definition oval:scap-security-guide.testing:def:101: false Definition oval:scap-security-guide.testing:def:100: true Evaluation done. fails as expected: $ sudo sed -i 's/HostbasedAuthentication no/HostbasedAuthentication yes/g' /etc/ssh/sshd_config $ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config HostbasedAuthentication yes $ sudo ./testcheck.py disable_host_auth.xml Evaluating with OVAL tempfile : /tmp/disable_host_auth2Vo5qy.xml Writing results to : /tmp/disable_host_auth2Vo5qy.xml-results Definition oval:scap-security-guide.testing:def:103: false Definition oval:scap-security-guide.testing:def:101: false Definition oval:scap-security-guide.testing:def:100: false Evaluation done. -- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org <mailto:scap-security-guide@lists.fedorahosted.org> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
Got it. So if the default behavior is disabled, then the scan passes. Ignore this patch and the disable_rhosts patch then.
On Tue, Aug 5, 2014 at 12:27 PM, Shawn Wells shawn@redhat.com wrote:
On 8/5/14, 9:35 AM, Gabe Alford wrote:
Hi Shawn,
At least on RHEL6.5 if I run the scap scan (using oscap) with the scap-security-guide without configuring sshd_config at all, the scan tells me that I pass the 'Disable Host-Based Authentication' when in fact it is not configured. Same thing goes for the other ignoring rhosts, and disabling root login checks.
Thanks,
Gabe
Ah, yes, this is expected. The default for HostbasedAuthentication is disabled, so the absence of explicit "HostbasedAuthentication no" is still a pass.
Ref manpage @ http://rc.quest.com/man.php?id=sshd_config(5) (do a find on "HostbasedAuthentication")
On Fri, Aug 1, 2014 at 2:10 PM, Shawn Wells shawn@redhat.com wrote:
On 7/29/14, 8:43 PM, Gabe wrote:
- fix false positive for SSH host-based authentication check in sshd_config
Signed-off-by: Gabe redhatrises@gmail.com
shared/oval/disable_host_auth.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/oval/disable_host_auth.xml b/shared/oval/disable_host_auth.xml index 6f4eb9d..de51fd7 100644 --- a/shared/oval/disable_host_auth.xml +++ b/shared/oval/disable_host_auth.xml @@ -14,7 +14,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check HostbasedAuthentication in /etc/ssh/sshd_config"
test_ref="test_sshd_hostbasedauthentication" />
negate="true" test_ref="test_sshd_hostbasedauthentication" /> </criteria>
</definition> <ind:textfilecontent54_test check="all" check_existence="none_exist"
@@ -24,7 +24,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern
match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
- <ind:pattern operation="pattern
match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
</def-group>
The negate properly will fail you if HostbasedAuthentication != no, but I'm not getting the false positive. Can you share how to reproduce?
this passes as expected:

$ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
HostbasedAuthentication no
$ sudo ./testcheck.py disable_host_auth.xml
Evaluating with OVAL tempfile : /tmp/disable_host_authaoRDFL.xml
Writing results to : /tmp/disable_host_authaoRDFL.xml-results
Definition oval:scap-security-guide.testing:def:103: false
Definition oval:scap-security-guide.testing:def:101: false
Definition oval:scap-security-guide.testing:def:100: true
Evaluation done.
fails as expected:

$ sudo sed -i 's/HostbasedAuthentication no/HostbasedAuthentication yes/g' /etc/ssh/sshd_config
$ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
HostbasedAuthentication yes
$ sudo ./testcheck.py disable_host_auth.xml
Evaluating with OVAL tempfile : /tmp/disable_host_auth2Vo5qy.xml
Writing results to : /tmp/disable_host_auth2Vo5qy.xml-results
Definition oval:scap-security-guide.testing:def:103: false
Definition oval:scap-security-guide.testing:def:101: false
Definition oval:scap-security-guide.testing:def:100: false
Evaluation done.
-- Shawn Wells Director, Innovation Programsshawn@redhat.com | 443.534.0130 @shawndwells
On 8/5/14, 2:36 PM, Gabe Alford wrote:
Got it. So if the default behavior is disabled, then the scan passes. Ignore this patch and the disable_rhosts patch then.
General question though: Are sites failing manual checks by IV&E-type staff if these things are not explicitly configured? Technically the OCIL should highlight failure conditions, but we could look at elaborating the rule descriptions to reinforce that such things are default behaviors (and thus need not be explicitly configured).
Elaborating the rule descriptions to reinforce default behaviors would be very beneficial at my sites at least. The manual checks are being failed by the IV&E-type staff if disabled settings are not explicitly configured, as they either don't understand that the default configuration settings are disabled or they really like having the explicit configuration settings.
On Tue, Aug 5, 2014 at 12:39 PM, Shawn Wells shawn@redhat.com wrote:
On 8/5/14, 2:36 PM, Gabe Alford wrote:
Got it. So if the default behavior is disabled, then the scan passes. Ignore this patch and the disable_rhosts patch then.
General question though: Are sites failing manual checks by IV&E-type staff if these things are not explicitly configured? Technically the OCIL should highlight failure conditions, but we could look at elaborating the rule descriptions to reinforce that such things are default behaviors (and thus need not be explicitly configured).
On 8/5/14, 2:57 PM, Gabe Alford wrote:
Elaborating the rule descriptions to reinforce default behaviors would be very beneficial at my sites at least. The manual checks are being failed by the IV&E-type staff if disabled settings are not explicitly configured, as they either don't understand that the default configuration settings are disabled or they really like having the explicit configuration settings.
How is the guide being used? Are they reading through the prose guide (rhel6-guide.html), or using one of the CTP tables (e.g. table-rhel6-stig.html)?
On 8/5/14, 6:54 PM, Shawn Wells wrote:
On 8/5/14, 2:57 PM, Gabe Alford wrote:
Elaborating the rule descriptions to reinforce default behaviors would be very beneficial at my sites at least. The manual checks are being failed by the IV&E-type staff if disabled settings are not explicitly configured, as they either don't understand that the default configuration settings are disabled or they really like having the explicit configuration settings.
How is the guide being used? Are they reading through the prose guide (rhel6-guide.html), or using one of the CTP tables (e.g. table-rhel6-stig.html)?
Part of the reason for the question: the prose guides contain *all* rules, whereas the tables reflect only a single profile.
They are using the prose guides. Looking at the CTP tables for the RHEL6 STIG, the language for default values may also need to be stronger or reworded as well.
On Tue, Aug 5, 2014 at 4:55 PM, Shawn Wells shawn@redhat.com wrote:
On 8/5/14, 6:54 PM, Shawn Wells wrote:
On 8/5/14, 2:57 PM, Gabe Alford wrote:
Elaborating the rule descriptions to reinforce default behaviors would be very beneficial at my sites at least. The manual checks are being failed by the IV&E-type staff if disabled settings are not explicitly configured, as they either don't understand that the default configuration settings are disabled or they really like having the explicit configuration settings.
How is the guide being used? Are they reading through the prose guide (rhel6-guide.html), or using one of the CTP tables (e.g. table-rhel6-stig.html)?
Part of the reason for the question: the prose guides contain *all* rules, whereas the tables reflect only a single profile.
On 8/6/14, 9:09 AM, Gabe Alford wrote:
They are using the prose guides. Looking at the CTP tables for the RHEL6 STIG, the language for default values may also need to be stronger or reworded as well.
Patches welcome.
Does it make sense to include OCIL in the prose guide itself? Would many people find this useful?
- fix false positive for IgnoreRhosts check in sshd_config
Signed-off-by: Gabe <redhatrises@gmail.com>
---
 shared/oval/sshd_disable_rhosts.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/oval/sshd_disable_rhosts.xml b/shared/oval/sshd_disable_rhosts.xml index cb59a1f..5d3eeb1 100644 --- a/shared/oval/sshd_disable_rhosts.xml +++ b/shared/oval/sshd_disable_rhosts.xml @@ -15,7 +15,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check IgnoreRhosts in /etc/ssh/sshd_config" - test_ref="test_sshd_rsh_emulation_disabled" /> + negate="true" test_ref="test_sshd_rsh_emulation_disabled" /> </criteria> </definition> <ind:textfilecontent54_test check="all" check_existence="none_exist" @@ -26,7 +26,7 @@ <ind:textfilecontent54_object id="obj_sshd_rsh_emulation_disabled" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*(?i)IgnoreRhosts(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*(?i)IgnoreRhosts(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group>
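Review bot: Same inversion as in the disable_host_auth patch: negate="true" in the first hunk together with the pattern swap from `no` to `yes` in the second hunk, on a test that keeps check_existence="none_exist", makes the rule pass only when an explicit `IgnoreRhosts yes` line is present. The documented default for IgnoreRhosts is `yes`, so an unset keyword already means rhosts files are ignored; the pre-patch pass on an unconfigured host is correct, and after the patch such a host would fail. Unless the rule's stated intent is changed to "must be explicitly configured", this should not be applied; the place to tell auditors that the default is safe is the rule description.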
On 7/29/14, 8:43 PM, Gabe wrote:
- fix false positive for IgnoreRhosts check in sshd_config
Signed-off-by: Gabe redhatrises@gmail.com
shared/oval/sshd_disable_rhosts.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/oval/sshd_disable_rhosts.xml b/shared/oval/sshd_disable_rhosts.xml index cb59a1f..5d3eeb1 100644 --- a/shared/oval/sshd_disable_rhosts.xml +++ b/shared/oval/sshd_disable_rhosts.xml @@ -15,7 +15,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check IgnoreRhosts in /etc/ssh/sshd_config"
test_ref="test_sshd_rsh_emulation_disabled" />
negate="true" test_ref="test_sshd_rsh_emulation_disabled" /> </criteria>
</definition> <ind:textfilecontent54_test check="all" check_existence="none_exist"
@@ -26,7 +26,7 @@ <ind:textfilecontent54_object id="obj_sshd_rsh_emulation_disabled" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)IgnoreRhosts(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*(?i)IgnoreRhosts(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
</def-group>
The default behavior is to ignore, so this should pass if "IgnoreRhosts yes" is not present.
- fix false positive for PermitRootLogin check in sshd_config
Signed-off-by: Gabe <redhatrises@gmail.com>
---
 shared/oval/sshd_disable_root_login.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/oval/sshd_disable_root_login.xml b/shared/oval/sshd_disable_root_login.xml index 73c4906..6f8cede 100644 --- a/shared/oval/sshd_disable_root_login.xml +++ b/shared/oval/sshd_disable_root_login.xml @@ -15,7 +15,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config" - test_ref="test_sshd_permitrootlogin_no" /> + negate="true" test_ref="test_sshd_permitrootlogin_no" /> </criteria> </definition> <ind:textfilecontent54_test check="all" check_existence="none_exist" @@ -25,7 +25,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group>
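Review bot: This is the one of the three where the negate="true" plus pattern swap is the right fix. With check_existence="none_exist" and no negate, the old definition passed whenever no `PermitRootLogin yes` line was present, which includes the unconfigured case; the documented default for PermitRootLogin is `yes`, so that pass hid a host on which root can log in over SSH. After the patch the rule passes only when an explicit `PermitRootLogin no` line matches, so an unset keyword or any other value fails. Because the pattern anchors on `^[\s]*PermitRootLogin`, a keyword that appears only in a commented-out line does not match and the rule fails there too, which is the wanted behavior; worth confirming with a testcheck.py run on a stock config before committing.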
On 7/29/14, 8:43 PM, Gabe wrote:
- fix false positive for PermitRootLogin check in sshd_config
Signed-off-by: Gabe <redhatrises@gmail.com>
shared/oval/sshd_disable_root_login.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/oval/sshd_disable_root_login.xml b/shared/oval/sshd_disable_root_login.xml index 73c4906..6f8cede 100644 --- a/shared/oval/sshd_disable_root_login.xml +++ b/shared/oval/sshd_disable_root_login.xml @@ -15,7 +15,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config"
test_ref="test_sshd_permitrootlogin_no" />
negate="true" test_ref="test_sshd_permitrootlogin_no" /> </criteria>
</definition> <ind:textfilecontent54_test check="all" check_existence="none_exist"
@@ -25,7 +25,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
</def-group>
-- 2.0.0
The default for PermitRootLogin is yes [1], so this should fail if:
- PermitRootLogin is left unconfigured
- PermitRootLogin is set to yes
The existing rule had a failure only if "PermitRootLogin yes".... changing it to scan for "PermitRootLogin no," with your negate statement, is a much cleaner way to ensure proper checking.
Ack.
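To make the negate/none_exist semantics discussed in this thread concrete for all three patches (the host-based authentication and rhosts cases Shawn rejected, and the PermitRootLogin case he acked), here is an added Python example. It is not from the thread and is not scap-security-guide's testcheck.py; it models an ind:textfilecontent54_test with check_existence="none_exist", a criterion with and without negate="true", and what sshd itself does with an unset keyword, using the sshd_config(5) defaults the thread cites (HostbasedAuthentication no, IgnoreRhosts yes, PermitRootLogin yes). The OVAL patterns are rewritten in Python regex syntax because Python's re has no bare (?-i); the sshd_config fragments and the DEFAULTS/WANTED tables are constructed for the example.

```python
import re

# Documented sshd_config(5) defaults as cited in the thread (constructed table)
DEFAULTS = {
    "HostbasedAuthentication": "no",
    "IgnoreRhosts": "yes",
    "PermitRootLogin": "yes",
}

# Value each rule wants to see in effect (constructed table)
WANTED = {
    "HostbasedAuthentication": "no",
    "IgnoreRhosts": "yes",
    "PermitRootLogin": "no",
}


def line_pattern(keyword, value):
    # Python form of the OVAL pattern ^[\s]*(?i)Keyword(?-i)[\s]+value[\s]*(?:|(?:#.*))?$
    # Only the keyword is case-insensitive; the value must match exactly, as in the OVAL.
    return re.compile(
        r"^\s*(?i:%s)\s+%s\s*(?:#.*)?$" % (re.escape(keyword), re.escape(value)),
        re.MULTILINE,
    )


def none_exist_test(config_text, keyword, value):
    # Model of textfilecontent54_test with check_existence="none_exist":
    # true exactly when no line of the file matches the pattern.
    return line_pattern(keyword, value).search(config_text) is None


def rule_before_patch(config_text, keyword):
    # Pre-patch definition: criterion without negate, object pattern names the BAD value.
    bad = "yes" if WANTED[keyword] == "no" else "no"
    return none_exist_test(config_text, keyword, bad)


def rule_after_patch(config_text, keyword):
    # Patched definition: negate="true" on a none_exist test whose pattern names the
    # WANTED value, so the rule passes only when that line is explicitly present.
    return not none_exist_test(config_text, keyword, WANTED[keyword])


def effective_value(config_text, keyword):
    # What sshd actually uses: first non-comment occurrence wins, else the default.
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].split("#", 1)[0].strip()
    return DEFAULTS[keyword]


def actually_compliant(config_text, keyword):
    return effective_value(config_text, keyword) == WANTED[keyword]


def evaluate(config_text):
    """Return {keyword: (before_patch, after_patch, actually_compliant)} for each rule."""
    return {
        k: (
            rule_before_patch(config_text, k),
            rule_after_patch(config_text, k),
            actually_compliant(config_text, k),
        )
        for k in DEFAULTS
    }


# Constructed sample: nothing set explicitly, keywords appear only in comments
UNCONFIGURED = "#HostbasedAuthentication no\n#IgnoreRhosts yes\n#PermitRootLogin yes\n"
# Constructed sample: every keyword set explicitly to the wanted value
HARDENED = "HostbasedAuthentication no\nIgnoreRhosts yes\nPermitRootLogin no\n"
# Constructed sample: root login explicitly allowed, with a trailing comment
ROOT_ALLOWED = "PermitRootLogin yes # constructed\n"

if __name__ == "__main__":
    samples = (("unconfigured", UNCONFIGURED), ("hardened", HARDENED), ("root_allowed", ROOT_ALLOWED))
    for name, cfg in samples:
        for keyword, (before, after, truth) in evaluate(cfg).items():
            print("%-13s %-24s before=%-5s after=%-5s actual=%s" % (name, keyword, before, after, truth))
```

Running it on the unconfigured sample shows the thread's conclusion in one table: the pre-patch checks pass all three rules, the patched checks fail all three, and only PermitRootLogin is genuinely non-compliant there. The patch therefore fixes a real false pass for PermitRootLogin and introduces false failures for the other two, where the default already satisfies the rule.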
Thanks. Patch has been committed. Commit e354b3c45c87bffa250e32838d6632bacce9b423 https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=e354b3c45c87bffa250e32838d6632bacce9b423
On Tue, Aug 5, 2014 at 12:32 PM, Shawn Wells shawn@redhat.com wrote:
On 7/29/14, 8:43 PM, Gabe wrote:
- fix false positive for PermitRootLogin check in sshd_config
Signed-off-by: Gabe <redhatrises@gmail.com>
shared/oval/sshd_disable_root_login.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/oval/sshd_disable_root_login.xml b/shared/oval/sshd_disable_root_login.xml index 73c4906..6f8cede 100644 --- a/shared/oval/sshd_disable_root_login.xml +++ b/shared/oval/sshd_disable_root_login.xml @@ -15,7 +15,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config"
test_ref="test_sshd_permitrootlogin_no" />
negate="true" test_ref="test_sshd_permitrootlogin_no" />
</criteria> </definition> <ind:textfilecontent54_test check="all" check_existence="none_exist"
@@ -25,7 +25,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="2"> ind:filepath/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
</def-group> -- 2.0.0
The default for PermitRootLogin is yes [1], so this should fail if:
- PermitRootLogin is left unconfigured
- PermitRootLogin is set to yes
The existing rule had a failure only if "PermitRootLogin yes".... changing it to scan for "PermitRootLogin no," with your negate statement, is a much cleaner way to ensure proper checking.
Ack.
[1] http://rc.quest.com/man.php?id=sshd_config(5)