On 29/08/18 19:00, Dhanushka Parakrama wrote:
Guys
Hello Dhanushka,
The "anssi_np_nt28_high profile" extends "anssi_np_nt28_restrictive",
which "extends anssi_np_nt28_average".
And "average" Profile sets value "sshd_idle_timeout_value=5_minutes",
i.e. 300.
So value 400 for ClientAliveInterval correctly fails the scan, as the
value configured should be between zero and "sshd_idle_timeout_value".
For the scan to pass with "ClientAliveInterval 400" you need to create a
tailoring and change the value for "sshd_idle_timeout_value".
Unfortunately, there is no preset value for 400, you check them here:
https://github.com/OpenSCAP/scap-security-guide/blob/master/linux_os/guide/services/ssh/sshd_idle_timeout_value.var
In Debian 8 i have configured the settings as below for ssh client timeout
ClientAliveInterval 400
but seems like scan is not picking it up ,
Version scap-security-guide-0.1.40
*oscap-ssh --sudo wso2@192.168.8.150 <mailto:wso2@192.168.8.150> 22
xccdf eval --profile
xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report
abc.html ssg-debian8-ds.xml
*
and still shows output as below
*Title Set SSH Idle Timeout Interval*
*Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout*
*Result fail*
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
--
Watson Sato
Security Technologies | Red Hat, Inc
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list