Hi all,
The remediation won't work if it appends the new option to the end of the file AND
there are 'Match' rules (from sshd_config's: "If all of the criteria on the
Match line are satisfied, the keywords on the following lines override those
set in the global section of the config file, until either another Match line
or the end of the file.").
Although commented, 'Match' rules are in the default sshd_config.
For example, for "sshd_enable_warning_banner.sh", my suggestion would be:
==================================
# Rewrite an existing global Banner line in place (anchored to the start of
# the line so a commented '#Banner none' is left alone) ...
grep -q '^Banner' /etc/ssh/sshd_config && \
sed -i 's/^Banner.*/Banner \/etc\/issue/' /etc/ssh/sshd_config
# ... otherwise insert one before the first 'Match' line, commented or not:
# /Match/ finds that line, ?^[A-Z]? steps back to the last keyword line,
# + moves to the line after it and i inserts the Banner line there.
if [ $? -ne 0 ]; then
ed -s /etc/ssh/sshd_config <<'EOF'
/Match/
?^[A-Z]?
+
i
Banner /etc/issue
.
w
q
EOF
fi
==================================
This will add a new line after the last keyword before the first 'Match' block
(including comments). I'm ashamed to say I couldn't do it with 'sed' :(
Does it sound reasonable?
Thanks
--
Rui Pedro Bernardino
CTE2/Tecnologias e Desenvolvimento
PT Inovação
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
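An alternative to the ed approach from the message above, added here as an example and not code from the original message or from the SCAP Security Guide scripts: an awk-based shell function that rewrites an existing global keyword in place or inserts it before the first 'Match' line (commented or not), so that a later Match block cannot override it. The function name set_global_option and the sample config it is run against are assumptions, and the sample is constructed, not a real system file.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): set a keyword in the *global*
# section of sshd_config, i.e. before the first line matching /Match/
# (commented or not), so no Match block can override it.
set -eu

# set_global_option FILE KEYWORD VALUE
# An active "KEYWORD ..." line in the global section is rewritten in place;
# otherwise "KEYWORD VALUE" is inserted after the last active keyword line
# that precedes the first Match line (before that Match line if no keyword
# precedes it, or at end of file if there is no Match line at all).
set_global_option() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        # Pass 1 (FNR == NR): locate the Match boundary, an existing key, and
        # the last active keyword line before the boundary.
        FNR == NR {
            if (!boundary && $0 ~ /Match/)     boundary = FNR
            if (!boundary && $1 == key)        present  = FNR
            if (!boundary && $0 ~ /^[A-Za-z]/) last_kw  = FNR
            next
        }
        # Pass 2: copy the file, rewriting or inserting exactly once.
        FNR == present { print key, value; done = 1; next }
        !done && !present && !last_kw && FNR == boundary { print key, value; done = 1 }
        { print }
        !done && !present && FNR == last_kw { print key, value; done = 1 }
        END { if (!done) print key, value }
    ' "$file" "$file" > "$file.tmp"
    cat "$file.tmp" > "$file"   # keep the original inode, owner and mode
    rm -f "$file.tmp"
}

# Constructed sample resembling the stock sshd_config (not a real system file).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# Constructed sample sshd_config
Port 22
#Banner none
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
EOF

set_global_option "$demo_file" Banner /etc/issue
grep -n '^Banner' "$demo_file"   # 5:Banner /etc/issue
```

Running the function a second time with a different value rewrites the same line instead of adding another, which is what makes it safe to re-run as a remediation.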