Hi,
I have exactly the same results but that’s not the point. This is what I get on
a system without a 'Banner' but with a 'Match' group:
[root@seis64 ~]# ssh localhost
root@localhost's password:
[root@seis64 ~]# sshd_enable_warning_banner.sh
[root@seis64 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@seis64 ~]# ssh localhost
root@localhost's password:
Still no banner.
This is because the 'Banner' was appended to the end of sshd_config and got
'absorbed' by the Match rules (which take anything following 'Match' until EOF or
another 'Match'):
[root@seis64 ~]# tail -5 /etc/ssh/sshd_config
# Rules for sftponly group
Match group sftponly
X11Forwarding no
AllowTcpForwarding no
Banner /etc/issue
This applies to all of SSG's sshd_config fixes. Note that not all configuration
primitives are accepted inside "Match" blocks, meaning sshd will fail to
start.
Bottom line, new primitives must be inserted *before* Match blocks.
Regards
--
Rui Pedro Bernardino
CTE2/Tecnologias e Desenvolvimento
PT Inovação
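The Match-scoping problem described in the thread above, demonstrated on a constructed copy of sshd_config as an added example (this is not SSG's remediation script and not code posted by anyone in the thread). It shows a blind append landing inside the 'Match group sftponly' block, a check that reports which Match line governs a keyword, and an insertion that places the keyword before the first uncommented Match line instead. It assumes a POSIX sh with awk, sed and mktemp; the sample file contents, the function names and the temporary file are all constructed for the example.

```shell
#!/bin/sh
# Added example (not SSG's own remediation): why appending to sshd_config
# fails once a Match block exists, and how to insert before the first Match
# line instead. Everything runs on a temporary copy, never on /etc/ssh/sshd_config.
set -eu

# Constructed sample sshd_config with a trailing Match block (not a real host's file).
make_sample() {
    cat > "$1" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
#Banner none
PasswordAuthentication yes

# Rules for sftponly group
Match group sftponly
X11Forwarding no
AllowTcpForwarding no
EOF
}

# What a blind ">>" remediation does: append "keyword value" to the end of the file.
naive_append() { # file keyword value
    printf '%s %s\n' "$2" "$3" >> "$1"
}

# Print the scope governing the first active occurrence of a keyword:
# "global" if it appears before any Match line, otherwise the Match line it fell under.
# Only uncommented Match lines count ($1 == "Match"), so "#Match User anoncvs" is ignored.
scope_of() { # file keyword
    awk -v k="$2" '
        $1 == "Match" { scope = $0 }
        $1 == k { s = (scope == "" ? "global" : scope); print s; exit }
    ' "$1"
}

# Set a keyword in the global section: replace the first active line if it is
# already global, otherwise insert it immediately before the first Match line,
# or append when the file has neither. The rewrite goes through cat > file so
# the original inode, owner and mode (0600 on a real sshd_config) are preserved.
set_global() { # file keyword value
    file=$1 key=$2 val=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$val" '
        !done && $1 == "Match" { print k " " v; done = 1 }        # insert before first Match
        !done && $1 == k       { print k " " v; done = 1; next }  # replace existing global line
        { print }
        END { if (!done) print k " " v }                           # no Match, no keyword: append
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Stand-alone demonstration on a temporary copy of the sample.
demo() {
    cfg=$(mktemp)
    make_sample "$cfg"
    naive_append "$cfg" Banner /etc/issue
    echo "after append: Banner governed by: $(scope_of "$cfg" Banner)"
    set_global "$cfg" Banner /etc/issue
    echo "after insert: Banner governed by: $(scope_of "$cfg" Banner)"
    rm -f "$cfg"
}
demo
```

Note that set_global does not touch the copy that the earlier append left inside the Match block; it is now shadowed for users outside that group, and should be reviewed by hand, because a keyword that sshd does not permit under Match will keep sshd from starting regardless of the correct global line.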
From: [email protected]
[mailto:[email protected]] On Behalf Of Shawn Wells
Sent: Friday, 4 October 2013 04:17
To: [email protected]
Subject: Re: Remediations involving sshd_config
On 10/3/13 10:08 AM, Rui Pedro Bernardino wrote:
Hi all,
The remediation won't work if it appends the new option to the end of file AND
there are 'Match' rules (from sshd_config's: "If all of the criteria on the
Match line are satisfied, the keywords on the following lines override those
set in the global section of the config file, until either another Match line
or the end of the file.").
Although commented, 'Match' rules are in the default sshd_config.
For example, for "sshd_enable_warning_banner.sh", my suggestion would be:
==================================
# If an active Banner line already exists, rewrite its value in place ...
grep -q ^Banner /etc/ssh/sshd_config && \
sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config
# ... otherwise (grep failed) insert the keyword before the first 'Match' block:
# /Match/ finds the first line containing "Match", ?^[A-Z]? backs up to the last
# keyword line before it, + steps one line past it, and i inserts there.
if ! [ $? -eq 0 ]; then
ed -s /etc/ssh/sshd_config <<'EOF'
/Match/
?^[A-Z]?
+
i
Banner /etc/issue
.
w
q
EOF
fi
==================================
This will add a new line after the last keyword before the first 'Match' block
(including comments). I'm ashamed to say I couldn't do it with 'sed' :(
Does it sound reasonable?
This situation *should* be taken care of. Are you experiencing something
different than the situation below?
1) Testing file with no Banner value set:
[shawn@SSG-RHEL6 checks]$ sudo grep Banner /etc/ssh/sshd_config
#Banner none
[shawn@SSG-RHEL6 checks]$ sudo ./testcheck.py sshd_enable_warning_banner.xml
Evaluating with OVAL tempfile : /tmp/sshd_enable_warning_bannerzkgnCU.xml
Writing results to : /tmp/sshd_enable_warning_bannerzkgnCU.xml-results
Definition oval:scap-security-guide.testing:def:129: false
Definition oval:scap-security-guide.testing:def:127: false
Definition oval:scap-security-guide.testing:def:126: false
Evaluation done.
[shawn@SSG-RHEL6 checks]$ sudo bash ../fixes/bash/sshd_enable_warning_banner.sh
[shawn@SSG-RHEL6 checks]$ sudo grep Banner /etc/ssh/sshd_config
#Banner none
Banner /etc/issue
[shawn@SSG-RHEL6 checks]$ sudo ./testcheck.py sshd_enable_warning_banner.xml
Evaluating with OVAL tempfile : /tmp/sshd_enable_warning_banner43kR1V.xml
Writing results to : /tmp/sshd_enable_warning_banner43kR1V.xml-results
Definition oval:scap-security-guide.testing:def:129: false
Definition oval:scap-security-guide.testing:def:127: false
Definition oval:scap-security-guide.testing:def:126: true
Evaluation done.
2) Testing if incorrect Banner value set
[shawn@SSG-RHEL6 checks]$ sudo grep Banner /etc/ssh/sshd_config
#Banner none
Banner /totally/wrong/path
[shawn@SSG-RHEL6 checks]$ sudo ./testcheck.py sshd_enable_warning_banner.xml
Evaluating with OVAL tempfile : /tmp/sshd_enable_warning_banneryFifQw.xml
Writing results to : /tmp/sshd_enable_warning_banneryFifQw.xml-results
Definition oval:scap-security-guide.testing:def:129: false
Definition oval:scap-security-guide.testing:def:127: false
Definition oval:scap-security-guide.testing:def:126: false
Evaluation done.
[shawn@SSG-RHEL6 checks]$ sudo bash ../fixes/bash/sshd_enable_warning_banner.sh
[shawn@SSG-RHEL6 checks]$ sudo grep Banner /etc/ssh/sshd_config
#Banner /etc/issue
Banner /etc/issue
[shawn@SSG-RHEL6 checks]$ sudo ./testcheck.py sshd_enable_warning_banner.xml
Evaluating with OVAL tempfile : /tmp/sshd_enable_warning_bannervMyGwb.xml
Writing results to : /tmp/sshd_enable_warning_bannervMyGwb.xml-results
Definition oval:scap-security-guide.testing:def:129: false
Definition oval:scap-security-guide.testing:def:127: false
Definition oval:scap-security-guide.testing:def:126: true
Evaluation done.
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide