Fix / invert the logic of OVAL rule for '3.4.3.g. Disable SSH Root Login'
XCCDF rule.

On a default RHEL-6 system there's no uncommented 'PermitRootLogin yes'
present in the /etc/ssh/sshd_config configuration file (from the header of the
config):

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

From sshd_config(5):

     PermitRootLogin
             Specifies whether root can log in using ssh(1).
             The argument must be “yes”, “without-password”,
             “forced-commands-only”, or “no”.
             The default is “yes”.

Therefore the default RHEL-6 sshd config is missing an explicit 'PermitRootLogin
yes', but defaults to it. The former implementation (incorrectly) returned 'pass'
as the result of the scan, even when root login via SSH was allowed (this can be
tested on the former implementation via an SSH root login attempt).

The proposal modifies the implementation of the scan check to succeed only in
case there's an explicit 'PermitRootLogin no' in /etc/ssh/sshd_config, and
allows possible comments behind that definition (since it's a valid config
form too).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From f702488e6d343671c540386585b1abe7f013e9c4 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Thu, 21 Nov 2013 16:48:46 +0100
Subject: [PATCH] [RHEL6] Fix OVAL check for '3.4.3.g. Disable SSH Root Login'
 rule

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 RHEL6/input/checks/sshd_disable_root_login.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/RHEL6/input/checks/sshd_disable_root_login.xml b/RHEL6/input/checks/sshd_disable_root_login.xml
index 58e52a3..d29989d 100644
--- a/RHEL6/input/checks/sshd_disable_root_login.xml
+++ b/RHEL6/input/checks/sshd_disable_root_login.xml
@@ -17,14 +17,14 @@
       test_ref="test_sshd_permitrootlogin_no" />
     </criteria>
   </definition>
-  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
   comment="Tests the value of the PermitRootLogin[\s]*(&lt;:nocomment:&gt;*) setting in the /etc/ssh/sshd_config file"
   id="test_sshd_permitrootlogin_no" version="1">
     <ind:object object_ref="obj_sshd_permitrootlogin_no" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="1">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin[\s]+yes[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin[\s]+no[\s]*(#.*)$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
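Review bot: the trailing comment group on the `+` pattern line, `[\s]*(#.*)$`, is mandatory, so a plain `PermitRootLogin no` line with nothing after it will not match and the test will report a failure for exactly the configuration this patch is meant to accept; the cover letter says comments should be allowed, not required, so make the group optional, i.e. `^[\s]*(?i)PermitRootLogin[\s]+no[\s]*(#.*)?$`. Also, because the object pins `<ind:instance datatype="int">1</ind:instance>`, at most one item can ever be collected, so `check_existence="only_one_exists"` behaves the same as `at_least_one_exists` here and will not catch a second, conflicting `PermitRootLogin` line; either drop the instance restriction or note the limitation in the test's `comment` attribute.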
-- 
1.8.3.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
