Shouldn't the check_existence attribute be "at_least_one_exists" rather than "only_one_exists"? Surprisingly, sshd does not complain about multiple PermitRootLogin lines in /etc/ssh/sshd_config.
Thanks,
Leland
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
[email protected] (gov't)
[email protected] (com'l)

> -----Original Message-----
> From: [email protected] [mailto:scap-[email protected]] On Behalf Of Jan Lieskovsky
> Sent: Thursday, November 21, 2013 11:27 AM
> To: [email protected]
> Subject: [PATCH] [RHEL6] Fix OVAL check for '3.4.3.g. Disable SSH Root Login' rule
>
> Fix / invert the logic of OVAL rule for '3.4.3.g. Disable SSH Root Login'
> XCCDF rule.
>
> On default RHEL-6 system there's no uncommented 'PermitRootLogin yes'
> present in /etc/ssh/sshd_config configuration file (from the header of the
> config:
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> From sshd_config(5):
>
>     PermitRootLogin
>         Specifies whether root can log in using ssh(1).
>         The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.
>         The default is “yes”.
>
> Therefore the default RHEL-6's sshd config is missing explicit PermitRootLogin
> yes, but defaulting to it. Former implementation (incorrectly) returned 'pass'
> as result of the scan, even when root login via SSH was allowed (can be
> tested on former implementation via SSH root attempt).
>
> The proposal modifies the implementation of the scan check to succeed only in
> case there's explicit 'PermitRootLogin no' in /etc/ssh/sshd_config, and
> allows possible comments behind that definition (since it's valid config
> form too).
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
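The behaviour the two messages argue about, as an added worked example (this is not code from the list thread or from the scap-security-guide project): a small Python model of how sshd arrives at its effective PermitRootLogin value, which is what a correct check has to reproduce. It assumes the sshd_config(5) rule that the first obtained value for a keyword is the one used, so a file with several PermitRootLogin lines is not an error (Leland's point) but only the first one counts; it takes the default of "yes" from the man page excerpt Jan quoted; and it tolerates a trailing comment after the value, as Jan's proposed check does. Directives under a Match block are ignored as an assumption about scope, since they are conditional rather than global. The function names, the sample configurations and the helper logic are all constructed here.

```python
import re

# sshd_config(5), as quoted in the thread: "The default is yes".
DEFAULT_PERMIT_ROOT_LOGIN = "yes"


def effective_permit_root_login(config_text):
    """Return the PermitRootLogin value sshd would use for the global section.

    Rules modelled (assumptions drawn from sshd_config(5), not from the OVAL
    content under review):
      * blank lines and lines whose first non-blank character is '#' are comments;
      * keywords are case-insensitive; 'Keyword value' and 'Keyword=value' both parse;
      * when a keyword repeats, the first obtained value wins;
      * a trailing '# comment' after the value is tolerated, as the proposed
        check allows;
      * anything after a 'Match' line is conditional and not considered here.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out or empty line
        line = line.split("#", 1)[0].rstrip()   # drop a trailing comment
        tokens = re.split(r"[\s=]+", line)
        keyword = tokens[0].lower()
        if keyword == "match":
            break                         # remaining directives are conditional
        if keyword == "permitrootlogin" and len(tokens) > 1:
            return tokens[1].lower()      # first occurrence wins
    return DEFAULT_PERMIT_ROOT_LOGIN      # nothing explicit: sshd's default


def root_login_disabled(config_text):
    """The compliance question: is the effective value exactly 'no'?"""
    return effective_permit_root_login(config_text) == "no"


# Constructed sample configurations (not taken from any real host).
DEFAULT_RHEL6_STYLE = "#PermitRootLogin yes\n#StrictModes yes\n"
EXPLICIT_NO = "PermitRootLogin no\n"
NO_WITH_COMMENT = "PermitRootLogin no   # hardened per policy\n"
EQUALS_FORM = "PermitRootLogin=no\n"
YES_THEN_NO = "PermitRootLogin yes\nPermitRootLogin no\n"   # first wins: still yes
NO_THEN_YES = "PermitRootLogin no\nPermitRootLogin yes\n"   # first wins: no
MATCH_ONLY = "Match User alice\n    PermitRootLogin no\n"   # conditional, not global


if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_RHEL6_STYLE), ("explicit no", EXPLICIT_NO),
                      ("no + comment", NO_WITH_COMMENT), ("equals form", EQUALS_FORM),
                      ("yes then no", YES_THEN_NO), ("no then yes", NO_THEN_YES),
                      ("Match only", MATCH_ONLY)]:
        verdict = "pass" if root_login_disabled(cfg) else "fail"
        print(f"{name:>13}: effective={effective_permit_root_login(cfg):<16} {verdict}")
```

The "yes then no" case is the reason an "at_least_one_exists" style of test is not sufficient on its own either: the check also has to look at which line sshd honours, not just whether some `PermitRootLogin no` line is present somewhere in the file.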
