This patch adds remediation for the sshd's ClientAliveCountMax rule.

Installing openssh-server package or enabling the sshd service isn't
necessary, since if:
* openssh-server isn't installed or
* sshd is disabled

the underlying OVAL check would pass.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From ade70f147982400d61147106b83188a959d71758 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Fri, 29 Nov 2013 18:06:49 +0100
Subject: [PATCH] [Fedora] Add remediation for sshd's ClientAliveCountMax rule

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 Fedora/input/fixes/bash/sshd_set_keepalive.sh | 14 ++++++++++++++
 Fedora/scap-security-guide.spec               |  2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 Fedora/input/fixes/bash/sshd_set_keepalive.sh

diff --git a/Fedora/input/fixes/bash/sshd_set_keepalive.sh b/Fedora/input/fixes/bash/sshd_set_keepalive.sh
new file mode 100644
index 0000000..100da61
--- /dev/null
+++ b/Fedora/input/fixes/bash/sshd_set_keepalive.sh
@@ -0,0 +1,14 @@
+#
+# Configure proper ClientAliveCountMax sshd daemon value
+#
+grep -q ^ClientAliveCountMax /etc/ssh/sshd_config && \
+sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/g" /etc/ssh/sshd_config
+if ! [ $? -eq 0 ]
+then
+  echo -e "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
+fi
+
+#
+# Restart the sshd service (new option to take effect)
+#
+systemctl restart sshd.service
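Review bot: the sed substitution on line 2 of the script is unanchored (`s/ClientAliveCountMax.*/ClientAliveCountMax 0/g`), so while the preceding grep only fires on lines that begin with `ClientAliveCountMax`, the sed pass also rewrites commented-out lines such as `#ClientAliveCountMax 3` into `#ClientAliveCountMax 0`; anchor it as `s/^ClientAliveCountMax.*/ClientAliveCountMax 0/` so it matches exactly what the grep tested for. Two smaller points: `if ! [ $? -eq 0 ]` inspects the exit status of the whole `grep && sed` chain, which works but reads more plainly as `if grep -q '^ClientAliveCountMax' /etc/ssh/sshd_config; then sed ...; else echo ... >> /etc/ssh/sshd_config; fi`, and the `>>` append lands the directive at the very end of the file, where it would fall inside a trailing `Match` block if the administrator has one, which is worth a comment in the script. `echo -e` is also unnecessary since the string contains no escape sequences.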
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index 05ca9a6..b38ea04 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -55,7 +55,7 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
 
 %changelog
 * Fri Nov 29 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc8-1
-- Add OVAL check for sshd's ClientAliveCountMax rule
+- OVAL check and remediation for sshd's ClientAliveCountMax rule
 
 * Thu Nov 28 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc7-1
 - Include descriptions for permissions section, and rules for checking
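Review bot: the rewritten changelog bullet drops the leading verb that the neighbouring entries use (`- Add OVAL check ...`, `- Include descriptions ...`); for consistency read it as `- Add OVAL check and remediation for sshd's ClientAliveCountMax rule`. Since the bullet is edited in place under the existing 0.1.4.rc8-1 entry rather than added under a new one, this is fine only if rc8-1 has not been built yet; otherwise bump the Release tag and start a fresh entry.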
-- 
1.8.3.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide