This patch adds an OVAL check for sshd's Idle Timeout Interval / ClientAliveInterval rule for Fedora.
Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 1d800bcb0f18e2f33e16f8636b0b157cf232b76a Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Fri, 29 Nov 2013 19:06:35 +0100
Subject: [PATCH] [Fedora] Add OVAL check for 'Set SSH Idle Timeout Interval' rule
Signed-off-by: Jan Lieskovsky <[email protected]>
---
 Fedora/input/checks/sshd_set_idle_timeout.xml | 33 +++++++++++++++++++++++++++
 Fedora/input/profiles/common.xml | 1 +
 Fedora/input/services/ssh.xml | 11 ++++++++-
 Fedora/scap-security-guide.spec | 1 +
 4 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 Fedora/input/checks/sshd_set_idle_timeout.xml
diff --git a/Fedora/input/checks/sshd_set_idle_timeout.xml b/Fedora/input/checks/sshd_set_idle_timeout.xml
new file mode 100644
index 0000000..df3336a
--- /dev/null
+++ b/Fedora/input/checks/sshd_set_idle_timeout.xml
@@ -0,0 +1,33 @@
+<def-group>
+ <definition class="compliance" id="sshd_set_idle_timeout" version="1">
+ <metadata>
+ <title>Set OpenSSH Idle Timeout Interval</title>
+ <affected family="unix">
+ <platform>Fedora 19</platform>
+ </affected>
+ <description>The SSH idle timeout interval should be set to an appropriate value.</description>
+ </metadata>
+ <criteria comment="SSH is not being used or conditions are met" operator="OR">
+ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" />
+ <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config" test_ref="test_sshd_idle_timeout" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="timeout is configured" id="test_sshd_idle_timeout" version="1">
+ <ind:object object_ref="object_sshd_idle_timeout" />
+ <ind:state state_ref="state_timeout_value" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state comment="ClientAliveInterval in seconds" id="state_timeout_value" version="1">
+ <ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="sshd_idle_timeout_value" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="timeout value" datatype="int" id="sshd_idle_timeout_value" version="1" />
+
+</def-group>
diff --git a/Fedora/input/profiles/common.xml b/Fedora/input/profiles/common.xml
index e8bc78d..5d1be55 100644
--- a/Fedora/input/profiles/common.xml
+++ b/Fedora/input/profiles/common.xml
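Review bot: The state `state_timeout_value` only requires the captured ClientAliveInterval to be less than or equal to `sshd_idle_timeout_value`, so a configuration of `ClientAliveInterval 0` — which in sshd_config disables the client-alive messages and with them the idle timeout altogether — passes this check. A second state requiring the captured value to be greater than 0 should be referenced from `test_sshd_idle_timeout`; the entities of one textfilecontent54_state are single-valued, so it has to be a separate state element rather than a second subexpression. With both states listed in the test, the default `state_operator` (AND) requires both to hold.
```xml
  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="timeout is configured" id="test_sshd_idle_timeout" version="1">
    <ind:object object_ref="object_sshd_idle_timeout" />
    <ind:state state_ref="state_timeout_value" />
    <ind:state state_ref="state_timeout_nonzero" />
  </ind:textfilecontent54_test>

  <!-- … unchanged: object_sshd_idle_timeout, state_timeout_value … -->

  <ind:textfilecontent54_state comment="ClientAliveInterval 0 disables the idle timeout entirely" id="state_timeout_nonzero" version="1">
    <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
  </ind:textfilecontent54_state>
```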
@@ -48,6 +48,7 @@ <!-- SSH Server -->
 <select idref="sshd_disable_root_login" selected="true"/>
 <select idref="sshd_disable_empty_passwords" selected="true"/>
+<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
 <select idref="sshd_set_idle_timeout" selected="true"/>
 <select idref="sshd_set_keepalive" selected="true"/>
diff --git a/Fedora/input/services/ssh.xml b/Fedora/input/services/ssh.xml
index d01e090..dee9899 100644
--- a/Fedora/input/services/ssh.xml
+++ b/Fedora/input/services/ssh.xml
@@ -8,6 +8,15 @@ and more detailed documentation is available from its website, http://www.openssh.org. Its server program is called <tt>sshd</tt> and provided by the RPM package <tt>openssh-server</tt>.</description>
+<Value id="sshd_idle_timeout_value" type="number" operator="equals" interactive="0">
+<title>SSH session Idle time</title>
+<description>Specify duration of allowed idle time.</description>
+<value selector="">300</value>
+<value selector="5_minutes">300</value>
+<value selector="10_minutes">600</value>
+<value selector="15_minutes">900</value>
+</Value>
+
 <Group id="ssh_server">
 <title>Configure OpenSSH Server if Necessary</title>
 <description>If the system needs to act as an SSH server, then certain changes
@@ -69,7 +78,7 @@ SSH from correctly detecting that the user is idle. Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another. </rationale>
-<!-- <oval id="sshd_set_idle_timeout" value="sshd_idle_timeout_value"/> -->
+<oval id="sshd_set_idle_timeout" value="sshd_idle_timeout_value"/>
 <ref disa="879,1133"/>
 </Rule>
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index b38ea04..75876b3 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
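Review bot: The new `sshd_idle_timeout_value` Value in ssh.xml does not state a unit, while its `<value>` entries (300, 600, 900) and the ClientAliveInterval they are compared against are seconds; the title and description should say so, e.g. `<title>SSH session idle time (seconds)</title>` and `<description>Specify duration of allowed idle time, in seconds.</description>`. The `operator="equals"` on the Value also reads oddly beside a check that, per the OVAL state added in this patch, compares with less-than-or-equal; `operator="less than or equal"` would describe the intended comparison, if the build tooling accepts it. The second ssh.xml hunk only uncomments the `<oval>` reference and needs no change.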
@@ -56,6 +56,7 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
 %changelog
 * Fri Nov 29 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc8-1
 - OVAL check and remediation for sshd's ClientAliveCountMax rule
+- OVAL check for sshd's ClientAliveInterval rule
 * Thu Nov 28 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc7-1
 - Include descriptions for permissions section, and rules for checking
-- 
1.8.3.1
