* [Fedora] OVAL check for sshd disable empty passwords
------------------------------------------------------
Rewrite the rule that checks whether SSH logins from accounts
with empty passwords are allowed. The rule now passes only if
at least one of the following holds:
* sshd service is disabled,
* default sshd config is used (sshd defaults to 'PermitEmptyPasswords no'),
* in a customized sshd config, an uncommented 'PermitEmptyPasswords no'
(disabling the access) is not preceded by an uncommented occurrence
of 'PermitEmptyPasswords yes' (enabling access).
The comments were kept in the patch intentionally to:
* describe regular expressions used,
* mention sshd_config behaviour (so me / someone
else doesn't need to waste time on the format
in the future).
After testing on RHEL 6 the check could probably be moved to the shared directory.
* [Fedora] Unselect no shelllogin for systemaccounts rule from being run by
default
-----------------------------------------------------------------------------------
The rule has been found to cause / have some issues. See e.g.:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004650.html
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 80b28559536d265d129bb1ae5b7792de0ba7cb14 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Fri, 13 Dec 2013 20:12:13 +0100
Subject: [PATCH] [Fedora] OVAL check for sshd disable empty passwords [Fedora]
Unselect no shelllogin for systemaccounts rule from being run by default
Signed-off-by: Jan Lieskovsky <[email protected]>
---
.../input/checks/sshd_disable_empty_passwords.xml | 79 ++++++++++++++++++++++
Fedora/input/profiles/common.xml | 2 +-
Fedora/input/services/ssh.xml | 2 +-
Fedora/scap-security-guide.spec | 6 +-
4 files changed, 86 insertions(+), 3 deletions(-)
create mode 100644 Fedora/input/checks/sshd_disable_empty_passwords.xml
diff --git a/Fedora/input/checks/sshd_disable_empty_passwords.xml b/Fedora/input/checks/sshd_disable_empty_passwords.xml
new file mode 100644
index 0000000..2ab9c32
--- /dev/null
+++ b/Fedora/input/checks/sshd_disable_empty_passwords.xml
@@ -0,0 +1,79 @@
+<def-group>
+ <definition class="compliance" id="sshd_disable_empty_passwords" version="1">
+ <metadata>
+ <title>Disable Empty Passwords</title>
+ <affected family="unix">
+ <platform>Fedora 19</platform>
+ </affected>
+ <description>
+ Remote connections from accounts with empty passwords should be
+ disabled (and dependencies are met)
+ </description>
+ </metadata>
+ <!-- Test to succeed only if some of the following is met, fail otherwise -->
+ <criteria comment="sshd disabled or conditions are met" operator="OR">
+ <!-- * case: sshd service is disabled -->
+ <extend_definition comment="sshd service is disabled"
+ definition_ref="service_sshd_disabled" />
+ <!-- * case: default sshd config (defaults to empty passwords SSH login disabled -->
+ <criterion comment="default sshd config" test_ref="test_sshd_default_config" />
+ <!-- * case: 'PermitEmptyPasswords no' not preceded by 'PermitEmptyPasswords yes' -->
+ <criterion comment="SSH login via empty passwords forbidden in sshd config"
+ test_ref="test_sshd_permit_empty_passwords_not_enabled_before_disabled" />
+ </criteria>
+ </definition>
+
+ <!-- Check if system's /etc/ssh/sshd_config is in default form (safe case) -->
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="check default sshd config" id="test_sshd_default_config"
+ version="1" >
+ <ind:object object_ref="obj_sshd_default_config" />
+ </ind:textfilecontent54_test>
+
+ <!-- For default sshd config ensure there aren't PermitEmptyPasswords [yes/no] rows -->
+ <ind:textfilecontent54_object id="obj_sshd_default_config" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <!-- Case-insensitively search sshd config in multiline mode for uncommented
+ occurrence of either 'PermitEmptyPasswords yes' or
+ 'PermitEmptyPasswords no' -->
+ <ind:pattern operation="pattern match">^(?i)\s*PermitEmptyPasswords\s+(yes|no)\s*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <!-- If system's /etc/ssh/sshd_config got modified, ensure empty password SSH
+ logins weren't enabled before there's option disabling it in the config -->
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+ comment="SSH login via empty passwords forbidden in sshd config"
+ id="test_sshd_permit_empty_passwords_not_enabled_before_disabled"
+ version="1" >
+
+ <ind:object object_ref="obj_sshd_permit_empty_passwords_not_enabled_before_disabled" />
+ </ind:textfilecontent54_test>
+
+ <!-- For modified sshd config check there aren't 'PermitEmptyPasswords yes' row(s)
+ before first 'PermitEmptyPassword no' row -->
+ <ind:textfilecontent54_object
+ id="obj_sshd_permit_empty_passwords_not_enabled_before_disabled"
+ version="1">
+ <!-- Read whole /etc/ssh/sshd_config at one (as single line) -->
+ <ind:behaviors singleline="true" />
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <!-- Case-insensitively search sshd config in singleline mode for uncommented
+ occurrence of 'PermitEmptyPasswords no', which is not prefixed / preceded by
+ 'PermitEmptyPasswords yes' [*] -->
+ <ind:pattern operation="pattern match">^(?i)(?:(?!\s+PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+<!--
+
+[*] sshd config observations:
+ - specifies default value where possible, but leave them commented,
+ - uncommented options override the default value,
+ - multiple occurrences of the same option are possible. In that case
+ value of the first (uncommented) one is honoured,
+ - option names (but not their values!) are parsed case-insensitively
+
+-->
+
+</def-group>
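Review bot: The negative lookahead in obj_sshd_permit_empty_passwords_not_enabled_before_disabled requires at least one whitespace character in front of the keyword (`\s+PermitEmptyPasswords\s+yes`), so a `PermitEmptyPasswords yes` on the very first line of sshd_config is never seen and the definition passes as soon as a later `no` exists, while the `no` alternative has the mirror problem of demanding a leading `\n`. Both patterns also accept only whitespace between keyword and value, whereas sshd_config(5) additionally allows the `Keyword=value` form, so `PermitEmptyPasswords=yes` matches neither regex and test_sshd_default_config reports the file as a safe default. I would anchor on `(?:^|\n)` and accept the `=` separator in both objects, e.g. `^(?i)\s*PermitEmptyPasswords(?:\s+|\s*=\s*)(yes|no)\s*$` for obj_sshd_default_config and `^(?i)(?:(?!(?:^|\n)\s*PermitEmptyPasswords(?:\s+|\s*=\s*)yes).)*(?:^|\n)\s*PermitEmptyPasswords(?:\s+|\s*=\s*)no.*$` for the ordering check. Separately, the first-occurrence rule recorded in the trailing comment only holds for the global section: a `yes` inside a `Match` block that follows the global `no` still re-enables empty-password logins for the matched users, so failing on any uncommented `yes` regardless of position would be both simpler and safer if that strictness is acceptable for the profile.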
diff --git a/Fedora/input/profiles/common.xml b/Fedora/input/profiles/common.xml
index 5d1be55..f51177f 100644
--- a/Fedora/input/profiles/common.xml
+++ b/Fedora/input/profiles/common.xml
@@ -23,7 +23,7 @@
<select idref="securetty_root_login_console_only" selected="true"/>
<select idref="restrict_serial_port_logins" selected="true"/>
<!-- <select idref="no_root_webbrowsing" selected="true"/> -->
- <select idref="no_shelllogin_for_systemaccounts" selected="true"/>
+ <!-- <select idref="no_shelllogin_for_systemaccounts" selected="true"/> -->
<select idref="no_uidzero_except_root" selected="true"/>
<!-- <select idref="root_path_default" selected="true"/> -->
<!-- Verify Proper Storage and Existence of Password Hashes section rules -->
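Review bot: The rule is deselected with no in-file indication of why, so the next person editing common.xml sees only another commented-out `<select>` among several and cannot tell a known-problematic check from an intentionally optional one. I would keep the reason next to it, e.g. `<!-- no_shelllogin_for_systemaccounts: disabled by default, check reported issues; see scap-security-guide list thread, Dec 2013 -->`, referencing the thread cited in the cover letter.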
diff --git a/Fedora/input/services/ssh.xml b/Fedora/input/services/ssh.xml
index d0ed58f..843aeef 100644
--- a/Fedora/input/services/ssh.xml
+++ b/Fedora/input/services/ssh.xml
@@ -55,7 +55,7 @@ Configuring this setting for the SSH daemon provides additional assurance that
remote login via SSH will require a password, even in the event of
misconfiguration elsewhere.
</rationale>
-<!-- <oval id="sshd_disable_empty_passwords" /> -->
+<oval id="sshd_disable_empty_passwords" />
<ref disa="765,766"/>
</Rule>
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index eb04b6a..67a6c14 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -5,7 +5,7 @@
# file one level up - in the main scap-security-guide directory (instead of
# this one).
-%global fedorassgversion 4.rc12
+%global fedorassgversion 4.rc13
Name: scap-security-guide
Version: 0.1.%{fedorassgversion}
@@ -54,6 +54,10 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
%doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html
%changelog
+* Fri Dec 13 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc13-1
+- OVAL check for sshd disable empty passwords
+- Unselect no shelllogin for systemaccounts rule from being run by default
+
* Mon Dec 09 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc12-1
- Rename XCCDF rules
- Revert Set up Fedora release name and CPE based on build system properties
--
1.8.3.1