Add Fedora OVAL test to check if SSH login for root user is allowed
(re-implementation of RHEL-6 check).
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 43ed9f12112945cd2a6ec16bc4b92f8393360575 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Mon, 16 Dec 2013 15:14:48 +0100
Subject: [PATCH] [Fedora] Add OVAL check for sshd disable root login
Signed-off-by: Jan Lieskovsky <[email protected]>
---
Fedora/input/checks/sshd_disable_root_login.xml | 44 +++++++++++++++++++++++++
Fedora/input/services/ssh.xml | 2 +-
Fedora/scap-security-guide.spec | 5 ++-
3 files changed, 49 insertions(+), 2 deletions(-)
create mode 100644 Fedora/input/checks/sshd_disable_root_login.xml
diff --git a/Fedora/input/checks/sshd_disable_root_login.xml b/Fedora/input/checks/sshd_disable_root_login.xml
new file mode 100644
index 0000000..e987d5a
--- /dev/null
+++ b/Fedora/input/checks/sshd_disable_root_login.xml
@@ -0,0 +1,44 @@
+<def-group>
+ <definition class="compliance" id="sshd_disable_root_login" version="1">
+ <metadata>
+ <title>Disable root Login via SSH</title>
+ <affected family="unix">
+ <platform>Fedora 19</platform>
+ </affected>
+ <description>
+ Root login via SSH should be disabled (and dependencies are met)
+ </description>
+ </metadata>
+ <!-- Test to succeed only if some of the following is met, fail otherwise -->
+ <criteria comment="SSH is not being used or conditions are met" operator="OR">
+ <!-- * case: sshd service is disabled -->
+ <extend_definition comment="sshd service is disabled"
+ definition_ref="service_sshd_disabled" />
+ <!-- * case: At least one 'PermitRootLogin no' present in
+ /etc/ssh/sshd_config not preceded by 'PermitRootLogin yes' -->
+ <criterion comment="SSH login for root user forbidden in sshd config"
+ test_ref="test_sshd_permit_root_login_not_enabled_before_disabled" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+ comment="SSH login for root user forbidden in sshd config"
+ id="test_sshd_permit_root_login_not_enabled_before_disabled"
+ version="1" >
+ <ind:object object_ref="obj_sshd_permit_root_login_not_enabled_before_disabled" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object
+ id="obj_sshd_permit_root_login_not_enabled_before_disabled"
+ version="1">
+ <!-- Read whole /etc/ssh/sshd_config at once (as single line) -->
+ <ind:behaviors singleline="true" />
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <!-- Case insensitively search /etc/ssh/sshd_config for uncommented
+ occurrence of at least one 'PermitRootLogin no' directive, which
+ is not preceded by (uncommented) occurence of 'PermitRootLogin yes' -->
+ <ind:pattern operation="pattern match">^(?i)(?:(?!\n\s*PermitRootLogin\s+yes).)*(\n\s*PermitRootLogin\s+no)(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
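Review bot: The negative lookahead in the `ind:pattern` only rejects an earlier `PermitRootLogin yes`, so a config where `PermitRootLogin without-password` or `forced-commands-only` comes first and `PermitRootLogin no` follows would pass this check, although sshd uses the first value it obtains for a keyword and root could still log in with a key. Rejecting any earlier uncommented value other than `no` would close that, for example by changing the lookahead to `(?!\n\s*PermitRootLogin\s+(?!no\b)\S)`; this should be tested against sample configs before merging. Both directive matches also require a leading `\n`, so a `PermitRootLogin` line at the very start of the file is invisible to either part of the pattern. The pattern also accepts an indented `PermitRootLogin no`, which may sit inside a `Match` block and so apply only conditionally; a comment next to the pattern stating that limitation would help.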
diff --git a/Fedora/input/services/ssh.xml b/Fedora/input/services/ssh.xml
index 843aeef..ce289b1 100644
--- a/Fedora/input/services/ssh.xml
+++ b/Fedora/input/services/ssh.xml
@@ -37,7 +37,7 @@ Permitting direct root login reduces auditable information about who ran
privileged commands on the system and also allows direct attack attempts on
root's password.
</rationale>
-<!-- <oval id="sshd_disable_root_login" /> -->
+<oval id="sshd_disable_root_login" />
<ref nist="AC-6(2),IA-2(1)" disa="770" />
</Rule>
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index 67a6c14..6527db8 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -5,7 +5,7 @@
# file one level up - in the main scap-security-guide directory (instead of
# this one).
-%global fedorassgversion 4.rc13
+%global fedorassgversion 4.rc14
Name: scap-security-guide
Version: 0.1.%{fedorassgversion}
@@ -54,6 +54,9 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
%doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html
%changelog
+* Mon Dec 16 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4-rc14-1
+- OVAL check for sshd disable root login
+
* Fri Dec 13 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc13-1
- OVAL check for sshd disable empty passwords
- Unselect no shelllogin for systemaccounts rule from being run by default
--
1.8.3.1