[Fedora] Fix typo in OVAL check for sshd disable empty passwords

When searching for 'PermitEmptyPasswords yes', the regex in the previous
version was too liberal (even a case like:

# PermitEmptyPasswords yes
permitemptypasswords no

would match the \s+ expression, meaning the corresponding OVAL object
wouldn't be found in the system, and the test failed even in a case where it
should pass) =>

FAIL only in case there's an explicit '(?i)\n\s*PermitEmptyPasswords\s+yes'
in /etc/ssh/sshd_config.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 7d0be90db010468b663ea248cc2acc9249633a31 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Mon, 16 Dec 2013 15:57:48 +0100
Subject: [PATCH] [Fedora] Fix typo in OVAL check for sshd disable empty
 passwords

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 Fedora/input/checks/sshd_disable_empty_passwords.xml | 3 +--
 Fedora/scap-security-guide.spec                      | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Fedora/input/checks/sshd_disable_empty_passwords.xml b/Fedora/input/checks/sshd_disable_empty_passwords.xml
index 590d051..5a979e5 100644
--- a/Fedora/input/checks/sshd_disable_empty_passwords.xml
+++ b/Fedora/input/checks/sshd_disable_empty_passwords.xml
@@ -46,7 +46,6 @@
    comment="SSH login via empty passwords forbidden in sshd config"
    id="test_sshd_permit_empty_passwords_not_enabled_before_disabled"
    version="1" >
-
     <ind:object object_ref="obj_sshd_permit_empty_passwords_not_enabled_before_disabled" />
   </ind:textfilecontent54_test>
 
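Review bot: the blank line dropped after version="1" > is a whitespace-only cleanup unrelated to the pattern fix, and the commit message does not mention it. Either say so in the message or send it separately, so that the regex change is the only functional difference a reader has to look for in this file.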
@@ -61,7 +60,7 @@
     <!-- Case-insensitively search sshd config in singleline mode for uncommented
          occurrence of 'PermitEmptyPasswords no', which is not prefixed / preceded by
          'PermitEmptyPasswords yes' [*] -->
-    <ind:pattern operation="pattern match">^(?i)(?:(?!\s+PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
+    <ind:pattern operation="pattern match">^(?i)(?:(?!\n\s*PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
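Review bot: the new lookahead (?!\n\s*PermitEmptyPasswords\s+yes) only recognises the directive when a newline precedes it, so an uncommented 'PermitEmptyPasswords yes' on the very first line of sshd_config is not excluded and a later 'PermitEmptyPasswords no' still satisfies the object. The capture group (\n\s*PermitEmptyPasswords\s+no) has the same first-line gap in the other direction. Consider (?:^|\n) in both places, and extend the comment above the pattern to state that "preceded by" now means an uncommented directive at the start of a line.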
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index 6527db8..e29fa1c 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -56,6 +56,7 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
 %changelog
 * Mon Dec 16 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4-rc14-1
 - OVAL check for sshd disable root login
+- Fix typo in OVAL check for sshd disable empty passwords
 
 * Fri Dec 13 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc13-1
 - OVAL check for sshd disable empty passwords
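Review bot: the new entry is appended under the existing header for 0.1.4-rc14-1, which writes the version with a hyphen while the previous entry uses 0.1.4.rc13-1; pick one form for both headers. If an rc14-1 build has already gone out, this fix should get its own changelog entry with a bumped release rather than being added to the existing one.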
-- 
1.8.3.1
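
The before/after behaviour described in the message, as an added example that is not part of the original patch or the project's code. Both patterns are taken from the diff, with the inline (?i) moved to a compile flag and re.DOTALL assumed for the "singleline mode" named in the XML comment; the sample configs and helper names are constructed.

```python
import re

# Patterns copied from the diff. Python rejects an inline (?i) placed after
# '^', so case-insensitivity is passed as a flag; re.DOTALL is an assumption
# standing in for the "singleline mode" named in the XML comment.
FLAGS = re.IGNORECASE | re.DOTALL
TAIL = r"(\n\s*PermitEmptyPasswords\s+no)(.*)$"
OLD = re.compile(r"^(?:(?!\s+PermitEmptyPasswords\s+yes).)*" + TAIL, FLAGS)
NEW = re.compile(r"^(?:(?!\n\s*PermitEmptyPasswords\s+yes).)*" + TAIL, FLAGS)

# Constructed sshd_config contents, not taken from a real system.
SAMPLES = {
    # The case from the message: a commented-out 'yes' followed by a real 'no'.
    "commented_yes_then_no":
        "# PermitEmptyPasswords yes\npermitemptypasswords no\n",
    # Plain compliant config.
    "only_no":
        "Protocol 2\nPermitEmptyPasswords no\n",
    # Uncommented 'yes' ahead of 'no': the check must fail.
    "yes_before_no":
        "Protocol 2\nPermitEmptyPasswords yes\nPermitEmptyPasswords no\n",
    # Limit shared by both patterns: a directive on the first line of the
    # file has no preceding newline, so the lookahead never sees it.
    "yes_on_first_line":
        "PermitEmptyPasswords yes\nPermitEmptyPasswords no\n",
}


def object_found(pattern, config):
    """True when the pattern matches, i.e. the OVAL object would exist."""
    return pattern.match(config) is not None


def compare(config):
    """Evaluate one config against the pre-patch and post-patch patterns."""
    return {"old": object_found(OLD, config), "new": object_found(NEW, config)}


if __name__ == "__main__":
    for name, config in SAMPLES.items():
        print(f"{name:24} {compare(config)}")
```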
