[Fedora] Fix typo in OVAL check for sshd disable empty passwords
When searching for 'PermitEmptyPasswords yes', the regex in the previous
version was too liberal (even a case like:

    # PermitEmptyPasswords yes
    permitemptypasswords no

would match the \s+ expression, meaning the corresponding OVAL object
wouldn't be found in the system, and the test failed even in a case where
it should pass) =>
FAIL only in case there's an explicit '(?i)\n\s*PermitEmptyPasswords\s+yes'
in /etc/ssh/sshd_config.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 7d0be90db010468b663ea248cc2acc9249633a31 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Mon, 16 Dec 2013 15:57:48 +0100
Subject: [PATCH] [Fedora] Fix typo in OVAL check for sshd disable empty
passwords
Signed-off-by: Jan Lieskovsky <[email protected]>
---
Fedora/input/checks/sshd_disable_empty_passwords.xml | 3 +--
Fedora/scap-security-guide.spec | 1 +
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Fedora/input/checks/sshd_disable_empty_passwords.xml b/Fedora/input/checks/sshd_disable_empty_passwords.xml
index 590d051..5a979e5 100644
--- a/Fedora/input/checks/sshd_disable_empty_passwords.xml
+++ b/Fedora/input/checks/sshd_disable_empty_passwords.xml
@@ -46,7 +46,6 @@
comment="SSH login via empty passwords forbidden in sshd config"
id="test_sshd_permit_empty_passwords_not_enabled_before_disabled"
version="1" >
-
<ind:object object_ref="obj_sshd_permit_empty_passwords_not_enabled_before_disabled" />
</ind:textfilecontent54_test>
@@ -61,7 +60,7 @@
<!-- Case-insensitively search sshd config in singleline mode for uncommented
occurrence of 'PermitEmptyPasswords no', which is not prefixed / preceded by
'PermitEmptyPasswords yes' [*] -->
- <ind:pattern operation="pattern match">^(?i)(?:(?!\s+PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
+ <ind:pattern operation="pattern match">^(?i)(?:(?!\n\s*PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
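Review bot: The new lookahead `(?!\n\s*PermitEmptyPasswords\s+yes)` in the `+` pattern line only triggers after a newline, so an uncommented `PermitEmptyPasswords yes` on the very first line of the file is not treated as preceding the later `no`, and the object is still collected. The capture `(\n\s*PermitEmptyPasswords\s+no)` has the same dependency, so a `no` directive on the first line is never matched. Consider accepting start-of-file as well as a newline in both places, for example `(?:^|\n)\s*`, and adding a test config for each first-line case.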
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index 6527db8..e29fa1c 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -56,6 +56,7 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
%changelog
* Mon Dec 16 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4-rc14-1
- OVAL check for sshd disable root login
+- Fix typo in OVAL check for sshd disable empty passwords
* Fri Dec 13 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc13-1
- OVAL check for sshd disable empty passwords
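Review bot: The added changelog line calls this a typo fix, but the pattern change in sshd_disable_empty_passwords.xml alters which configurations pass the check, so wording such as "Fix too liberal regex in OVAL check for sshd disable empty passwords" would describe it better. The entry header it is filed under reads `0.1.4-rc14-1` while the previous entry reads `0.1.4.rc13-1`; the separator before `rc` should be made consistent while this block is being edited.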
--
1.8.3.1
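Added example, not part of the original mail or of the scap-security-guide code: the old and new patterns from the patch run over constructed sshd_config contents. Python's re stands in for the scanner's regex engine and re.S for singleline mode (assumptions); the "anchored" pattern and the sample names are hypothetical and go beyond the patch to cover a directive on the very first line of the file.

```python
import re

# Python's re stands in for the scanner's regex engine (assumption). The inline
# (?i) becomes re.I because Python wants global flags at the start, and re.S
# models the "singleline mode" named in the patch comment.
FLAGS = re.I | re.S
NO_LINE = r"(\n\s*PermitEmptyPasswords\s+no)(.*)$"
PATTERNS = {
    # '-' line of the patch: any whitespace before the keyword counts as "yes".
    "old": r"^(?:(?!\s+PermitEmptyPasswords\s+yes).)*" + NO_LINE,
    # '+' line of the patch: only a keyword that follows a newline counts.
    "new": r"^(?:(?!\n\s*PermitEmptyPasswords\s+yes).)*" + NO_LINE,
    # Hypothetical variant, not in the patch: also treats the very first line
    # of the file as a line start, for both the "yes" and the "no" part.
    "anchored": r"^(?:(?!(?:^|\n)\s*PermitEmptyPasswords\s+yes).)*"
                r"((?:^|\n)\s*PermitEmptyPasswords\s+no)(.*)$",
}
COMPILED = {name: re.compile(p, FLAGS) for name, p in PATTERNS.items()}

# Constructed sshd_config contents, not taken from a real system.
SAMPLES = {
    "commented_yes_then_no": "Port 22\n# PermitEmptyPasswords yes\npermitemptypasswords no\n",
    "active_yes_then_no": "Port 22\nPermitEmptyPasswords yes\nPermitEmptyPasswords no\n",
    "yes_on_first_line": "PermitEmptyPasswords yes\nPermitEmptyPasswords no\n",
    "no_on_first_line": "PermitEmptyPasswords no\nPort 22\n",
}


def check_passes(pattern_name, config_text):
    """True when the pattern collects an item, i.e. the OVAL test would pass."""
    return COMPILED[pattern_name].match(config_text) is not None


def results():
    """Map each sample name to {pattern name: pass/fail}."""
    return {
        sample: {name: check_passes(name, text) for name in PATTERNS}
        for sample, text in SAMPLES.items()
    }


if __name__ == "__main__":
    for sample, outcome in results().items():
        print(f"{sample:24}", outcome)
```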