[RHEL6] Fix SSH remediation scripts to be case-insensitive The current version of various SSH remediation scripts for RHEL-6 searches (grep) and replaces (sed) a particular /etc/ssh/sshd_config option in a case-sensitive manner (only an exact-case match is found and replaced). Therefore
having, e.g., `permitrootlogin yes` in /etc/ssh/sshd_config would (in the current state) cause the 'PermitRootLogin no' string to be appended at the end of the file while root logins stay allowed, since sshd honours the first occurrence of an option in /etc/ssh/sshd_config and sshd_config keywords are themselves case-insensitive. The proposal changes the searches and replacements in various SSH daemon remediations to be case-insensitive, fixing this problem. Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 5033307ec5bc0759edcf455509b9208443356386 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Mon, 16 Dec 2013 17:19:01 +0100
Subject: [PATCH] [RHEL6] Fix SSH remediation scripts to be case-insensitive
Signed-off-by: Jan Lieskovsky <[email protected]>
---
 RHEL6/input/fixes/bash/sshd_disable_empty_passwords.sh | 4 ++--
 RHEL6/input/fixes/bash/sshd_disable_rhosts.sh | 4 ++--
 RHEL6/input/fixes/bash/sshd_disable_root_login.sh | 4 ++--
 RHEL6/input/fixes/bash/sshd_do_not_permit_user_env.sh | 4 ++--
 RHEL6/input/fixes/bash/sshd_enable_warning_banner.sh | 4 ++--
 RHEL6/input/fixes/bash/sshd_set_idle_timeout.sh | 4 ++--
 RHEL6/input/fixes/bash/sshd_set_keepalive.sh | 4 ++--
 RHEL6/input/fixes/bash/sshd_use_approved_ciphers.sh | 4 ++--
 8 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/RHEL6/input/fixes/bash/sshd_disable_empty_passwords.sh b/RHEL6/input/fixes/bash/sshd_disable_empty_passwords.sh
index f71fff1..c28fc77 100644
--- a/RHEL6/input/fixes/bash/sshd_disable_empty_passwords.sh
+++ b/RHEL6/input/fixes/bash/sshd_disable_empty_passwords.sh
@@ -1,5 +1,5 @@
-grep -q ^PermitEmptyPasswords /etc/ssh/sshd_config && \
- sed -i "s/PermitEmptyPasswords.*/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
+grep -qi ^PermitEmptyPasswords /etc/ssh/sshd_config && \
+ sed -i "s/PermitEmptyPasswords.*/PermitEmptyPasswords no/gI" /etc/ssh/sshd_config
 if ! [ $? -eq 0 ]; then
 echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
 fi
diff --git a/RHEL6/input/fixes/bash/sshd_disable_rhosts.sh b/RHEL6/input/fixes/bash/sshd_disable_rhosts.sh
index 24d22db..e87e3c1 100644
--- a/RHEL6/input/fixes/bash/sshd_disable_rhosts.sh
+++ b/RHEL6/input/fixes/bash/sshd_disable_rhosts.sh
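Review bot: The new sed expression is not anchored while the grep next to it is, so with the `I` flag the substitution now rewrites every line containing `permitemptypasswords` in any case, including commented-out entries such as the stock `#PermitEmptyPasswords no`, which is more than the grep tested for. Anchoring the pattern limits the rewrite to the active directive and also makes the `g` flag redundant, since `.*` already consumes the rest of the line: `sed -i "s/^PermitEmptyPasswords.*/PermitEmptyPasswords no/I" /etc/ssh/sshd_config`. As far as I recall sshd also skips leading whitespace before a keyword, so `^[[:space:]]*PermitEmptyPasswords` in both the grep and the sed would close the remaining variant of the failure the commit message describes (directive present but unmatched, appended line loses to the earlier one).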
@@ -1,5 +1,5 @@
-grep -q ^IgnoreRhosts /etc/ssh/sshd_config && \
- sed -i "s/IgnoreRhosts.*/IgnoreRhosts yes/g" /etc/ssh/sshd_config
+grep -qi ^IgnoreRhosts /etc/ssh/sshd_config && \
+ sed -i "s/IgnoreRhosts.*/IgnoreRhosts yes/gI" /etc/ssh/sshd_config
 if ! [ $? -eq 0 ]; then
 echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
 fi
diff --git a/RHEL6/input/fixes/bash/sshd_disable_root_login.sh b/RHEL6/input/fixes/bash/sshd_disable_root_login.sh
index ffd8262..e8b65aa 100644
--- a/RHEL6/input/fixes/bash/sshd_disable_root_login.sh
+++ b/RHEL6/input/fixes/bash/sshd_disable_root_login.sh
@@ -1,5 +1,5 @@
-grep -q ^PermitRootLogin /etc/ssh/sshd_config && \
- sed -i "s/PermitRootLogin.*/PermitRootLogin no/g" /etc/ssh/sshd_config
+grep -qi ^PermitRootLogin /etc/ssh/sshd_config && \
+ sed -i "s/PermitRootLogin.*/PermitRootLogin no/gI" /etc/ssh/sshd_config
 if ! [ $? -eq 0 ]; then
 echo "PermitRootLogin "no >> /etc/ssh/sshd_config
 fi
diff --git a/RHEL6/input/fixes/bash/sshd_do_not_permit_user_env.sh b/RHEL6/input/fixes/bash/sshd_do_not_permit_user_env.sh
index b886e3c..fb3f545 100644
--- a/RHEL6/input/fixes/bash/sshd_do_not_permit_user_env.sh
+++ b/RHEL6/input/fixes/bash/sshd_do_not_permit_user_env.sh
@@ -1,5 +1,5 @@
-grep -q ^PermitUserEnvironment /etc/ssh/sshd_config && \
- sed -i "s/PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_config
+grep -qi ^PermitUserEnvironment /etc/ssh/sshd_config && \
+ sed -i "s/PermitUserEnvironment.*/PermitUserEnvironment no/gI" /etc/ssh/sshd_config
 if ! [ $? -eq 0 ]; then
 echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config
 fi
diff --git a/RHEL6/input/fixes/bash/sshd_enable_warning_banner.sh b/RHEL6/input/fixes/bash/sshd_enable_warning_banner.sh
index b1ad28f..24a385b 100644
--- a/RHEL6/input/fixes/bash/sshd_enable_warning_banner.sh
+++ b/RHEL6/input/fixes/bash/sshd_enable_warning_banner.sh
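Review bot: In sshd_disable_root_login.sh the grep on the new side still only matches the keyword at column 0, and as far as I recall sshd ignores leading whitespace before a keyword, so an indented `PermitRootLogin yes` reproduces exactly the failure the commit message describes: the script appends `PermitRootLogin no` and the earlier directive keeps winning; `grep -qi '^[[:space:]]*PermitRootLogin' /etc/ssh/sshd_config` would cover it. A `PermitRootLogin yes` inside a later `Match` block overrides the global value for matching connections, and the unanchored sed currently rewrites those indented entries too, so if the substitution is ever anchored it should keep the `[[:space:]]*` prefix rather than a bare `^`, and a comment saying so would prevent that regression. The unchanged fallback line `echo "PermitRootLogin "no >> /etc/ssh/sshd_config` has its closing quote before `no`; it still emits `PermitRootLogin no` but reads as a typo and differs from the other seven scripts, so `echo "PermitRootLogin no" >> /etc/ssh/sshd_config` is worth fixing while this file is being touched.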
@@ -1,5 +1,5 @@
-grep -q ^Banner /etc/ssh/sshd_config && \
- sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config
+grep -qi ^Banner /etc/ssh/sshd_config && \
+ sed -i "s/Banner.*/Banner \/etc\/issue/gI" /etc/ssh/sshd_config
 if ! [ $? -eq 0 ]; then
 echo "Banner /etc/issue" >> /etc/ssh/sshd_config
 fi
diff --git a/RHEL6/input/fixes/bash/sshd_set_idle_timeout.sh b/RHEL6/input/fixes/bash/sshd_set_idle_timeout.sh
index 0a2d226..c491057 100644
--- a/RHEL6/input/fixes/bash/sshd_set_idle_timeout.sh
+++ b/RHEL6/input/fixes/bash/sshd_set_idle_timeout.sh
@@ -1,8 +1,8 @@
 source ./templates/support.sh
 populate sshd_idle_timeout_value
-grep -q ^ClientAliveInterval /etc/ssh/sshd_config && \
- sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/g" /etc/ssh/sshd_config
+grep -qi ^ClientAliveInterval /etc/ssh/sshd_config && \
+ sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/gI" /etc/ssh/sshd_config
 if ! [ $? -eq 0 ]; then
 echo "ClientAliveInterval $sshd_idle_timeout_value" >> /etc/ssh/sshd_config
 fi
diff --git a/RHEL6/input/fixes/bash/sshd_set_keepalive.sh b/RHEL6/input/fixes/bash/sshd_set_keepalive.sh
index d54ba21..17b83ec 100644
--- a/RHEL6/input/fixes/bash/sshd_set_keepalive.sh
+++ b/RHEL6/input/fixes/bash/sshd_set_keepalive.sh
@@ -1,5 +1,5 @@
-grep -q ^ClientAliveCountMax /etc/ssh/sshd_config && \
- sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/g" /etc/ssh/sshd_config
+grep -qi ^ClientAliveCountMax /etc/ssh/sshd_config && \
+ sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/gI" /etc/ssh/sshd_config
 if ! [ $? -eq 0 ]; then
 echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
 fi
diff --git a/RHEL6/input/fixes/bash/sshd_use_approved_ciphers.sh b/RHEL6/input/fixes/bash/sshd_use_approved_ciphers.sh
index a00eb95..264553f 100644
--- a/RHEL6/input/fixes/bash/sshd_use_approved_ciphers.sh
+++ b/RHEL6/input/fixes/bash/sshd_use_approved_ciphers.sh
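Review bot: In sshd_enable_warning_banner.sh the `I` flag on an unanchored `Banner.*` now matches prose as well as the directive: the stock sshd_config ships the comment `# no default banner path` directly above `#Banner none`, and the new sed turns that comment into `# no default Banner /etc/issue` on every run. sshd does not care, but it corrupts the file's comments and makes configuration diffs noisy, and it is more than the anchored grep on the line above tested for. Anchoring the substitution, e.g. `sed -i "s|^Banner.*|Banner /etc/issue|I" /etc/ssh/sshd_config` (the `|` delimiter also drops the escaped slashes), limits the rewrite to the active directive.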
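Review bot: In sshd_set_keepalive.sh the value `ClientAliveCountMax 0` relies on version-specific semantics that the script does not record: on the OpenSSH 5.x shipped with RHEL 6 it drops the session after the first unanswered alive probe, whereas OpenSSH 8.2 redefined `0` as "never terminate the connection", so the same remediation applied to a newer sshd would silently disable the idle timeout. A comment above the grep such as `# 0 = disconnect after the first missed ClientAliveInterval probe (OpenSSH < 8.2; 8.2+ treats 0 as 'never disconnect')` captures the assumption. The setting is also only effective together with a non-zero `ClientAliveInterval`, which is written by a separate script, so noting that dependency here would help anyone applying the scripts selectively.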
@@ -1,5 +1,5 @@
-grep -q ^Ciphers /etc/ssh/sshd_config && \
- sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc/g" /etc/ssh/sshd_config
+grep -qi ^Ciphers /etc/ssh/sshd_config && \
+ sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc/gI" /etc/ssh/sshd_config
 if ! [ $? -eq 0 ]; then
 echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" >> /etc/ssh/sshd_config
 fi
-- 
1.8.3.1
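Review bot: The cipher list the new side enforces still contains `3des-cbc` and the AES CBC modes next to the CTR modes; CBC-mode SSH ciphers have a long-known plaintext-recovery weakness, and because SSH negotiation takes the first entry of the client's list that the server also offers, a client preferring CBC will get CBC regardless of the server-side ordering. If the intent is the FIPS-approved set rather than a recommended preference, a comment such as `# FIPS 140-2 approved set; CTR listed first, CBC retained only for legacy clients` would stop the list being read as an endorsement of CBC, and the profile owner may want to consider a CTR-only list where client compatibility allows. As with the other scripts, the unanchored `Ciphers.*` with `I` also rewrites any commented-out line beginning with that word, so `s/^Ciphers.*/.../I` is the safer form.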
