----- Original Message -----
> From: "Maura Dailey" <[email protected]>
> To: [email protected]
> Sent: Monday, December 16, 2013 6:10:57 PM
> Subject: Re: [PATCH] [Fedora] Fix typo in OVAL check for sshd disable empty passwords
>
> On 12/16/2013 11:45 AM, Shawn Wells wrote:
> > On 12/16/13, 10:09 AM, Jan Lieskovsky wrote:
> >> - <ind:pattern operation="pattern
> >> match">^(?i)(?:(?!\s+PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
> >> + <ind:pattern operation="pattern
> >> match">^(?i)(?:(?!\n\s*PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
> >
> >
> > This is likely in the RHEL6 content too. To address both Fedora &
> > RHEL, could this check be moved to shared/ and symlinked?
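Review bot: the corrected lookahead `(?!\n\s*PermitEmptyPasswords\s+yes)` now has the same shape as the capture group `(\n\s*PermitEmptyPasswords\s+no)`, but both require a preceding `\n`, so neither sees the keyword when it sits on the very first line of the file: a `PermitEmptyPasswords yes` on line 1 is not excluded, and a `PermitEmptyPasswords no` on line 1 is not found. Consider allowing a start-of-file alternative in both places, e.g. `(?:^|\n)\s*`, and, if the engine applies the pattern in multiline mode, note that the leading `^` can also match at any later line start, so the scan may begin after an earlier `yes`. A test file with `yes` on line 1 and `no` on line 2 would pin both cases down before the check moves to shared/.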
Not in RHEL-6 yet. This is a complete rewrite of the OVAL check for Fedora
(would move to shared once I have had a chance to further test on RHEL-6 too).

> > _______________________________________________
> > scap-security-guide mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
> The pattern operation line is completely different in the RHEL version:
>
> <ind:pattern operation="pattern
> match">^[\s]*(?i)PermitEmptyPasswords[\s]+no[\s]*$</ind:pattern>

Yes, but unfortunately this check is not sufficient. It returns PASS also for a case like:

PermitEmptyPasswords yes
PermitEmptyPasswords no

being present in /etc/ssh/sshd_config (IOW it's not sufficient to check if there's a "PermitEmptyPasswords no" setting in the config, but it's also necessary to check that it isn't prefixed / preceded by another "PermitEmptyPasswords yes" in the config). Or yet IOW, if "(?i)PermitEmptyPasswords no" has been provided as the first option in the sshd config. That's why the rewrite.

Another example / case of such an issue is:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/checks/sshd_disable_root_login.xml

(example case when it isn't working is the default configuration having:

# PermitRootLogin yes

in the config. Remote SSH root login is allowed [can be verified by making a root connection], while the test returns PASS)

rewritten by:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004676.html

(implemented by a check for the explicit presence of 'PermitRootLogin no' not preceded by an earlier 'PermitRootLogin yes').

Will move to the /shared directory and symlink for RHEL-6 too, as soon as I have given it more testing on RHEL-6 (IOW confirmed it returns proper results for each of the different cases [that's why they are in Fedora first :)]).

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> - Maura Dailey
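The ordering problem Jan describes above (a "PermitEmptyPasswords no" line satisfying the RHEL6 pattern even when an earlier "PermitEmptyPasswords yes" is what sshd actually honours) is easy to reproduce outside OVAL. The following is an added example written for this page, not code from the thread or from scap-security-guide: it runs the quoted RHEL6 pattern over constructed sshd_config samples with Python's `re`, and beside it a parse that applies sshd's first-occurrence-wins rule. Using `re.MULTILINE` to stand in for how the OVAL engine applies `^`/`$` to a whole file is an assumption, and Python's `re` rejects a mid-pattern `(?i)`, so the flag is passed explicitly instead.

```python
import re
from typing import Optional

# Constructed sample sshd_config contents for the example (not taken from
# any real system or from the thread).
CONFIG_FIRST_YES = "PermitEmptyPasswords yes\nPermitEmptyPasswords no\n"
CONFIG_ONLY_NO = "Port 22\nPermitEmptyPasswords no\n"
CONFIG_COMMENTED_ONLY = "# PermitEmptyPasswords no\n"
CONFIG_DEFAULT_ROOT = "# PermitRootLogin yes\nPermitEmptyPasswords no\n"

# The RHEL6 pattern quoted in the thread, with IGNORECASE replacing the
# inline (?i) and MULTILINE letting ^ and $ match at line boundaries
# (assumption about how the OVAL engine applies the pattern to the file).
RHEL6_PATTERN = re.compile(
    r"^[\s]*PermitEmptyPasswords[\s]+no[\s]*$", re.IGNORECASE | re.MULTILINE
)


def rhel6_regex_check(config: str) -> bool:
    """PASS (True) whenever some 'PermitEmptyPasswords no' line exists.

    This is the behaviour the thread objects to: an earlier 'yes' line
    is never examined.
    """
    return RHEL6_PATTERN.search(config) is not None


def effective_value(config: str, keyword: str) -> Optional[str]:
    """Return the value sshd will actually use for keyword.

    sshd_config(5): for each keyword the first obtained value is used,
    keywords are case-insensitive, and lines starting with '#' are
    comments. Match blocks are not modelled here.
    """
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return None  # never set explicitly; sshd falls back to its default


def empty_passwords_disabled(config: str) -> bool:
    """PASS only if the *effective* setting is an explicit 'no'.

    Mirrors the rewritten check's intent: an explicit 'no' that is not
    overridden by an earlier 'yes'. A commented-out line does not count.
    """
    return effective_value(config, "PermitEmptyPasswords") == "no"


if __name__ == "__main__":
    for name, cfg in [
        ("yes then no", CONFIG_FIRST_YES),
        ("only no", CONFIG_ONLY_NO),
        ("commented out", CONFIG_COMMENTED_ONLY),
    ]:
        print(f"{name:14} RHEL6 regex PASS={rhel6_regex_check(cfg)!s:5} "
              f"effective-value PASS={empty_passwords_disabled(cfg)}")
```

The "yes then no" sample is the divergence the thread is about: the regex reports PASS while the effective value is "yes". The commented-out sample shows why the root-login check in the linked RHEL6 file needs the same treatment: `# PermitRootLogin yes` sets nothing, so `effective_value` returns `None` and the decision has to fall back to what the daemon's default is, rather than treating the commented line as evidence either way.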
