On 12/16/13, 12:51 PM, Jan Lieskovsky wrote:
----- Original Message -----
>From: "Maura Dailey" <[email protected]>
>To: [email protected]
>Sent: Monday, December 16, 2013 6:10:57 PM
>Subject: Re: [PATCH] [Fedora] Fix typo in OVAL check for sshd disable empty passwords
>
>On 12/16/2013 11:45 AM, Shawn Wells wrote:
> >On 12/16/13, 10:09 AM, Jan Lieskovsky wrote:
> >>- <ind:pattern operation="pattern
>
>>match">^(?i)(?:(?!\s+PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
> >>+ <ind:pattern operation="pattern
>
>>match">^(?i)(?:(?!\n\s*PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
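Review bot: both the corrected lookahead `(?!\n\s*PermitEmptyPasswords\s+yes)` and the capture group `(\n\s*PermitEmptyPasswords\s+no)` require a literal newline before the directive, so a PermitEmptyPasswords line that is the very first line of sshd_config is seen by neither half: a first-line "yes" followed by a later "no" still passes, and a first-line "no" on its own fails. Consider `(?:^|\n)\s*` in both places, or state the assumption in the check's description.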
> >
> >
> >This is likely in the RHEL6 content too. To address both Fedora &
> >RHEL, could this check be moved to shared/ and symlinked?
Not in RHEL-6 yet. This is a complete rewrite of the OVAL check for Fedora
(would move to shared once I have had a chance to further test it on RHEL-6 too).
>
>The pattern operation line is completely different in the RHEL version:
>
><ind:pattern operation="pattern match">^[\s]*(?i)PermitEmptyPasswords[\s]+no[\s]*$</ind:pattern>
Yes, but unfortunately this check is not sufficient. It returns PASS
also for a case like:
PermitEmptyPasswords yes
PermitEmptyPasswords no
being present in /etc/ssh/sshd_config (IOW it's not sufficient to
check if there's a "PermitEmptyPasswords no" setting in the config;
it's also necessary to check that it isn't prefixed / preceded
by another "PermitEmptyPasswords yes" in the config).
Or yet IOW, whether "(?i)PermitEmptyPasswords no" has been provided
as the first option in the sshd config. That's why the rewrite.
Another example / case of such an issue is:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/checks/sshd_disable_root_login.xml
(an example case where it isn't working is the default configuration
having:
# PermitRootLogin yes
in the config. Remote SSH root login is allowed [can be verified by
making a root connection], while the test returns PASS),
rewritten by:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004676.html
(implemented by a check for the explicit presence of 'PermitRootLogin no'
not preceded by an earlier 'PermitRootLogin yes').
Will move to the /shared directory and symlink for RHEL-6 too, as soon
as I have given it more testing on RHEL-6 too (IOW confirmed it returns
proper results for each of the different cases [that's why they
are in Fedora first :)]).
This makes sense. Ack.
FWIW, I'm working on adding the RHEL7 directory and skeleton content
now, which includes utilization of shared/. Hope to send the patch up in the
next day.
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
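To make the failure Jan describes concrete, here is an added Python example (not code from the thread or from the scap-security-guide project) that runs both quoted patterns, transcribed into Python's re with the flags noted in the comments as assumptions about how the OVAL engine evaluates them, over constructed sshd_config fragments. The two first-line samples go beyond the thread and show that both halves of the rewritten pattern require a newline before the directive.

```python
import re

# Constructed sshd_config fragments (not from the thread) covering the cases discussed.
SAMPLES = {
    "no_only":        "Protocol 2\nPermitEmptyPasswords no\n",
    "yes_then_no":    "Protocol 2\nPermitEmptyPasswords yes\nPermitEmptyPasswords no\n",
    "no_then_yes":    "Protocol 2\nPermitEmptyPasswords no\nPermitEmptyPasswords yes\n",
    "commented_no":   "Protocol 2\n# PermitEmptyPasswords no\n",
    "no_first_line":  "PermitEmptyPasswords no\nProtocol 2\n",
    "yes_first_line": "PermitEmptyPasswords yes\nPermitEmptyPasswords no\n",
}

# RHEL6-style pattern quoted by Maura: any line reading "PermitEmptyPasswords no".
# Assumption: the OVAL engine evaluates it per line, hence re.M here.
OLD_PATTERN = re.compile(r"^[\s]*PermitEmptyPasswords[\s]+no[\s]*$", re.I | re.M)

# Rewritten Fedora pattern after the typo fix. Python rejects a mid-pattern (?i),
# so it becomes a flag; re.S lets "." step across newlines, which the lookahead
# loop needs in order to scan the whole file (an assumption about OVAL semantics).
NEW_PATTERN = re.compile(
    r"^(?:(?!\n\s*PermitEmptyPasswords\s+yes).)*"
    r"(\n\s*PermitEmptyPasswords\s+no)(.*)$",
    re.I | re.S,
)


def passes(pattern: re.Pattern, config: str) -> bool:
    """True when an OVAL-style check with this pattern would report PASS."""
    return pattern.search(config) is not None


def compare(samples: dict = SAMPLES) -> dict:
    """Map each sample name to (old_result, new_result).

    sshd uses the first value obtained for a keyword, so "no_then_yes" is
    genuinely safe and "yes_then_no" is not; the old pattern cannot tell them
    apart.  The two first-line samples show the remaining gap: both halves of
    the new pattern require a newline before the directive.
    """
    return {name: (passes(OLD_PATTERN, cfg), passes(NEW_PATTERN, cfg))
            for name, cfg in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:15s} old={'PASS' if old else 'FAIL'}  new={'PASS' if new else 'FAIL'}")
```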