----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Monday, December 16, 2013 8:25:42 PM
> Subject: Re: [PATCH] [Fedora] Fix typo in OVAL check for sshd disable empty passwords
>
> On 12/16/13, 12:51 PM, Jan Lieskovsky wrote:
> > ----- Original Message -----
> > > From: "Maura Dailey" <[email protected]>
> > > To: [email protected]
> > > Sent: Monday, December 16, 2013 6:10:57 PM
> > > Subject: Re: [PATCH] [Fedora] Fix typo in OVAL check for sshd disable empty passwords
> > >
> > > On 12/16/2013 11:45 AM, Shawn Wells wrote:
> > > > On 12/16/13, 10:09 AM, Jan Lieskovsky wrote:
> > > > > - <ind:pattern operation="pattern
> > > > > match">^(?i)(?:(?!\s+PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
> > > > > + <ind:pattern operation="pattern
> > > > > match">^(?i)(?:(?!\n\s*PermitEmptyPasswords\s+yes).)*(\n\s*PermitEmptyPasswords\s+no)(.*)$</ind:pattern>
> > > >
> > > > This is likely in the RHEL6 content too. To address both Fedora &
> > > > RHEL, could this check be moved to shared/ and symlinked?
> >
> > Not in RHEL-6 yet. This is a complete rewrite of the OVAL check for Fedora
> > (would move to shared once I have had a chance to further test on RHEL-6 too).
> >
> > > > _______________________________________________
> > > > scap-security-guide mailing list
> > > > [email protected]
> > > > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> > >
> > > The pattern operation line is completely different in the RHEL version:
> > >
> > > <ind:pattern operation="pattern
> > > match">^[\s]*(?i)PermitEmptyPasswords[\s]+no[\s]*$</ind:pattern>
> >
> > Yes, but unfortunately this check is not sufficient. It returns PASS
> > also for a case like:
> >
> >   PermitEmptyPasswords yes
> >   PermitEmptyPasswords no
> >
> > being present in /etc/ssh/sshd_config (IOW it's not sufficient to
> > check if there's a "PermitEmptyPasswords no" setting in the config,
> > but it's also necessary to check that it isn't prefixed / preceded
> > by another "PermitEmptyPasswords yes" in the config).
> >
> > Or yet IOW, if "(?i)PermitEmptyPasswords no" has been provided
> > as the first option in the sshd config. That's why the rewrite.
> >
> > Another example / case of such an issue is:
> >
> > https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/checks/sshd_disable_root_login.xml
> >
> > (an example case when it isn't working is the default configuration
> > having:
> >
> >   # PermitRootLogin yes
> >
> > in the config. Remote SSH root login is allowed [can be verified by
> > making a root connection], while the test returns PASS)
> >
> > rewritten by:
> >
> > https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004676.html
> >
> > (implemented by a check for the explicit presence of 'PermitRootLogin no'
> > not preceded by an earlier 'PermitRootLogin yes').
> >
> > Will move to the /shared directory and symlink for RHEL-6 too, as soon
> > as I have given it more testing on RHEL-6 too (IOW confirmed it returns
> > proper results for each of the different cases [that's why they
> > are in Fedora first :)).
>
> This makes sense. Ack.
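Review bot: in the "+" line the lookahead (?!\n\s*PermitEmptyPasswords\s+yes) can only exclude a "yes" directive that is preceded by a newline, so a "PermitEmptyPasswords yes" sitting on the very first line of sshd_config is never seen by it and the pattern still matches a later "PermitEmptyPasswords no", returning PASS; the "-" line has the same blind spot (\s+ also needs a character before the keyword), so the additional RHEL-6 test cases Jan mentions should include that layout. The narrowing from \s+ to \n\s* is also more than a typo fix: with \s+ a commented-out "#  PermitEmptyPasswords yes" satisfied the lookahead because the spaces after "#" match \s+, whereas \n\s* only matches at a line start, and that behaviour change deserves a sentence in the commit message rather than the subject "Fix typo".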
Thank you. Two short ideas related to RHEL-7:

* would it be possible to note / track the conclusions that have been agreed
  upon already at that RHEL-7 proposals related meeting publicly somewhere?
  On the SSG wiki pages, in the form of meeting minutes, hopefully?

* next time there will be a RHEL-7 (or other topic related) SSG meeting held,
  would it be possible to send the notification a bit sooner? (two working
  days ahead would be sufficient, but last time it was too quick for people
  working in different time zones)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies

>
> FWIW, I'm working on adding the RHEL7 directory and skeleton content
> now, which includes utilization of shared/. Hope to send patch up in the
> next day.
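To make the first-occurrence problem from the thread concrete, here is an added example (not code from the thread or from the SSG project) that resolves a directive the way sshd does and compares the verdict with the RHEL-6 pattern Maura quoted. The config fragments are constructed, the inline (?i) is hoisted into re.IGNORECASE because Python accepts global flags only at the start of a pattern, and the PermitRootLogin default of "yes" is assumed from the thread's description of the default configuration.

```python
import re

# Constructed sshd_config fragments for the cases discussed in the thread.
CFG_YES_THEN_NO = "PermitEmptyPasswords yes\nPermitEmptyPasswords no\n"
CFG_COMMENTED_YES = "# PermitEmptyPasswords yes\nPermitEmptyPasswords no\n"
CFG_DEFAULT_ROOT = "# PermitRootLogin yes\nPasswordAuthentication yes\n"

# The RHEL-6 pattern Maura quoted. Its inline (?i) is hoisted into
# re.IGNORECASE because Python accepts global flags only at the start.
RHEL6_PATTERN = re.compile(r"^[\s]*PermitEmptyPasswords[\s]+no[\s]*$",
                           re.IGNORECASE | re.MULTILINE)

# One sshd directive: "Keyword value" or "Keyword=value" (see sshd_config(5)).
DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(\S.*?)\s*$")


def naive_check(config: str) -> bool:
    """Mimic the RHEL-6 OVAL check: PASS if any line reads 'PermitEmptyPasswords no'."""
    return RHEL6_PATTERN.search(config) is not None


def effective_value(config: str, keyword: str, default: str) -> str:
    """Resolve a keyword the way sshd does: comment lines are ignored and the
    first non-comment occurrence wins, so later duplicates have no effect."""
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = DIRECTIVE.match(stripped)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2).lower()
    return default


def compliant(config: str) -> bool:
    """True only if sshd will actually refuse empty passwords (default: no)."""
    return effective_value(config, "PermitEmptyPasswords", "no") == "no"


def compare(config: str) -> dict:
    """Side-by-side verdict: what the naive pattern says vs. what sshd does."""
    return {"naive_pass": naive_check(config), "really_compliant": compliant(config)}


if __name__ == "__main__":
    for name, cfg in [("yes then no", CFG_YES_THEN_NO), ("commented yes", CFG_COMMENTED_YES)]:
        print(name, compare(cfg))
    # PermitRootLogin defaulted to "yes" at the time of the thread (assumed),
    # so the commented default line leaves root login allowed.
    print("PermitRootLogin:", effective_value(CFG_DEFAULT_ROOT, "PermitRootLogin", "yes"))
```

The "yes then no" case is exactly the one Jan describes: the naive pattern reports PASS while sshd still permits empty passwords.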
