Hello Rui, folks,

as correctly observed by Rui Pedro Bernardino in [*]:

[1] https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004711.html
[2] https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004715.html

the current implementation of sshd related remediation scripts for RHEL-6 SSG content doesn't handle the presence of a Match block directive in sshd config correctly. The attached patch is a prototype solution, which should deal with this problem. It is proposed to be a shared remediation script (since the same would affect Fedora).

Couple of notes:

* While it looks overly / more complex against the original version:

  [3] https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/fixes/bash/sshd_disable_root_login.sh

  actually it shouldn't be that bad. While actions for selected (sub)cases are identical (examples:

  - when there isn't a Match block and already one PermitRootLogin directive present in sshd config, with the case when there are Match block and PermitRootLogin (PRL) directives present in sshd config already, and PRL is sooner than the Match block, or
  - the case when there's a Match block present, no PRL yet, with the case when there's a Match block present, PRL present too, and PRL is placed after the first Match block directive),

  and therefore the corresponding if statements could be merged, I would prefer to keep this version (including the comments), as it's straightforward / visible in each case what the remediation (sub)action would look like.

* I am aware this "Match block issue" isn't a problem just of the 'sshd disable root login' rule, but a problem of RHEL-6's sshd remediation scripts in general => have created upstream ticket:

  [4] https://fedorahosted.org/scap-security-guide/ticket/429

  to track this, took it, and will gradually propose (shared) patches, taking this into account during the process / as adding them for Fedora SCAP content.

* Besides that noticed another issue - the search for whitespace (other than the space character itself) prefixed directives wouldn't succeed, thus we would end up adding the new directive at the end of sshd config, resulting in a situation where the remediation wouldn't actually correct the configuration. An example case where the former implementation wouldn't work is:

      ^\t*PermitRootLogin yes

  present in sshd config. Have filed another ticket:

  [5] https://fedorahosted.org/scap-security-guide/ticket/430

  to track this deficiency across RHEL-6's sshd remediation scripts. The attached patch deals also with this situation for the case of the 'sshd disable root login' rule. For the remaining rules, took the [5] ticket, and will provide (shared) patches gradually, aligned with as I will provide sshd remediation fixes for Fedora.

* The above proposal has been tested against the following subcases:

  -- no PRL, no MB present in sshd config,
  -- PRL present, no MB present in sshd config,
  -- MB present, no PRL present yet in sshd config,
  -- MB present, PRL present before MB directive in sshd config,

  and finally on a sample Fedora sshd configuration, and seems to be working. Would appreciate further testing / any objections though.

* Last but not least, the current proposal intentionally doesn't apply the remediation for the 'PermitRootLogin' directive being present within a Match block directive (since I am taking the presence of MB as some kind of exception case). Example - considering sshd config:

      # PermitRootLogin not yet in sshd config
      Match Address some_IP
      PermitRootLogin yes

  it would transform it into:

      # PermitRootLogin not yet in sshd config
      PermitRootLogin no
      Match Address some_IP
      PermitRootLogin yes

  IOW any occurrence of PRL within a Match block would be kept intact. If this should be changed too, let me know (and we can adjust in a subsequent version).

Please review / test the proposal (since it should work for both RHEL-6 and Fedora, and if acceptable could be used as a prototype for remediation scripts also for other sshd rules).

Thank you && Regards,
Jan.

--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

[*] Thank you again for opening this (sub)case, Rui.

P.S.: Apologies for such a long post, but too much information to share.
From d24d4501ade05beb43b1c8cee168d4d539b905e8 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Thu, 19 Dec 2013 14:38:46 +0100 Subject: [PATCH] [Shared] Add shared remediation script for sshd disable root login rule Signed-off-by: Jan Lieskovsky <[email protected]> --- Fedora/input/fixes/bash/sshd_disable_root_login.sh | 1 + Fedora/scap-security-guide.spec | 7 ++- shared/fixes/bash/sshd_disable_root_login.sh | 55 ++++++++++++++++++++++ 3 files changed, 61 insertions(+), 2 deletions(-) create mode 120000 Fedora/input/fixes/bash/sshd_disable_root_login.sh create mode 100755 shared/fixes/bash/sshd_disable_root_login.sh diff --git a/Fedora/input/fixes/bash/sshd_disable_root_login.sh b/Fedora/input/fixes/bash/sshd_disable_root_login.sh new file mode 120000 index 0000000..fcd7168 --- /dev/null +++ b/Fedora/input/fixes/bash/sshd_disable_root_login.sh @@ -0,0 +1 @@ +../../../../shared/fixes/bash/sshd_disable_root_login.sh \ No newline at end of file diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index e29fa1c..15deb4a 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -5,7 +5,7 @@ # file one level up - in the main scap-security-guide directory (instead of # this one). -%global fedorassgversion 4.rc14 +%global fedorassgversion 4.rc15 Name: scap-security-guide Version: 0.1.%{fedorassgversion} @@ -54,7 +54,10 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man %doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html %changelog -* Mon Dec 16 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4-rc14-1 +* Thu Dec 19 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc15-1 +- Shared remediation for sshd disable root login + +* Mon Dec 16 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc14-1 - OVAL check for sshd disable root login - Fix typo in OVAL check for sshd disable empty passwords 
diff --git a/shared/fixes/bash/sshd_disable_root_login.sh b/shared/fixes/bash/sshd_disable_root_login.sh new file mode 100755 index 0000000..5b05d53 --- /dev/null +++ b/shared/fixes/bash/sshd_disable_root_login.sh 
@@ -0,0 +1,55 @@ + +SSHD_CONFIG='/etc/ssh/sshd_config' + +# Obtain line number of first uncommented case-insensitive occurrence of Match +# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG +FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# PermitRootLogin directive (possibly prefixed with whitespace) present in +# $SSHD_CONFIG +FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG +if [ -z "$FIRST_MATCH_BLOCK" ] +then + + # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ] + then + # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG + echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG + + # Case: PermitRootLogin directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of PermitRootLogin directive + sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG +else + + # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ] + then + # Prepend 'PermitRootLogin no' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG + + # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of PermitRootLogin directive + sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG + + # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed + # 
after first Match block directive + else + # Prepend 'PermitRootLogin no' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG + fi +fi -- 1.8.3.1
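Review bot: the Fedora/scap-security-guide.spec %changelog hunk rewrites the existing rc14 entry, not only adds the rc15 one: `-* Mon Dec 16 2013 Jan iankko Lieskovsky <...> 0.1.4-rc14-1` becomes `+* Mon Dec 16 2013 Jan iankko Lieskovsky <...> 0.1.4.rc14-1`, and nothing in the commit message ("Add shared remediation script for sshd disable root login rule") mentions it. If the intent is to make the older entry agree with `Version: 0.1.%{fedorassgversion}` (which yields `0.1.4.rc14` with a dot), please say so in the message or put that correction in its own commit, so the history of the changelog entry is not altered silently inside an unrelated change.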
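Review bot: in shared/fixes/bash/sshd_disable_root_login.sh the two address patterns `/^[[:space:]]*Match[^\n]*/I` and `/^[[:space:]]*PermitRootLogin[^\n]*/I` (and the `\([[:space:]]*Match[^\n]*\)` capture used in both `sed -i` prepend branches) end the keyword without a delimiter, so any line whose first word merely starts with `Match` or `PermitRootLogin` would be taken as that directive; `Match[[:space:]]` and `PermitRootLogin[[:space:]]` bound the keyword the way sshd itself tokenises it. The trailing `[^\n]*` adds nothing, since sed matches one line at a time, and a `\n` inside a bracket expression is only a newline in GNU sed (POSIX reads it as a backslash or an `n`), so the patterns would be both shorter and portable as `'/^[[:space:]]*Match[[:space:]]/I{=;q}'` and `'/^[[:space:]]*PermitRootLogin[[:space:]]/I{=;q}'`. Minor: the comment above `FIRST_PERMIT_ROOT_LOGIN` reads "occurence" (should be "occurrence").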
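As an added example (not the patch's code and not anything from the SSG project), here is the case analysis above generalised to any global sshd directive, the direction the post suggests for the other sshd rules: one function that produces the same three outcomes as the proposal (replace the first uncommented global occurrence, otherwise insert the directive just before the first Match block, otherwise append it), plus a helper that reads back the effective global value so the result can be checked. It uses awk instead of sed line arithmetic, treats whitespace-prefixed, case-varying and `keyword=value` forms as the same directive, and leaves anything inside a Match block untouched, as the proposal does. The function names `sshd_set_global_directive` and `sshd_global_value`, and the sample configurations written to temporary files in the demo, are my own constructions for illustration.

```shell
#!/bin/sh
# Added example; assumes a POSIX shell and a POSIX awk (gawk, mawk, busybox).

# sshd_set_global_directive FILE KEYWORD VALUE
# Make "KEYWORD VALUE" the effective global setting in FILE:
#  - replace the first uncommented KEYWORD line found before any Match block,
#  - else insert "KEYWORD VALUE" just before the first Match block,
#  - else append it at the end of the file.
# Lines inside Match blocks are never touched.
sshd_set_global_directive() {
    file=$1
    keyword=$2
    value=$3
    tmp="$file.tmp.$$"
    awk -v kw="$keyword" -v val="$value" '
        BEGIN { lkw = tolower(kw); done = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # whitespace-prefixed directives count too
            split(line, f, /[ \t=]+/)       # keyword is the first field; "=" is a valid separator
            first = tolower(f[1])           # sshd keywords are case-insensitive
        }
        !done && first == "match" {
            # First Match line: everything from here to EOF is conditional,
            # so the global setting has to go in before it.
            print kw " " val
            done = 1
        }
        !done && first == lkw {
            # First global occurrence: sshd uses the first value it sees, replace it.
            print kw " " val
            done = 1
            next
        }
        { print }
        END { if (!done) print kw " " val } # no Match block, no directive: append
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"   # rewrite in place: keeps the inode, mode and owner of FILE
    rm -f "$tmp"
}

# sshd_global_value FILE KEYWORD
# Print the value of the first uncommented KEYWORD line in the global section
# (anything after the first Match line is not global). Prints nothing if unset.
sshd_global_value() {
    awk -v kw="$2" '
        BEGIN { lkw = tolower(kw) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            first = tolower(f[1])
        }
        first == "match" { exit }
        first == lkw { print f[2]; exit }
    ' "$1"
}

# Demo on a constructed sample, not a real host's sshd_config: the Match-block
# case from the post, with a tab-prefixed directive inside the block.
demo=$(mktemp)
printf '# PermitRootLogin not yet in sshd config\nMatch Address some_IP\n\tPermitRootLogin yes\n' > "$demo"
sshd_set_global_directive "$demo" PermitRootLogin no
cat "$demo"
rm -f "$demo"
```

Running the block prints the transformed sample: the comment, then `PermitRootLogin no` inserted before the `Match Address some_IP` line, with the tab-prefixed `PermitRootLogin yes` inside the block left as it was. Because `sshd_global_value` stops at the first Match line, it reports the value sshd would actually apply to connections the Match block does not cover, which is what a compliance check should read.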
