Hello folks, just FYI have pushed this patch to master (would like to make new Fedora releases before Christmas yet).
Should there be some issues found, I will fix them later.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

----- Original Message -----
> From: "Jan Lieskovsky" <[email protected]>
> To: [email protected], "Rui Pedro Bernardino" <[email protected]>
> Sent: Thursday, December 19, 2013 3:12:10 PM
> Subject: [PATCH] [Shared] Add shared remediation script for sshd disable root login rule
>
> Hello Rui, folks,
>
> as correctly observed by Rui Pedro Bernardino in [*]:
> [1] https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004711.html
> [2] https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004715.html
>
> the current implementation of the sshd-related remediation scripts for RHEL-6 SSG content
> doesn't handle the presence of a Match block directive in the sshd config correctly.
>
> The attached patch is a prototype solution, which should deal with this problem.
> It is proposed to be a shared remediation script (since the same would affect Fedora).
>
> Couple of notes:
> * While it looks overly / more complex against the original version:
>   [3] https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/fixes/bash/sshd_disable_root_login.sh
>
>   actually it shouldn't be that bad. While the actions for selected (sub)cases
>   are identical ( -- examples:
>   - the case when there isn't a Match block and one PermitRootLogin directive is already
>     present in the sshd config, with the case when there are Match block and PermitRootLogin
>     (PRL) directives present in the sshd config already, and PRL comes sooner than the Match block, or
>   - the case when there's a Match block present and no PRL yet, with the case when
>     there's a Match block present, PRL present too, and PRL is placed after the
>     first Match block directive),
>
>   and therefore the corresponding if statements could be merged, I would prefer
>   to keep this version (including the comments), as it's straightforward /
>   visible in each case what the remediation (sub)action would look like.
>
> * I am aware this "Match block issue" isn't a problem just of the 'sshd disable root
>   login' rule, but a problem of RHEL-6's sshd remediation scripts in general =>
>   have created upstream ticket:
>   [4] https://fedorahosted.org/scap-security-guide/ticket/429
>
>   to track this, took it, and will gradually propose (shared) patches,
>   taking this into account during the process / as adding them for Fedora SCAP content.
>
> * Besides that, noticed another issue - the search for whitespace (other than
>   the space character itself) prefixed directives wouldn't succeed, thus we would
>   end up adding the new directive at the end of the sshd config, resulting in a
>   situation where the remediation wouldn't actually correct the configuration.
>
>   An example case where the former implementation wouldn't work being:
>
>   ^\t*PermitRootLogin yes
>
>   present in the sshd config. Have filed another ticket:
>   [5] https://fedorahosted.org/scap-security-guide/ticket/430
>
>   to track this deficiency across RHEL-6's sshd remediation scripts.
>
>   The attached patch deals also with this situation for the case of the
>   'sshd disable root login' rule. For the remaining rules, took the [5] ticket,
>   and will provide (shared) patches gradually, aligned with as I provide
>   sshd remediation fixes for Fedora.
>
> * The above proposal has been tested against the following subcases:
>   -- no PRL, no MB present in sshd config,
>   -- PRL present, no MB present in sshd config,
>   -- MB present, no PRL present yet in sshd config,
>   -- MB present, PRL present before MB directive in sshd config, and finally
>
>   on a sample Fedora sshd configuration and seems to be working. Would appreciate
>   further testing / any objections though.
>
> * Last but not least, the current proposal intentionally doesn't apply the
>   remediation for a 'PermitRootLogin' directive present within a Match
>   block directive (since I am taking the presence of MB as some kind of exception case).
>
>   Example - considering the sshd config:
>
>   # PermitRootLogin not yet in sshd config
>   Match Address some_IP
>   PermitRootLogin yes
>
>   it would transform it into:
>
>   # PermitRootLogin not yet in sshd config
>   PermitRootLogin no
>   Match Address some_IP
>   PermitRootLogin yes
>
>   IOW any occurrence of PRL within a Match block would be kept intact. If this
>   should be changed too, let me know (and we can adjust in a subsequent version).
>
> Please review / test the proposal (since it should work for both
> RHEL-6 and Fedora, and if acceptable could be used as a prototype for
> remediation scripts also for other sshd rules).
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> [*] Thank you again for opening this (sub)case, Rui.
>
> P.S.: Apologies for such a long post, but too much information to share.
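The remediation logic the quoted message describes, written out as an added example: this is not the patch attached to the post (that script is not reproduced on the page). It finds a top-level PermitRootLogin even when tabs or spaces precede it, inserts "PermitRootLogin no" before the first Match block when no top-level directive exists, appends at the end when there is no Match block, and leaves any PermitRootLogin inside a Match block intact. The sshd_config contents and paths used with it are constructed for illustration.

```shell
#!/bin/bash
# remediate_prl FILE: enforce "PermitRootLogin no" at top level of an sshd
# config, following the cases from the mailing-list post. Uses awk so that
# whitespace-prefixed directives are still matched.
remediate_prl() {
    local cfg="$1"
    local tmp
    tmp=$(mktemp) || return 1
    awk '
        BEGIN { in_match = 0; done = 0 }
        # First Match directive: everything after it is block-scoped.
        # If no top-level PRL was rewritten yet, insert one right before it.
        /^[[:space:]]*Match[[:space:]]/ {
            if (!in_match && !done) { print "PermitRootLogin no"; done = 1 }
            in_match = 1
        }
        # Top-level PRL (any leading whitespace): rewrite it in place.
        /^[[:space:]]*PermitRootLogin[[:space:]]/ && !in_match {
            print "PermitRootLogin no"; done = 1
            next
        }
        # Everything else, including PRL lines inside a Match block, is kept.
        { print }
        # No Match block and no top-level PRL: append the directive.
        END { if (!done) print "PermitRootLogin no" }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the config keeps its owner and mode.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# effective_prl FILE: the PermitRootLogin value that applies outside any
# Match block (last top-level occurrence), or "unset" if there is none.
effective_prl() {
    awk '/^[[:space:]]*Match[[:space:]]/ { exit }
         /^[[:space:]]*PermitRootLogin[[:space:]]/ { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}
```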
