Attached patch fixes the remediation script for the sshd set keepalive (ClientAliveCountMax) rule, since it has been reported [1] to cause issues when a Match block is present in the sshd config, and moves it to the /shared fixes directory.

Tests succeeded for all four (sub)cases:
* no ClientAliveCountMax and no Match block
* ClientAliveCountMax already present, no Match block
* ClientAliveCountMax not present, Match block present
* both ClientAliveCountMax and Match block directives present in sshd config

Pushed to master.

[1] https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004715.html

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 070f80e51904a3bd157ca4897a3a7fc23de3b20c Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Fri, 20 Dec 2013 15:06:28 +0100 Subject: [PATCH] [Fedora] Fix remediation for sshd set keepalive (ClientAliveCountMax) and move it to /shared Signed-off-by: Jan Lieskovsky <[email protected]> --- Fedora/input/fixes/bash/sshd_set_keepalive.sh | 15 +------- Fedora/scap-security-guide.spec | 6 ++- shared/fixes/bash/sshd_set_keepalive.sh | 55 +++++++++++++++++++++++++++ 3 files changed, 61 insertions(+), 15 deletions(-) mode change 100644 => 120000 Fedora/input/fixes/bash/sshd_set_keepalive.sh create mode 100755 shared/fixes/bash/sshd_set_keepalive.sh diff --git a/Fedora/input/fixes/bash/sshd_set_keepalive.sh b/Fedora/input/fixes/bash/sshd_set_keepalive.sh deleted file mode 100644 index 100da61..0000000 --- a/Fedora/input/fixes/bash/sshd_set_keepalive.sh +++ /dev/null @@ -1,14 +0,0 @@ -# -# Configure proper ClientAliveCountMax sshd daemon value -# -grep -q ^ClientAliveCountMax /etc/ssh/sshd_config && \ -sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/g" /etc/ssh/sshd_config -if ! [ $? -eq 0 ] -then - echo -e "ClientAliveCountMax 0" >> /etc/ssh/sshd_config -fi - -# -# Restart the sshd service (new option to take effect) -# -systemctl restart sshd.service diff --git a/Fedora/input/fixes/bash/sshd_set_keepalive.sh b/Fedora/input/fixes/bash/sshd_set_keepalive.sh new file mode 120000 index 0000000..834cf15 --- /dev/null +++ b/Fedora/input/fixes/bash/sshd_set_keepalive.sh @@ -0,0 +1 @@ +../../../../shared/fixes/bash/sshd_set_keepalive.sh \ No newline at end of file diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index b578279..c2bcf62 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec 
@@ -5,7 +5,7 @@ # file one level up - in the main scap-security-guide directory (instead of # this one). -%global fedorassgversion 4.rc15 +%global fedorassgversion 4.rc16 Name: scap-security-guide Version: 0.1.%{fedorassgversion} @@ -68,6 +68,10 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man %files compat %changelog +* Fri Dec 20 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc16-1 +- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move + it to /shared + * Thu Dec 19 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc15-1 - Shared remediation for sshd disable root login - Add empty -compat subpackage to ensure backward-compatibility with diff --git a/shared/fixes/bash/sshd_set_keepalive.sh b/shared/fixes/bash/sshd_set_keepalive.sh new file mode 100755 index 0000000..35754da --- /dev/null +++ b/shared/fixes/bash/sshd_set_keepalive.sh 
@@ -0,0 +1,55 @@ + +SSHD_CONFIG='/etc/ssh/sshd_config' + +# Obtain line number of first uncommented case-insensitive occurrence of Match +# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG +FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# ClientAliveCountMax directive (possibly prefixed with whitespace) present in +# $SSHD_CONFIG +FIRST_CLIENT_ALIVE_COUNT_MAX=$(sed -n '/^[[:space:]]*ClientAliveCountMax[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG +if [ -z "$FIRST_MATCH_BLOCK" ] +then + + # Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ] + then + # Append 'ClientAliveCountMax 0' at the end of $SSHD_CONFIG + echo -e "\nClientAliveCountMax 0" >> $SSHD_CONFIG + + # Case: ClientAliveCountMax directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of ClientAliveCountMax directive + sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG +else + + # Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ] + then + # Prepend 'ClientAliveCountMax 0' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG + + # Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_CLIENT_ALIVE_COUNT_MAX" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of ClientAliveCountMax directive + sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" 
$SSHD_CONFIG + + # Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed + # after first Match block directive + else + # Prepend 'ClientAliveCountMax 0' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG + fi +fi -- 1.8.3.1
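Review bot: the deleted Fedora/input/fixes/bash/sshd_set_keepalive.sh ended with `systemctl restart sshd.service`, and the shared script that replaces it has no equivalent step, so after remediation `ClientAliveCountMax 0` is written to /etc/ssh/sshd_config but is not applied to the running daemon until sshd is restarted or reloaded. If dropping the restart is deliberate (a shared fix cannot assume systemd), say so in the commit message; otherwise keep a Fedora-side restart step so the remediation is effective immediately.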
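Review bot: in the final branch of shared/fixes/bash/sshd_set_keepalive.sh (ClientAliveCountMax present and placed after the first Match block) the script prepends `ClientAliveCountMax 0` before the Match line but leaves the existing directive inside the Match block untouched. ClientAliveCountMax is a keyword permitted inside Match blocks and takes precedence for connections that match, so those sessions keep the old value and the remediation is only partially effective; consider also running the same `sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG` rewrite in that branch, or at least reporting the in-block occurrence. Two smaller points: the replace and prepend sed commands are repeated verbatim across branches and would read better as two small shell functions; and the file is added as mode 100755 but opens with a blank line and no interpreter line, so it only runs when sourced or passed to an explicit shell.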
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
