This patch adds a shared remediation for the sshd disable empty passwords rule. Pushed to master (again only because I want to make a new Fedora release today).
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 481fff39e875d302cf53259cbffe240ef203ce4b Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Fri, 20 Dec 2013 16:50:13 +0100 Subject: [PATCH] [Fedora] Add shared remediation for sshd disable empty passwords Signed-off-by: Jan Lieskovsky <[email protected]> --- .../fixes/bash/sshd_disable_empty_passwords.sh | 1 + Fedora/scap-security-guide.spec | 1 + shared/fixes/bash/sshd_disable_empty_passwords.sh | 55 ++++++++++++++++++++++ 3 files changed, 57 insertions(+) create mode 120000 Fedora/input/fixes/bash/sshd_disable_empty_passwords.sh create mode 100755 shared/fixes/bash/sshd_disable_empty_passwords.sh diff --git a/Fedora/input/fixes/bash/sshd_disable_empty_passwords.sh b/Fedora/input/fixes/bash/sshd_disable_empty_passwords.sh new file mode 120000 index 0000000..d7d55b0 --- /dev/null +++ b/Fedora/input/fixes/bash/sshd_disable_empty_passwords.sh @@ -0,0 +1 @@ +../../../../shared/fixes/bash/sshd_disable_empty_passwords.sh \ No newline at end of file diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index c2bcf62..7aa5227 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -71,6 +71,7 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man * Fri Dec 20 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc16-1 - Fix remediation for sshd set keepalive (ClientAliveCountMax) and move it to /shared +- Add shared remediation for sshd disable empty passwords * Thu Dec 19 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc15-1 - Shared remediation for sshd disable root login diff --git a/shared/fixes/bash/sshd_disable_empty_passwords.sh b/shared/fixes/bash/sshd_disable_empty_passwords.sh new file mode 100755 index 0000000..0a5adfa --- /dev/null +++ b/shared/fixes/bash/sshd_disable_empty_passwords.sh 
@@ -0,0 +1,55 @@ + +SSHD_CONFIG='/etc/ssh/sshd_config' + +# Obtain line number of first uncommented case-insensitive occurrence of Match +# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG +FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Obtain line number of first uncommented case-insensitive occurence of +# PermitEmptyPasswords directive (possibly prefixed with whitespace) present in +# $SSHD_CONFIG +FIRST_PERMIT_EMPTY_PASSWORDS=$(sed -n '/^[[:space:]]*PermitEmptyPasswords[^\n]*/I{=;q}' $SSHD_CONFIG) + +# Case: Match block directive not present in $SSHD_CONFIG +if [ -z "$FIRST_MATCH_BLOCK" ] +then + + # Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ] + then + # Append 'PermitEmptyPasswords no' at the end of $SSHD_CONFIG + echo -e "\nPermitEmptyPasswords no" >> $SSHD_CONFIG + + # Case: PermitEmptyPasswords directive present in $SSHD_CONFIG already + else + # Replace first uncommented case-insensitive occurrence + # of PermitEmptyPasswords directive + sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG + fi + +# Case: Match block directive present in $SSHD_CONFIG +else + + # Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet + if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ] + then + # Prepend 'PermitEmptyPasswords no' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG + + # Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed + # before first Match block directive + elif [ "$FIRST_PERMIT_EMPTY_PASSWORDS" -lt "$FIRST_MATCH_BLOCK" ] + then + # Replace first uncommented case-insensitive occurrence + # of PermitEmptyPasswords directive + sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS 
s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG + + # Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed + # after first Match block directive + else + # Prepend 'PermitEmptyPasswords no' before first uncommented + # case-insensitive occurrence of Match block directive + sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG + fi +fi -- 1.8.3.1
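Review bot: the final `else` branch of the sshd_disable_empty_passwords.sh hunk (Match block present, PermitEmptyPasswords present only after it) inserts a global `PermitEmptyPasswords no` before the first Match directive but leaves the later occurrence untouched, so a `PermitEmptyPasswords yes` inside a Match block still applies to every connection that block matches and the host remains non-compliant for those users. Consider rewriting that occurrence as well (the same `s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I` substitution on its line number), or state in a comment that Match-block overrides are intentionally preserved. Two smaller points on the same hunk: every branch edits /etc/ssh/sshd_config with `sed -i` and no post-check, so a `sshd -t` after the edit would catch a malformed result before the next service restart; and the `/I` address flag plus the `\n` in the replacement are GNU sed extensions, which is fine for Fedora but worth noting in the header comment since the script now lives under shared/. Also "occurence" in the second comment block is a typo.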
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
