This patch adds shared remediation for sshd set idle timeout rule.
Tested on Fedora and pushed to master (it's the last one of the four
sshd remediations intended for the new Fedora release).
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 2c81b86a6650a9e290d192ca0dc7bf3d9cd7ba9c Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Fri, 20 Dec 2013 17:49:09 +0100
Subject: [PATCH] [Fedora] Add shared remediation for sshd set idle timeout
Signed-off-by: Jan Lieskovsky <[email protected]>
---
Fedora/input/fixes/bash/sshd_set_idle_timeout.sh | 1 +
Fedora/scap-security-guide.spec | 3 +-
shared/fixes/bash/sshd_set_idle_timeout.sh | 57 ++++++++++++++++++++++++
shared/fixes/bash/templates/output/.gitignore | 2 +
shared/fixes/bash/templates/support.sh | 9 ++++
5 files changed, 71 insertions(+), 1 deletion(-)
create mode 120000 Fedora/input/fixes/bash/sshd_set_idle_timeout.sh
create mode 100755 shared/fixes/bash/sshd_set_idle_timeout.sh
create mode 100644 shared/fixes/bash/templates/output/.gitignore
create mode 100644 shared/fixes/bash/templates/support.sh
diff --git a/Fedora/input/fixes/bash/sshd_set_idle_timeout.sh b/Fedora/input/fixes/bash/sshd_set_idle_timeout.sh
new file mode 120000
index 0000000..baba794
--- /dev/null
+++ b/Fedora/input/fixes/bash/sshd_set_idle_timeout.sh
@@ -0,0 +1 @@
+../../../../shared/fixes/bash/sshd_set_idle_timeout.sh
\ No newline at end of file
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index 7aa5227..d34be2d 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -71,7 +71,8 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
* Fri Dec 20 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc16-1
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
it to /shared
-- Add shared remediation for sshd disable empty passwords
+- Add shared remediations for sshd disable empty passwords and
+ sshd set idle timeout
* Thu Dec 19 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc15-1
- Shared remediation for sshd disable root login
diff --git a/shared/fixes/bash/sshd_set_idle_timeout.sh b/shared/fixes/bash/sshd_set_idle_timeout.sh
new file mode 100755
index 0000000..306476c
--- /dev/null
+++ b/shared/fixes/bash/sshd_set_idle_timeout.sh
@@ -0,0 +1,57 @@
+source ./templates/support.sh
+populate sshd_idle_timeout_value
+
+SSHD_CONFIG='/etc/ssh/sshd_config'
+
+# Obtain line number of first uncommented case-insensitive occurrence of Match
+# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
+FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
+
+# Obtain line number of first uncommented case-insensitive occurence of
+# ClientAliveInterval directive (possibly prefixed with whitespace) present in
+# $SSHD_CONFIG
+FIRST_CLIENT_ALIVE_INTERVAL=$(sed -n '/^[[:space:]]*ClientAliveInterval[^\n]*/I{=;q}' $SSHD_CONFIG)
+
+# Case: Match block directive not present in $SSHD_CONFIG
+if [ -z "$FIRST_MATCH_BLOCK" ]
+then
+
+ # Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
+ if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
+ then
+ # Append 'ClientAliveInterval $sshd_idle_timeout_value' at the end of $SSHD_CONFIG
+ echo -e "\nClientAliveInterval $sshd_idle_timeout_value" >> $SSHD_CONFIG
+
+ # Case: ClientAliveInterval directive present in $SSHD_CONFIG already
+ else
+ # Replace first uncommented case-insensitive occurrence
+ # of ClientAliveInterval directive
+ sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
+ fi
+
+# Case: Match block directive present in $SSHD_CONFIG
+else
+
+ # Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
+ if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
+ then
+ # Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
+ # case-insensitive occurrence of Match block directive
+ sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
+
+ # Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
+ # before first Match block directive
+ elif [ "$FIRST_CLIENT_ALIVE_INTERVAL" -lt "$FIRST_MATCH_BLOCK" ]
+ then
+ # Replace first uncommented case-insensitive occurrence
+ # of ClientAliveInterval directive
+ sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
+
+ # Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
+ # after first Match block directive
+ else
+ # Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
+ # case-insensitive occurrence of Match block directive
+ sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
+ fi
+fi
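Review bot: `$sshd_idle_timeout_value` is interpolated unvalidated into the `sed` replacement text (`s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I` and the Match-block prepend) and into the line appended with `echo -e`, so a value containing `/`, `&`, `\` or a newline would either break the sed expression or inject an additional directive into `sshd_config`. ClientAliveInterval takes an integer number of seconds, so a check right after `populate` closes this: `[[ "$sshd_idle_timeout_value" =~ ^[0-9]+$ ]] || { echo "sshd_idle_timeout_value must be a non-negative integer" >&2; exit 1; }`. The script has no shebang and no `set -e` yet depends on Bash (`echo -e`, and `${!1}` in the sourced support.sh) and on the GNU-only `/I` sed flag, so a `#!/bin/bash` line plus a comment naming the GNU sed dependency would make those assumptions explicit. In the final branch (directive found only after the first Match block) the existing ClientAliveInterval is left in place inside that Match scope, where it presumably still overrides the inserted global value for sessions that block matches; a comment such as `# NOTE: an existing ClientAliveInterval inside a Match block is left untouched and still takes precedence for matching sessions` would document that the remediation does not cover that case.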
diff --git a/shared/fixes/bash/templates/output/.gitignore b/shared/fixes/bash/templates/output/.gitignore
new file mode 100644
index 0000000..041cc36
--- /dev/null
+++ b/shared/fixes/bash/templates/output/.gitignore
@@ -0,0 +1,2 @@
+# files to ignore
+*.sh
diff --git a/shared/fixes/bash/templates/support.sh b/shared/fixes/bash/templates/support.sh
new file mode 100644
index 0000000..e25ce4d
--- /dev/null
+++ b/shared/fixes/bash/templates/support.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+function populate {
+# code to populate environment variables needed (for unit testing)
+if [ -z "${!1}" ]; then
+ echo "$1 is not defined. Exiting."
+ exit
+fi
+}
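Review bot: `populate` reports a missing variable but then calls bare `exit`, which returns the status of the preceding `echo` (0), so a remediation script run with `sshd_idle_timeout_value` unset terminates with a success status and any harness checking the exit code would record the fix as applied. The diagnostic also goes to stdout rather than stderr. The two lines should be `echo "$1 is not defined. Exiting." >&2` followed by `exit 1`. A header comment would also help, since the name suggests the function sets the variable when it only verifies one is already present: `# populate NAME: abort unless the variable NAME is set and non-empty in the caller's environment.`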
--
1.8.3.1