>From b91c8aba9731a0848397411c32e072622e5e5da8 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Thu, 23 Jan 2014 01:18:59 -0500 Subject: [PATCH 08/10] Moved sshd_do_not_permit_user_env to shared/
- Tested on RHEL7, updated CPE - Symlinks - Added to rhel7 rht-ccp profile
---
 .../6/input/checks/sshd_do_not_permit_user_env.xml | 30 +---------------------
 .../7/input/checks/sshd_do_not_permit_user_env.xml | 1 +
 RHEL/7/input/profiles/rht-ccp.xml | 2 +-
 shared/oval/sshd_do_not_permit_user_env.xml | 30 ++++++++++++++++++++++
 4 files changed, 33 insertions(+), 30 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/sshd_do_not_permit_user_env.xml
 create mode 120000 RHEL/7/input/checks/sshd_do_not_permit_user_env.xml
 create mode 100644 shared/oval/sshd_do_not_permit_user_env.xml

diff --git a/RHEL/6/input/checks/sshd_do_not_permit_user_env.xml b/RHEL/6/input/checks/sshd_do_not_permit_user_env.xml
deleted file mode 100644
index 592c00a..0000000
--- a/RHEL/6/input/checks/sshd_do_not_permit_user_env.xml
+++ /dev/null
@@ -1,29 +0,0 @@
-<def-group>
- <definition class="compliance" id="sshd_do_not_permit_user_env" version="1">
- <metadata>
- <title>Do Not Allow Users to Set Environment Options</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>PermitUserEnvironment should be disabled</description>
- <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
- </metadata>
- <criteria comment="SSH is not being used or conditions are met"
- operator="OR">
- <extend_definition comment="sshd service is disabled"
- definition_ref="service_sshd_disabled" />
- <criterion comment="Check PermitUserEnvironment in /etc/ssh/sshd_config"
- negate="true" test_ref="test_sshd_no_user_envset" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="none_exist"
- comment="Check value of PermitUserEnvironment in /etc/ssh/sshd_config"
- id="test_sshd_no_user_envset" version="1">
- <ind:object object_ref="obj_sshd_no_user_envset" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_sshd_no_user_envset" version="1">
- <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)PermitUserEnvironment[\s]+no[\s]*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL/6/input/checks/sshd_do_not_permit_user_env.xml b/RHEL/6/input/checks/sshd_do_not_permit_user_env.xml
new file mode 120000
index 0000000..65b74ec
--- /dev/null
+++ b/RHEL/6/input/checks/sshd_do_not_permit_user_env.xml
@@ -0,0 +1 @@
+../../../../shared/oval/sshd_do_not_permit_user_env.xml
\ No newline at end of file
diff --git a/RHEL/7/input/checks/sshd_do_not_permit_user_env.xml b/RHEL/7/input/checks/sshd_do_not_permit_user_env.xml
new file mode 120000
index 0000000..65b74ec
--- /dev/null
+++ b/RHEL/7/input/checks/sshd_do_not_permit_user_env.xml
@@ -0,0 +1 @@
+../../../../shared/oval/sshd_do_not_permit_user_env.xml
\ No newline at end of file
diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml
index cc14c81..7abca8a 100644
--- a/RHEL/7/input/profiles/rht-ccp.xml
+++ b/RHEL/7/input/profiles/rht-ccp.xml
@@ -132,8 +132,8 @@ SSH / REMOTE ACCESS CHECKS
 <select idref="sshd_disable_root_login" selected="true"/>
 <select idref="sshd_disable_empty_passwords" selected="true"/>
 <select idref="sshd_enable_warning_banner" selected="true"/>
-<!--
 <select idref="sshd_do_not_permit_user_env" selected="true"/>
+<!--
 <select idref="sshd_use_approved_ciphers" selected="true"/>
 -->
 </Profile>
diff --git a/shared/oval/sshd_do_not_permit_user_env.xml b/shared/oval/sshd_do_not_permit_user_env.xml
new file mode 100644
index 0000000..1d12591
--- /dev/null
+++ b/shared/oval/sshd_do_not_permit_user_env.xml
@@ -0,0 +1,30 @@
+<def-group>
+ <definition class="compliance" id="sshd_do_not_permit_user_env" version="1">
+ <metadata>
+ <title>Do Not Allow Users to Set Environment Options</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>PermitUserEnvironment should be disabled</description>
+ <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+ </metadata>
+ <criteria comment="SSH is not being used or conditions are met"
+ operator="OR">
+ <extend_definition comment="sshd service is disabled"
+ definition_ref="service_sshd_disabled" />
+ <criterion comment="Check PermitUserEnvironment in /etc/ssh/sshd_config"
+ negate="true" test_ref="test_sshd_no_user_envset" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="Check value of PermitUserEnvironment in /etc/ssh/sshd_config"
+ id="test_sshd_no_user_envset" version="1">
+ <ind:object object_ref="obj_sshd_no_user_envset" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_sshd_no_user_envset" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)PermitUserEnvironment[\s]+no[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
-- 
1.8.3.1
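Review bot: The criterion in the new shared definition only proves that a `PermitUserEnvironment no` line exists in /etc/ssh/sshd_config; it does not notice a `PermitUserEnvironment yes` line placed earlier in the file, and sshd uses the first value it reads for a keyword, so such a host would pass the check with user environment processing still enabled. Adding a second textfilecontent54 test with `check_existence="none_exist"` over the pattern `^[\s]*(?i)PermitUserEnvironment[\s]+yes[\s]*$` and joining it to the existing criterion under an `operator="AND"` criteria closes that gap; the ids below are suggested names. Separately, the definition gains a second `<platform>` but keeps `version="1"` carried over from the RHEL 6 file; bumping it to `version="2"` keeps the OVAL version in step with the content change.
```xml
<!-- … unchanged: definition metadata … -->
    <criteria comment="SSH is not being used or conditions are met"
              operator="OR">
      <extend_definition comment="sshd service is disabled"
                         definition_ref="service_sshd_disabled" />
      <criteria operator="AND">
        <criterion comment="Check PermitUserEnvironment in /etc/ssh/sshd_config"
                   negate="true" test_ref="test_sshd_no_user_envset" />
        <criterion comment="No PermitUserEnvironment yes line in /etc/ssh/sshd_config"
                   test_ref="test_sshd_no_user_envset_yes" />
      </criteria>
    </criteria>
<!-- … unchanged: test_sshd_no_user_envset and obj_sshd_no_user_envset … -->
  <ind:textfilecontent54_test check="all" check_existence="none_exist"
        comment="Check that PermitUserEnvironment is not set to yes in /etc/ssh/sshd_config"
        id="test_sshd_no_user_envset_yes" version="1">
    <ind:object object_ref="obj_sshd_no_user_envset_yes" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="obj_sshd_no_user_envset_yes" version="1">
    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
    <ind:pattern operation="pattern match">^[\s]*(?i)PermitUserEnvironment[\s]+yes[\s]*$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
```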
