>From c1e9108bd02e637f6602ae3b96001e500f495f62 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Thu, 23 Jan 2014 00:59:25 -0500 Subject: [PATCH 03/10] Moved sshd_disable_rhosts to shared/
- Tested on RHEL7, updated CPE
- Created symlinks
- Added to RHEL7 rht-ccp profile
---
 RHEL/6/input/checks/sshd_disable_rhosts.xml | 32 +----------------------------
 RHEL/7/input/checks/sshd_disable_rhosts.xml | 1 +
 RHEL/7/input/profiles/rht-ccp.xml | 2 +-
 shared/oval/sshd_disable_rhosts.xml | 32 +++++++++++++++++++++++++++++
 4 files changed, 35 insertions(+), 32 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/sshd_disable_rhosts.xml
 create mode 120000 RHEL/7/input/checks/sshd_disable_rhosts.xml
 create mode 100644 shared/oval/sshd_disable_rhosts.xml
diff --git a/RHEL/6/input/checks/sshd_disable_rhosts.xml b/RHEL/6/input/checks/sshd_disable_rhosts.xml
deleted file mode 100644
index 29db641..0000000
--- a/RHEL/6/input/checks/sshd_disable_rhosts.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<def-group>
- <definition class="compliance" id="sshd_disable_rhosts" version="1">
- <metadata>
- <title>Disable .rhosts Files</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>Emulation of the rsh command through the ssh server should
- be disabled (and dependencies are met)</description>
- <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
- </metadata>
- <criteria comment="SSH is not being used or conditions are met"
- operator="OR">
- <extend_definition comment="sshd service is disabled"
- definition_ref="service_sshd_disabled" />
- <criterion comment="Check IgnoreRhosts in /etc/ssh/sshd_config"
- test_ref="test_sshd_rsh_emulation_disabled" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="none_exist"
- comment="Tests the value of the IgnoreRhosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file"
- id="test_sshd_rsh_emulation_disabled" version="1">
- <ind:object object_ref="obj_sshd_rsh_emulation_disabled" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_sshd_rsh_emulation_disabled"
- version="1">
- <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)IgnoreRhosts[\s]+no[\s]*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL/6/input/checks/sshd_disable_rhosts.xml b/RHEL/6/input/checks/sshd_disable_rhosts.xml
new file mode 120000
index 0000000..4b87bc5
--- /dev/null
+++ b/RHEL/6/input/checks/sshd_disable_rhosts.xml
@@ -0,0 +1 @@
+../../../../shared/oval/sshd_disable_rhosts.xml
\ No newline at end of file
diff --git a/RHEL/7/input/checks/sshd_disable_rhosts.xml b/RHEL/7/input/checks/sshd_disable_rhosts.xml
new file mode 120000
index 0000000..4b87bc5
--- /dev/null
+++ b/RHEL/7/input/checks/sshd_disable_rhosts.xml
@@ -0,0 +1 @@
+../../../../shared/oval/sshd_disable_rhosts.xml
\ No newline at end of file
diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml
index a01f7a8..eaf801a 100644
--- a/RHEL/7/input/profiles/rht-ccp.xml
+++ b/RHEL/7/input/profiles/rht-ccp.xml
@@ -127,8 +127,8 @@ SSH / REMOTE ACCESS CHECKS
 <select idref="sshd_allow_only_protocol2" selected="true"/>
 -->
 <select idref="sshd_set_idle_timeout" selected="true"/>
 <select idref="sshd_set_keepalive" selected="true"/>
-<!-- <select idref="sshd_disable_rhosts" selected="true"/>
+<!-- <select idref="disable_host_auth" selected="true"/>
 <select idref="sshd_disable_root_login" selected="true"/>
 <select idref="sshd_disable_empty_passwords" selected="true"/>
diff --git a/shared/oval/sshd_disable_rhosts.xml b/shared/oval/sshd_disable_rhosts.xml
new file mode 100644
index 0000000..62d9e44
--- /dev/null
+++ b/shared/oval/sshd_disable_rhosts.xml
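Review bot: The commit message says sshd_disable_rhosts was added to the RHEL7 rht-ccp profile, but the only change to rht-ccp.xml replaces the commented-out `<!-- <select idref="sshd_disable_rhosts" selected="true"/>` with a commented-out `<!-- <select idref="disable_host_auth" selected="true"/>`, so no live sshd_disable_rhosts select appears on the new side of this hunk (context-line markers are lost in this rendering, so a line may have been dropped; please verify against the repository). If the intent was to enable the now-shared check and push the comment opener down past it, the new side should read `<select idref="sshd_disable_rhosts" selected="true"/>` followed by `<!-- <select idref="disable_host_auth" selected="true"/>`. Moving the `<!--` also changes which of the following selects stay commented out, and the `-->` that closes this block is outside the hunk, so the resulting comment scope should be double-checked before the profile is built.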
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance" id="sshd_disable_rhosts" version="1">
+ <metadata>
+ <title>Disable .rhosts Files</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>Emulation of the rsh command through the ssh server should
+ be disabled (and dependencies are met)</description>
+ <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+ </metadata>
+ <criteria comment="SSH is not being used or conditions are met"
+ operator="OR">
+ <extend_definition comment="sshd service is disabled"
+ definition_ref="service_sshd_disabled" />
+ <criterion comment="Check IgnoreRhosts in /etc/ssh/sshd_config"
+ test_ref="test_sshd_rsh_emulation_disabled" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="Tests the value of the IgnoreRhosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file"
+ id="test_sshd_rsh_emulation_disabled" version="1">
+ <ind:object object_ref="obj_sshd_rsh_emulation_disabled" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_sshd_rsh_emulation_disabled"
+ version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)IgnoreRhosts[\s]+no[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
-- 
1.8.3.1
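Review bot: The `comment` attribute on `ind:textfilecontent54_test` describes an `IgnoreRhosts[\s]*(<:nocomment:>*)` expression that does not match the pattern `obj_sshd_rsh_emulation_disabled` actually uses, so it is stale and misleading now that the file is shared between platforms; suggest `comment="Tests that no IgnoreRhosts no directive is present in /etc/ssh/sshd_config"`. The pattern `^[\s]*(?i)IgnoreRhosts[\s]+no[\s]*$` only catches a whitespace-separated setting, while sshd's config parser also accepts `=` between keyword and value, so an `IgnoreRhosts=no` line would be reported compliant; `^[\s]*(?i)IgnoreRhosts[\s=]+no[\s]*$` closes that gap. Because the test uses `check_existence="none_exist"`, an absent or unreadable sshd_config also passes; that is consistent with the OR on service_sshd_disabled, but it is worth stating in the definition's description so the shared check's limits are clear to both platform maintainers.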
