SSG ID Set SSH Idle Timeout Interval (CCE-26919-1), with the 
usgcb-rhel6-server profile selected from the SCAP stream, when run with SCC 
3.1.1.1, may produce a false positive on a RHEL6V1R2-compliant machine.
The STIG value is 900. The SSG content “Description” also states a value of 
900. However, the SSG content state requirement is “subexpression must be less 
than or equal to '300'”.
See the following report output:
Set SSH Idle Timeout Interval
ID:  sshd_set_idle_timeout
Result:  Fail
Identities:  CCE-26919-1
Description:  SSH allows administrators to set an idle timeout interval. After 
this interval has passed, the idle user will be automatically logged out. To 
set an idle timeout interval, edit the following line in /etc/ssh/sshd_config 
as follows: ClientAliveInterval interval The timeout interval is given in 
seconds. To have a timeout of 15 minutes, set interval to 900. If a shorter 
timeout has already been set for the login shell, that value will preempt any 
SSH setting made here. Keep in mind that some processes may stop SSH from 
correctly detecting that the user is idle.
Fix Text:   
Severity:  low
Weight:   
Reference:  879
1133
Definitions:  
ID:  oval:ssg:def:474
Result:  false
Title:  Set OpenSSH Idle Timeout Interval
Description:  The SSH idle timeout interval should be set to an appropriate 
value.
Class:  compliance
Tests:  

    false (One or more item-state comparisons may be true.)
        false (timeout is configured)
        false (One or more item-state comparisons may be true.)
            false (All item-state comparisons must be true.)
                true (Runlevel test)
                true (Runlevel test)
                false (Runlevel test)
                false (Runlevel test)
                false (Runlevel test)
                false (Runlevel test)
                true (Runlevel test)
            false (All item-state comparisons must be true.)
                false (package openssh-server is removed)

Tests:  
Test ID:  oval:ssg:tst:475
Result:  false
Title:  timeout is configured
Check Existence:  All collected items must exist.
Check:  All collected items must match the given state(s).
State Operator:  All item-state comparisons must be true.
Object ID:  oval:ssg:obj:1546
Object Requirements:  

    filepath must be equal to '/etc/ssh/sshd_config'
    pattern must match the pattern '^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$'
    instance must be equal to '1'

State ID:  oval:ssg:ste:1547
State Requirements:  

    subexpression must be less than or equal to '300'

Collected Item Properties:  

    filepath equals '/etc/ssh/sshd_config'
    path equals '/etc/ssh'
    filename equals 'sshd_config'
    pattern equals '^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$'
    instance equals '1'
    text equals 'ClientAliveInterval 900'
    subexpression equals '900'

Additional Information:  Collected items did not meet the check requirement.
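
An added example (not part of the original message or of the SSG content): a Python check that applies the report's pattern and "less than or equal" state to constructed sshd_config text and evaluates it against both the 300 limit in the content and the 900 value in the STIG. The function names and sample files are assumptions, and OVAL's multiline matching is approximated with re.MULTILINE.

```python
import re

# Pattern from the report's object requirements. The inline (?i) is expressed
# as re.IGNORECASE because Python 3.11+ rejects a global flag mid-pattern.
PATTERN = re.compile(r'^[\s]*ClientAliveInterval[\s]+(\d+)[\s]*$',
                     re.IGNORECASE | re.MULTILINE)

CONTENT_LIMIT = 300   # state requirement shown in the report
STIG_LIMIT = 900      # value given in the STIG and in the rule description


def collect(config_text, instance=1):
    """Return the subexpression of the Nth match as an int, or None."""
    matches = PATTERN.findall(config_text)
    if len(matches) < instance:
        return None
    return int(matches[instance - 1])


def evaluate(config_text, limit):
    """Mimic the test: the item must exist and subexpression <= limit."""
    value = collect(config_text)
    if value is None:
        return "fail (not configured)"
    return "pass" if value <= limit else "fail"


def compare_limits(config_text):
    """Evaluate against both limits; disagreement marks the reported gap."""
    content = evaluate(config_text, CONTENT_LIMIT)
    stig = evaluate(config_text, STIG_LIMIT)
    return {"value": collect(config_text), "content": content,
            "stig": stig, "disagree": content != stig}


# Constructed sshd_config fragments (hypothetical, not from a real host).
SAMPLES = {
    "stig_value": "Protocol 2\nClientAliveInterval 900\nClientAliveCountMax 0\n",
    "short": "clientaliveinterval 300\n",
    "commented": "#ClientAliveInterval 900\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, compare_limits(text))
```

Only the "stig_value" sample disagrees between the two limits, which is the case the report above shows; a commented-out directive fails both because no item is collected.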
