Ok, I realize that this went through a while ago but has anyone actually lived with this setting enabled?
I've got a LOT of unhappy users that start to VI a file, walk away for a while (with their local screen locked) and come back to find their sessions dumped all over the floor.

The default appears to be 5 minutes across the board which I find WAY too short since I might be looking at a man page in two windows for that amount of time or more.

I would like to propose that the defaults be changed to something more sensible like 2, 4, or 8 hours. (Heck, meetings can go on for more than 2 hours sometimes)

Thanks,

Trevor

On Mon, Feb 24, 2014 at 5:34 PM, Shawn Wells <[email protected]> wrote:

> On 2/24/14, 12:06 PM, Jan Lieskovsky wrote:
>
> This improvement was originally proposed by Tomas Heinrich for USGCB content.
> But it is applicable to SSG content too, therefore this post.
>
> Rationale:
> ----------
>
> When checking the system for the underlying value of the ClientAliveInterval
> sshd config variable it's not sufficient to check just for the upper bound
> (if the present value is less than the required maximum); it is necessary
> to check also for the lower bound, because from the sshd_config manual page:
>
> ClientAliveInterval
> Sets a timeout interval in seconds after which if no data has
> been received from the client, sshd(8) will send a message through the
> encrypted channel to request a response from the client. The
> default is 0, indicating that these messages will not be sent to the
> client. This option applies to protocol version 2 only.
>
> Conclusion:
> -----------
>
> The current form worked only for instances not having ClientAliveInterval
> at all in the config. But having had that value set to zero would still
> pass (which is wrong, since as mentioned above these messages would still
> not be sent). Thus this patch also adds a check that the actual value is
> greater than zero.
>
> Besides that it adds some blank lines for better readability. Also removes
> the Fedora version of the sshd_set_idle_timeout.xml rule and links to the
> shared one.
> > Testing background: > ------------------- > > Has been tested on RHEL-7 & Fedora-20 and seems to be working properly. > > Please review. > > Thank you && Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Technologies Team > > > 0001-shared-sshd_set_idle_timeout-when-doing-the-check-be.patch > > From b8419800dd27abad20a5f631ea71944ceb43664f Mon Sep 17 00:00:00 2001 > From: Jan Lieskovsky <[email protected]> <[email protected]> > Date: Mon, 24 Feb 2014 17:52:03 +0100 > Subject: [PATCH] [shared] sshd_set_idle_timeout - when doing the check be sure > to check also the lower bound of ClientAliveInterval value. > > Signed-off-by: Jan Lieskovsky <[email protected]> <[email protected]> > --- > Fedora/input/checks/sshd_set_idle_timeout.xml | 34 > +-------------------------- > shared/oval/sshd_set_idle_timeout.xml | 19 ++++++++++++--- > 2 files changed, 17 insertions(+), 36 deletions(-) > mode change 100644 => 120000 Fedora/input/checks/sshd_set_idle_timeout.xml > > diff --git a/Fedora/input/checks/sshd_set_idle_timeout.xml > b/Fedora/input/checks/sshd_set_idle_timeout.xml > deleted file mode 100644 > index df3336a..0000000 > --- a/Fedora/input/checks/sshd_set_idle_timeout.xml > +++ /dev/null 
> @@ -1,33 +0,0 @@ > -<def-group> > - <definition class="compliance" id="sshd_set_idle_timeout" version="1"> > - <metadata> > - <title>Set OpenSSH Idle Timeout Interval</title> > - <affected family="unix"> > - <platform>Fedora 19</platform> > - </affected> > - <description>The SSH idle timeout interval should be set to an > appropriate value.</description> > - </metadata> > - <criteria comment="SSH is not being used or conditions are met" > operator="OR"> > - <extend_definition comment="sshd service is disabled" > definition_ref="service_sshd_disabled" /> > - <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config" > test_ref="test_sshd_idle_timeout" /> > - </criteria> > - </definition> > - > - <ind:textfilecontent54_test check="all" check_existence="all_exist" > comment="timeout is configured" id="test_sshd_idle_timeout" version="1"> > - <ind:object object_ref="object_sshd_idle_timeout" /> > - <ind:state state_ref="state_timeout_value" /> > - </ind:textfilecontent54_test> > - > - <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="1"> > - <ind:filepath>/etc/ssh/sshd_config</ind:filepath> > - <ind:pattern operation="pattern > match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$</ind:pattern> > - <ind:instance datatype="int">1</ind:instance> > - </ind:textfilecontent54_object> > - > - <ind:textfilecontent54_state comment="ClientAliveInterval in seconds" > id="state_timeout_value" version="1"> > - <ind:subexpression datatype="int" operation="less than or equal" > var_check="all" var_ref="sshd_idle_timeout_value" /> > - </ind:textfilecontent54_state> > - > - <external_variable comment="timeout value" datatype="int" > id="sshd_idle_timeout_value" version="1" /> > - > -</def-group> > diff --git a/Fedora/input/checks/sshd_set_idle_timeout.xml > b/Fedora/input/checks/sshd_set_idle_timeout.xml > new file mode 120000 > index 0000000..2fd18f6 > --- /dev/null > +++ b/Fedora/input/checks/sshd_set_idle_timeout.xml 
> @@ -0,0 +1 @@ > +../../../shared/oval/sshd_set_idle_timeout.xml > \ No newline at end of file > diff --git a/shared/oval/sshd_set_idle_timeout.xml > b/shared/oval/sshd_set_idle_timeout.xml > index ad63830..f891e65 100644 > --- a/shared/oval/sshd_set_idle_timeout.xml > +++ b/shared/oval/sshd_set_idle_timeout.xml > @@ -5,10 +5,12 @@ > <affected family="unix"> > <platform>Red Hat Enterprise Linux 6</platform> > <platform>Red Hat Enterprise Linux 7</platform> > + <platform>Fedora 20</platform> > </affected> > <description>The SSH idle timeout interval should be set to an > appropriate value.</description> > <reference source="MED" ref_id="20130813" ref_url="test_attestation" /> > + <!-- Fedora 20: <reference source="JL" ref_id="20140224" > ref_url="test_attestation" /> --> > </metadata> > <criteria comment="SSH is not being used or conditions are met" > operator="OR"> 
> @@ -18,21 +20,32 @@ > test_ref="test_sshd_idle_timeout" /> > </criteria> > </definition> > + > <ind:textfilecontent54_test check="all" check_existence="all_exist" > comment="timeout is configured" id="test_sshd_idle_timeout" version="1"> > <ind:object object_ref="object_sshd_idle_timeout" /> > - <ind:state state_ref="state_timeout_value" /> > + <ind:state state_ref="state_timeout_value_upper_bound" /> > + <ind:state state_ref="state_timeout_value_lower_bound" /> > </ind:textfilecontent54_test> > + > <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="1"> > <ind:filepath>/etc/ssh/sshd_config</ind:filepath> > <ind:pattern operation="pattern > match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$</ind:pattern> > <ind:instance datatype="int">1</ind:instance> > </ind:textfilecontent54_object> > - <ind:textfilecontent54_state comment="ClientAliveInterval in seconds" > - id="state_timeout_value" version="1"> > + > + <ind:textfilecontent54_state comment="upper bound of ClientAliveInterval > in seconds" > + id="state_timeout_value_upper_bound" version="1"> > <ind:subexpression datatype="int" operation="less than or equal" > var_check="all" > var_ref="sshd_idle_timeout_value" /> > </ind:textfilecontent54_state> > + > + <ind:textfilecontent54_state comment="lower bound of ClientAliveInterval > in seconds" > + id="state_timeout_value_lower_bound" version="1"> > + <ind:subexpression datatype="int" operation="greater > than">0</ind:subexpression> > + </ind:textfilecontent54_state> > + > <external_variable comment="timeout value" datatype="int" > id="sshd_idle_timeout_value" version="1" /> > + > </def-group> > > > > > Good finding. Ack. 
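Review bot: the deleted Fedora/input/checks/sshd_set_idle_timeout.xml declared `<platform>Fedora 19</platform>`, but the shared definition the new symlink points at only gains `<platform>Fedora 20</platform>`, so Fedora 19 silently drops out of the applicability list; either add `<platform>Fedora 19</platform>` next to the Fedora 20 entry in shared/oval/sshd_set_idle_timeout.xml or say in the commit message that Fedora 19 is intentionally no longer covered. The symlink target `../../../shared/oval/sshd_set_idle_timeout.xml` does resolve correctly from Fedora/input/checks/ to the repository-level shared/oval/ directory.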
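Review bot: in the `@@ -5,10 +5,12 @@` hunk the Fedora 20 test attestation is added as an XML comment (`<!-- Fedora 20: <reference source="JL" ref_id="20140224" ref_url="test_attestation" /> -->`), which records nothing for anything that reads `<reference>` elements; since the cover letter states the change was tested on Fedora-20, make it a live `<reference source="JL" ref_id="20140224" ref_url="test_attestation" />`, or drop the comment if the attestation is meant to wait for a separate review.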
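Review bot: in the `@@ -18,21 +20,32 @@` hunk `test_sshd_idle_timeout` now references two states, and the check is only correct because the test's `state_operator` attribute defaults to AND (the matched line must satisfy both `state_timeout_value_upper_bound` and `state_timeout_value_lower_bound`); consider spelling out `state_operator="AND"` on the `<ind:textfilecontent54_test>` so a later reader does not have to know the default. The lower-bound state itself is right: the object's `(\d+)` capture already excludes negative values, so `operation="greater than"` against `0` rejects exactly the `ClientAliveInterval 0` case the rationale describes. Note also that `<ind:instance datatype="int">1</ind:instance>` means only the first matching line is evaluated, so a later duplicate `ClientAliveInterval` line in the file is never seen by this check.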
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
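The bounds check the patch implements, emulated in Python as an added example (not code from the SSG project or from anyone in this thread): the regular expression is the one from the OVAL object above, the `max_interval` parameter stands in for the external variable `sshd_idle_timeout_value`, and the sample sshd_config snippets are constructed.

```python
import re

# The same pattern the OVAL object applies to /etc/ssh/sshd_config: keyword
# matched case-insensitively, value must be an unsigned integer. Python needs
# the (?i) flag at the very start; MULTILINE makes ^ and $ work per line.
PATTERN = re.compile(r"(?i)^[\s]*ClientAliveInterval[\s]+(\d+)[\s]*$", re.MULTILINE)


def client_alive_interval(config_text):
    """Return the first ClientAliveInterval value as an int, or None if absent.

    Only the first match counts, mirroring <ind:instance>1</ind:instance>
    in the OVAL object; a later duplicate line is never looked at."""
    m = PATTERN.search(config_text)
    return int(m.group(1)) if m else None


def check_idle_timeout(config_text, max_interval):
    """Emulate test_sshd_idle_timeout after the patch.

    max_interval stands in for the external variable sshd_idle_timeout_value.
    check_existence="all_exist": keyword absent -> fail.
    Both states must hold (state_operator defaults to AND):
      value <= max_interval   (state_timeout_value_upper_bound)
      value >  0              (state_timeout_value_lower_bound, the new check)"""
    value = client_alive_interval(config_text)
    if value is None:
        return False, "ClientAliveInterval not set: sshd default 0, no probes sent"
    if value > max_interval:
        return False, f"ClientAliveInterval {value} exceeds upper bound {max_interval}"
    if value <= 0:
        return False, f"ClientAliveInterval {value} is zero: probes never sent"
    return True, f"ClientAliveInterval {value} is within (0, {max_interval}]"


# Constructed sample configurations (not taken from any real host).
CONFIGS = {
    "unset":      "Port 22\nPermitRootLogin no\n",
    "zero":       "Port 22\nClientAliveInterval 0\n",          # passed before the patch
    "ok":         "Port 22\nclientaliveinterval 300\n",        # case-insensitive match
    "too_high":   "ClientAliveInterval 900\n",
    "first_wins": "ClientAliveInterval 0\nClientAliveInterval 300\n",
    "commented":  "#ClientAliveInterval 300\n",                # '#' is not whitespace
}

if __name__ == "__main__":
    for name, text in CONFIGS.items():
        ok, why = check_idle_timeout(text, 300)
        print(f"{name:10s} {'pass' if ok else 'FAIL'}  {why}")
```

The "zero" and "first_wins" cases are the ones the pre-patch check let through; "commented" and "unset" fail under both versions because the keyword line must exist.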
