Re: [Open-scap] Set SSH Idle Timeout Interval Debian 8

2018-08-30 Thread Watson Yuuma Sato

On 29/08/18 19:00, Dhanushka Parakrama wrote:

Guys


Hello Dhanushka,

The "anssi_np_nt28_high" profile extends "anssi_np_nt28_restrictive", 
which extends "anssi_np_nt28_average".
And "average" Profile sets value "sshd_idle_timeout_value=5_minutes", 
i.e. 300.
So value 400 for ClientAliveInterval correctly fails the scan, as the 
value configured should be between zero and "sshd_idle_timeout_value".


For the scan to pass with "ClientAliveInterval 400" you need to create a 
tailoring and change the value for "sshd_idle_timeout_value".
Unfortunately, there is no preset value for 400; you can check them here: 
https://github.com/OpenSCAP/scap-security-guide/blob/master/linux_os/guide/services/ssh/sshd_idle_timeout_value.var




In Debian 8 I have configured the settings as below for ssh client timeout

ClientAliveInterval 400
but it seems like the scan is not picking it up,
Version scap-security-guide-0.1.40


*oscap-ssh --sudo wso2@192.168.8.150 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report abc.html ssg-debian8-ds.xml*


and still shows output as below

*Title   Set SSH Idle Timeout Interval*
*Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout*
*Result  fail*



___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list



--
Watson Sato
Security Technologies | Red Hat, Inc
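
The tailoring suggested in the reply above, as an added example (not part of the original thread and not OpenSCAP project code): it builds an XCCDF tailoring that sets "sshd_idle_timeout_value" to 400 and mirrors the pass condition described in the reply. The value id, the tailoring and tailored-profile ids, and the sample sshd_config are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_anssi_np_nt28_high"  # from the thread
# Assumed id: the variable name behind the same prefix style as the rule id in the thread.
VALUE_ID = "xccdf_org.ssgproject.content_value_sshd_idle_timeout_value"
# Hypothetical ids chosen for this example.
TAILORING_ID = "xccdf_example_tailoring_sshd_idle"
TAILORED_PROFILE = BASE_PROFILE + "_idle400"


def _q(tag):
    """Qualify a tag name with the XCCDF 1.2 namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)


def build_tailoring(seconds, benchmark_href="ssg-debian8-ds.xml"):
    """Return tailoring XML whose profile extends the scanned one and overrides the value."""
    ET.register_namespace("xccdf", XCCDF_NS)
    root = ET.Element(_q("Tailoring"), {"id": TAILORING_ID})
    ET.SubElement(root, _q("benchmark"), {"href": benchmark_href})
    ET.SubElement(root, _q("version"), {"time": "2018-08-30T00:00:00"}).text = "1"
    prof = ET.SubElement(root, _q("Profile"),
                         {"id": TAILORED_PROFILE, "extends": BASE_PROFILE})
    ET.SubElement(prof, _q("title")).text = "NT28 high, SSH idle timeout %d s" % seconds
    ET.SubElement(prof, _q("set-value"), {"idref": VALUE_ID}).text = str(seconds)
    return ET.tostring(root, encoding="unicode")


def client_alive_interval(sshd_config_text):
    """First ClientAliveInterval before any Match block; 0 (sshd default) if unset."""
    for line in sshd_config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if fields[0].lower() == "match":
            break  # global section ends here
        if fields[0].lower() == "clientaliveinterval" and len(fields) > 1:
            return int(fields[1])
    return 0


def idle_timeout_passes(sshd_config_text, limit):
    """Pass condition as described in the reply; treating 0 as a fail is an assumption."""
    return 0 < client_alive_interval(sshd_config_text) <= limit


# Constructed sample configuration, not taken from the poster's host.
SAMPLE_CONFIG = "Port 22\n# ClientAliveInterval 60\nClientAliveInterval 400\n"

if __name__ == "__main__":
    print(idle_timeout_passes(SAMPLE_CONFIG, 300))  # profile value 5_minutes
    print(idle_timeout_passes(SAMPLE_CONFIG, 400))  # tailored value
    print(build_tailoring(400))
```

Save the generated XML and pass it to `oscap xccdf eval` with `--tailoring-file`, selecting the tailored profile id with `--profile`.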


[Open-scap] Set SSH Idle Timeout Interval Debian 8

2018-08-29 Thread Dhanushka Parakrama
Guys

In Debian 8 I have configured the settings as below for ssh client timeout

ClientAliveInterval 400

but it seems like the scan is not picking it up,
Version scap-security-guide-0.1.40


*oscap-ssh  --sudo wso2@192.168.8.150  22 xccdf eval
 --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report
abc.html  ssg-debian8-ds.xml*


and still shows output as below

*Title   Set SSH Idle Timeout Interval*
*Rule xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout*
*Result  fail*