>From bddae5d68040dba016d9f95ead6a57730a7bad82 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Thu, 23 Jan 2014 00:57:11 -0500 Subject: [PATCH 02/10] Moved sshd_set_keepalive to shared/
- Updated CPE for RHEL7 after testing
- Moved to shared/
- Added to RHEL7 rht-ccp profile
---
 RHEL/6/input/checks/sshd_set_keepalive.xml | 35 +-----------------------------
 RHEL/7/input/checks/sshd_set_keepalive.xml | 1 +
 RHEL/7/input/profiles/rht-ccp.xml | 3 +--
 shared/oval/sshd_set_keepalive.xml | 35 ++++++++++++++++++++++++++++++
 4 files changed, 38 insertions(+), 36 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/sshd_set_keepalive.xml
 create mode 120000 RHEL/7/input/checks/sshd_set_keepalive.xml
 create mode 100644 shared/oval/sshd_set_keepalive.xml
diff --git a/RHEL/6/input/checks/sshd_set_keepalive.xml b/RHEL/6/input/checks/sshd_set_keepalive.xml
deleted file mode 100644
index 539a6a9..0000000
--- a/RHEL/6/input/checks/sshd_set_keepalive.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<def-group>
- <definition class="compliance" id="sshd_set_keepalive" version="1">
- <metadata>
- <title>Set ClientAliveCountMax for User Logins</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The SSH ClientAliveCountMax should be set to an appropriate
- value (and dependencies are met)</description>
- <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
- </metadata>
- <criteria comment="SSH is not being used or conditions are met"
- operator="OR">
- <extend_definition comment="sshd service is disabled"
- definition_ref="service_sshd_disabled" />
- <criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config"
- test_ref="test_sshd_clientalivecountmax" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file"
- id="test_sshd_clientalivecountmax" version="1">
- <ind:object object_ref="obj_sshd_clientalivecountmax" />
- <ind:state state_ref="state_sshd_clientalivecountmax" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_sshd_clientalivecountmax" version="1">
- <ind:subexpression datatype="int" operation="equals">0</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="1">
- <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL/6/input/checks/sshd_set_keepalive.xml b/RHEL/6/input/checks/sshd_set_keepalive.xml
new file mode 120000
index 0000000..4053d82
--- /dev/null
+++ b/RHEL/6/input/checks/sshd_set_keepalive.xml
@@ -0,0 +1 @@
+../../../../shared/oval/sshd_set_keepalive.xml
\ No newline at end of file
diff --git a/RHEL/7/input/checks/sshd_set_keepalive.xml b/RHEL/7/input/checks/sshd_set_keepalive.xml
new file mode 120000
index 0000000..4053d82
--- /dev/null
+++ b/RHEL/7/input/checks/sshd_set_keepalive.xml
@@ -0,0 +1 @@
+../../../../shared/oval/sshd_set_keepalive.xml
\ No newline at end of file
diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml
index 02dcbd1..a01f7a8 100644
--- a/RHEL/7/input/profiles/rht-ccp.xml
+++ b/RHEL/7/input/profiles/rht-ccp.xml
@@ -126,9 +126,8 @@ ANTIQUATED SERVICES SSH / REMOTE ACCESS CHECKS
 <select idref="sshd_allow_only_protocol2" selected="true"/>
 -->
 <select idref="sshd_set_idle_timeout" selected="true"/>
-
-<!--
 <select idref="sshd_set_keepalive" selected="true"/>
+<!--
 <select idref="sshd_disable_rhosts" selected="true"/>
 <select idref="disable_host_auth" selected="true"/>
 <select idref="sshd_disable_root_login" selected="true"/>
diff --git a/shared/oval/sshd_set_keepalive.xml b/shared/oval/sshd_set_keepalive.xml
new file mode 100644
index 0000000..6e3bf7b
--- /dev/null
+++ b/shared/oval/sshd_set_keepalive.xml
@@ -0,0 +1,35 @@
+<def-group>
+ <definition class="compliance" id="sshd_set_keepalive" version="1">
+ <metadata>
+ <title>Set ClientAliveCountMax for User Logins</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>The SSH ClientAliveCountMax should be set to an appropriate
+ value (and dependencies are met)</description>
+ <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+ </metadata>
+ <criteria comment="SSH is not being used or conditions are met"
+ operator="OR">
+ <extend_definition comment="sshd service is disabled"
+ definition_ref="service_sshd_disabled" />
+ <criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config"
+ test_ref="test_sshd_clientalivecountmax" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file"
+ id="test_sshd_clientalivecountmax" version="1">
+ <ind:object object_ref="obj_sshd_clientalivecountmax" />
+ <ind:state state_ref="state_sshd_clientalivecountmax" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_state id="state_sshd_clientalivecountmax" version="1">
+ <ind:subexpression datatype="int" operation="equals">0</ind:subexpression>
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="1">
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
--
1.8.3.1
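Review bot: The state `<ind:subexpression datatype="int" operation="equals">0</ind:subexpression>` only passes when ClientAliveCountMax is exactly 0, but the definition's `<description>` still says it should be set to "an appropriate value", so an auditor reading the metadata cannot tell what the check enforces; suggest `<description>The SSH ClientAliveCountMax should be set to 0 (and dependencies are met)</description>`. The hunk adds `<platform>Red Hat Enterprise Linux 7</platform>` to the affected list, yet the only `<reference ... ref_url="test_attestation" />` is the 2013 one carried over from the RHEL 6 file, so the attestation trail should gain a second `<reference source="INITIALS" ref_id="YYYYMMDD" ref_url="test_attestation" />` (placeholder values) for the RHEL 7 test the commit message mentions. It is also worth confirming against the OpenSSH shipped with each listed platform that 0 has the intended meaning, since some OpenSSH releases treat ClientAliveCountMax 0 as disabling client-alive disconnection rather than enforcing it, in which case this check would pass a configuration that never terminates unresponsive sessions. The object's `<ind:instance datatype="int">1</ind:instance>` mirrors sshd's first-directive-wins handling of the global config, but the pattern cannot distinguish a directive inside a `Match` block from a global one; a short comment on the object stating that scope assumption would help future maintainers.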
