When checking /etc/ssh/sshd_config for the proper settings of various
directives, also accept directive lines that are suffixed with comments
(so that we do not report inappropriate results).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From a680e7ef8ea197e758c8dd29117c27428f70707e Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Tue, 8 Apr 2014 11:08:05 +0200
Subject: [PATCH] [shared] Allow comments in sshd config directives

Signed-off-by: Jan Lieskovsky <[email protected]>
---
 shared/oval/disable_host_auth.xml            | 4 ++--
 shared/oval/sshd_allow_only_protocol2.xml    | 4 ++--
 shared/oval/sshd_disable_empty_passwords.xml | 4 ++--
 shared/oval/sshd_disable_rhosts.xml          | 4 ++--
 shared/oval/sshd_disable_root_login.xml      | 4 ++--
 shared/oval/sshd_do_not_permit_user_env.xml  | 4 ++--
 shared/oval/sshd_enable_warning_banner.xml   | 4 ++--
 shared/oval/sshd_set_idle_timeout.xml        | 4 ++--
 shared/oval/sshd_set_keepalive.xml           | 4 ++--
 shared/oval/sshd_use_approved_ciphers.xml    | 4 ++--
 10 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/shared/oval/disable_host_auth.xml b/shared/oval/disable_host_auth.xml
index faf372d..d1be88b 100644
--- a/shared/oval/disable_host_auth.xml
+++ b/shared/oval/disable_host_auth.xml
@@ -22,9 +22,9 @@
   version="1">
     <ind:object object_ref="object_sshd_hostbasedauthentication" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" version="1">
+  <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)HostbasedAuthentication[\s]+yes[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)HostbasedAuthentication[\s]+yes[\s]*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
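Review bot: Dropping the trailing `$` on line 41 leaves the pattern open-ended, so it now matches any line that merely begins with the expected directive and value rather than only lines that end with it; the same change is made in sshd_allow_only_protocol2.xml, sshd_disable_empty_passwords.xml, sshd_disable_rhosts.xml, sshd_disable_root_login.xml, sshd_do_not_permit_user_env.xml, sshd_enable_warning_banner.xml, sshd_set_idle_timeout.xml, sshd_set_keepalive.xml and sshd_use_approved_ciphers.xml. The practical effect is clearest in the Protocol and Ciphers hunks: `Protocol 2,1` now satisfies the protocol-2 pattern, and a Ciphers line with further ciphers appended after `aes256-cbc` satisfies the approved-ciphers pattern, so a weaker configuration passes the check. If the intent is only to tolerate a trailing comment, keep the anchor and allow an optional comment before it, e.g. `^[\s]*(?i)HostbasedAuthentication[\s]+yes[\s]*(#.*)?$`, and use the same `[\s]*(#.*)?$` tail in the other nine files. Whether sshd itself accepts a trailing `#` comment on a directive line is worth confirming against the targeted OpenSSH version before relaxing the patterns at all.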
diff --git a/shared/oval/sshd_allow_only_protocol2.xml b/shared/oval/sshd_allow_only_protocol2.xml
index 7ae306c..db0bf18 100644
--- a/shared/oval/sshd_allow_only_protocol2.xml
+++ b/shared/oval/sshd_allow_only_protocol2.xml
@@ -22,9 +22,9 @@
   comment="sshd uses protocol 2" id="test_sshd_allow_only_protocol2" version="1">
     <ind:object object_ref="object_sshd_allow_only_protocol2" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_sshd_allow_only_protocol2" version="2">
+  <ind:textfilecontent54_object id="object_sshd_allow_only_protocol2" version="3">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)Protocol[\s]+2[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)Protocol[\s]+2[\s]*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
diff --git a/shared/oval/sshd_disable_empty_passwords.xml b/shared/oval/sshd_disable_empty_passwords.xml
index 81032c7..c5aef55 100644
--- a/shared/oval/sshd_disable_empty_passwords.xml
+++ b/shared/oval/sshd_disable_empty_passwords.xml
@@ -24,9 +24,9 @@
     <ind:object object_ref="obj_sshd_permitemptypasswords_no" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="obj_sshd_permitemptypasswords_no"
-  version="1">
+  version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)PermitEmptyPasswords[\s]+no[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)PermitEmptyPasswords[\s]+no[\s]*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
diff --git a/shared/oval/sshd_disable_rhosts.xml b/shared/oval/sshd_disable_rhosts.xml
index 62d9e44..d26c448 100644
--- a/shared/oval/sshd_disable_rhosts.xml
+++ b/shared/oval/sshd_disable_rhosts.xml
@@ -24,9 +24,9 @@
     <ind:object object_ref="obj_sshd_rsh_emulation_disabled" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="obj_sshd_rsh_emulation_disabled"
-  version="1">
+  version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)IgnoreRhosts[\s]+no[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)IgnoreRhosts[\s]+no[\s]*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
diff --git a/shared/oval/sshd_disable_root_login.xml b/shared/oval/sshd_disable_root_login.xml
index 0547354..3ac955e 100644
--- a/shared/oval/sshd_disable_root_login.xml
+++ b/shared/oval/sshd_disable_root_login.xml
@@ -23,9 +23,9 @@
   id="test_sshd_permitrootlogin_no" version="1">
     <ind:object object_ref="obj_sshd_permitrootlogin_no" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="1">
+  <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin[\s]+yes[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin[\s]+yes[\s]*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
diff --git a/shared/oval/sshd_do_not_permit_user_env.xml b/shared/oval/sshd_do_not_permit_user_env.xml
index 1d12591..cb8ef8f 100644
--- a/shared/oval/sshd_do_not_permit_user_env.xml
+++ b/shared/oval/sshd_do_not_permit_user_env.xml
@@ -22,9 +22,9 @@
   id="test_sshd_no_user_envset" version="1">
     <ind:object object_ref="obj_sshd_no_user_envset" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_sshd_no_user_envset" version="1">
+  <ind:textfilecontent54_object id="obj_sshd_no_user_envset" version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)PermitUserEnvironment[\s]+no[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)PermitUserEnvironment[\s]+no[\s]*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
diff --git a/shared/oval/sshd_enable_warning_banner.xml b/shared/oval/sshd_enable_warning_banner.xml
index 656a644..5e861d4 100644
--- a/shared/oval/sshd_enable_warning_banner.xml
+++ b/shared/oval/sshd_enable_warning_banner.xml
@@ -23,9 +23,9 @@
   id="test_sshd_banner_set" version="1">
     <ind:object object_ref="obj_sshd_banner_set" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_sshd_banner_set" version="1">
+  <ind:textfilecontent54_object id="obj_sshd_banner_set" version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)Banner(?-i)[\s]+/etc/issue[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)Banner(?-i)[\s]+/etc/issue[\s]*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
diff --git a/shared/oval/sshd_set_idle_timeout.xml b/shared/oval/sshd_set_idle_timeout.xml
index f891e65..7b4c1a9 100644
--- a/shared/oval/sshd_set_idle_timeout.xml
+++ b/shared/oval/sshd_set_idle_timeout.xml
@@ -28,9 +28,9 @@
     <ind:state state_ref="state_timeout_value_lower_bound" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="1">
+  <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
diff --git a/shared/oval/sshd_set_keepalive.xml b/shared/oval/sshd_set_keepalive.xml
index 6e3bf7b..5466b61 100644
--- a/shared/oval/sshd_set_keepalive.xml
+++ b/shared/oval/sshd_set_keepalive.xml
@@ -27,9 +27,9 @@
   <ind:textfilecontent54_state id="state_sshd_clientalivecountmax" version="1">
     <ind:subexpression datatype="int" operation="equals">0</ind:subexpression>
   </ind:textfilecontent54_state>
-  <ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="1">
+  <ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
diff --git a/shared/oval/sshd_use_approved_ciphers.xml b/shared/oval/sshd_use_approved_ciphers.xml
index 04ef3e2..ef044d6 100644
--- a/shared/oval/sshd_use_approved_ciphers.xml
+++ b/shared/oval/sshd_use_approved_ciphers.xml
@@ -23,9 +23,9 @@
   id="test_sshd_use_approved_ciphers" version="1">
     <ind:object object_ref="obj_sshd_use_approved_ciphers" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers" version="1">
+  <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers" version="2">
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc[\s]*</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
-- 
1.8.3.1
