On 4/14/14, 1:14 PM, Jan Lieskovsky wrote:
Patch summary:
   * provide v2 of the patch to support trailing comments after
     various directives in / from /etc/ssh/sshd_config - based on feedback from:
     
https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-April/005185.html

   * add end terminator for "case-insensitive" regex match for cases
     where appropriate

     (e.g. "PermitRootLogin Yes" is not allowed, since sshd allows just
     directive names to be case-insensitive. Can be verified by attempt
     to start sshd with such config.)

   * update versions & test attestations

Testing report:
   * all changed files / directives have been tested on RHEL-6 for both cases
     (with / without trailing comments) and generate the same results for a given
     configuration (IOW it's irrelevant whether the comment is there or not)

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

0001-shared-Allow-comments-in-sshd-config-directives-supp.patch


 From 65d4cc63e2a4aff31ff4fe081f8d3247345139e9 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Mon, 14 Apr 2014 19:04:04 +0200
Subject: [PATCH] [shared] Allow comments in sshd config directives, support
        only lowercase sshd config values (yes/no)

Signed-off-by: Jan Lieskovsky<[email protected]>
---
  shared/oval/disable_host_auth.xml            | 6 +++---
  shared/oval/sshd_allow_only_protocol2.xml    | 6 +++---
  shared/oval/sshd_disable_empty_passwords.xml | 6 +++---
  shared/oval/sshd_disable_rhosts.xml          | 6 +++---
  shared/oval/sshd_disable_root_login.xml      | 6 +++---
  shared/oval/sshd_do_not_permit_user_env.xml  | 6 +++---
  shared/oval/sshd_enable_warning_banner.xml   | 6 +++---
  shared/oval/sshd_set_idle_timeout.xml        | 6 +++---
  shared/oval/sshd_set_keepalive.xml           | 6 +++---
  shared/oval/sshd_use_approved_ciphers.xml    | 6 +++---
  10 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/shared/oval/disable_host_auth.xml 
b/shared/oval/disable_host_auth.xml
index faf372d..6f4eb9d 100644
--- a/shared/oval/disable_host_auth.xml
+++ b/shared/oval/disable_host_auth.xml
@@ -7,7 +7,7 @@
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
        <description>SSH host-based authentication should be 
disabled.</description>
-      <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140414" ref_url="test_attestation" />
      </metadata>
      <criteria comment="SSH is not being used or conditions are met"
      operator="OR">
@@ -22,9 +22,9 @@
    version="1">
      <ind:object object_ref="object_sshd_hostbasedauthentication" />
    </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" 
version="1">
+  <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" 
version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)HostbasedAuthentication[\s]+yes[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
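Review bot: The comment tail appended on the new `<ind:pattern>` line, `(?:|(?:#.*))?`, carries a redundant empty alternative: the group is already optional via the trailing `?`, so the leading `|` adds nothing and only makes the regex harder to read. The equivalent, simpler form is `^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:#.*)?$`. The same construct is used in every other object pattern in this patch (sshd_allow_only_protocol2.xml, sshd_disable_empty_passwords.xml, sshd_disable_rhosts.xml, sshd_disable_root_login.xml, sshd_do_not_permit_user_env.xml, sshd_enable_warning_banner.xml, sshd_set_idle_timeout.xml, sshd_set_keepalive.xml, sshd_use_approved_ciphers.xml), so the simplification applies there too. Since `[\s]*` before the tail may match nothing, `yes#comment` with no separating space is also accepted; as far as I recall sshd's config loader truncates a line at its first `#` regardless of spacing, so this is consistent, but a short XML comment next to the pattern stating that trailing `#...` is accepted and that values remain case-sensitive would save the next editor from re-deriving it.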
diff --git a/shared/oval/sshd_allow_only_protocol2.xml 
b/shared/oval/sshd_allow_only_protocol2.xml
index 7ae306c..c17d568 100644
--- a/shared/oval/sshd_allow_only_protocol2.xml
+++ b/shared/oval/sshd_allow_only_protocol2.xml
@@ -7,7 +7,7 @@
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
        <description>The OpenSSH daemon should be running protocol 
2.</description>
-      <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140414" ref_url="test_attestation" />
      </metadata>
      <criteria comment="SSH is not being used or conditions are met" 
operator="OR">
        <extend_definition comment="sshd service is disabled"
@@ -22,9 +22,9 @@
    comment="sshd uses protocol 2" id="test_sshd_allow_only_protocol2" 
version="1">
      <ind:object object_ref="object_sshd_allow_only_protocol2" />
    </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_sshd_allow_only_protocol2" 
version="2">
+  <ind:textfilecontent54_object id="object_sshd_allow_only_protocol2" 
version="3">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)Protocol[\s]+2[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
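Review bot: The new `<ind:pattern>` line leaves `(?i)` in effect for the rest of the expression, whereas the yes/no patterns in this patch switch it off with `(?-i)` immediately after the directive name. This is harmless here, because `2`, whitespace and `#.*` have no case variants, so it is a consistency point rather than a defect; sshd_set_idle_timeout.xml and sshd_set_keepalive.xml have the same shape with their numeric values. For uniformity and to make the "only the directive name is case-insensitive" intent visible in every file, `^[\s]*(?i)Protocol(?-i)[\s]+2[\s]*(?:|(?:#.*))?$`.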
diff --git a/shared/oval/sshd_disable_empty_passwords.xml 
b/shared/oval/sshd_disable_empty_passwords.xml
index 81032c7..b450afa 100644
--- a/shared/oval/sshd_disable_empty_passwords.xml
+++ b/shared/oval/sshd_disable_empty_passwords.xml
@@ -8,7 +8,7 @@
        </affected>
        <description>Remote connections from accounts with empty passwords 
should
        be disabled (and dependencies are met)</description>
-      <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140414" ref_url="test_attestation" />
      </metadata>
      <criteria comment="SSH is not being used or conditions are met"
      operator="OR">
@@ -24,9 +24,9 @@
      <ind:object object_ref="obj_sshd_permitemptypasswords_no" />
    </ind:textfilecontent54_test>
    <ind:textfilecontent54_object id="obj_sshd_permitemptypasswords_no"
-  version="1">
+  version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)PermitEmptyPasswords[\s]+no[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
diff --git a/shared/oval/sshd_disable_rhosts.xml 
b/shared/oval/sshd_disable_rhosts.xml
index 62d9e44..cb59a1f 100644
--- a/shared/oval/sshd_disable_rhosts.xml
+++ b/shared/oval/sshd_disable_rhosts.xml
@@ -8,7 +8,7 @@
        </affected>
        <description>Emulation of the rsh command through the ssh server should
        be disabled (and dependencies are met)</description>
-      <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140414" ref_url="test_attestation" />
      </metadata>
      <criteria comment="SSH is not being used or conditions are met"
      operator="OR">
@@ -24,9 +24,9 @@
      <ind:object object_ref="obj_sshd_rsh_emulation_disabled" />
    </ind:textfilecontent54_test>
    <ind:textfilecontent54_object id="obj_sshd_rsh_emulation_disabled"
-  version="1">
+  version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)IgnoreRhosts[\s]+no[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)IgnoreRhosts(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
diff --git a/shared/oval/sshd_disable_root_login.xml 
b/shared/oval/sshd_disable_root_login.xml
index 0547354..73c4906 100644
--- a/shared/oval/sshd_disable_root_login.xml
+++ b/shared/oval/sshd_disable_root_login.xml
@@ -8,7 +8,7 @@
        </affected>
        <description>Root login via SSH should be disabled (and dependencies are
        met)</description>
-      <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140414" ref_url="test_attestation" />
      </metadata>
      <criteria comment="SSH is not being used or conditions are met"
      operator="OR">
@@ -23,9 +23,9 @@
    id="test_sshd_permitrootlogin_no" version="1">
      <ind:object object_ref="obj_sshd_permitrootlogin_no" />
    </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="1">
+  <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)PermitRootLogin[\s]+yes[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
diff --git a/shared/oval/sshd_do_not_permit_user_env.xml 
b/shared/oval/sshd_do_not_permit_user_env.xml
index 1d12591..0a0dea1 100644
--- a/shared/oval/sshd_do_not_permit_user_env.xml
+++ b/shared/oval/sshd_do_not_permit_user_env.xml
@@ -7,7 +7,7 @@
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
        <description>PermitUserEnvironment should be disabled</description>
-      <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140414" ref_url="test_attestation" />
      </metadata>
      <criteria comment="SSH is not being used or conditions are met"
      operator="OR">
@@ -22,9 +22,9 @@
    id="test_sshd_no_user_envset" version="1">
      <ind:object object_ref="obj_sshd_no_user_envset" />
    </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_sshd_no_user_envset" version="1">
+  <ind:textfilecontent54_object id="obj_sshd_no_user_envset" version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)PermitUserEnvironment[\s]+no[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)PermitUserEnvironment(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
diff --git a/shared/oval/sshd_enable_warning_banner.xml 
b/shared/oval/sshd_enable_warning_banner.xml
index 656a644..0bd8d32 100644
--- a/shared/oval/sshd_enable_warning_banner.xml
+++ b/shared/oval/sshd_enable_warning_banner.xml
@@ -8,7 +8,7 @@
        </affected>
        <description>SSH warning banner should be enabled (and dependencies are
        met)</description>
-      <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140414" ref_url="test_attestation" />
      </metadata>
      <criteria comment="SSH is not being used or conditions are met"
      operator="OR">
@@ -23,9 +23,9 @@
    id="test_sshd_banner_set" version="1">
      <ind:object object_ref="obj_sshd_banner_set" />
    </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_sshd_banner_set" version="1">
+  <ind:textfilecontent54_object id="obj_sshd_banner_set" version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)Banner(?-i)[\s]+/etc/issue[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)Banner(?-i)[\s]+/etc/issue[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
diff --git a/shared/oval/sshd_set_idle_timeout.xml 
b/shared/oval/sshd_set_idle_timeout.xml
index f891e65..0ccfae8 100644
--- a/shared/oval/sshd_set_idle_timeout.xml
+++ b/shared/oval/sshd_set_idle_timeout.xml
@@ -9,7 +9,7 @@
        </affected>
        <description>The SSH idle timeout interval should be set to an
        appropriate value.</description>
-      <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140414" ref_url="test_attestation" />
        <!-- Fedora 20: <reference source="JL" ref_id="20140224" 
ref_url="test_attestation" /> -->
      </metadata>
      <criteria comment="SSH is not being used or conditions are met"
@@ -28,9 +28,9 @@
      <ind:state state_ref="state_timeout_value_lower_bound" />
    </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="1">
+  <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
diff --git a/shared/oval/sshd_set_keepalive.xml b/shared/oval/sshd_set_keepalive.xml
index 6e3bf7b..424be27 100644
--- a/shared/oval/sshd_set_keepalive.xml
+++ b/shared/oval/sshd_set_keepalive.xml
@@ -8,7 +8,7 @@
        </affected>
        <description>The SSH ClientAliveCountMax should be set to an appropriate
        value (and dependencies are met)</description>
-      <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140414" ref_url="test_attestation" />
      </metadata>
      <criteria comment="SSH is not being used or conditions are met"
      operator="OR">
@@ -27,9 +27,9 @@
    <ind:textfilecontent54_state id="state_sshd_clientalivecountmax" 
version="1">
      <ind:subexpression datatype="int" operation="equals">0</ind:subexpression>
    </ind:textfilecontent54_state>
-  <ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="1">
+  <ind:textfilecontent54_object id="obj_sshd_clientalivecountmax" version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
diff --git a/shared/oval/sshd_use_approved_ciphers.xml 
b/shared/oval/sshd_use_approved_ciphers.xml
index 04ef3e2..dd33785 100644
--- a/shared/oval/sshd_use_approved_ciphers.xml
+++ b/shared/oval/sshd_use_approved_ciphers.xml
@@ -8,7 +8,7 @@
        </affected>
        <description>Limit the ciphers to those which are FIPS-approved and only
        use ciphers in counter (CTR) mode.</description>
-      <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140414" ref_url="test_attestation" />
      </metadata>
      <criteria comment="SSH is not being used or conditions are met"
      operator="OR">
@@ -23,9 +23,9 @@
    id="test_sshd_use_approved_ciphers" version="1">
      <ind:object object_ref="obj_sshd_use_approved_ciphers" />
    </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers" version="1">
+  <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers" version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)Ciphers(?-i)[\s]+aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)Ciphers(?-i)[\s]+aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
-- 1.8.3.1

Applied & tested on RHEL6.

Ack

