On 7/29/14, 8:43 PM, Gabe wrote:
- fix false positive for SSH host-based authentication check in sshd_config

Signed-off-by: Gabe <[email protected]>
---
  shared/oval/disable_host_auth.xml | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/oval/disable_host_auth.xml 
b/shared/oval/disable_host_auth.xml
index 6f4eb9d..de51fd7 100644
--- a/shared/oval/disable_host_auth.xml
+++ b/shared/oval/disable_host_auth.xml
@@ -14,7 +14,7 @@
        <extend_definition comment="sshd service is disabled"
        definition_ref="service_sshd_disabled" />
        <criterion comment="Check HostbasedAuthentication in 
/etc/ssh/sshd_config"
-      test_ref="test_sshd_hostbasedauthentication" />
+      negate="true" test_ref="test_sshd_hostbasedauthentication" />
      </criteria>
    </definition>
    <ind:textfilecontent54_test check="all" check_existence="none_exist"
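Review bot: The negate="true" added to the criterion stacks on the check_existence="none_exist" of the test visible in the trailing context, so the criterion becomes a double negative that is true only when a matching line is present in /etc/ssh/sshd_config. A file that never sets HostbasedAuthentication, or has it only in a commented-out line, now evaluates this criterion to false. If that is intended, state it in the commit message, which names a false positive without describing the configuration that triggers it. Otherwise keep the criterion un-negated and change the existence check on the test instead.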
@@ -24,7 +24,7 @@
    </ind:textfilecontent54_test>
    <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" 
version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
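Review bot: The replacement ind:pattern matches only a line whose value is "no", so any "yes" line in the same file is never examined by this object. A sshd_config that carries both a HostbasedAuthentication yes line and a HostbasedAuthentication no line still produces a match and, with the negated criterion from the first hunk, still passes. Consider matching the keyword with any value, capturing the value as a subexpression, and comparing it against "no" in a state so that conflicting lines are caught.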

The negate properly will fail you if HostbasedAuthentication != no, but I'm not getting the false positive. Can you share how to reproduce?

this passes as expected:
$ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
HostbasedAuthentication no
$ sudo ./testcheck.py disable_host_auth.xml
Evaluating with OVAL tempfile : /tmp/disable_host_authaoRDFL.xml
Writing results to : /tmp/disable_host_authaoRDFL.xml-results
Definition oval:scap-security-guide.testing:def:103: false
Definition oval:scap-security-guide.testing:def:101: false
Definition oval:scap-security-guide.testing:def:100: true
Evaluation done.

fails as expected:
$ sudo sed -i 's/HostbasedAuthentication no/HostbasedAuthentication yes/g' /etc/ssh/sshd_config
$ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
HostbasedAuthentication yes
$ sudo ./testcheck.py disable_host_auth.xml
Evaluating with OVAL tempfile : /tmp/disable_host_auth2Vo5qy.xml
Writing results to : /tmp/disable_host_auth2Vo5qy.xml-results
Definition oval:scap-security-guide.testing:def:103: false
Definition oval:scap-security-guide.testing:def:101: false
Definition oval:scap-security-guide.testing:def:100: false
Evaluation done.



--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
