Hi Shawn,

At least on RHEL6.5 if I run the scap scan (using oscap) with the scap-security-guide without configuring sshd_config at all, the scan tells me that I pass the 'Disable Host-Based Authentication' when in fact it is not configured. Same thing goes for the other ignoring rhosts, and disabling root login checks.
Thanks, Gabe On Fri, Aug 1, 2014 at 2:10 PM, Shawn Wells <[email protected]> wrote: > > On 7/29/14, 8:43 PM, Gabe wrote: > >> - fix false positive for SSH host-based authentication check in >> sshd_config >> >> Signed-off-by: Gabe <[email protected]> >> --- >> shared/oval/disable_host_auth.xml | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/shared/oval/disable_host_auth.xml >> b/shared/oval/disable_host_auth.xml >> index 6f4eb9d..de51fd7 100644 >> --- a/shared/oval/disable_host_auth.xml >> +++ b/shared/oval/disable_host_auth.xml >> @@ -14,7 +14,7 @@ >> <extend_definition comment="sshd service is disabled" >> definition_ref="service_sshd_disabled" /> >> <criterion comment="Check HostbasedAuthentication in >> /etc/ssh/sshd_config" >> - test_ref="test_sshd_hostbasedauthentication" /> >> + negate="true" test_ref="test_sshd_hostbasedauthentication" /> >> </criteria> >> </definition> >> <ind:textfilecontent54_test check="all" check_existence="none_exist" 
>> @@ -24,7 +24,7 @@ >> </ind:textfilecontent54_test> >> <ind:textfilecontent54_object id="object_sshd_hostbasedauthentication" >> version="2"> >> <ind:filepath>/etc/ssh/sshd_config</ind:filepath> >> - <ind:pattern operation="pattern match">^[\s]*(?i) >> HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern> >> + <ind:pattern operation="pattern match">^[\s]*(?i) >> HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> >> <ind:instance datatype="int">1</ind:instance> >> </ind:textfilecontent54_object> >> </def-group> >> > > The negate properly will fail you if HostbasedAuthentication != no, but > I'm not getting the false positive. Can you share how to reproduce? > > this passes as expected: > $ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config > HostbasedAuthentication no > $ sudo ./testcheck.py disable_host_auth.xml > Evaluating with OVAL tempfile : /tmp/disable_host_authaoRDFL.xml > Writing results to : /tmp/disable_host_authaoRDFL.xml-results > Definition oval:scap-security-guide.testing:def:103: false > Definition oval:scap-security-guide.testing:def:101: false > Definition oval:scap-security-guide.testing:def:100: true > Evaluation done. > > fails as expected: > $ sudo sed -i 's/HostbasedAuthentication no/HostbasedAuthentication yes/g' > /etc/ssh/sshd_config > $ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config > HostbasedAuthentication yes > $ sudo ./testcheck.py disable_host_auth.xml > Evaluating with OVAL tempfile : /tmp/disable_host_auth2Vo5qy.xml > Writing results to : /tmp/disable_host_auth2Vo5qy.xml-results > Definition oval:scap-security-guide.testing:def:103: false > Definition oval:scap-security-guide.testing:def:101: false > Definition oval:scap-security-guide.testing:def:100: false > Evaluation done. > > > > -- > SCAP Security Guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > https://github.com/OpenSCAP/scap-security-guide/
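Review bot: In the first hunk (@@ -14,7 +14,7 @@), negate="true" on the criterion stacks a second negation on top of the test's check_existence="none_exist", so the criterion now reads as "not (no matching line exists)", which is hard to audit. Consider dropping negate and setting the test to check_existence="at_least_one_exists" instead. The criterion comment "Check HostbasedAuthentication in /etc/ssh/sshd_config" should also say that an explicit "HostbasedAuthentication no" line is now required.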
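Review bot: In the second hunk (@@ -24,7 +24,7 @@), changing the pattern from yes to no means the object no longer matches a "HostbasedAuthentication yes" line at all, so a file that contains both a yes line and a no line would satisfy the check. sshd uses the first value it obtains for a keyword, so the yes line can be the effective setting. Consider keeping the original yes pattern with none_exist as one test and adding a second test that requires the explicit no line, rather than replacing one with the other.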
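Added example, not part of the thread or of scap-security-guide: a simplified Python model of the HostbasedAuthentication criterion before and after the patch, evaluated over constructed sshd_config contents. It assumes check_existence="none_exist" means "no line matches the pattern", ignores the sshd-service criterion and the instance entity, and all function and sample names are hypothetical.

```python
import re

# Patterns from the patch; the inline (?i)...(?-i) toggle is written as
# Python's scoped (?i:...) group. re.M makes ^ and $ match per line.
TAIL = r"[\s]*(?:|(?:#.*))?$"
PAT_YES = re.compile(r"^[\s]*(?i:HostbasedAuthentication)[\s]+yes" + TAIL, re.M)
PAT_NO = re.compile(r"^[\s]*(?i:HostbasedAuthentication)[\s]+no" + TAIL, re.M)


def none_exist(pattern, text):
    """Model of check_existence="none_exist": true only if no line matches."""
    return pattern.search(text) is None


def original_check(text):
    """Before the patch: pass when no 'yes' line exists."""
    return none_exist(PAT_YES, text)


def patched_check(text):
    """After the patch: negate="true" over a none_exist test on the 'no' pattern."""
    return not none_exist(PAT_NO, text)


# Constructed sshd_config contents (not taken from a real host).
SAMPLES = {
    "unconfigured": "#HostbasedAuthentication no\n#IgnoreRhosts yes\n",
    "explicit no": "HostbasedAuthentication no\n",
    "explicit yes": "HostbasedAuthentication yes\n",
    # sshd uses the first value obtained for a keyword, so 'yes' is effective here.
    "yes then no": "HostbasedAuthentication yes\nHostbasedAuthentication no\n",
}


def evaluate_all():
    """Return {sample name: (original result, patched result)}."""
    return {name: (original_check(t), patched_check(t)) for name, t in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, new) in evaluate_all().items():
        print(f"{name:13} original={'pass' if orig else 'fail'} "
              f"patched={'pass' if new else 'fail'}")
```

The "unconfigured" row corresponds to the case reported at the top of the thread, and the "yes then no" row shows a file that only the original pattern flags.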
