On 8/5/14, 9:35 AM, Gabe Alford wrote:
Hi Shawn,

At least on RHEL6.5 if I run the scap scan (using oscap) with the scap-security-guide without configuring sshd_config at all, the scan tells me that I pass the 'Disable Host-Based Authentication' when in fact it is not configured. Same thing goes for the other ignoring rhosts, and disabling root login checks.

Thanks,

Gabe

Ah, yes, this is expected. The default for HostbasedAuthentication is disabled, so the absence of explicit "HostbasedAuthentication no" is still a pass.

Ref manpage @ http://rc.quest.com/man.php?id=sshd_config(5) (do a find on "HostbasedAuthentication")

On Fri, Aug 1, 2014 at 2:10 PM, Shawn Wells <[email protected]> wrote:


    On 7/29/14, 8:43 PM, Gabe wrote:

        - fix false positive for SSH host-based authentication check
        in sshd_config

        Signed-off-by: Gabe <[email protected]>
        ---
          shared/oval/disable_host_auth.xml | 4 ++--
          1 file changed, 2 insertions(+), 2 deletions(-)

        diff --git a/shared/oval/disable_host_auth.xml
        b/shared/oval/disable_host_auth.xml
        index 6f4eb9d..de51fd7 100644
        --- a/shared/oval/disable_host_auth.xml
        +++ b/shared/oval/disable_host_auth.xml
        @@ -14,7 +14,7 @@
                <extend_definition comment="sshd service is disabled"
                definition_ref="service_sshd_disabled" />
                <criterion comment="Check HostbasedAuthentication in
        /etc/ssh/sshd_config"
        -      test_ref="test_sshd_hostbasedauthentication" />
        +      negate="true"
        test_ref="test_sshd_hostbasedauthentication" />
              </criteria>
            </definition>
            <ind:textfilecontent54_test check="all"
        check_existence="none_exist"
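Review bot: adding negate="true" to this criterion, combined with the pattern switch to "no" in the next hunk, makes the criterion true only when an explicit "HostbasedAuthentication no" line exists, so a stock sshd_config with the keyword absent (which sshd treats as "no") now fails the check. If requiring an explicit setting is the intent, say so in the commit message; otherwise the existing "yes" pattern with check_existence="none_exist" already passes on absence, and the fix should target whatever produced the reported false positive instead.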
        @@ -24,7 +24,7 @@
            </ind:textfilecontent54_test>
            <ind:textfilecontent54_object
        id="object_sshd_hostbasedauthentication" version="2">
              <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
        -    <ind:pattern operation="pattern
        
match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
        +    <ind:pattern operation="pattern
        
match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
              <ind:instance datatype="int">1</ind:instance>
            </ind:textfilecontent54_object>
          </def-group>
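Review bot: the new pattern carries the same redundant tail as the old one, `(?:|(?:#.*))?`, an optional group whose first alternative is empty; `(?:#.*)?` is equivalent and easier to read, so this is a good moment to simplify it. Also note the `<ind:pattern>` line has been wrapped across two lines in the mail, so anyone applying this from the list should confirm the regex is intact before committing.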


    The negate properly will fail you if HostbasedAuthentication !=
    no, but I'm not getting the false positive. Can you share how to
    reproduce?

    this passes as expected:
    $ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
    HostbasedAuthentication no
    $ sudo ./testcheck.py disable_host_auth.xml
    Evaluating with OVAL tempfile : /tmp/disable_host_authaoRDFL.xml
    Writing results to : /tmp/disable_host_authaoRDFL.xml-results
    Definition oval:scap-security-guide.testing:def:103: false
    Definition oval:scap-security-guide.testing:def:101: false
    Definition oval:scap-security-guide.testing:def:100: true
    Evaluation done.

    fails as expected:
    $ sudo sed -i 's/HostbasedAuthentication
    no/HostbasedAuthentication yes/g' /etc/ssh/sshd_config
    $ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
    HostbasedAuthentication yes
    $ sudo ./testcheck.py disable_host_auth.xml
    Evaluating with OVAL tempfile : /tmp/disable_host_auth2Vo5qy.xml
    Writing results to : /tmp/disable_host_auth2Vo5qy.xml-results
    Definition oval:scap-security-guide.testing:def:103: false
    Definition oval:scap-security-guide.testing:def:101: false
    Definition oval:scap-security-guide.testing:def:100: false
    Evaluation done.



-- SCAP Security Guide mailing list
    [email protected]
    https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
    https://github.com/OpenSCAP/scap-security-guide/


--
Shawn Wells
Director, Innovation Programs
[email protected] | 443.534.0130
@shawndwells
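The OVAL semantics the two of them are arguing over (check_existence="none_exist", the added negate="true", and sshd's compiled-in default of "no") can be emulated in a few lines. The following Python is an added example, not code from this thread or from scap-security-guide: it translates the patch's two patterns into Python's re syntax (Python has no bare `(?i)`/`(?-i)` toggles, so the scoped `(?i:...)` form is used), runs the pre-patch and post-patch criterion over constructed sshd_config snippets, and shows beside each what sshd itself would apply.

```python
import re

# sshd's compiled-in default per sshd_config(5): HostbasedAuthentication is "no".
SSHD_DEFAULT_HOSTBASED_AUTH = "no"

# Translations of the patch's OVAL patterns into Python's re dialect (assumption:
# equivalent matching; the original uses PCRE-style (?i)...(?-i) toggles and the
# redundant tail (?:|(?:#.*))?, which equals (?:#.*)?).
PATTERN_YES = re.compile(r"^\s*(?i:HostbasedAuthentication)\s+yes\s*(?:#.*)?$", re.M)
PATTERN_NO = re.compile(r"^\s*(?i:HostbasedAuthentication)\s+no\s*(?:#.*)?$", re.M)


def textfilecontent_none_exist(config_text, pattern):
    """Emulate an OVAL textfilecontent54_test with check_existence="none_exist":
    the test is true exactly when the pattern matches no line of the file."""
    return pattern.search(config_text) is None


def criterion_result(config_text, pattern, negate):
    """An OVAL <criterion> is the test result, inverted when negate="true"."""
    result = textfilecontent_none_exist(config_text, pattern)
    return (not result) if negate else result


def old_check(config_text):
    """Pre-patch criterion: no negate, pattern matches '... yes'."""
    return criterion_result(config_text, PATTERN_YES, negate=False)


def new_check(config_text):
    """Post-patch criterion: negate="true", pattern matches '... no'."""
    return criterion_result(config_text, PATTERN_NO, negate=True)


def effective_sshd_setting(config_text):
    """What sshd actually applies: the first uncommented keyword line wins,
    otherwise the compiled-in default. (Simplified: ignores Match blocks.)"""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hostbasedauthentication":
            return parts[1].strip().lower()
    return SSHD_DEFAULT_HOSTBASED_AUTH


# Constructed sshd_config fragments covering the cases raised in the thread.
SAMPLES = {
    "absent": "# constructed: keyword not set at all\nPermitRootLogin no\n",
    "explicit_no": "HostbasedAuthentication no\n",
    "explicit_yes": "HostbasedAuthentication yes\n",
    "commented_yes": "#HostbasedAuthentication yes\n",
    "mixed_case_no": "hostbasedauthentication no\n",
}


def compare(config_text):
    """Return sshd's effective value next to the old and new OVAL verdicts."""
    return {
        "effective": effective_sshd_setting(config_text),
        "old_pass": old_check(config_text),
        "new_pass": new_check(config_text),
    }


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14s} {compare(text)}")
```

The "absent" row is the crux: sshd applies "no", the pre-patch criterion passes (no "yes" line exists), and the post-patch criterion fails because it now demands an explicit "no" line.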
