On 7/29/14, 8:43 PM, Gabe wrote:
- fix false positive for IgnoreRhosts check in sshd_config

Signed-off-by: Gabe <[email protected]>
---
  shared/oval/sshd_disable_rhosts.xml | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/oval/sshd_disable_rhosts.xml 
b/shared/oval/sshd_disable_rhosts.xml
index cb59a1f..5d3eeb1 100644
--- a/shared/oval/sshd_disable_rhosts.xml
+++ b/shared/oval/sshd_disable_rhosts.xml
@@ -15,7 +15,7 @@
        <extend_definition comment="sshd service is disabled"
        definition_ref="service_sshd_disabled" />
        <criterion comment="Check IgnoreRhosts in /etc/ssh/sshd_config"
-      test_ref="test_sshd_rsh_emulation_disabled" />
+      negate="true" test_ref="test_sshd_rsh_emulation_disabled" />
      </criteria>
    </definition>
    <ind:textfilecontent54_test check="all" check_existence="none_exist"
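Review bot: The added `negate="true"` stacks on the `check_existence="none_exist"` of the test that begins on the hunk's last line, so the criterion is now true only when the object finds a matching line, and the unchanged comment `Check IgnoreRhosts in /etc/ssh/sshd_config` does not say so. A double negative in a compliance check is easy to misread in later maintenance. Consider stating the existence requirement directly on the test with `check_existence="at_least_one_exists"` and dropping `negate`, and have the comment name the expected setting, for example `comment="IgnoreRhosts is explicitly set to yes in /etc/ssh/sshd_config"`. The test element's remaining attributes lie outside the hunk, so confirm its `check` value still fits.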
@@ -26,7 +26,7 @@
    <ind:textfilecontent54_object id="obj_sshd_rsh_emulation_disabled"
    version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)IgnoreRhosts(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)IgnoreRhosts(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
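Review bot: Matching only `IgnoreRhosts yes` lets the check pass on a file that also contains an `IgnoreRhosts no` line, because the object collects just the lines that match the `yes` pattern and never sees the `no` form. sshd applies the first value it obtains for a keyword, so an earlier `no` would be the effective setting while the scan reports compliance. A separate `none_exist` test on the previous `no` pattern, kept alongside this one, would close that gap. The regex also requires whitespace before the value, so an `IgnoreRhosts=yes` spelling, which OpenSSH appears to accept, would not be recognised; this is worth confirming against the sshd_config parser.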

The default behavior is to ignore, so this should pass if "IgnoreRhosts yes" is not present.

