On 7/29/14, 8:43 PM, Gabe wrote:
- fix false positive for PermitRootLogin check in sshd_config

Signed-off-by: Gabe <[email protected]>
---
  shared/oval/sshd_disable_root_login.xml | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/shared/oval/sshd_disable_root_login.xml 
b/shared/oval/sshd_disable_root_login.xml
index 73c4906..6f8cede 100644
--- a/shared/oval/sshd_disable_root_login.xml
+++ b/shared/oval/sshd_disable_root_login.xml
@@ -15,7 +15,7 @@
        <extend_definition comment="sshd service is disabled"
        definition_ref="service_sshd_disabled" />
        <criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config"
-      test_ref="test_sshd_permitrootlogin_no" />
+      negate="true" test_ref="test_sshd_permitrootlogin_no" />
      </criteria>
    </definition>
    <ind:textfilecontent54_test check="all" check_existence="none_exist"
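Review bot: negate="true" on the criterion, combined with check_existence="none_exist" on the test that starts on the next line, is a double negative ("not (no 'PermitRootLogin no' line exists)"); expressing the intent directly with check_existence="at_least_one_exists" on the test and no negate on the criterion would be easier for the next editor to read and harder to get wrong. The resulting logic is correct either way: the rule now fails when the directive is absent (sshd defaults it to yes) as well as when it is explicitly yes, which is what closes the false positive.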
@@ -25,7 +25,7 @@
    </ind:textfilecontent54_test>
    <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-    <ind:pattern operation="pattern 
match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
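Review bot: the new pattern keeps the ^[\s]* anchor, so commented-out lines such as "#PermitRootLogin no" are correctly not counted, but a "PermitRootLogin no" placed inside a Match block would satisfy it too even though it only applies to that block, so a global "PermitRootLogin yes" above it would still pass; worth a note in the rule description if not handled. Style point on the tail of the regex: (?:|(?:#.*))? contains a redundant empty alternative and can be simplified to (?:#.*)? with no change in what it accepts. The object id obj_sshd_permitrootlogin_no now describes what the pattern actually looks for, which it did not before.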
-- 2.0.0

The default for PermitRootLogin is yes [1], so this should fail if:
- PermitRootLogin is left unconfigured
- PermitRootLogin is set to yes

The existing rule had a failure only if "PermitRootLogin yes"... changing it to scan for "PermitRootLogin no," with your negate statement, is a much cleaner way to ensure proper checking.

Ack.


[1] http://rc.quest.com/man.php?id=sshd_config(5)
-- 
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
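To make the false positive concrete, here is an added example (not part of the patch or of SCAP Security Guide) that applies the two OVAL patterns from the diff, copied verbatim, to constructed sshd_config fragments and evaluates the rule the way the old and the new definition would. It assumes Go's regexp package, which accepts the (?i)/(?-i) flag groups as written; the sshd_config contents are made up for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns copied from the OVAL object: the pre-patch one looks for an
// explicit "yes", the post-patch one looks for an explicit "no".
var (
	yesLine = regexp.MustCompile(`^[\s]*(?i)PermitRootLogin(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$`)
	noLine  = regexp.MustCompile(`^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$`)
)

// anyLineMatches mimics a textfilecontent54 object: the pattern is applied
// line by line and we only care whether at least one line matches.
func anyLineMatches(re *regexp.Regexp, config string) bool {
	for _, line := range strings.Split(config, "\n") {
		if re.MatchString(line) {
			return true
		}
	}
	return false
}

// OldRulePasses: check_existence="none_exist" on the "yes" pattern, no negate.
// It passes whenever no "PermitRootLogin yes" line exists, including when the
// directive is absent and sshd falls back to its default of yes.
func OldRulePasses(config string) bool {
	return !anyLineMatches(yesLine, config)
}

// NewRulePasses: check_existence="none_exist" on the "no" pattern, then
// negate="true" on the criterion, i.e. pass only if an active
// "PermitRootLogin no" line is present.
func NewRulePasses(config string) bool {
	noneExist := !anyLineMatches(noLine, config)
	return !noneExist
}

func main() {
	// Constructed sshd_config fragments, one per case the reply discusses.
	cases := map[string]string{
		"unconfigured": "Port 22\n#PermitRootLogin yes\n",
		"explicit yes": "Port 22\nPermitRootLogin yes\n",
		"explicit no":  "Port 22\n  permitrootlogin no  # hardened\n",
	}
	for name, cfg := range cases {
		fmt.Printf("%-13s old=%v new=%v\n", name, OldRulePasses(cfg), NewRulePasses(cfg))
	}
}
```

The "unconfigured" case is the false positive: the old rule passes it because no "yes" line is present, while the new rule fails it because no "no" line is present.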
