Got it. So if the default behavior is disabled, then the scan passes. Ignore this patch and the disable_rhosts patch then.
On Tue, Aug 5, 2014 at 12:27 PM, Shawn Wells <[email protected]> wrote: > > On 8/5/14, 9:35 AM, Gabe Alford wrote: > > Hi Shawn, > > At least on RHEL6.5 if I run the scap scan (using oscap) with the > scap-security-guide without configuring sshd_config at all, the scan tells > me that I pass the 'Disable Host-Based Authentication' when in fact it is > not configured. Same thing goes for the other ignoring rhosts, and > disabling root login checks. > > Thanks, > > Gabe > > > Ah, yes, this is expected. The default for HostbasedAuthentication is > disabled, so the absence of explicit "HostbasedAuthentication no" is still > a pass. > > Ref manpage @ http://rc.quest.com/man.php?id=sshd_config(5) (do a find on > "HostbasedAuthentication") > > > > > > On Fri, Aug 1, 2014 at 2:10 PM, Shawn Wells <[email protected]> wrote: > >> >> On 7/29/14, 8:43 PM, Gabe wrote: >> >>> - fix false positive for SSH host-based authentication check in >>> sshd_config >>> >>> Signed-off-by: Gabe <[email protected]> >>> --- >>> shared/oval/disable_host_auth.xml | 4 ++-- >>> 1 file changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/shared/oval/disable_host_auth.xml >>> b/shared/oval/disable_host_auth.xml >>> index 6f4eb9d..de51fd7 100644 >>> --- a/shared/oval/disable_host_auth.xml >>> +++ b/shared/oval/disable_host_auth.xml >>> @@ -14,7 +14,7 @@ >>> <extend_definition comment="sshd service is disabled" >>> definition_ref="service_sshd_disabled" /> >>> <criterion comment="Check HostbasedAuthentication in >>> /etc/ssh/sshd_config" >>> - test_ref="test_sshd_hostbasedauthentication" /> >>> + negate="true" test_ref="test_sshd_hostbasedauthentication" /> >>> </criteria> >>> </definition> >>> <ind:textfilecontent54_test check="all" check_existence="none_exist" 
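Review bot: the `negate="true"` added on the `<criterion>` line wraps a test that still carries `check_existence="none_exist"`, so the criterion now reads as "it is not the case that no line matches", a double negative that is easy to misread; if the intent is to require a matching line, `check_existence="at_least_one_exists"` on the `<ind:textfilecontent54_test>` expresses that directly without the negate. Taken together with the pattern change in the following hunk, the negate also turns the rule from "fail only on an explicit yes" into "fail unless an explicit no is present", so an sshd_config that leaves HostbasedAuthentication unset (the case Shawn identifies above as a legitimate pass, since sshd's default is no) would start failing.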
>>> @@ -24,7 +24,7 @@ >>> </ind:textfilecontent54_test> >>> <ind:textfilecontent54_object >>> id="object_sshd_hostbasedauthentication" version="2"> >>> <ind:filepath>/etc/ssh/sshd_config</ind:filepath> >>> - <ind:pattern operation="pattern >>> match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern> >>> + <ind:pattern operation="pattern >>> match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> >>> <ind:instance datatype="int">1</ind:instance> >>> </ind:textfilecontent54_object> >>> </def-group> >>> >> >> The negate properly will fail you if HostbasedAuthentication != no, but >> I'm not getting the false positive. Can you share how to reproduce? >> >> this passes as expected: >> $ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config >> HostbasedAuthentication no >> $ sudo ./testcheck.py disable_host_auth.xml >> Evaluating with OVAL tempfile : /tmp/disable_host_authaoRDFL.xml >> Writing results to : /tmp/disable_host_authaoRDFL.xml-results >> Definition oval:scap-security-guide.testing:def:103: false >> Definition oval:scap-security-guide.testing:def:101: false >> Definition oval:scap-security-guide.testing:def:100: true >> Evaluation done. >> >> fails as expected: >> $ sudo sed -i 's/HostbasedAuthentication no/HostbasedAuthentication >> yes/g' /etc/ssh/sshd_config >> $ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config >> HostbasedAuthentication yes >> $ sudo ./testcheck.py disable_host_auth.xml >> Evaluating with OVAL tempfile : /tmp/disable_host_auth2Vo5qy.xml >> Writing results to : /tmp/disable_host_auth2Vo5qy.xml-results >> Definition oval:scap-security-guide.testing:def:103: false >> Definition oval:scap-security-guide.testing:def:101: false >> Definition oval:scap-security-guide.testing:def:100: false >> Evaluation done. 
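Review bot: swapping `yes` for `no` on the `<ind:pattern>` line changes what the rule asserts rather than fixing a false positive: the original pattern with none_exist flags only an explicit `HostbasedAuthentication yes`, whereas the new pattern, once negated by the first hunk, requires an explicit `HostbasedAuthentication no` and fails a config that relies on the compiled-in default, which is exactly the configuration Shawn shows passing as expected. If the project wants to mandate an explicit setting, that is a policy change that belongs in the rule's description and remediation text; otherwise the original `yes` pattern with none_exist already expresses the intended check. Note also that the pattern is anchored at the first non-whitespace character, so a commented-out `#HostbasedAuthentication no` matches neither variant, which is why the default-only config is where the two versions diverge.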
>> --
>> SCAP Security Guide mailing list
>> [email protected]
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>> https://github.com/OpenSCAP/scap-security-guide/
>
> --
> Shawn Wells
> Director, Innovation
> [email protected] | 443.534.0130
> @shawndwells
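As an added illustration, not code from this thread or from the scap-security-guide project, the following Python script models the two criterion variants discussed above on a few constructed sshd_config fragments. The OVAL textfilecontent54 semantics (match count, check_existence, negate) are approximated rather than taken from the OVAL specification, the `(?i)...(?-i)` flag toggles of the original pattern are rewritten as a Python scoped group, and `effective_value` is an assumed helper that mimics sshd's first-occurrence-wins rule with the documented default of `no`.

```python
import re

# The thread's OVAL pattern, rewritten for Python's re module: the original
# uses (?i)...(?-i) mid-pattern, which Python rejects, so the case-insensitive
# keyword is expressed as a scoped group instead. Anchored at the first
# non-whitespace character, so a commented-out directive never matches.
def directive_pattern(value: str) -> re.Pattern:
    return re.compile(
        r"^\s*(?i:HostbasedAuthentication)\s+" + re.escape(value) + r"\s*(?:|(?:#.*))?$",
        re.MULTILINE,
    )


def oval_criterion(text: str, pattern: re.Pattern, check_existence: str, negate: bool) -> bool:
    """Approximation (assumption, not the OVAL spec) of a textfilecontent54_test
    wrapped in a criterion: check_existence derives the test result from the
    number of matching lines, and negate flips the criterion result."""
    count = len(pattern.findall(text))
    if check_existence == "none_exist":
        result = count == 0
    elif check_existence == "at_least_one_exists":
        result = count >= 1
    else:
        raise ValueError(f"unsupported check_existence: {check_existence}")
    return (not result) if negate else result


def original_check(text: str) -> bool:
    """Before the patch: pass unless an explicit 'HostbasedAuthentication yes' exists."""
    return oval_criterion(text, directive_pattern("yes"), "none_exist", negate=False)


def patched_check(text: str) -> bool:
    """After the patch: negated none_exist against 'no', i.e. pass only if an
    explicit 'HostbasedAuthentication no' exists."""
    return oval_criterion(text, directive_pattern("no"), "none_exist", negate=True)


def effective_value(text: str, keyword: str, default: str) -> str:
    """Assumed helper mimicking sshd: the first occurrence of a keyword wins and
    a missing keyword takes the compiled-in default (for HostbasedAuthentication
    that default is 'no', as sshd_config(5) documents). Simplified: ignores the
    'Keyword=value' spelling and Match blocks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return default


# Constructed sample configs covering the cases discussed in the thread.
CONFIGS = {
    "explicit_no": "Port 22\nHostbasedAuthentication no\n",
    "explicit_yes": "Port 22\nHostbasedAuthentication yes\n",
    "default_commented": "Port 22\n#HostbasedAuthentication no\n",
    "trailing_comment": "hostbasedauthentication no # hardened\n",
}


def compare() -> dict:
    """Return {name: (original_result, patched_result)} for every sample config.
    The two variants agree except for 'default_commented', where the original
    passes (sshd defaults to no) and the patched check fails."""
    return {name: (original_check(t), patched_check(t)) for name, t in CONFIGS.items()}


def default_aware_check(text: str) -> bool:
    """What the rule is actually trying to assert: the value sshd will use is 'no'."""
    return effective_value(text, "HostbasedAuthentication", "no") == "no"


if __name__ == "__main__":
    for name, (orig, patched) in compare().items():
        print(f"{name:18} original={orig!s:5} patched={patched!s:5} "
              f"effective={default_aware_check(CONFIGS[name])}")
```

Running the script shows the only divergence is the config that leaves the directive at its default, which the original criterion and the default-aware check both accept and the patched criterion rejects.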
