Thanks. Patch has been committed. Commit e354b3c45c87bffa250e32838d6632bacce9b423 <https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=e354b3c45c87bffa250e32838d6632bacce9b423>
On Tue, Aug 5, 2014 at 12:32 PM, Shawn Wells <[email protected]> wrote: > > On 7/29/14, 8:43 PM, Gabe wrote: > > - fix false positive for PermitRootLogin check in sshd_config > > Signed-off-by: Gabe <[email protected]> <[email protected]> > --- > shared/oval/sshd_disable_root_login.xml | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/shared/oval/sshd_disable_root_login.xml > b/shared/oval/sshd_disable_root_login.xml > index 73c4906..6f8cede 100644 > --- a/shared/oval/sshd_disable_root_login.xml > +++ b/shared/oval/sshd_disable_root_login.xml > @@ -15,7 +15,7 @@ > <extend_definition comment="sshd service is disabled" > definition_ref="service_sshd_disabled" /> > <criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config" > - test_ref="test_sshd_permitrootlogin_no" /> > + negate="true" test_ref="test_sshd_permitrootlogin_no" /> > </criteria> > </definition> > <ind:textfilecontent54_test check="all" check_existence="none_exist" 
> @@ -25,7 +25,7 @@ > </ind:textfilecontent54_test> > <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="2"> > <ind:filepath>/etc/ssh/sshd_config</ind:filepath> > - <ind:pattern operation="pattern > match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern> > + <ind:pattern operation="pattern > match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> > <ind:instance datatype="int">1</ind:instance> > </ind:textfilecontent54_object> > </def-group> > -- > 2.0.0 > > > The default for PermitRootLogin is yes [1], so this should fail if: > - PermitRootLogin is left unconfigured > - PermitRootLogin is set to yes > > The existing rule had a failure only if "PermitRootLogin yes".... changing > it to scan for "PermitRootLogin no," with your negate statement, is a much > cleaner way to ensure proper checking. > > Ack. > > > [1] http://rc.quest.com/man.php?id=sshd_config(5) > > -- > SCAP Security Guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > https://github.com/OpenSCAP/scap-security-guide/ >
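Review bot: In the first hunk, the new `negate="true"` sits on a criterion whose test is declared `check_existence="none_exist"`, which is a double negative (the criterion is now true when it is not the case that no line matches), and the comment `Check PermitRootLogin in /etc/ssh/sshd_config` no longer says which outcome is expected. The same result is expressed directly by leaving the criterion un-negated, changing the test to `check_existence="at_least_one_exists"`, and rewording the comment to state that `PermitRootLogin` must be set to `no`.

Review bot: In the second hunk, the `no` pattern combined with `<ind:instance datatype="int">1</ind:instance>` is satisfied by any line that sets `PermitRootLogin no`, but sshd honours the first occurrence of a keyword and treats lines after a `Match` directive as conditional, so a file containing `PermitRootLogin yes` followed by `PermitRootLogin no`, or a `PermitRootLogin no` only inside a `Match` block, passes this check while the global setting stays `yes`. The patch closes the unconfigured/default case the reply describes, but the removed `yes` pattern is still useful: keep a `none_exist` test over it as a second criterion so that both conditions have to hold. Also note that `(?-i)` makes the value match case-sensitive, so a mixed-case value such as `PermitRootLogin No` is reported as non-compliant even if the server accepts it; that errs on the safe side, but it is worth a comment in the object.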
-- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
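To make the difference between the old and new rule concrete, here is an added Python script (not part of the SSG repository or of this thread) that applies both regexes from the patch to a few constructed sshd_config fragments and compares the verdicts with the value sshd would actually use. It assumes the pre-OpenSSH-7.0 default of `PermitRootLogin yes` that the reply cites, models only single-token values with no trailing same-line comments, and rewrites the two OVAL patterns in Python's scoped inline-flag syntax (`(?i:...)` instead of `(?i)...(?-i)`) because Python's `re` module does not accept the original form.

```python
"""Simulate the PermitRootLogin OVAL check before and after the patch.

Added example, not SSG code. The regexes are the ones from the patch, rewritten
for Python's re module ((?i:...) instead of (?i)...(?-i)); the match semantics
are otherwise unchanged.
"""
import re

# Removed ("yes") and added ("no") object patterns from the patch, in Python syntax.
# OVAL textfilecontent54 matches line by line, so we apply them per line.
OLD_PATTERN = re.compile(r"^[\s]*(?i:PermitRootLogin)[\s]+yes[\s]*(?:|(?:#.*))?$")
NEW_PATTERN = re.compile(r"^[\s]*(?i:PermitRootLogin)[\s]+no[\s]*(?:|(?:#.*))?$")

# Default assumed by the thread (OpenSSH of that era). OpenSSH 7.0 and later
# default to prohibit-password; change this constant to model a newer server.
DEFAULT_PERMIT_ROOT_LOGIN = "yes"


def old_check_passes(config_text):
    """Pre-patch rule: check_existence="none_exist" over the 'yes' pattern,
    i.e. compliant iff no line says 'PermitRootLogin yes'."""
    return not any(OLD_PATTERN.match(line) for line in config_text.splitlines())


def new_check_passes(config_text):
    """Post-patch rule: the same none_exist test over the 'no' pattern with the
    criterion negated, i.e. compliant iff at least one line says 'PermitRootLogin no'."""
    return any(NEW_PATTERN.match(line) for line in config_text.splitlines())


def effective_permit_root_login(config_text):
    """Approximate sshd's own reading of the global setting: blank and comment
    lines are skipped, keywords are case-insensitive, the first occurrence wins,
    and the global section ends at the first 'Match' line.
    Assumption: values are a single token with no trailing comment."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        keyword = tokens[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(tokens) > 1:
            return tokens[1].lower()
    return DEFAULT_PERMIT_ROOT_LOGIN


def evaluate(config_text):
    """Return what each version of the rule reports next to the effective value."""
    effective = effective_permit_root_login(config_text)
    return {
        "old_rule": old_check_passes(config_text),
        "new_rule": new_check_passes(config_text),
        "effective": effective,
        "truly_compliant": effective == "no",
    }


# Constructed sshd_config fragments (not taken from any real host).
SAMPLES = {
    "unset": "Port 22\n#PermitRootLogin yes\n",
    "explicit_yes": "Port 22\nPermitRootLogin yes\n",
    "explicit_no": "Port 22\nPermitRootLogin no\n",
    "yes_then_no": "PermitRootLogin yes\nPermitRootLogin no\n",
    "only_in_match": "Port 22\nMatch User backup\n    PermitRootLogin no\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = evaluate(text)
        print(f"{name:14} old={r['old_rule']!s:5} new={r['new_rule']!s:5} "
              f"effective={r['effective']:4} compliant={r['truly_compliant']}")
```

The `unset` sample is the false positive the commit message refers to: the old rule passes it, the new rule fails it. The `yes_then_no` and `only_in_match` samples show what the negated "no" test alone still misses, which is why keeping the old "yes" object as a second, un-negated `none_exist` criterion is worth considering.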
