|
|
0950b5 |
From 939d1cfd84b980e3a96dd1d82dfddcabf4b2a34a Mon Sep 17 00:00:00 2001
|
|
|
0950b5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0950b5 |
Date: Fri, 8 Dec 2017 15:14:26 +0100
|
|
|
0950b5 |
Subject: [PATCH 1/6] Drop check of package in sshd_required definitions
|
|
|
0950b5 |
|
|
|
0950b5 |
This is not the best place to check if openssh-server is installed.
|
|
|
0950b5 |
|
|
|
0950b5 |
We can check for openssh-server package when sshd is required and not
|
|
|
0950b5 |
required.
|
|
|
0950b5 |
But when sshd_required is not set, we don't check if openssh-server is
|
|
|
0950b5 |
installed or not, because both are valid states.
|
|
|
0950b5 |
|
|
|
0950b5 |
This gives the impression that when extending sshd_required_or_unset
|
|
|
0950b5 |
and sshd_not_required_or_unset there is no need to check for
|
|
|
0950b5 |
openssh-server package, which is not true.
|
|
|
0950b5 |
|
|
|
0950b5 |
The only purpose of these definitions should be to check for state of
|
|
|
0950b5 |
sshd_required value.
|
|
|
0950b5 |
---
|
|
|
0950b5 |
shared/checks/oval/sshd_not_required_or_unset.xml | 6 +-----
|
|
|
0950b5 |
shared/checks/oval/sshd_required_or_unset.xml | 6 +-----
|
|
|
0950b5 |
2 files changed, 2 insertions(+), 10 deletions(-)
|
|
|
0950b5 |
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_not_required_or_unset.xml b/shared/checks/oval/sshd_not_required_or_unset.xml
|
|
|
0950b5 |
index 76bf1b9b4..206b1b474 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_not_required_or_unset.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_not_required_or_unset.xml
|
|
|
0950b5 |
@@ -9,11 +9,7 @@
|
|
|
0950b5 |
<description>If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
<criteria comment="SSH not required or not set" operator="OR">
|
|
|
0950b5 |
- <criteria comment="SSH is not required and not installed" operator="AND">
|
|
|
0950b5 |
- <criterion test_ref="test_sshd_not_required" />
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
- </criteria>
|
|
|
0950b5 |
+ <criterion test_ref="test_sshd_not_required" />
|
|
|
0950b5 |
|
|
|
0950b5 |
definition_ref="sshd_requirement_unset" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_required_or_unset.xml b/shared/checks/oval/sshd_required_or_unset.xml
|
|
|
0950b5 |
index 04d6a687b..4518b181f 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_required_or_unset.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_required_or_unset.xml
|
|
|
0950b5 |
@@ -9,11 +9,7 @@
|
|
|
0950b5 |
<description>If SSHD is required, we check it is installed. If SSH requirement is unset, we are good.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
<criteria comment="SSH required or not set" operator="OR">
|
|
|
0950b5 |
- <criteria comment="SSH is required and installed" operator="AND">
|
|
|
0950b5 |
- <criterion test_ref="test_sshd_required" />
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
- </criteria>
|
|
|
0950b5 |
+ <criterion test_ref="test_sshd_required" />
|
|
|
0950b5 |
|
|
|
0950b5 |
definition_ref="sshd_requirement_unset" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
|
|
|
0950b5 |
From 0b02493e535e9b529af9eb71bf97f5b02d04c89e Mon Sep 17 00:00:00 2001
|
|
|
0950b5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0950b5 |
Date: Wed, 13 Dec 2017 18:09:47 +0100
|
|
|
0950b5 |
Subject: [PATCH 2/6] Also check state openssh-server package when
|
|
|
0950b5 |
sshd_required is unset
|
|
|
0950b5 |
|
|
|
0950b5 |
Explicitly check state of openssh-server package.
|
|
|
0950b5 |
When openssh-server is installed, system should be configured, when not
|
|
|
0950b5 |
installed, system is ok.
|
|
|
0950b5 |
When sshd_required is set, either to required or not required, they act
|
|
|
0950b5 |
as selector of openssh-server package state. If sshd_required is unset,
|
|
|
0950b5 |
the state of openssh-server package selects whether system should be
|
|
|
0950b5 |
configured or not.
|
|
|
0950b5 |
---
|
|
|
0950b5 |
rhel7/checks/oval/sshd_disable_compression.xml | 14 ++++++++++----
|
|
|
0950b5 |
rhel7/checks/oval/sshd_disable_gssapi_auth.xml | 14 ++++++++++----
|
|
|
0950b5 |
rhel7/checks/oval/sshd_disable_kerb_auth.xml | 14 ++++++++++----
|
|
|
0950b5 |
rhel7/checks/oval/sshd_enable_strictmodes.xml | 14 ++++++++++----
|
|
|
0950b5 |
rhel7/checks/oval/sshd_use_approved_macs.xml | 14 ++++++++++----
|
|
|
0950b5 |
rhel7/checks/oval/sshd_use_priv_separation.xml | 14 ++++++++++----
|
|
|
0950b5 |
shared/checks/oval/disable_host_auth.xml | 15 +++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_allow_only_protocol2.xml | 15 +++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_disable_empty_passwords.xml | 14 ++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_disable_rhosts.xml | 14 ++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_disable_rhosts_rsa.xml | 14 ++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_disable_root_login.xml | 14 ++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_disable_user_known_hosts.xml | 15 +++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_do_not_permit_user_env.xml | 14 ++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_enable_warning_banner.xml | 14 ++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_enable_x11_forwarding.xml | 14 ++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_print_last_log.xml | 14 ++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_set_idle_timeout.xml | 18 ++++++++++++------
|
|
|
0950b5 |
shared/checks/oval/sshd_set_keepalive.xml | 14 ++++++++++----
|
|
|
0950b5 |
shared/checks/oval/sshd_use_approved_ciphers.xml | 18 ++++++++++++------
|
|
|
0950b5 |
shared/checks/oval/sshd_use_approved_macs.xml | 14 ++++++++++----
|
|
|
0950b5 |
21 files changed, 217 insertions(+), 88 deletions(-)
|
|
|
0950b5 |
|
|
|
0950b5 |
diff --git a/rhel7/checks/oval/sshd_disable_compression.xml b/rhel7/checks/oval/sshd_disable_compression.xml
|
|
|
0950b5 |
index 8a4334f06..014741fe1 100644
|
|
|
0950b5 |
--- a/rhel7/checks/oval/sshd_disable_compression.xml
|
|
|
0950b5 |
+++ b/rhel7/checks/oval/sshd_disable_compression.xml
|
|
|
0950b5 |
@@ -7,13 +7,19 @@
|
|
|
0950b5 |
</affected>
|
|
|
0950b5 |
<description>SSH should either have compression disabled or set to delayed.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_disable_compression" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml
|
|
|
0950b5 |
index ee184b8e8..5f32edc1e 100644
|
|
|
0950b5 |
--- a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml
|
|
|
0950b5 |
+++ b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>Unless needed, disable the GSSAPI authentication option for
|
|
|
0950b5 |
the SSH Server.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_disable_gssapi_auth" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/rhel7/checks/oval/sshd_disable_kerb_auth.xml b/rhel7/checks/oval/sshd_disable_kerb_auth.xml
|
|
|
0950b5 |
index c63cef03e..6f0e0babe 100644
|
|
|
0950b5 |
--- a/rhel7/checks/oval/sshd_disable_kerb_auth.xml
|
|
|
0950b5 |
+++ b/rhel7/checks/oval/sshd_disable_kerb_auth.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>Unless needed, disable the Kerberos authentication option for
|
|
|
0950b5 |
the SSH Server.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_disable_kerb_auth" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/rhel7/checks/oval/sshd_enable_strictmodes.xml b/rhel7/checks/oval/sshd_enable_strictmodes.xml
|
|
|
0950b5 |
index 1346191d5..7728f6ae6 100644
|
|
|
0950b5 |
--- a/rhel7/checks/oval/sshd_enable_strictmodes.xml
|
|
|
0950b5 |
+++ b/rhel7/checks/oval/sshd_enable_strictmodes.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>Enable StrictMode to check users home directory permissions
|
|
|
0950b5 |
and configurations.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_enable_strictmodes" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/rhel7/checks/oval/sshd_use_approved_macs.xml b/rhel7/checks/oval/sshd_use_approved_macs.xml
|
|
|
0950b5 |
index bd05a5152..20b57041b 100644
|
|
|
0950b5 |
--- a/rhel7/checks/oval/sshd_use_approved_macs.xml
|
|
|
0950b5 |
+++ b/rhel7/checks/oval/sshd_use_approved_macs.xml
|
|
|
0950b5 |
@@ -9,13 +9,19 @@
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
<criteria operator="AND">
|
|
|
0950b5 |
<extend_definition comment="Installed OS is certified" definition_ref="installed_OS_is_certified" />
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_use_approved_macs" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/rhel7/checks/oval/sshd_use_priv_separation.xml b/rhel7/checks/oval/sshd_use_priv_separation.xml
|
|
|
0950b5 |
index c5ae32c27..2ec883fea 100644
|
|
|
0950b5 |
--- a/rhel7/checks/oval/sshd_use_priv_separation.xml
|
|
|
0950b5 |
+++ b/rhel7/checks/oval/sshd_use_priv_separation.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>Use priviledge separation to cause the SSH process to drop
|
|
|
0950b5 |
root privileges when not needed.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_use_priv_separation" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/disable_host_auth.xml b/shared/checks/oval/disable_host_auth.xml
|
|
|
0950b5 |
index 3e4cc5aea..3a00964ab 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/disable_host_auth.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/disable_host_auth.xml
|
|
|
0950b5 |
@@ -7,12 +7,19 @@
|
|
|
0950b5 |
</affected>
|
|
|
0950b5 |
<description>SSH host-based authentication should be disabled.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
- <criteria comment="SSH is not installed or conditions are met" operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ operator="OR">
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_hostbasedauthentication" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_allow_only_protocol2.xml b/shared/checks/oval/sshd_allow_only_protocol2.xml
|
|
|
0950b5 |
index 0a7ace128..224010263 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_allow_only_protocol2.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_allow_only_protocol2.xml
|
|
|
0950b5 |
@@ -9,12 +9,19 @@
|
|
|
0950b5 |
</affected>
|
|
|
0950b5 |
<description>The OpenSSH daemon should be running protocol 2.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
- <criteria comment="SSH is not installed or conditions are met" operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ operator="OR">
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
<criteria comment="SSH version is equal or higher than 7.4 or it is configured with protocol 2" operator="OR">
|
|
|
0950b5 |
<extend_definition comment="OpenSSH version 7.4 or higher supports only protocol 2" definition_ref="sshd_version_equal_or_higher_than_74" />
|
|
|
0950b5 |
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_disable_empty_passwords.xml b/shared/checks/oval/sshd_disable_empty_passwords.xml
|
|
|
0950b5 |
index e923d64fd..9570ee5c7 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_disable_empty_passwords.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_disable_empty_passwords.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>Remote connections from accounts with empty passwords should
|
|
|
0950b5 |
be disabled (and dependencies are met)</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
negate="true" test_ref="test_sshd_permitemptypasswords_no" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_disable_rhosts.xml b/shared/checks/oval/sshd_disable_rhosts.xml
|
|
|
0950b5 |
index 86eb94a22..163ccfca5 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_disable_rhosts.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_disable_rhosts.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>Emulation of the rsh command through the ssh server should
|
|
|
0950b5 |
be disabled (and dependencies are met)</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_rsh_emulation_disabled" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
|
|
|
0950b5 |
index 2abf88c70..e949fb031 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>SSH can allow authentication through the obsolete rsh command
|
|
|
0950b5 |
through the use of the authenticating user's SSH keys. This should be disabled.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
<criteria comment="SSH version is equal or higher than 7.4 has deprecated RhostsRSAAuthentication" operator="OR">
|
|
|
0950b5 |
<extend_definition comment="OpenSSH version 7.4 or higher has deprecated RhostsRSAAuthentication" definition_ref="sshd_version_equal_or_higher_than_74" />
|
|
|
0950b5 |
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_disable_root_login.xml b/shared/checks/oval/sshd_disable_root_login.xml
|
|
|
0950b5 |
index 7bfd54d4e..10e7afb18 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_disable_root_login.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_disable_root_login.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>Root login via SSH should be disabled (and dependencies are
|
|
|
0950b5 |
met)</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
negate="true" test_ref="test_sshd_permitrootlogin_no" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_disable_user_known_hosts.xml b/shared/checks/oval/sshd_disable_user_known_hosts.xml
|
|
|
0950b5 |
index cc01ec6ca..0e121d496 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_disable_user_known_hosts.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_disable_user_known_hosts.xml
|
|
|
0950b5 |
@@ -9,12 +9,19 @@
|
|
|
0950b5 |
to connect to systems if a cache of the remote systems public keys are available.
|
|
|
0950b5 |
This should be disabled.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
- <criteria comment="SSH is not installed or conditions are met" operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ operator="OR">
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_disable_user_known_hosts" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_do_not_permit_user_env.xml b/shared/checks/oval/sshd_do_not_permit_user_env.xml
|
|
|
0950b5 |
index ad8ecdf68..afb799e20 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_do_not_permit_user_env.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_do_not_permit_user_env.xml
|
|
|
0950b5 |
@@ -7,13 +7,19 @@
|
|
|
0950b5 |
</affected>
|
|
|
0950b5 |
<description>PermitUserEnvironment should be disabled</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
negate="true" test_ref="test_sshd_no_user_envset" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_enable_warning_banner.xml b/shared/checks/oval/sshd_enable_warning_banner.xml
|
|
|
0950b5 |
index 933822eb6..cd14ec9e9 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_enable_warning_banner.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_enable_warning_banner.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>SSH warning banner should be enabled (and dependencies are
|
|
|
0950b5 |
met)</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_banner_set" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_enable_x11_forwarding.xml b/shared/checks/oval/sshd_enable_x11_forwarding.xml
|
|
|
0950b5 |
index 3aa45e51b..0a0e1bafd 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_enable_x11_forwarding.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_enable_x11_forwarding.xml
|
|
|
0950b5 |
@@ -7,13 +7,19 @@
|
|
|
0950b5 |
</affected>
|
|
|
0950b5 |
<description>Enable X11Forwarding to encrypt X11 remote connections over SSH.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_enable_x11_forwarding" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_print_last_log.xml b/shared/checks/oval/sshd_print_last_log.xml
|
|
|
0950b5 |
index 29367969d..83bc0df79 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_print_last_log.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_print_last_log.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>Enable PrintLastLog to display user's last login time
|
|
|
0950b5 |
and date.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_enable_printlastlog" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_set_idle_timeout.xml b/shared/checks/oval/sshd_set_idle_timeout.xml
|
|
|
0950b5 |
index a414790a0..180e87d83 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_set_idle_timeout.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_set_idle_timeout.xml
|
|
|
0950b5 |
@@ -8,14 +8,20 @@
|
|
|
0950b5 |
<description>The SSH idle timeout interval should be set to an
|
|
|
0950b5 |
appropriate value.</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
- <criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
+ <criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
test_ref="test_sshd_idle_timeout" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_set_keepalive.xml b/shared/checks/oval/sshd_set_keepalive.xml
|
|
|
0950b5 |
index 5640638ae..8774e1d25 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_set_keepalive.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_set_keepalive.xml
|
|
|
0950b5 |
@@ -8,13 +8,19 @@
|
|
|
0950b5 |
<description>The SSH ClientAliveCountMax should be set to an appropriate
|
|
|
0950b5 |
value (and dependencies are met)</description>
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_clientalivecountmax" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_use_approved_ciphers.xml b/shared/checks/oval/sshd_use_approved_ciphers.xml
|
|
|
0950b5 |
index 84088aa5c..5a4e3a1f9 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_use_approved_ciphers.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_use_approved_ciphers.xml
|
|
|
0950b5 |
@@ -9,13 +9,19 @@
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
<criteria operator="AND">
|
|
|
0950b5 |
<extend_definition comment="Installed OS is certified" definition_ref="installed_OS_is_certified" />
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
- <criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
+ <criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_use_approved_ciphers" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
diff --git a/shared/checks/oval/sshd_use_approved_macs.xml b/shared/checks/oval/sshd_use_approved_macs.xml
|
|
|
0950b5 |
index d2f622af1..b403d0449 100644
|
|
|
0950b5 |
--- a/shared/checks/oval/sshd_use_approved_macs.xml
|
|
|
0950b5 |
+++ b/shared/checks/oval/sshd_use_approved_macs.xml
|
|
|
0950b5 |
@@ -9,13 +9,19 @@
|
|
|
0950b5 |
</metadata>
|
|
|
0950b5 |
<criteria operator="AND">
|
|
|
0950b5 |
<extend_definition comment="Installed OS is certified" definition_ref="installed_OS_is_certified" />
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
operator="OR">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
- definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
0950b5 |
+ </criteria>
|
|
|
0950b5 |
<criteria comment="sshd is installed and configured" operator="AND">
|
|
|
0950b5 |
-
|
|
|
0950b5 |
+
|
|
|
0950b5 |
definition_ref="sshd_required_or_unset" />
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
0950b5 |
|
|
|
0950b5 |
test_ref="test_sshd_use_approved_macs" />
|
|
|
0950b5 |
</criteria>
|
|
|
0950b5 |
|
|
|
0950b5 |
From 441881052627a5b14be015d74d36d271f9268908 Mon Sep 17 00:00:00 2001
|
|
|
0950b5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0950b5 |
Date: Wed, 13 Dec 2017 18:22:29 +0100
|
|
|
0950b5 |
Subject: [PATCH 3/6] Remove backslashes from echo command
|
|
|
0950b5 |
|
|
|
0950b5 |
Echo command output is literal, there is no need for backslashes
|
|
|
0950b5 |
---
|
|
|
0950b5 |
.../rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh | 2 +-
|
|
|
0950b5 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
0950b5 |
|
|
|
0950b5 |
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh
|
|
|
0950b5 |
index 227611543..7172539c7 100644
|
|
|
0950b5 |
--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh
|
|
|
0950b5 |
+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh
|
|
|
0950b5 |
@@ -5,5 +5,5 @@
|
|
|
0950b5 |
if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
0950b5 |
sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
|
|
|
0950b5 |
else
|
|
|
0950b5 |
- echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
|
|
|
0950b5 |
+ echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se" >> /etc/ssh/sshd_config
|
|
|
0950b5 |
fi
|
|
|
0950b5 |
|
|
|
0950b5 |
From 995a5e64eb841c73849571395cc985f94607c4cb Mon Sep 17 00:00:00 2001
|
|
|
0950b5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0950b5 |
Date: Mon, 18 Dec 2017 11:12:13 +0100
|
|
|
0950b5 |
Subject: [PATCH 4/6] Fix test scenarios for sshd_use_priv_separation
|
|
|
0950b5 |
|
|
|
0950b5 |
As of PR #2162 the Rule checks for "sandbox"
|
|
|
0950b5 |
---
|
|
|
0950b5 |
.../rule_sshd_use_priv_separation/correct_value.pass.sh | 4 ++--
|
|
|
0950b5 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
0950b5 |
|
|
|
0950b5 |
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
|
|
|
0950b5 |
index d63caa85b..36e8c1bba 100644
|
|
|
0950b5 |
--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
|
|
|
0950b5 |
+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
|
|
|
0950b5 |
@@ -3,7 +3,7 @@
|
|
|
0950b5 |
# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
|
|
|
0950b5 |
|
|
|
0950b5 |
if grep -q "^UsePrivilegeSeparation" /etc/ssh/sshd_config; then
|
|
|
0950b5 |
- sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation yes/" /etc/ssh/sshd_config
|
|
|
0950b5 |
+ sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation sandbox/" /etc/ssh/sshd_config
|
|
|
0950b5 |
else
|
|
|
0950b5 |
- echo "UsePrivilegeSeparation yes" >> /etc/ssh/sshd_config
|
|
|
0950b5 |
+ echo "UsePrivilegeSeparation sandbox" >> /etc/ssh/sshd_config
|
|
|
0950b5 |
fi
|
|
|
0950b5 |
|
|
|
0950b5 |
From 877f3620d7462e2af6727a9feff16d6a7f08a239 Mon Sep 17 00:00:00 2001
|
|
|
0950b5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0950b5 |
Date: Mon, 18 Dec 2017 11:40:07 +0100
|
|
|
0950b5 |
Subject: [PATCH 5/6] Fix test scenarios for sshd_disable_kerb_auth
|
|
|
0950b5 |
|
|
|
0950b5 |
As of Pr #2463, the definition checks for ausence of
|
|
|
0950b5 |
"KerberosAuthentication yes", as default setting is not enabled.
|
|
|
0950b5 |
---
|
|
|
0950b5 |
.../group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh | 9 ---------
|
|
|
0950b5 |
.../group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh | 9 +++++++++
|
|
|
0950b5 |
.../{line_not_there.fail.sh => line_not_there.pass.sh} | 0
|
|
|
0950b5 |
3 files changed, 9 insertions(+), 9 deletions(-)
|
|
|
0950b5 |
delete mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
|
|
|
0950b5 |
create mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
|
|
|
0950b5 |
rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/{line_not_there.fail.sh => line_not_there.pass.sh} (100%)
|
|
|
0950b5 |
|
|
|
0950b5 |
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
|
|
|
0950b5 |
deleted file mode 100644
|
|
|
0950b5 |
index 3ae082173..000000000
|
|
|
0950b5 |
--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
|
|
|
0950b5 |
+++ /dev/null
|
|
|
0950b5 |
@@ -1,9 +0,0 @@
|
|
|
0950b5 |
-#!/bin/bash
|
|
|
0950b5 |
-#
|
|
|
0950b5 |
-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
|
|
|
0950b5 |
-
|
|
|
0950b5 |
-if grep -q "^KerberosAuthentication" /etc/ssh/sshd_config; then
|
|
|
0950b5 |
- sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication no/" /etc/ssh/sshd_config
|
|
|
0950b5 |
-else
|
|
|
0950b5 |
- echo "# KerberosAuthentication no" >> /etc/ssh/sshd_config
|
|
|
0950b5 |
-fi
|
|
|
0950b5 |
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
|
|
|
0950b5 |
new file mode 100644
|
|
|
0950b5 |
index 000000000..c7d58fbc6
|
|
|
0950b5 |
--- /dev/null
|
|
|
0950b5 |
+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
|
|
|
0950b5 |
@@ -0,0 +1,9 @@
|
|
|
0950b5 |
+#!/bin/bash
|
|
|
0950b5 |
+#
|
|
|
0950b5 |
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
|
|
|
0950b5 |
+
|
|
|
0950b5 |
+if grep -q "^KerberosAuthentication" /etc/ssh/sshd_config; then
|
|
|
0950b5 |
+ sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication yes/" /etc/ssh/sshd_config
|
|
|
0950b5 |
+else
|
|
|
0950b5 |
+ echo "# KerberosAuthentication yes" >> /etc/ssh/sshd_config
|
|
|
0950b5 |
+fi
|
|
|
0950b5 |
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh
|
|
|
0950b5 |
similarity index 100%
|
|
|
0950b5 |
rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh
|
|
|
0950b5 |
rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh
|
|
|
0950b5 |
|
|
|
0950b5 |
From 4ebe165ede448c8998251257998cc94ea5cf3786 Mon Sep 17 00:00:00 2001
|
|
|
0950b5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
0950b5 |
Date: Mon, 18 Dec 2017 11:52:39 +0100
|
|
|
0950b5 |
Subject: [PATCH 6/6] Fix test scenarios for sshd_enable_strictmodes
|
|
|
0950b5 |
|
|
|
0950b5 |
As of Pr #2463, the definition checks fo ausence of "StrictModes no", as
|
|
|
0950b5 |
default value is enabled already.
|
|
|
0950b5 |
---
|
|
|
0950b5 |
.../rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} | 4 ++--
|
|
|
0950b5 |
.../{line_not_there.fail.sh => line_not_there.pass.sh} | 0
|
|
|
0950b5 |
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
0950b5 |
rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} (53%)
|
|
|
0950b5 |
rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{line_not_there.fail.sh => line_not_there.pass.sh} (100%)
|
|
|
0950b5 |
|
|
|
0950b5 |
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
|
|
|
0950b5 |
similarity index 53%
|
|
|
0950b5 |
rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh
|
|
|
0950b5 |
rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
|
|
|
0950b5 |
index 3d3b90875..bac02cb4f 100644
|
|
|
0950b5 |
--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh
|
|
|
0950b5 |
+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
|
|
|
0950b5 |
@@ -3,7 +3,7 @@
|
|
|
0950b5 |
# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
|
|
|
0950b5 |
|
|
|
0950b5 |
if grep -q "^StrictModes" /etc/ssh/sshd_config; then
|
|
|
0950b5 |
- sed -i "s/^StrictModes.*/# StrictModes yes/" /etc/ssh/sshd_config
|
|
|
0950b5 |
+ sed -i "s/^StrictModes.*/# StrictModes no/" /etc/ssh/sshd_config
|
|
|
0950b5 |
else
|
|
|
0950b5 |
- echo "# StrictModes yes" >> /etc/ssh/sshd_config
|
|
|
0950b5 |
+ echo "# StrictModes no" >> /etc/ssh/sshd_config
|
|
|
0950b5 |
fi
|
|
|
0950b5 |
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh
|
|
|
0950b5 |
similarity index 100%
|
|
|
0950b5 |
rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh
|
|
|
0950b5 |
rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh
|