Blame SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch

0950b5
From 939d1cfd84b980e3a96dd1d82dfddcabf4b2a34a Mon Sep 17 00:00:00 2001
0950b5
From: Watson Sato <wsato@redhat.com>
0950b5
Date: Fri, 8 Dec 2017 15:14:26 +0100
0950b5
Subject: [PATCH 1/6] Drop check of package in sshd_required definitions
0950b5
0950b5
This is not the best place to check if openssh-server is installed.
0950b5
0950b5
We can check for openssh-server package when sshd is required and not
0950b5
required.
0950b5
But when sshd_required is not set, we don't check if openssh-server is
0950b5
installed or not, because both are valid states.
0950b5
0950b5
This gives the impression that when extending sshd_required_or_unset
and sshd_not_required_or_unset there is no need to check for the
openssh-server package, which is not true.
0950b5
0950b5
The only purpose of these definitions should be to check for state of
0950b5
sshd_required value.
0950b5
---
0950b5
 shared/checks/oval/sshd_not_required_or_unset.xml | 6 +-----
0950b5
 shared/checks/oval/sshd_required_or_unset.xml     | 6 +-----
0950b5
 2 files changed, 2 insertions(+), 10 deletions(-)
0950b5
0950b5
diff --git a/shared/checks/oval/sshd_not_required_or_unset.xml b/shared/checks/oval/sshd_not_required_or_unset.xml
0950b5
index 76bf1b9b4..206b1b474 100644
0950b5
--- a/shared/checks/oval/sshd_not_required_or_unset.xml
0950b5
+++ b/shared/checks/oval/sshd_not_required_or_unset.xml
0950b5
@@ -9,11 +9,7 @@
0950b5
       <description>If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good.</description>
0950b5
     </metadata>
0950b5
     <criteria comment="SSH not required or not set" operator="OR">
0950b5
-      <criteria comment="SSH is not required and not installed" operator="AND">
0950b5
-        <criterion test_ref="test_sshd_not_required" />
0950b5
-        
0950b5
-        definition_ref="package_openssh-server_removed" />
0950b5
-      </criteria>
0950b5
+      <criterion test_ref="test_sshd_not_required" />
0950b5
       
0950b5
       definition_ref="sshd_requirement_unset" />
0950b5
     </criteria>
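Review bot: The `<description>` context line at the top of this hunk still says "If SSHD is not required, we check it is not installed", but after this hunk the definition only extends `test_sshd_not_required` or `sshd_requirement_unset` and no longer references `package_openssh-server_removed`, so the description now promises a check the definition does not perform. The same stale wording ("we check it is installed") remains in the `sshd_required_or_unset.xml` hunk that follows. Suggest `<description>True when sshd_required is set to not required, or when sshd_required is unset. This definition does not check whether the openssh-server package is installed.</description>`, with the mirrored text for the required variant, so a rule author extending either definition sees that the package check is their responsibility. The enclosing `<definition>` element starts and ends outside the hunk.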
0950b5
diff --git a/shared/checks/oval/sshd_required_or_unset.xml b/shared/checks/oval/sshd_required_or_unset.xml
0950b5
index 04d6a687b..4518b181f 100644
0950b5
--- a/shared/checks/oval/sshd_required_or_unset.xml
0950b5
+++ b/shared/checks/oval/sshd_required_or_unset.xml
0950b5
@@ -9,11 +9,7 @@
0950b5
       <description>If SSHD is required, we check it is installed. If SSH requirement is unset, we are good.</description>
0950b5
     </metadata>
0950b5
     <criteria comment="SSH required or not set" operator="OR">
0950b5
-      <criteria comment="SSH is required and installed" operator="AND">
0950b5
-        <criterion test_ref="test_sshd_required" />
0950b5
-        
0950b5
-        definition_ref="package_openssh-server_installed" />
0950b5
-      </criteria>
0950b5
+      <criterion test_ref="test_sshd_required" />
0950b5
       
0950b5
       definition_ref="sshd_requirement_unset" />
0950b5
     </criteria>
0950b5
0950b5
From 0b02493e535e9b529af9eb71bf97f5b02d04c89e Mon Sep 17 00:00:00 2001
0950b5
From: Watson Sato <wsato@redhat.com>
0950b5
Date: Wed, 13 Dec 2017 18:09:47 +0100
0950b5
Subject: [PATCH 2/6] Also check state openssh-server package when
0950b5
 sshd_required is unset
0950b5
0950b5
Explicitly check state of openssh-server package.
0950b5
When openssh-server is installed, the system should be configured; when it is not
installed, the system is ok.
When sshd_required is set, either to required or not required, it acts as
a selector of the openssh-server package state. If sshd_required is unset,
the state of the openssh-server package selects whether the system should be
configured or not.
0950b5
---
0950b5
 rhel7/checks/oval/sshd_disable_compression.xml       | 14 ++++++++++----
0950b5
 rhel7/checks/oval/sshd_disable_gssapi_auth.xml       | 14 ++++++++++----
0950b5
 rhel7/checks/oval/sshd_disable_kerb_auth.xml         | 14 ++++++++++----
0950b5
 rhel7/checks/oval/sshd_enable_strictmodes.xml        | 14 ++++++++++----
0950b5
 rhel7/checks/oval/sshd_use_approved_macs.xml         | 14 ++++++++++----
0950b5
 rhel7/checks/oval/sshd_use_priv_separation.xml       | 14 ++++++++++----
0950b5
 shared/checks/oval/disable_host_auth.xml             | 15 +++++++++++----
0950b5
 shared/checks/oval/sshd_allow_only_protocol2.xml     | 15 +++++++++++----
0950b5
 shared/checks/oval/sshd_disable_empty_passwords.xml  | 14 ++++++++++----
0950b5
 shared/checks/oval/sshd_disable_rhosts.xml           | 14 ++++++++++----
0950b5
 shared/checks/oval/sshd_disable_rhosts_rsa.xml       | 14 ++++++++++----
0950b5
 shared/checks/oval/sshd_disable_root_login.xml       | 14 ++++++++++----
0950b5
 shared/checks/oval/sshd_disable_user_known_hosts.xml | 15 +++++++++++----
0950b5
 shared/checks/oval/sshd_do_not_permit_user_env.xml   | 14 ++++++++++----
0950b5
 shared/checks/oval/sshd_enable_warning_banner.xml    | 14 ++++++++++----
0950b5
 shared/checks/oval/sshd_enable_x11_forwarding.xml    | 14 ++++++++++----
0950b5
 shared/checks/oval/sshd_print_last_log.xml           | 14 ++++++++++----
0950b5
 shared/checks/oval/sshd_set_idle_timeout.xml         | 18 ++++++++++++------
0950b5
 shared/checks/oval/sshd_set_keepalive.xml            | 14 ++++++++++----
0950b5
 shared/checks/oval/sshd_use_approved_ciphers.xml     | 18 ++++++++++++------
0950b5
 shared/checks/oval/sshd_use_approved_macs.xml        | 14 ++++++++++----
0950b5
 21 files changed, 217 insertions(+), 88 deletions(-)
0950b5
0950b5
diff --git a/rhel7/checks/oval/sshd_disable_compression.xml b/rhel7/checks/oval/sshd_disable_compression.xml
0950b5
index 8a4334f06..014741fe1 100644
0950b5
--- a/rhel7/checks/oval/sshd_disable_compression.xml
0950b5
+++ b/rhel7/checks/oval/sshd_disable_compression.xml
0950b5
@@ -7,13 +7,19 @@
0950b5
       </affected>
0950b5
       <description>SSH should either have compression disabled or set to delayed.</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_disable_compression" />
0950b5
       </criteria>
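Review bot: The new OR block hand-copies the same two-branch structure — `<criteria comment="sshd is not installed" operator="AND">` extending `sshd_not_required_or_unset` and `package_openssh-server_removed`, then `sshd_required_or_unset` plus `package_openssh-server_installed` in the "installed and configured" branch — into this file and the remaining 20 hunks of this patch (through `shared/checks/oval/sshd_use_approved_macs.xml`), so the coupling between the `sshd_required` value and the package state that the previous patch pulled out of two definitions now lives in 21 rule files, and any future correction is again a 21-file edit. Consider folding each branch into one shared definition (for example a "sshd not needed and absent" definition, name to be chosen) that each rule extends once, which keeps the policy decision in a single place. The branch logic itself covers the four combinations correctly as far as the visible lines show: a required-but-absent or not-required-but-present openssh-server fails both branches, and an unset value defers to the package state. The comment on the first branch names only one of its two conjuncts; `<criteria comment="sshd is not required or unset, and openssh-server is not installed" operator="AND">` would mirror the "installed and configured" wording of the second. Note that in this rendering the `<extend_definition ...` element openings preceding each `definition_ref=` line are not visible, so their presence is inferred from the surviving attribute lines.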
0950b5
diff --git a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml
0950b5
index ee184b8e8..5f32edc1e 100644
0950b5
--- a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml
0950b5
+++ b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>Unless needed, disable the GSSAPI authentication option for
0950b5
 the SSH Server.</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_disable_gssapi_auth" />
0950b5
       </criteria>
0950b5
diff --git a/rhel7/checks/oval/sshd_disable_kerb_auth.xml b/rhel7/checks/oval/sshd_disable_kerb_auth.xml
0950b5
index c63cef03e..6f0e0babe 100644
0950b5
--- a/rhel7/checks/oval/sshd_disable_kerb_auth.xml
0950b5
+++ b/rhel7/checks/oval/sshd_disable_kerb_auth.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>Unless needed, disable the Kerberos authentication option for
0950b5
 the SSH Server.</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_disable_kerb_auth" />
0950b5
       </criteria>
0950b5
diff --git a/rhel7/checks/oval/sshd_enable_strictmodes.xml b/rhel7/checks/oval/sshd_enable_strictmodes.xml
0950b5
index 1346191d5..7728f6ae6 100644
0950b5
--- a/rhel7/checks/oval/sshd_enable_strictmodes.xml
0950b5
+++ b/rhel7/checks/oval/sshd_enable_strictmodes.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>Enable StrictMode to check users home directory permissions
0950b5
 and configurations.</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_enable_strictmodes" />
0950b5
       </criteria>
0950b5
diff --git a/rhel7/checks/oval/sshd_use_approved_macs.xml b/rhel7/checks/oval/sshd_use_approved_macs.xml
0950b5
index bd05a5152..20b57041b 100644
0950b5
--- a/rhel7/checks/oval/sshd_use_approved_macs.xml
0950b5
+++ b/rhel7/checks/oval/sshd_use_approved_macs.xml
0950b5
@@ -9,13 +9,19 @@
0950b5
     </metadata>
0950b5
     <criteria operator="AND">
0950b5
       <extend_definition comment="Installed OS is certified" definition_ref="installed_OS_is_certified" />
0950b5
-      
0950b5
+      
0950b5
       operator="OR">
0950b5
-        
0950b5
-        definition_ref="sshd_not_required_or_unset" />
0950b5
+        <criteria comment="sshd is not installed" operator="AND">
0950b5
+          
0950b5
+          definition_ref="sshd_not_required_or_unset" />
0950b5
+          
0950b5
+          definition_ref="package_openssh-server_removed" />
0950b5
+        </criteria>
0950b5
         <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-          
0950b5
+          
0950b5
           definition_ref="sshd_required_or_unset" />
0950b5
+          
0950b5
+          definition_ref="package_openssh-server_installed" />
0950b5
           
0950b5
           test_ref="test_sshd_use_approved_macs" />
0950b5
         </criteria>
0950b5
diff --git a/rhel7/checks/oval/sshd_use_priv_separation.xml b/rhel7/checks/oval/sshd_use_priv_separation.xml
0950b5
index c5ae32c27..2ec883fea 100644
0950b5
--- a/rhel7/checks/oval/sshd_use_priv_separation.xml
0950b5
+++ b/rhel7/checks/oval/sshd_use_priv_separation.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>Use priviledge separation to cause the SSH process to drop
0950b5
 root privileges when not needed.</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_use_priv_separation" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/disable_host_auth.xml b/shared/checks/oval/disable_host_auth.xml
0950b5
index 3e4cc5aea..3a00964ab 100644
0950b5
--- a/shared/checks/oval/disable_host_auth.xml
0950b5
+++ b/shared/checks/oval/disable_host_auth.xml
0950b5
@@ -7,12 +7,19 @@
0950b5
       </affected>
0950b5
       <description>SSH host-based authentication should be disabled.</description>
0950b5
     </metadata>
0950b5
-    <criteria comment="SSH is not installed or conditions are met" operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+    
0950b5
+    operator="OR">
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_hostbasedauthentication" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_allow_only_protocol2.xml b/shared/checks/oval/sshd_allow_only_protocol2.xml
0950b5
index 0a7ace128..224010263 100644
0950b5
--- a/shared/checks/oval/sshd_allow_only_protocol2.xml
0950b5
+++ b/shared/checks/oval/sshd_allow_only_protocol2.xml
0950b5
@@ -9,12 +9,19 @@
0950b5
       </affected>
0950b5
       <description>The OpenSSH daemon should be running protocol 2.</description>
0950b5
     </metadata>
0950b5
-    <criteria comment="SSH is not installed or conditions are met" operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+    
0950b5
+    operator="OR">
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         <criteria comment="SSH version is equal or higher than 7.4 or it is configured with protocol 2" operator="OR">
0950b5
           <extend_definition comment="OpenSSH version 7.4 or higher supports only protocol 2" definition_ref="sshd_version_equal_or_higher_than_74" />
0950b5
           
0950b5
diff --git a/shared/checks/oval/sshd_disable_empty_passwords.xml b/shared/checks/oval/sshd_disable_empty_passwords.xml
0950b5
index e923d64fd..9570ee5c7 100644
0950b5
--- a/shared/checks/oval/sshd_disable_empty_passwords.xml
0950b5
+++ b/shared/checks/oval/sshd_disable_empty_passwords.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>Remote connections from accounts with empty passwords should
0950b5
       be disabled (and dependencies are met)</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         negate="true" test_ref="test_sshd_permitemptypasswords_no" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_disable_rhosts.xml b/shared/checks/oval/sshd_disable_rhosts.xml
0950b5
index 86eb94a22..163ccfca5 100644
0950b5
--- a/shared/checks/oval/sshd_disable_rhosts.xml
0950b5
+++ b/shared/checks/oval/sshd_disable_rhosts.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>Emulation of the rsh command through the ssh server should
0950b5
       be disabled (and dependencies are met)</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_rsh_emulation_disabled" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
0950b5
index 2abf88c70..e949fb031 100644
0950b5
--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml
0950b5
+++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>SSH can allow authentication through the obsolete rsh command
0950b5
       through the use of the authenticating user's SSH keys. This should be disabled.</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         <criteria comment="SSH version is equal or higher than 7.4 has deprecated RhostsRSAAuthentication" operator="OR">
0950b5
           <extend_definition comment="OpenSSH version 7.4 or higher has deprecated RhostsRSAAuthentication" definition_ref="sshd_version_equal_or_higher_than_74" />
0950b5
           
0950b5
diff --git a/shared/checks/oval/sshd_disable_root_login.xml b/shared/checks/oval/sshd_disable_root_login.xml
0950b5
index 7bfd54d4e..10e7afb18 100644
0950b5
--- a/shared/checks/oval/sshd_disable_root_login.xml
0950b5
+++ b/shared/checks/oval/sshd_disable_root_login.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>Root login via SSH should be disabled (and dependencies are
0950b5
       met)</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         negate="true" test_ref="test_sshd_permitrootlogin_no" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_disable_user_known_hosts.xml b/shared/checks/oval/sshd_disable_user_known_hosts.xml
0950b5
index cc01ec6ca..0e121d496 100644
0950b5
--- a/shared/checks/oval/sshd_disable_user_known_hosts.xml
0950b5
+++ b/shared/checks/oval/sshd_disable_user_known_hosts.xml
0950b5
@@ -9,12 +9,19 @@
0950b5
 to connect to systems if a cache of the remote systems public keys are available.
0950b5
 This should be disabled.</description>
0950b5
     </metadata>
0950b5
-    <criteria comment="SSH is not installed or conditions are met" operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+    
0950b5
+    operator="OR">
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_disable_user_known_hosts" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_do_not_permit_user_env.xml b/shared/checks/oval/sshd_do_not_permit_user_env.xml
0950b5
index ad8ecdf68..afb799e20 100644
0950b5
--- a/shared/checks/oval/sshd_do_not_permit_user_env.xml
0950b5
+++ b/shared/checks/oval/sshd_do_not_permit_user_env.xml
0950b5
@@ -7,13 +7,19 @@
0950b5
       </affected>
0950b5
       <description>PermitUserEnvironment should be disabled</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         negate="true" test_ref="test_sshd_no_user_envset" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_enable_warning_banner.xml b/shared/checks/oval/sshd_enable_warning_banner.xml
0950b5
index 933822eb6..cd14ec9e9 100644
0950b5
--- a/shared/checks/oval/sshd_enable_warning_banner.xml
0950b5
+++ b/shared/checks/oval/sshd_enable_warning_banner.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>SSH warning banner should be enabled (and dependencies are
0950b5
       met)</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_banner_set" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_enable_x11_forwarding.xml b/shared/checks/oval/sshd_enable_x11_forwarding.xml
0950b5
index 3aa45e51b..0a0e1bafd 100644
0950b5
--- a/shared/checks/oval/sshd_enable_x11_forwarding.xml
0950b5
+++ b/shared/checks/oval/sshd_enable_x11_forwarding.xml
0950b5
@@ -7,13 +7,19 @@
0950b5
       </affected>
0950b5
       <description>Enable X11Forwarding to encrypt X11 remote connections over SSH.</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_enable_x11_forwarding" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_print_last_log.xml b/shared/checks/oval/sshd_print_last_log.xml
0950b5
index 29367969d..83bc0df79 100644
0950b5
--- a/shared/checks/oval/sshd_print_last_log.xml
0950b5
+++ b/shared/checks/oval/sshd_print_last_log.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>Enable PrintLastLog to display user's last login time 
0950b5
 and date.</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_enable_printlastlog" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_set_idle_timeout.xml b/shared/checks/oval/sshd_set_idle_timeout.xml
0950b5
index a414790a0..180e87d83 100644
0950b5
--- a/shared/checks/oval/sshd_set_idle_timeout.xml
0950b5
+++ b/shared/checks/oval/sshd_set_idle_timeout.xml
0950b5
@@ -8,14 +8,20 @@
0950b5
       <description>The SSH idle timeout interval should be set to an
0950b5
       appropriate value.</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-        
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
         definition_ref="sshd_not_required_or_unset" />
0950b5
-        <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-          
0950b5
-          definition_ref="sshd_required_or_unset" />
0950b5
-          
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
+      <criteria comment="sshd is installed and configured" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
+        
0950b5
         test_ref="test_sshd_idle_timeout" />
0950b5
       </criteria>
0950b5
     </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_set_keepalive.xml b/shared/checks/oval/sshd_set_keepalive.xml
0950b5
index 5640638ae..8774e1d25 100644
0950b5
--- a/shared/checks/oval/sshd_set_keepalive.xml
0950b5
+++ b/shared/checks/oval/sshd_set_keepalive.xml
0950b5
@@ -8,13 +8,19 @@
0950b5
       <description>The SSH ClientAliveCountMax should be set to an appropriate
0950b5
       value (and dependencies are met)</description>
0950b5
     </metadata>
0950b5
-    
0950b5
+    
0950b5
     operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
+      <criteria comment="sshd is not installed" operator="AND">
0950b5
+        
0950b5
+        definition_ref="sshd_not_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_removed" />
0950b5
+      </criteria>
0950b5
       <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
+        
0950b5
         definition_ref="sshd_required_or_unset" />
0950b5
+        
0950b5
+        definition_ref="package_openssh-server_installed" />
0950b5
         
0950b5
         test_ref="test_sshd_clientalivecountmax" />
0950b5
       </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_use_approved_ciphers.xml b/shared/checks/oval/sshd_use_approved_ciphers.xml
0950b5
index 84088aa5c..5a4e3a1f9 100644
0950b5
--- a/shared/checks/oval/sshd_use_approved_ciphers.xml
0950b5
+++ b/shared/checks/oval/sshd_use_approved_ciphers.xml
0950b5
@@ -9,13 +9,19 @@
0950b5
     </metadata>
0950b5
     <criteria operator="AND">
0950b5
       <extend_definition comment="Installed OS is certified" definition_ref="installed_OS_is_certified" />
0950b5
-      
0950b5
+      
0950b5
       operator="OR">
0950b5
-      
0950b5
-      definition_ref="sshd_not_required_or_unset" />
0950b5
-      <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-        
0950b5
-        definition_ref="sshd_required_or_unset" />
0950b5
+        <criteria comment="sshd is not installed" operator="AND">
0950b5
+          
0950b5
+          definition_ref="sshd_not_required_or_unset" />
0950b5
+          
0950b5
+          definition_ref="package_openssh-server_removed" />
0950b5
+        </criteria>
0950b5
+        <criteria comment="sshd is installed and configured" operator="AND">
0950b5
+          
0950b5
+          definition_ref="sshd_required_or_unset" />
0950b5
+          
0950b5
+          definition_ref="package_openssh-server_installed" />
0950b5
           
0950b5
           test_ref="test_sshd_use_approved_ciphers" />
0950b5
         </criteria>
0950b5
diff --git a/shared/checks/oval/sshd_use_approved_macs.xml b/shared/checks/oval/sshd_use_approved_macs.xml
0950b5
index d2f622af1..b403d0449 100644
0950b5
--- a/shared/checks/oval/sshd_use_approved_macs.xml
0950b5
+++ b/shared/checks/oval/sshd_use_approved_macs.xml
0950b5
@@ -9,13 +9,19 @@
0950b5
     </metadata>
0950b5
     <criteria operator="AND">
0950b5
       <extend_definition comment="Installed OS is certified" definition_ref="installed_OS_is_certified" />
0950b5
-      
0950b5
+      
0950b5
       operator="OR">
0950b5
-        
0950b5
-        definition_ref="sshd_not_required_or_unset" />
0950b5
+        <criteria comment="sshd is not installed" operator="AND">
0950b5
+          
0950b5
+          definition_ref="sshd_not_required_or_unset" />
0950b5
+          
0950b5
+          definition_ref="package_openssh-server_removed" />
0950b5
+        </criteria>
0950b5
         <criteria comment="sshd is installed and configured" operator="AND">
0950b5
-          
0950b5
+          
0950b5
           definition_ref="sshd_required_or_unset" />
0950b5
+          
0950b5
+          definition_ref="package_openssh-server_installed" />
0950b5
           
0950b5
           test_ref="test_sshd_use_approved_macs" />
0950b5
         </criteria>
0950b5
0950b5
From 441881052627a5b14be015d74d36d271f9268908 Mon Sep 17 00:00:00 2001
0950b5
From: Watson Sato <wsato@redhat.com>
0950b5
Date: Wed, 13 Dec 2017 18:22:29 +0100
0950b5
Subject: [PATCH 3/6] Remove backslashes from echo command
0950b5
0950b5
The echo command's output is literal, so there is no need for backslashes.
0950b5
---
0950b5
 .../rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh            | 2 +-
0950b5
 1 file changed, 1 insertion(+), 1 deletion(-)
0950b5
0950b5
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh
0950b5
index 227611543..7172539c7 100644
0950b5
--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh
0950b5
+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh
0950b5
@@ -5,5 +5,5 @@
0950b5
 if grep -q "^Ciphers" /etc/ssh/sshd_config; then
0950b5
 	sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
0950b5
 else
0950b5
-	echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
0950b5
+	echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se" >> /etc/ssh/sshd_config
0950b5
 fi
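Review bot: The backslashes were dropped only from the echo branch, while the sed branch above it still writes `rijndael-cbc@lysator\.liu\.se`; in a sed replacement string `\.` also yields a literal `.`, so the two branches still produce the same line but now look different, which invites a future edit to one and not the other. Drop them there too, `sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se/" /etc/ssh/sshd_config`, or better keep the list in one place, `ciphers="aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se"`, and use `Ciphers $ciphers` in both the sed replacement and the echo so the scenario cannot drift between the two branches.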
0950b5
0950b5
From 995a5e64eb841c73849571395cc985f94607c4cb Mon Sep 17 00:00:00 2001
0950b5
From: Watson Sato <wsato@redhat.com>
0950b5
Date: Mon, 18 Dec 2017 11:12:13 +0100
0950b5
Subject: [PATCH 4/6] Fix test scenarios for sshd_use_priv_separation
0950b5
0950b5
As of PR #2162 the rule checks for "sandbox".
0950b5
---
0950b5
 .../rule_sshd_use_priv_separation/correct_value.pass.sh               | 4 ++--
0950b5
 1 file changed, 2 insertions(+), 2 deletions(-)
0950b5
0950b5
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
0950b5
index d63caa85b..36e8c1bba 100644
0950b5
--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
0950b5
+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
0950b5
@@ -3,7 +3,7 @@
0950b5
 # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
0950b5
 
0950b5
 if grep -q "^UsePrivilegeSeparation" /etc/ssh/sshd_config; then
0950b5
-	sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation yes/" /etc/ssh/sshd_config
0950b5
+	sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation sandbox/" /etc/ssh/sshd_config
0950b5
 else
0950b5
-	echo "UsePrivilegeSeparation yes" >> /etc/ssh/sshd_config
0950b5
+	echo "UsePrivilegeSeparation sandbox" >> /etc/ssh/sshd_config
0950b5
 fi
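Review bot: Nothing in the scenario records why the expected value changed from `yes` to `sandbox`; the reason lives only in this commit message, and a reader of the test file later will not know whether `yes` is still acceptable to the rule. Add a comment above the `if`, `# As of PR #2162 the rule expects "sandbox", not plain "yes".`, so the scenario documents the contract it verifies.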
0950b5
0950b5
From 877f3620d7462e2af6727a9feff16d6a7f08a239 Mon Sep 17 00:00:00 2001
0950b5
From: Watson Sato <wsato@redhat.com>
0950b5
Date: Mon, 18 Dec 2017 11:40:07 +0100
0950b5
Subject: [PATCH 5/6] Fix test scenarios for sshd_disable_kerb_auth
0950b5
0950b5
As of PR #2463, the definition checks for absence of
0950b5
"KerberosAuthentication yes", as default setting is not enabled.
0950b5
---
0950b5
 .../group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh | 9 ---------
0950b5
 .../group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh | 9 +++++++++
0950b5
 .../{line_not_there.fail.sh => line_not_there.pass.sh}           | 0
0950b5
 3 files changed, 9 insertions(+), 9 deletions(-)
0950b5
 delete mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
0950b5
 create mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
0950b5
 rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/{line_not_there.fail.sh => line_not_there.pass.sh} (100%)
0950b5
0950b5
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
0950b5
deleted file mode 100644
0950b5
index 3ae082173..000000000
0950b5
--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
0950b5
+++ /dev/null
0950b5
@@ -1,9 +0,0 @@
0950b5
-#!/bin/bash
0950b5
-#
0950b5
-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
0950b5
-
0950b5
-if grep -q "^KerberosAuthentication" /etc/ssh/sshd_config; then
0950b5
-	sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication no/" /etc/ssh/sshd_config
0950b5
-else
0950b5
-	echo "# KerberosAuthentication no" >> /etc/ssh/sshd_config
0950b5
-fi
0950b5
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
0950b5
new file mode 100644
0950b5
index 000000000..c7d58fbc6
0950b5
--- /dev/null
0950b5
+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
0950b5
@@ -0,0 +1,9 @@
0950b5
+#!/bin/bash
0950b5
+#
0950b5
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
0950b5
+
0950b5
+if grep -q "^KerberosAuthentication" /etc/ssh/sshd_config; then
0950b5
+	sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication yes/" /etc/ssh/sshd_config
0950b5
+else
0950b5
+	echo "# KerberosAuthentication yes" >> /etc/ssh/sshd_config
0950b5
+fi
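Review bot: The new comment.pass.sh writes a commented-out `# KerberosAuthentication yes` and expects a pass, but the file itself does not say what it is proving; with the old comment.fail.sh deleted and line_not_there.fail.sh renamed to a pass scenario in the same commit, the directory appears to be left with no negative case unless one exists outside this diffstat. Add a header comment after the profiles line, `# A commented-out "KerberosAuthentication yes" must not be read as enabling it; sshd's default (disabled) applies, so the rule passes.`, and, if no other fail scenario is present, keep one that writes an uncommented `KerberosAuthentication yes` so the check is exercised in both directions. The same applies to the StrictModes comment.pass.sh hunk in the last patch on this page, which likewise lacks an explanatory comment for the commented `# StrictModes no` line.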
0950b5
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh
0950b5
similarity index 100%
0950b5
rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh
0950b5
rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh
0950b5
0950b5
From 4ebe165ede448c8998251257998cc94ea5cf3786 Mon Sep 17 00:00:00 2001
0950b5
From: Watson Sato <wsato@redhat.com>
0950b5
Date: Mon, 18 Dec 2017 11:52:39 +0100
0950b5
Subject: [PATCH 6/6] Fix test scenarios for sshd_enable_strictmodes
0950b5
0950b5
As of PR #2463, the definition checks for absence of "StrictModes no", as
0950b5
default value is enabled already.
0950b5
---
0950b5
 .../rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} | 4 ++--
0950b5
 .../{line_not_there.fail.sh => line_not_there.pass.sh}                | 0
0950b5
 2 files changed, 2 insertions(+), 2 deletions(-)
0950b5
 rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} (53%)
0950b5
 rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{line_not_there.fail.sh => line_not_there.pass.sh} (100%)
0950b5
0950b5
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
0950b5
similarity index 53%
0950b5
rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh
0950b5
rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
0950b5
index 3d3b90875..bac02cb4f 100644
0950b5
--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh
0950b5
+++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
0950b5
@@ -3,7 +3,7 @@
0950b5
 # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
0950b5
 
0950b5
 if grep -q "^StrictModes" /etc/ssh/sshd_config; then
0950b5
-	sed -i "s/^StrictModes.*/# StrictModes yes/" /etc/ssh/sshd_config
0950b5
+	sed -i "s/^StrictModes.*/# StrictModes no/" /etc/ssh/sshd_config
0950b5
 else
0950b5
-	echo "# StrictModes yes" >> /etc/ssh/sshd_config
0950b5
+	echo "# StrictModes no" >> /etc/ssh/sshd_config
0950b5
 fi
0950b5
diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh
0950b5
similarity index 100%
0950b5
rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh
0950b5
rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh