The default for PermitRootLogin is yes [1], so this should fail if:
On 7/29/14, 8:43 PM, Gabe wrote:
- fix false positive for PermitRootLogin check in sshd_config Signed-off-by: Gabe <redhatrises@gmail.com> --- shared/oval/sshd_disable_root_login.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/oval/sshd_disable_root_login.xml b/shared/oval/sshd_disable_root_login.xml index 73c4906..6f8cede 100644 --- a/shared/oval/sshd_disable_root_login.xml +++ b/shared/oval/sshd_disable_root_login.xml @@ -15,7 +15,7 @@ <extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" /> <criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config" - test_ref="test_sshd_permitrootlogin_no" /> + negate="true" test_ref="test_sshd_permitrootlogin_no" /> </criteria> </definition> <ind:textfilecontent54_test check="all" check_existence="none_exist" @@ -25,7 +25,7 @@ </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_sshd_permitrootlogin_no" version="2"> <ind:filepath>/etc/ssh/sshd_config</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group>-- 2.0.0
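Review bot: negate="true" on a criterion whose test uses check_existence="none_exist" (first hunk, the `<criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config" ... test_ref="test_sshd_permitrootlogin_no" />` line) is a double negative that has to be read together with the test definition to understand; the same outcome is expressed more directly by setting check_existence="at_least_one_exists" on the test and leaving the criterion un-negated. The combination does behave correctly for a missing or unreadable sshd_config: the object collects no items, none_exist evaluates true, the negation makes the criterion false, and the rule fails rather than silently passing.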
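Review bot: the new pattern (second hunk) passes the check as soon as any line sets PermitRootLogin to no, but sshd uses the first value it reads for a keyword, so a file with `PermitRootLogin yes` above `PermitRootLogin no` passes this check while root login stays enabled; a stricter version would also require that no uncommented line sets PermitRootLogin to anything other than no, or that the matched line is the first PermitRootLogin directive. Separately, the trailing `(?:|(?:#.*))?$` carries a redundant empty alternative; `(?:#.*)?$` is equivalent and easier to read.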
- PermitRootLogin is left unconfigured
- PermitRootLogin is set to yes
The existing rule had a failure only if "PermitRootLogin yes".... changing it to scan for "PermitRootLogin no," with your negate statement, is a much cleaner way to ensure proper checking.
Ack.
[1] http://rc.quest.com/man.php?id=sshd_config(5)
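To make the before/after behaviour discussed above concrete, here is an added Python example (not part of the thread or of the scap-security-guide project) that emulates the relevant subset of an OVAL textfilecontent54_test, applies the old and new patterns from the patch to a few constructed sshd_config fragments, and reports which configurations each version of the check passes. The patterns are rewritten with Python's scoped `(?i:...)` flag, which is equivalent to the `(?i)...(?-i)` form in the patch; the config fragments and the `yes-then-no` case, which shows the first-value-wins limitation of a presence-only check, are constructed for the example.

```python
import re

# Python-compatible equivalents of the OVAL patterns in the patch.  The
# original uses (?i)PermitRootLogin(?-i); Python 3.11+ rejects global inline
# flags that are not at the start of a pattern, so the scoped form is used.
PATTERN_YES = re.compile(r"^\s*(?i:PermitRootLogin)\s+yes\s*(?:#.*)?$")
PATTERN_NO = re.compile(r"^\s*(?i:PermitRootLogin)\s+no\s*(?:#.*)?$")


def textfilecontent54_test(lines, pattern, check_existence, negate=False):
    """Emulate the subset of OVAL semantics this rule relies on: collect the
    lines matching `pattern`, apply the test's check_existence, then apply
    the criterion's negate attribute.  Returns True for 'pass'."""
    matches = [line for line in lines if pattern.match(line)]
    if check_existence == "none_exist":
        result = len(matches) == 0
    elif check_existence == "at_least_one_exists":
        result = len(matches) >= 1
    else:
        raise ValueError(f"unsupported check_existence: {check_existence}")
    return (not result) if negate else result


def old_check(lines):
    # Before the patch: pass unless a 'PermitRootLogin yes' line exists, so an
    # unconfigured file (whose default is yes) passes: the false positive.
    return textfilecontent54_test(lines, PATTERN_YES, "none_exist")


def new_check(lines):
    # After the patch: none_exist on 'PermitRootLogin no', negated, so the
    # rule passes only when an explicit 'PermitRootLogin no' line is present.
    return textfilecontent54_test(lines, PATTERN_NO, "none_exist", negate=True)


# Constructed sshd_config fragments (not taken from any real system).
CONFIGS = {
    "unconfigured": ["Port 22", "#PermitRootLogin yes"],
    "yes": ["PermitRootLogin yes"],
    "no": ["PermitRootLogin no  # hardened"],
    "without-password": ["PermitRootLogin without-password"],
    # sshd honours the first value it reads, so this host still allows root
    # login even though a 'no' line is present further down.
    "yes-then-no": ["PermitRootLogin yes", "PermitRootLogin no"],
}


def compare():
    """Map each constructed config to (old_check result, new_check result)."""
    return {name: (old_check(lines), new_check(lines))
            for name, lines in CONFIGS.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        old_s = "pass" if old else "fail"
        new_s = "pass" if new else "fail"
        print(f"{name:18s} before patch: {old_s:4s}  after patch: {new_s}")
```

The `unconfigured` and `without-password` rows show the fix working as the thread describes: both now fail. The `yes-then-no` row is the remaining gap of a presence-only check; closing it would need an additional test that no uncommented line sets PermitRootLogin to a value other than no.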
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/