Hello Lesley,
----- Original Message -----
From: "Lesley Kimmel" ljkimmel99@hotmail.com To: "SSG" scap-security-guide@lists.fedorahosted.org Sent: Thursday, June 11, 2015 12:14:56 AM Subject: RHEL6 SSG Bug (SSH,Ciphers)
All;
I ran into a bug in the latest SSG for RHEL6 (0.1.21-2). There is definitely an issue with the check for approved Ciphers. Initially the check passed with no entry at all for Ciphers. I then placed a Cipher line with (1) valid cipher: pass. Finally I put an entry in sshd_config with a bogus cipher: passed. I just ran into this at the end of my workday today so I didn't get much of a chance to analyze it. Plus I'm really just starting to dig into the 'innards' of the content so I don't fully realize the connections of all the various sections (rule/def/tst/obj/ste).
Thank you for the report. I will have a look into this issue && report the findings back once obtained.
I'm also pretty sure that some of the other checks against sshd_config are off. The check for 'PermitRootLogin no' passed even though the file contains '#PermitRootLogin yes
For this part it is possible the corresponding regular expression doesn't honours comments properly. I will double check that (btw would be good if you could try the very same with the most recent scap-security-guide 0.1.22 version from upstream's Git, since it's possible it got corrected upstream in between already). But I will double check that, and report back.
' and typically the checks are looking for the presence of the target string, not the absence of it.
For the last part ("the checks are looking for the presence of the target string, not the absence of it" - this is motivated by the "nature" of the sshd service and it's config file /etc/ssh/sshd_config.
A bit longer story about sshd hopefully without too much gory details being as follows - sshd besides loading settings from /etc/sshd/sshd_config file honours also internal "default" options / settings. To mention an example -- "Protocol 2" directive has become a default setting starting from certain sshd version. The implication of these internal "default" settings being that in order to obtain the exact sshd configuration, that will be actually used, it is not sufficient to inspect the content of /etc/ssh/sshd_config file, because it will not list / contain all the settings that will be actually applied.
The only way how to obtain the real settings is to run the "sshd -T" command, which will print out the real settings. Since in the OVAL checks it is not possible to run external / arbitrary commands (this limitation is one of the features of the OVAL language), it is not possible within sshd OVAL checks to run "sshd -T" to obtain final configuration, and therefore it is not possible reliably to verify if some setting is applied or not (it might be applied despite not being explicitly present in the /etc/ssh/sshd_config file. Like it is the case for the "Protocol 2" default internal setting for some time already).
Since we can't inspect the values of internal "default" options, the only way how for sure to tell if the system is configured properly, is to require the option being explicitly present in the /etc/ssh/sshd_config file. In other words we still require the "Protocol 2" directive to be explicitly present in the /etc/ssh/sshd_config file even when "Protocol 2" internal setting has become "default" already and it's very unlikely some sshd setting would use "Protocol 1" version. The obvious implication of this approach being that the sshd OVAL checks might report false negatives in some cases (system is configured properly due to the use of safe internal "default" value, but since the particular option isn't present in /etc/ssh/sshd_config [it's the sshd's default, so it's not necessary to be listed there, since it will be used anyway], we are reporting failure like in the case the system would be configured improperly).
There of course is a way how to report proper sshd results - add a new <sshd_test> probe to the 5.12 version of the OVAL language that would internally run "sshd -T" command when querying sshd options.
That way we would truly inspect sshd options, that would be really applied. But it is not a short-term solution (it takes time till the proposal is accepted into OVAL language, it takes time till the new feature is implemented, and last but not least it would work only on those OVAL scanner versions supporting OVAL 5.12 language versions. IOW till this is implemented, I am afraid we don't have a different option, just to explicitly require some option to be present in /etc/ssh/sshd_config even when this might lead to reporting false negatives in some cases).
Any input would be appreciated.
Hope the above explains the background / motivations behind requiring presence of an options a bit. FWIW regarding those two reported issues (Ciphers check && PermitRootLogin reporting PASS also with '#PermitRootLogin no' setting) I will inspect them yet && report the findings back.
Thanks,
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
Les Kimmel Systems Engineer, CSC
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/