Hi,
The patch size is misleading: it's just a simple generalization of Jan
Lieskovsky's Fedora sshd_* fixes on shared/ and a bunch of symlinks.
I could try to figure out how to break it, but I'm not sure it would help.
Thanks
-----Original Message-----
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells
Sent: Thursday, 29 May 2014 03:44
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Re: [PATCH 01/01] Several changes in sshd_* fixes (ignore previous)
On 5/28/14, 11:55 AM, Rui Pedro Bernardino wrote:
From: Rui Bernardino <rui-p-bernardino(a)telecom.pt>
Signed-off-by: Rui Bernardino <rui-p-bernardino(a)telecom.pt>
---
Fedora/input/fixes/bash/sshd_disable_rhosts.sh | 1 +
.../fixes/bash/sshd_do_not_permit_user_env.sh | 1 +
.../input/fixes/bash/sshd_enable_warning_banner.sh | 1 +
.../input/fixes/bash/sshd_use_approved_ciphers.sh | 1 +
.../fixes/bash/sshd_disable_empty_passwords.sh | 6 +--
RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh | 6 +--
RHEL/6/input/fixes/bash/sshd_disable_root_login.sh | 6 +--
.../fixes/bash/sshd_do_not_permit_user_env.sh | 6 +--
.../input/fixes/bash/sshd_enable_warning_banner.sh | 6 +--
RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh | 9 +---
RHEL/6/input/fixes/bash/sshd_set_keepalive.sh | 6 +--
.../input/fixes/bash/sshd_use_approved_ciphers.sh | 6 +--
.../fixes/bash/sshd_disable_empty_passwords.sh | 6 +--
RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh | 6 +--
RHEL/7/input/fixes/bash/sshd_disable_root_login.sh | 6 +--
.../fixes/bash/sshd_do_not_permit_user_env.sh | 6 +--
.../input/fixes/bash/sshd_enable_warning_banner.sh | 6 +--
RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh | 9 +---
RHEL/7/input/fixes/bash/sshd_set_keepalive.sh | 6 +--
.../input/fixes/bash/sshd_use_approved_ciphers.sh | 6 +--
shared/fixes/bash/sshd_disable_empty_passwords.sh | 42 ++++++++-------
shared/fixes/bash/sshd_disable_rhosts.sh | 57 ++++++++++++++++++++
shared/fixes/bash/sshd_disable_root_login.sh | 42 ++++++++-------
shared/fixes/bash/sshd_do_not_permit_user_env.sh | 57 ++++++++++++++++++++
shared/fixes/bash/sshd_enable_warning_banner.sh | 57 ++++++++++++++++++++
shared/fixes/bash/sshd_set_idle_timeout.sh | 43 ++++++++-------
shared/fixes/bash/sshd_set_keepalive.sh | 42 ++++++++-------
shared/fixes/bash/sshd_use_approved_ciphers.sh | 57 ++++++++++++++++++++
28 files changed, 337 insertions(+), 166 deletions(-)
create mode 120000 Fedora/input/fixes/bash/sshd_disable_rhosts.sh
create mode 120000 Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh
create mode 120000 Fedora/input/fixes/bash/sshd_enable_warning_banner.sh
create mode 120000 Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh
mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh
mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh
mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_root_login.sh
mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh
mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh
mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh
mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_set_keepalive.sh
mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh
mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh
mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh
mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_root_login.sh
mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh
mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh
mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh
mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_set_keepalive.sh
mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh
create mode 100755 shared/fixes/bash/sshd_disable_rhosts.sh
create mode 100755 shared/fixes/bash/sshd_do_not_permit_user_env.sh
create mode 100755 shared/fixes/bash/sshd_enable_warning_banner.sh
create mode 100755 shared/fixes/bash/sshd_use_approved_ciphers.sh
Thanks, Rui! Gave a quick review and noted how you added logic to check the various
stanzas for occurrence location of various configuration directives (e.g. in
sshd_disable_empty_passwords).
The changes are a bit hard to parse as a single patch. Mind breaking this into multiple
patches?