Got it. So if the default behavior is disabled, then the scan passes.
Ignore this patch and the disable_rhosts patch then.
On Tue, Aug 5, 2014 at 12:27 PM, Shawn Wells <shawn(a)redhat.com> wrote:
On 8/5/14, 9:35 AM, Gabe Alford wrote:
Hi Shawn,
At least on RHEL6.5 if I run the scap scan (using oscap) with the
scap-security-guide without configuring sshd_config at all, the scan tells
me that I pass the 'Disable Host-Based Authentication' when in fact it is
not configured. Same thing goes for the other ignoring rhosts, and
disabling root login checks.
Thanks,
Gabe
Ah, yes, this is expected. The default for HostbasedAuthentication is
disabled, so the absence of explicit "HostbasedAuthentication no" is still
a pass.
Ref manpage @
http://rc.quest.com/man.php?id=sshd_config(5) (do a find on
"HostbasedAuthentication")
On Fri, Aug 1, 2014 at 2:10 PM, Shawn Wells <shawn(a)redhat.com> wrote:
>
> On 7/29/14, 8:43 PM, Gabe wrote:
>
>> - fix false positive for SSH host-based authentication check in
>> sshd_config
>>
>> Signed-off-by: Gabe <redhatrises(a)gmail.com>
>> ---
>> shared/oval/disable_host_auth.xml | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/shared/oval/disable_host_auth.xml
>> b/shared/oval/disable_host_auth.xml
>> index 6f4eb9d..de51fd7 100644
>> --- a/shared/oval/disable_host_auth.xml
>> +++ b/shared/oval/disable_host_auth.xml
>> @@ -14,7 +14,7 @@
>> <extend_definition comment="sshd service is disabled"
>> definition_ref="service_sshd_disabled" />
>> <criterion comment="Check HostbasedAuthentication in
>> /etc/ssh/sshd_config"
>> - test_ref="test_sshd_hostbasedauthentication" />
>> + negate="true"
test_ref="test_sshd_hostbasedauthentication" />
>> </criteria>
>> </definition>
>> <ind:textfilecontent54_test check="all"
check_existence="none_exist"
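Review bot: The negate="true" added to the criterion is stacked on a test that, per the context line below it, still uses check_existence="none_exist", so the requirement is now expressed as a double negative. Dropping negate and setting check_existence="at_least_one_exists" on the test would state it directly. The criterion comment still reads "Check HostbasedAuthentication in /etc/ssh/sshd_config"; it should say that an explicit setting is now required, because together with the pattern change in the next hunk this criterion evaluates to false for a file that has no HostbasedAuthentication line at all.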
>> @@ -24,7 +24,7 @@
>> </ind:textfilecontent54_test>
>> <ind:textfilecontent54_object
>> id="object_sshd_hostbasedauthentication" version="2">
>> <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
>> - <ind:pattern operation="pattern
>>
match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$</ind:pattern>
>> + <ind:pattern operation="pattern
>>
match">^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
>> <ind:instance datatype="int">1</ind:instance>
>> </ind:textfilecontent54_object>
>> </def-group>
>>
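Review bot: With the pattern switched from yes to no, nothing in this object looks for "HostbasedAuthentication yes" any more, so a file that contains both a yes line and a no line satisfies the check. sshd applies the first value it reads for a keyword, so a yes line followed by a no line leaves host-based authentication enabled while the rule reports compliance. Consider keeping the original yes pattern as a second test next to the new one, so that an explicit no is required and any yes line is still rejected.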
>
> The negate properly will fail you if HostbasedAuthentication != no, but
> I'm not getting the false positive. Can you share how to reproduce?
>
> this passes as expected:
> $ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
> HostbasedAuthentication no
> $ sudo ./testcheck.py disable_host_auth.xml
> Evaluating with OVAL tempfile : /tmp/disable_host_authaoRDFL.xml
> Writing results to : /tmp/disable_host_authaoRDFL.xml-results
> Definition oval:scap-security-guide.testing:def:103: false
> Definition oval:scap-security-guide.testing:def:101: false
> Definition oval:scap-security-guide.testing:def:100: true
> Evaluation done.
>
> fails as expected:
> $ sudo sed -i 's/HostbasedAuthentication no/HostbasedAuthentication yes/g' /etc/ssh/sshd_config
> $ sudo grep ^HostbasedAuthentication /etc/ssh/sshd_config
> HostbasedAuthentication yes
> $ sudo ./testcheck.py disable_host_auth.xml
> Evaluating with OVAL tempfile : /tmp/disable_host_auth2Vo5qy.xml
> Writing results to : /tmp/disable_host_auth2Vo5qy.xml-results
> Definition oval:scap-security-guide.testing:def:103: false
> Definition oval:scap-security-guide.testing:def:101: false
> Definition oval:scap-security-guide.testing:def:100: false
> Evaluation done.
>
>
>
> --
> SCAP Security Guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
>
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
https://github.com/OpenSCAP/scap-security-guide/
--
Shawn Wells
Director, Innovation Programs
shawn(a)redhat.com | 443.534.0130
@shawndwells
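Added example, not part of the original thread and not SCAP Security Guide code: a small Python comparison of the check before and after the patch against the setting sshd would actually apply, using the default of "no" stated above. The function names and sample files are constructed for illustration, and the parser is a simplification that only reads the global section before the first Match block.

```python
import re

# Python spellings of the two patterns in the patch; (?i:...) stands in for
# the (?i)...(?-i) toggle, which Python's re module does not accept mid-pattern.
YES_RE = re.compile(r"^[\s]*(?i:HostbasedAuthentication)[\s]+yes[\s]*(?:|(?:#.*))?$", re.M)
NO_RE = re.compile(r"^[\s]*(?i:HostbasedAuthentication)[\s]+no[\s]*(?:|(?:#.*))?$", re.M)


def original_check(config: str) -> bool:
    """Pre-patch logic: pass when no 'HostbasedAuthentication yes' line exists."""
    return YES_RE.search(config) is None


def patched_check(config: str) -> bool:
    """Patched logic (negated none_exist on 'no'): pass only with an explicit 'no' line."""
    return NO_RE.search(config) is not None


def effective_setting(config: str, default: str = "no") -> str:
    """Global value sshd applies: the first occurrence wins, otherwise the default."""
    for line in config.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0].lower() == "match":  # assumption: ignore conditional blocks
            break
        if fields[0].lower() == "hostbasedauthentication" and len(fields) > 1:
            return fields[1].lower()
    return default


# Constructed sample files, not taken from the thread.
SAMPLES = {
    "unconfigured": "Port 22\n#HostbasedAuthentication no\n",
    "explicit_no": "HostbasedAuthentication no\n",
    "explicit_yes": "HostbasedAuthentication yes\n",
    "yes_then_no": "HostbasedAuthentication yes\nHostbasedAuthentication no\n",
}


def compare() -> dict:
    """Map each sample to (effective value, original check passes, patched check passes)."""
    return {name: (effective_setting(text), original_check(text), patched_check(text))
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:13} effective={row[0]:3} original_pass={row[1]} patched_pass={row[2]}")
```

The "unconfigured" row is the case discussed in this thread: the setting is effectively disabled, the original check passes, and the patched check would fail it.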