On 1/27/14, 11:00 AM, Shawn Wells wrote:
0001-Added-sshd_set_idle_timeout-to-shared-RHEL7.patch
From 8d42270022be11ee84d128dd4eec54cd37a1612c Mon Sep 17 00:00:00 2001 From: Shawn Wellsshawn@redhat.com Date: Thu, 23 Jan 2014 00:54:35 -0500 Subject: [PATCH 01/10] Added sshd_set_idle_timeout to shared/ + RHEL7
- Moved sshd_set_idle_timeout.xml to shared/, tested on RHEL7, updated CPE info
- Added to RHEL7 rht-ccp profile
RHEL/6/input/checks/sshd_set_idle_timeout.xml | 38 +-------------------------- RHEL/7/input/checks/sshd_set_idle_timeout.xml | 1 + RHEL/7/input/profiles/rht-ccp.xml | 11 +++++--- scap-security-guide.spec | 6 ++++- shared/oval/sshd_set_idle_timeout.xml | 38 +++++++++++++++++++++++++++ 5 files changed, 52 insertions(+), 42 deletions(-) mode change 100644 => 120000 RHEL/6/input/checks/sshd_set_idle_timeout.xml create mode 120000 RHEL/7/input/checks/sshd_set_idle_timeout.xml create mode 100644 shared/oval/sshd_set_idle_timeout.xml
diff --git a/RHEL/6/input/checks/sshd_set_idle_timeout.xml b/RHEL/6/input/checks/sshd_set_idle_timeout.xml
deleted file mode 100644
index 5183876..0000000
--- a/RHEL/6/input/checks/sshd_set_idle_timeout.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<def-group>
<definition class="compliance" id="sshd_set_idle_timeout" version="1">
<metadata>
<title>Set OpenSSH Idle Timeout Interval</title><affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected><description>The SSH idle timeout interval should be set to anappropriate value.</description><reference source="MED" ref_id="20130813" ref_url="test_attestation" /></metadata>
- <criteria comment="SSH is not being used or conditions are met"
- operator="OR">
<extend_definition comment="sshd service is disabled"definition_ref="service_sshd_disabled" /><criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config"test_ref="test_sshd_idle_timeout" /></criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="timeout is configured" id="test_sshd_idle_timeout" version="1">
- <ind:object object_ref="object_sshd_idle_timeout" />
- <ind:state state_ref="state_timeout_value" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="1">
- ind:filepath/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_state comment="ClientAliveInterval in seconds"
- id="state_timeout_value" version="1">
- <ind:subexpression datatype="int" operation="less than or equal" var_check="all"
- var_ref="sshd_idle_timeout_value" />
- </ind:textfilecontent54_state>
- <external_variable comment="timeout value" datatype="int"
- id="sshd_idle_timeout_value" version="1" />
-</def-group>
diff --git a/RHEL/6/input/checks/sshd_set_idle_timeout.xml b/RHEL/6/input/checks/sshd_set_idle_timeout.xml
new file mode 120000
index 0000000..2e9bd9a
--- /dev/null
+++ b/RHEL/6/input/checks/sshd_set_idle_timeout.xml
@@ -0,0 +1 @@
+../../../../shared/oval/sshd_set_idle_timeout.xml
\ No newline at end of file
diff --git a/RHEL/7/input/checks/sshd_set_idle_timeout.xml b/RHEL/7/input/checks/sshd_set_idle_timeout.xml
new file mode 120000
index 0000000..2e9bd9a
--- /dev/null
+++ b/RHEL/7/input/checks/sshd_set_idle_timeout.xml
@@ -0,0 +1 @@
+../../../../shared/oval/sshd_set_idle_timeout.xml
\ No newline at end of file
diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml
index 7bf1318..02dcbd1 100644
--- a/RHEL/7/input/profiles/rht-ccp.xml
+++ b/RHEL/7/input/profiles/rht-ccp.xml
@@ -80,10 +80,11 @@
<select idref="file_ownership_library_dirs" selected="true"/> <select idref="file_permissions_binary_dirs" selected="true"/> <select idref="file_ownership_binary_dirs" selected="true"/> -<!-- these need to be updated - for RHEL7 <select idref="file_permissions_var_log_audit" selected="true"/> -<select idref="user_owner_grub_conf" selected="true"/> + +<!-- These checks need to be updated for RHEL7, + specifically new locations of grub +<select idref="user_owner_grub_conf" selected="true"/> <select idref="group_owner_grub_conf" selected="true"/> <select idref="permissions_grub_conf" selected="true"/> <select idref="bootloader_password" selected="true"/> --> @@ -123,8 +124,10 @@ ANTIQUATED SERVICES <select idref="service_rdisc_disabled" selected="true"/>
SSH / REMOTE ACCESS CHECKS -<select idref="sshd_allow_only_protocol2" selected="true"/> +<select idref="sshd_allow_only_protocol2" selected="true"/> -->
<select idref="sshd_set_idle_timeout" selected="true"/> + +<!-- <select idref="sshd_set_keepalive" selected="true"/> <select idref="sshd_disable_rhosts" selected="true"/> <select idref="disable_host_auth" selected="true"/>
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 7925b6e..c93b8be 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,4 +1,4 @@
-%global redhatssgrelease 16.rc2
+%global redhatssgrelease 16.rc3
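Review bot: Selecting sshd_set_idle_timeout here makes the profile depend on the OVAL external variable sshd_idle_timeout_value, and nothing in this hunk pins that value with a `<refine-value idref="sshd_idle_timeout_value" selector="…"/>` (placeholder selector), so the bound comes from whatever default selector the XCCDF Value carries; worth confirming that default is the interval rht-ccp intends on RHEL7. The hunk is collapsed on this page so the comment boundaries are hard to read, but if the `-->` placed after sshd_allow_only_protocol2 and the `<!--` placed before sshd_set_keepalive are what they appear to be, the profile now enables and disables rules by moving XML comment markers, which is easy to get wrong and hides the disabled rules from tooling. Marking the rules that should stay off with `selected="false"` instead would keep every rule visible and leave the profile comment-free; the `@@ -80` hunk in this file has the same pattern.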
Name: scap-security-guide
Version: 0.1
@@ -53,6 +53,10 @@ cp -a RHEL/6/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
%doc RHEL/6/LICENSE RHEL/6/output/rhel6-guide.html RHEL/6/output/table-rhel6-cces.html RHEL/6/output/table-rhel6-nistrefs-common.html RHEL/6/output/table-rhel6-nistrefs.html RHEL/6/output/table-rhel6-srgmap-flat.html RHEL/6/output/table-rhel6-srgmap-flat.xhtml RHEL/6/output/table-rhel6-srgmap.html RHEL/6/output/table-rhel6-stig.html JBossEAP5/docs/JBossEAP5_Guide.html
%changelog
+* Thu Jan 23 2014 Shawn Wellsshawn@redhat.com 0.1-16.rc3
++ Added to RHEL7 content pool
+- OVAL for sshd_set_idle_timeout
- Tue Dec 24 2013 Shawn Wellsshawn@redhat.com 0.1-16.rc2
- RHEL6 stig-rhel6-server XCCDF profile renamed to stig-rhel6-server-upstream
diff --git a/shared/oval/sshd_set_idle_timeout.xml b/shared/oval/sshd_set_idle_timeout.xml
new file mode 100644
index 0000000..ad63830
--- /dev/null
+++ b/shared/oval/sshd_set_idle_timeout.xml
@@ -0,0 +1,38 @@
+<def-group>
<definition class="compliance" id="sshd_set_idle_timeout" version="1">
<metadata>
<title>Set OpenSSH Idle Timeout Interval</title><affected family="unix"><platform>Red Hat Enterprise Linux 6</platform><platform>Red Hat Enterprise Linux 7</platform></affected><description>The SSH idle timeout interval should be set to anappropriate value.</description><reference source="MED" ref_id="20130813" ref_url="test_attestation" /></metadata>
- <criteria comment="SSH is not being used or conditions are met"
- operator="OR">
<extend_definition comment="sshd service is disabled"definition_ref="service_sshd_disabled" /><criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config"test_ref="test_sshd_idle_timeout" /></criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="timeout is configured" id="test_sshd_idle_timeout" version="1">
- <ind:object object_ref="object_sshd_idle_timeout" />
- <ind:state state_ref="state_timeout_value" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="1">
- ind:filepath/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_state comment="ClientAliveInterval in seconds"
- id="state_timeout_value" version="1">
- <ind:subexpression datatype="int" operation="less than or equal" var_check="all"
- var_ref="sshd_idle_timeout_value" />
- </ind:textfilecontent54_state>
- <external_variable comment="timeout value" datatype="int"
- id="sshd_idle_timeout_value" version="1" />
+</def-group>
--
1.8.3.1
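Review bot: The state state_timeout_value accepts `ClientAliveInterval 0`: the pattern's `(\d+)` captures 0, and 0 is `less than or equal` to any positive sshd_idle_timeout_value, so a host that has the idle timeout explicitly disabled (0 is sshd's "never send client-alive messages" setting) passes this check. A second state bounding the captured value above 0, referenced from test_sshd_idle_timeout next to the existing one (a test's states are ANDed by default), closes that gap; the rewritten test and the new state are below. Separately, the `<reference source="MED" ref_id="20130813" ref_url="test_attestation" />` still carries the RHEL6 attestation date although the commit message says the check was tested on RHEL7, so the RHEL7 attestation is not recorded. The page shows this new-file hunk's lines with `-` markers and `ind:filepath` without its opening `<`, which looks like rendering damage rather than patch content, but the shipped file is worth diffing against the RHEL6 original to be sure.
```xml
  <ind:textfilecontent54_test check="all" check_existence="all_exist"
  comment="timeout is configured" id="test_sshd_idle_timeout" version="1">
    <ind:object object_ref="object_sshd_idle_timeout" />
    <ind:state state_ref="state_timeout_value" />
    <ind:state state_ref="state_timeout_nonzero" />
  </ind:textfilecontent54_test>
  <!-- … unchanged: object_sshd_idle_timeout, state_timeout_value … -->
  <ind:textfilecontent54_state comment="ClientAliveInterval is not disabled (0)"
  id="state_timeout_nonzero" version="1">
    <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
  </ind:textfilecontent54_state>
```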
Pushing the set per ack from Dave (he has no email access at the moment, only chat)
scap-security-guide@lists.fedorahosted.org