For SSH (and other configurations), we want to preserve the ability to not flag non-compliance if the default (unspecified) is compliant. It reduces costs, which makes for a more compelling (less uncompelling?) argument for C&A activities.
The wording of this is rough and definitely not final. After all the other checks and profile inclusion adjustments are complete, and when we get to copy editing, it will undoubtedly be improved.

Jeffrey Blank (1):
  added new macro for SSH checks (rough wording for now), and used it

 RHEL6/input/services/ssh.xml          | 15 +++++++++++++++
 RHEL6/transforms/shorthand2xccdf.xslt | 21 ++++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletions(-)

Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/services/ssh.xml          | 15 +++++++++++++++
 RHEL6/transforms/shorthand2xccdf.xslt | 21 ++++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml index d60e499..9bbab3a 100644 --- a/RHEL6/input/services/ssh.xml +++ b/RHEL6/input/services/ssh.xml @@ -205,6 +205,9 @@ To ensure that this behavior is disabled, add or correct the following line: <pre>IgnoreRhosts yes</pre> </description> +<ocil> +<sshd-check-macro option="IgnoreRhosts" value="yes" default="yes" /> +</ocil> <rationale> SSH trust relationships mean that a compromise on one host can allow an attacker to move trivially to other hosts. @@ -226,6 +229,9 @@ To disable host-based authentication, add or correct the following line: <pre>HostbasedAuthentication no</pre> </description> +<ocil> +<sshd-check-macro option="HostbasedAuthentication" value="no" default="yes" /> +</ocil> <rationale> SSH trust relationships mean that a compromise on one host can allow an attacker to move trivially to other hosts. @@ -242,6 +248,9 @@ system directly over a network. To disable root login via SSH, add or correct the following line: <pre>PermitRootLogin no</pre> </description> +<ocil> +<sshd-check-macro option="PermitRootLogin" value="no" default="no" /> +</ocil> <rationale> Permitting direct root login reduces auditable information about who ran privileged commands on the system @@ -261,6 +270,9 @@ empty passwords, add or correct the following line: Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. </description> +<ocil> +<sshd-check-macro option="PermitEmptyPasswords" value="no" default="yes" /> +</ocil> <rationale> Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, 
@@ -279,6 +291,9 @@ across the system, add or correct the following line in <tt>/etc/ssh/sshd_config Another section contains information on how to create an appropriate system-wide warning banner. </description> +<ocil> +<sshd-check-macro option="Banner" value="/etc/issue" default="no" /> +</ocil> <rationale> Although unlikely to dissuade a serious attacker, the warning message reinforces policy awareness during the logon process. Alternatively, diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index e046709..8511fd2 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -45,7 +45,9 @@ exclude-result-prefixes="xccdf xhtml"> <xsl:apply-templates select="ref"/> <xsl:apply-templates select="rationale"/> <xsl:apply-templates select="ident"/> - <xsl:apply-templates select="node()[not(self::title|self::description|self::warning|self::ref|self::rationale|self::ident)]"/> + <!-- order oval (shorthand tag) first, to indicate to tools to prefer its automated checks --> + <xsl:apply-templates select="oval"/> + <xsl:apply-templates select="node()[not(self::title|self::description|self::warning|self::ref|self::rationale|self::ident|self::oval)]"/> </xsl:copy> </xsl:template>
@@ -197,6 +199,7 @@ exclude-result-prefixes="xccdf xhtml"> <xsl:if test="package-check-macro">the package is installed</xsl:if> <xsl:if test="module-disable-check-macro">no line is returned</xsl:if> <xsl:if test="audit-syscall-check-macro">no line is returned</xsl:if> + <xsl:if test="sshd-check-macro">the required value is not set</xsl:if> </xsl:attribute>
<!-- add clause if explicitly specified (and also override any above) --> @@ -367,6 +370,22 @@ If the system is configured to audit this activity, it will return a line. </xsl:template>
+ <xsl:template match="sshd-check-macro"> + <!-- could also do this with sshd -T to test live configuration --> + To determine how the SSH daemon's + xhtml:code<xsl:value-of select="@option"/></xhtml:code> + option is set, run the following command: + <xhtml:pre xml:space="preserve"># grep -i <xsl:value-of select="@option"/> /etc/ssh/sshd_config</xhtml:pre> + <xsl:if test="@default='yes'"> + If no line, a commented line, or a line indicating the value + xhtml:code<xsl:value-of select="@value"/></xhtml:code> is returned, then the required value is set. + </xsl:if> + <xsl:if test="@default='no' or @default=''"> + If a line indicating <xsl:value-of select="@value"/> is returned, then the required value is set. + </xsl:if> + </xsl:template> + + <!-- CORRECTING TERRIBLE ABUSE OF NAMESPACES BELOW --> <!-- (expanding xhtml tags back into the xhtml namespace) --> <xsl:template match="br">
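Review bot: the `default` attribute on the new `<sshd-check-macro>` elements is easy to misread. It looks like the option's built-in default value, but the XSLT consumes it as "is the unspecified default already compliant", so the HostbasedAuthentication hunk's `<sshd-check-macro option="HostbasedAuthentication" value="no" default="yes" />` reads at first glance as a contradiction. The five values as written are consistent with OpenSSH's shipped defaults (IgnoreRhosts, HostbasedAuthentication and PermitEmptyPasswords are compliant when unset; PermitRootLogin and Banner are not), so nothing is wrong today, but a clearer name such as `default-compliant="yes"`, or a comment on the macro's first use in ssh.xml explaining the meaning, would stop a later editor from "correcting" the HostbasedAuthentication line to `default="no"` and silently inverting the check.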
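Review bot: in the shorthand2xccdf.xslt hunk at line 45, the `node()[not(self::title|...|self::ident|self::oval)]` predicate now has to be kept in sync with every explicit `<xsl:apply-templates>` above it; `self::oval` was added in both places here, but the next explicitly ordered child will need the same two-place edit and nothing in the file says so. A short comment stating that invariant next to the predicate (or listing the remaining children explicitly instead of excluding the ordered ones) would make the ordering rule the comment describes harder to break.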
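Review bot: in the `sshd-check-macro` template, `<xsl:if test="@default='no' or @default=''">` is false when the `default` attribute is absent altogether, because in XPath 1.0 comparing an empty node-set to a string yields false, so a macro written without `default=` would emit neither sentence. Since the intent is "everything that is not default='yes'", `<xsl:if test="not(@default='yes')">` covers absent, empty and "no" in one test. Two smaller points on the same hunk: `xhtml:code<xsl:value-of select="@option"/></xhtml:code>` appears twice with no opening `<` on the `xhtml:code` tag, which should be confirmed against the source; and because `grep -i <option> /etc/ssh/sshd_config` is unanchored, the `default='no'` branch's "If a line indicating X is returned" would be satisfied by a commented-out `#PermitRootLogin no`, so that sentence should say "an uncommented line". The `sshd -T` idea in the comment would sidestep both the comment and the unset-default ambiguity, since it prints the effective value of every keyword.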
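The cover letter's design point, "do not flag non-compliance when the unspecified default is compliant", can be expressed as a small checker. The following is an added example and is not code from the scap-security-guide project or from this patch; it reads a file in sshd_config syntax and applies the five (option, value, default-compliant) triples that the patch's `<sshd-check-macro>` uses carry. It goes one step beyond the grep in the macro by following two rules from sshd_config(5): for a keyword given more than once, the first occurrence wins, and directives after a `Match` line are conditional, so they are reported separately rather than treated as global settings. The sample configurations are constructed for the example.

```python
"""Default-aware sshd_config compliance check.

Added example, not part of scap-security-guide.  The MACROS table
mirrors the five <sshd-check-macro> elements in the patch; the sample
configurations below are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# (option, required value, default is already compliant), copied from the
# five macro uses in RHEL6/input/services/ssh.xml in the patch.
MACROS: List[Tuple[str, str, bool]] = [
    ("IgnoreRhosts", "yes", True),
    ("HostbasedAuthentication", "no", True),
    ("PermitRootLogin", "no", False),
    ("PermitEmptyPasswords", "no", True),
    ("Banner", "/etc/issue", False),
]

# sshd accepts "Keyword value", "Keyword=value" and "Keyword = value".
_DIRECTIVE = re.compile(r"^\s*([^\s=#]+)\s*=?\s*(.*?)\s*$")


def parse_global_directives(config_text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (globals, match_scoped).

    globals maps a lower-cased keyword to the FIRST value seen for it,
    which is the value sshd actually uses.  Global parsing stops at the
    first 'Match' line; keywords found after it are conditional and are
    returned in match_scoped so a reviewer can inspect them by hand.
    """
    globals_: Dict[str, str] = {}
    scoped: List[str] = []
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented line: no effect on sshd
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            scoped.append(keyword)
            continue
        globals_.setdefault(keyword, value)  # first occurrence wins
    return globals_, scoped


def effective_value(config_text: str, option: str) -> Optional[str]:
    """Global value of option, or None when sshd's built-in default applies."""
    return parse_global_directives(config_text)[0].get(option.lower())


def check_option(config_text: str, option: str, required: str,
                 default_compliant: bool) -> bool:
    """True when the option is compliant, honouring a compliant default."""
    value = effective_value(config_text, option)
    if value is None:
        return default_compliant  # unset: compliant only if the default is
    return value.lower() == required.lower()


def evaluate_macros(config_text: str) -> Dict[str, bool]:
    """Apply every macro triple from the patch to one configuration."""
    return {opt: check_option(config_text, opt, val, dflt)
            for opt, val, dflt in MACROS}


# Constructed sample: the commented PermitRootLogin line is inert, and
# the three unset options fall back to compliant defaults.
SAMPLE_OK = """\
#PermitRootLogin yes
PermitRootLogin no
IgnoreRhosts yes
Banner /etc/issue
"""

# Constructed sample: first occurrence of PermitRootLogin wins, and the
# two directives under Match are conditional, not global settings.
SAMPLE_BAD = """\
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitEmptyPasswords yes
    IgnoreRhosts no
"""

if __name__ == "__main__":
    for name, cfg in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        results = evaluate_macros(cfg)
        _, scoped = parse_global_directives(cfg)
        print(name, results, "match-scoped:", scoped)
```

Note that, like the macro's grep, this checks only the global scope; a `Match` block can still loosen a setting for particular users or hosts, which is why the scoped keywords are returned for manual review rather than silently ignored.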
Looks great; ACK
On 09/27/2012 09:49 AM, Jeffrey Blank wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide