Evaluation Characteristics

Target machine: localhost.localdomain
Benchmark URL: /usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml
Profile ID: xccdf_org.ssgproject.content_profile_common
Started at: 2014-10-17T09:07:43
Finished at: 2014-10-17T09:07:55
Performed by: root

CPE Platforms

  • cpe:/o:fedoraproject:fedora:21
  • cpe:/o:fedoraproject:fedora:20
  • cpe:/o:fedoraproject:fedora:19

Addresses

  • IPv4  127.0.0.1
  • IPv6  0:0:0:0:0:0:0:1
  • MAC  00:00:00:00:00:00

Compliance and Scoring

The target system did not satisfy conditions of 11 rules! Please review rule results and consider applying remediation.

Rule result breakdown

12 passed
11 failed
1 other

Failed rules by severity breakdown

1 high
8 medium
2 low
0 other

Score

Scoring system: urn:xccdf:scoring:default
Score: 34.722221
Maximum: 100.000000
Percentage: 34.72%

Rule Overview

Title  [Severity]  Result

Guide to the Secure Configuration of Fedora  (11x fail, 1x notchecked)
Introduction
General Principles
Encrypt Transmitted Data Whenever Possible
Minimize Software to Minimize Vulnerability
Run Different Network Services on Separate Systems
Configure Security Tools to Improve System Robustness
Least Privilege
How to Use This Guide
Read Sections Completely and in Order
Test in Non-Production Environment
Root Shell Environment Assumed
Formatting Conventions
Reboot Required
System Settings  (6x fail, 1x notchecked)
General System Wide Configuration Settings
Prelinking Disabled  [low, waived]  pass
Installing and Maintaining Software
Updating Software
gpgcheck Enabled In Main Yum Configuration  [high]  pass
gpgcheck Enabled For All Yum Package Repositories  [high]  pass
File Permissions and Masks  (1x fail)
Verify File Permissions Within Some Important Directories  (1x fail)
Shared Library Files Have Restrictive Permissions  [medium]  fail
Shared Library Files Have Root Ownership  [medium]  pass
System Executables Have Restrictive Permissions  [medium]  pass
System Executables Have Root Ownership  [medium]  pass
Account and Access Control  (5x fail, 1x notchecked)
Protect Accounts by Restricting Password-Based Login  (5x fail, 1x notchecked)
Restrict Root Logins  (1x fail, 1x notchecked)
Direct root Logins Not Allowed  [medium]  notchecked
Virtual Console Root Logins Restricted  [medium]  fail
Serial Port Root Logins Restricted  [low]  pass
Web Browser Use for Administrative Accounts Restricted  [low]  notselected
System Accounts Do Not Run a Shell Upon Login  [medium]  notselected
Only Root Has UID 0  [medium]  pass
Root Path Is Vendor Default  [low]  notselected
Proper Storage and Existence of Password Hashes  (1x fail)
Log In to Accounts With Empty Password Impossible  [high]  fail
Password Hashes For Each Account Shadowed  [medium]  pass
All GIDs referenced in /etc/passwd Defined in /etc/group  [low]  notselected
netrc Files Do Not Exist  [medium]  pass
Set Password Expiration Parameters  (3x fail)
Password Minimum Length  [medium]  fail
Password Minimum Age  [medium]  fail
Password Maximum Age  [medium]  fail
Password Warning Age  [low]  pass
Services  (5x fail)
Network Time Protocol  (2x fail)
NTP Daemon Enabled  [medium]  fail
Remote NTP Server Specified  [medium]  fail
SSH Server  (3x fail)
Configure OpenSSH Server if Necessary  (3x fail)
SSH Root Login Disabled  [medium]  fail
SSH Access via Empty Passwords Disabled  [high]  pass
SSH Idle Timeout Interval Used  [low]  fail
SSH Client Alive Count Used  [low]  fail

Result Details

Prelinking Disabled

Rule ID: xccdf_org.ssgproject.content_rule_disable_prelink
Result: pass
Time: 2014-10-17T09:07:43
Severity: low
Identifiers and References

references:  CM-6(d), CM-6(3), SC-28, SI-7

This rule has been waived by John Doe at 2014-11-06T15:45:43.
This is a false positive on our infrastructure.
The previous result was: fail.

The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file /etc/sysconfig/prelink:

PRELINKING=no

Next, run the following command to return binaries to a normal, non-prelinked state:

# /sbin/prelink -ua

gpgcheck Enabled In Main Yum Configuration

Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result: pass
Time: 2014-10-17T09:07:43
Severity: high
Identifiers and References

references:  SI-7, MA-1(b), 352, 663

The gpgcheck option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:

gpgcheck=1

gpgcheck Enabled For All Yum Package Repositories

Rule ID: xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result: pass
Time: 2014-10-17T09:07:43
Severity: high
Identifiers and References

references:  SI-7, MA-1(b), 352, 663

To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:

gpgcheck=0

Shared Library Files Have Restrictive Permissions

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
Result: fail
Time: 2014-10-17T09:07:51
Severity: medium
Identifiers and References

references:  AC-6, 1499

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:

# chmod go-w FILE

OVAL details

Items violating "library files go-w":

path                              type     UID  GID  size   permissions
/usr/lib/rpm/redhat/config.sub    regular  0    0    35576  rwxrwxr-x
/lib/rpm/redhat/config.guess      regular  0    0    45297  rwxrwxr-x
/lib/rpm/redhat/config.sub        regular  0    0    35576  rwxrwxr-x
/usr/lib/rpm/redhat/config.guess  regular  0    0    45297  rwxrwxr-x

Shared Library Files Have Root Ownership

Rule ID: xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
Result: pass
Time: 2014-10-17T09:07:53
Severity: medium
Identifiers and References

references:  AC-6, 1499

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command:

# chown root FILE

System Executables Have Restrictive Permissions

Rule ID: xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs
Result: pass
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  AC-6, 1499

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin

All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:

# chmod go-w FILE

System Executables Have Root Ownership

Rule ID: xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs
Result: pass
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  AC-6, 1499

System executables are stored in the following directories by default:

/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin

All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:

# chown root FILE

Direct root Logins Not Allowed

Rule ID: xccdf_org.ssgproject.content_rule_no_direct_root_logins
Result: notchecked
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  IA-2(1)

To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to log in to. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or via a raw network interface. This is dangerous, as a user could then log in to the machine as root via Telnet, which sends the password in plain text over the network. By default, Fedora's /etc/securetty file only allows the root user to log in at the console physically attached to the machine. To prevent direct root logins, remove the contents of this file by typing the following command:

echo > /etc/securetty

Virtual Console Root Logins Restricted

Rule ID: xccdf_org.ssgproject.content_rule_securetty_root_login_console_only
Result: fail
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  AC-6(2), 770

To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty:

vc/1
vc/2
vc/3
vc/4

OVAL details

Items violating "virtual consoles /etc/securetty":

path            content
/etc/securetty  vc/1
/etc/securetty  vc/2
/etc/securetty  vc/3
/etc/securetty  vc/4
/etc/securetty  vc/5
/etc/securetty  vc/6
/etc/securetty  vc/7
/etc/securetty  vc/8
/etc/securetty  vc/9
/etc/securetty  vc/10
/etc/securetty  vc/11

Serial Port Root Logins Restricted

Rule ID: xccdf_org.ssgproject.content_rule_restrict_serial_port_logins
Result: pass
Time: 2014-10-17T09:07:55
Severity: low
Identifiers and References

references:  AC-6(2), 770

To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:

ttyS0
ttyS1

Web Browser Use for Administrative Accounts Restricted

Rule ID: xccdf_org.ssgproject.content_rule_no_root_webbrowsing
Result: notselected
Time: 2014-10-17T09:07:55
Severity: low
Identifiers and References

Enforce policy requiring administrative accounts use web browsers only for local service administration.

System Accounts Do Not Run a Shell Upon Login

Rule ID: xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result: notselected
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf, 178

Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than 500. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:

# usermod -s /sbin/nologin SYSACCT

Only Root Has UID 0

Rule ID: xccdf_org.ssgproject.content_rule_no_uidzero_except_root
Result: pass
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  AC-6, IA-2(1), 366

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.

Root Path Is Vendor Default

Rule ID: xccdf_org.ssgproject.content_rule_root_path_default
Result: notselected
Time: 2014-10-17T09:07:55
Severity: low
Identifiers and References

Assuming the root shell is bash, edit the following files:

~/.profile
~/.bashrc

Change any PATH variables to the vendor default for root and remove any empty PATH entries or references to relative paths.

Log In to Accounts With Empty Password Impossible

Rule ID: xccdf_org.ssgproject.content_rule_no_empty_passwords
Result: fail
Time: 2014-10-17T09:07:55
Severity: high
Identifiers and References

references:  IA-5(b), IA-5(c), IA-5(1)(a)

If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.

OVAL details

Items violating "make sure nullok is not used in /etc/pam.d/system-auth":

path                    content
/etc/pam.d/system-auth  nullok

Password Hashes For Each Account Shadowed

Rule ID: xccdf_org.ssgproject.content_rule_no_hashes_outside_shadow
Result: pass
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  IA-5(h), 201

If any password hashes are stored in /etc/passwd (in the second field, instead of an x), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.

All GIDs referenced in /etc/passwd Defined in /etc/group

Rule ID: xccdf_org.ssgproject.content_rule_gid_passwd_group_same
Result: notselected
Time: 2014-10-17T09:07:55
Severity: low
Identifiers and References

references:  366

Add a group to the system for each GID referenced without a corresponding group.

netrc Files Do Not Exist

Rule ID: xccdf_org.ssgproject.content_rule_no_netrc_files
Result: pass
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  IA-5(h), 196

The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any .netrc files should be removed.

Password Minimum Length

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
Result: fail
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  IA-5(f), IA-5(1)(a), 205

To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_LEN 12

Values currently recommended as secure by various organizations focused on computer security range from 12 (FISMA) to 14 (DoD) characters for the minimum password length. If a program consults /etc/login.defs and also another PAM module (such as pam_cracklib) during a password change operation, then the most restrictive setting must be satisfied. See the PAM section for more information about enforcing password quality requirements.

OVAL details

Items violating "check PASS_MIN_LEN in /etc/login.defs":

path             content
/etc/login.defs  PASS_MIN_LEN 5

Remediation script:
var_accounts_password_minlen_login_defs="12"
grep -q ^PASS_MIN_LEN /etc/login.defs && \
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
  echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi

Password Minimum Age

Rule ID: xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs
Result: fail
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  IA-5(f), IA-5(1)(d), 198

To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line, replacing the DAYS item as appropriate:

PASS_MIN_DAYS DAYS

A value of 1 day is considered to be sufficient for many environments.

OVAL details

Items violating "Tests the value of PASS_MIN_DAYS in /etc/login.defs":

path             content
/etc/login.defs  PASS_MIN_DAYS 0

Remediation script:
var_accounts_minimum_age_login_defs="7"
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
  echo -e "PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi

Password Maximum Age

Rule ID: xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
Result: fail
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  IA-5(f), IA-5(g), IA-5(1)(d), 180, 199

To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line, replacing the DAYS item appropriately:

PASS_MAX_DAYS DAYS

A value of 180 days is sufficient for many environments.

OVAL details

Items violating "the value PASS_MAX_DAYS should be set appropriately in /etc/login.defs":

path             content
/etc/login.defs  PASS_MAX_DAYS 99999

Remediation script:
var_accounts_maximum_age_login_defs="90"
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
  echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi

Password Warning Age

Rule ID: xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs
Result: pass
Time: 2014-10-17T09:07:55
Severity: low
Identifiers and References

references:  IA-5(f)

To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line, replacing the DAYS item as appropriate:

PASS_WARN_AGE DAYS

A value of 7 days is generally considered standard.

NTP Daemon Enabled

Rule ID: xccdf_org.ssgproject.content_rule_service_ntpd_enabled
Result: fail
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  AU-8(1), 160

The ntpd service can be enabled with the following command:

# systemctl enable ntpd.service

Remediation script:
#
# Install ntp package if necessary
#

yum -y install ntp

#
# Enable ntpd service (for current systemd target)
#

systemctl enable ntpd.service

#
# Start ntpd if not currently running
#

systemctl start ntpd.service

Remote NTP Server Specified

Rule ID: xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server
Result: fail
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  AU-8(1), 160

To specify a remote NTP server for time synchronization, edit the file /etc/ntp.conf. Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver:

server ntpserver

This instructs the NTP software to contact that remote server to obtain time data.

SSH Root Login Disabled

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Result: fail
Time: 2014-10-17T09:07:55
Severity: medium
Identifiers and References

references:  AC-6(2), IA-2(1), 770

The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:

PermitRootLogin no

Remediation script:

SSHD_CONFIG='/etc/ssh/sshd_config'

# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)

# Obtain line number of first uncommented case-insensitive occurrence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)

# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then

    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
        echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG already
    else
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
    fi

# Case: Match block directive present in $SSHD_CONFIG
else

    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
    then
        # Prepend 'PermitRootLogin no' before first uncommented
        # case-insensitive occurrence of Match block directive
        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    #       before first Match block directive
    elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
    then
        # Replace first uncommented case-insensitive occurrence
        # of PermitRootLogin directive
        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG

    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
    # after first Match block directive
    else
         # Prepend 'PermitRootLogin no' before first uncommented
         # case-insensitive occurrence of Match block directive
         sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
    fi
fi

SSH Access via Empty Passwords Disabled

Rule ID: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result: pass
Time: 2014-10-17T09:07:55
Severity: high
Identifiers and References

references:  765, 766

To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

SSH Idle Timeout Interval Used

Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result: fail
Time: 2014-10-17T09:07:55
Severity: low
Identifiers and References

references:  879, 1133

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:

ClientAliveInterval INTERVAL

The timeout INTERVAL is given in seconds. To have a timeout of 15 minutes, set INTERVAL to 900.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

Remediation script:
sshd_idle_timeout_value="300"
SSHD_CONFIG='/etc/ssh/sshd_config'

# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)

# Obtain line number of first uncommented case-insensitive occurrence of
# ClientAliveInterval directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_CLIENT_ALIVE_INTERVAL=$(sed -n '/^[[:space:]]*ClientAliveInterval[^\n]*/I{=;q}' $SSHD_CONFIG)

# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then

    # Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
    then
        # Append 'ClientAliveInterval $sshd_idle_timeout_value' at the end of $SSHD_CONFIG
        echo -e "\nClientAliveInterval $sshd_idle_timeout_value" >> $SSHD_CONFIG

    # Case: ClientAliveInterval directive present in $SSHD_CONFIG already
    else
        # Replace first uncommented case-insensitive occurrence
        # of ClientAliveInterval directive
        sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
    fi

# Case: Match block directive present in $SSHD_CONFIG
else

    # Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
    then
        # Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
        # case-insensitive occurrence of Match block directive
        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG

    # Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
    #       before first Match block directive
    elif [ "$FIRST_CLIENT_ALIVE_INTERVAL" -lt "$FIRST_MATCH_BLOCK" ]
    then
        # Replace first uncommented case-insensitive occurrence
        # of ClientAliveInterval directive
        sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG

    # Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
    # after first Match block directive
    else
         # Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
         # case-insensitive occurrence of Match block directive
         sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
    fi
fi

SSH Client Alive Count Used

Rule ID: xccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result: fail
Time: 2014-10-17T09:07:55
Severity: low
Identifiers and References

references:  879, 1133

To ensure the SSH idle timeout takes effect as soon as the interval set by ClientAliveInterval elapses, edit /etc/ssh/sshd_config as follows:

ClientAliveCountMax 0

Remediation script:

SSHD_CONFIG='/etc/ssh/sshd_config'

# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)

# Obtain line number of first uncommented case-insensitive occurrence of
# ClientAliveCountMax directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_CLIENT_ALIVE_COUNT_MAX=$(sed -n '/^[[:space:]]*ClientAliveCountMax[^\n]*/I{=;q}' $SSHD_CONFIG)

# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then

    # Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
    then
        # Append 'ClientAliveCountMax 0' at the end of $SSHD_CONFIG
        echo -e "\nClientAliveCountMax 0" >> $SSHD_CONFIG

    # Case: ClientAliveCountMax directive present in $SSHD_CONFIG already
    else
        # Replace first uncommented case-insensitive occurrence
        # of ClientAliveCountMax directive
        sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
    fi

# Case: Match block directive present in $SSHD_CONFIG
else

    # Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
    if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
    then
        # Prepend 'ClientAliveCountMax 0' before first uncommented
        # case-insensitive occurrence of Match block directive
        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG

    # Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
    #       before first Match block directive
    elif [ "$FIRST_CLIENT_ALIVE_COUNT_MAX" -lt "$FIRST_MATCH_BLOCK" ]
    then
        # Replace first uncommented case-insensitive occurrence
        # of ClientAliveCountMax directive
        sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG

    # Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
    # after first Match block directive
    else
         # Prepend 'ClientAliveCountMax 0' before first uncommented
         # case-insensitive occurrence of Match block directive
         sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
    fi
fi