Open JGoutin opened 1 year ago
Same is true on Ubuntu 22.04
Our base /etc/ssh/sshd_config is the default, as shipped.
Our /etc/ssh/sshd_config.d/*.conf files override the defaults, but openscap reports a fail when the sshd_config default is more permissive, even though we have overridden it in a sshd_config.d/compliance.conf
Description of problem:
Applies to the rule `sshd_disable_gssapi_auth` (and may likely also concern other `sshd_*` rules checking `/etc/ssh/sshd_config`).
This rule checks that `GSSAPIAuthentication yes` is set in sshd config, but fails in the following case: there are two files setting `GSSAPIAuthentication` with opposite values:
- `/etc/ssh/sshd_config.d/50-redhat.conf`: `GSSAPIAuthentication yes` (file shipped with the OS)
- `/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf`: `GSSAPIAuthentication no` (file added by admin)
Running `sshd -T` confirms that the value is `GSSAPIAuthentication no`.
I assume the precedence order of `/etc/ssh/sshd_config.d` files parsed by the check is inverted.
SCAP Security Guide Version:
Benchmark ID: xccdf_org.ssgproject.content_benchmark_FEDORA
Benchmark version: 0.1.69
Profile ID: xccdf_org.ssgproject.content_profile_ospp
Operating System Version:
Fedora 38
Steps to Reproduce:
- `/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf`
- `/etc/ssh/sshd_config.d/50-redhat.conf` is present (should always be present on Fedora and likely some derivatives)
- `oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml`
Actual Results:
The rules check FAIL
Expected Results:
The rules check PASS
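As an added example (not part of this issue or of the ComplianceAsCode/OpenSCAP code), the resolution rule that `sshd -T` applies to the files above: directives are read top to bottom, `Include` expands its matching files in sorted (glob) order, and the first value seen for a keyword wins. The in-memory files are constructed stand-ins for the three files named in the issue, `first_wins=False` models the inverted precedence the reporter suspects, and `Match` blocks are not modelled.

```python
import fnmatch

# Constructed in-memory stand-ins for the files named in the issue.
# The shipped sshd_config puts the Include line before its own defaults.
FILES = {
    "/etc/ssh/sshd_config": (
        "# default config as shipped\n"
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "GSSAPIAuthentication yes\n"
    ),
    "/etc/ssh/sshd_config.d/50-redhat.conf": "GSSAPIAuthentication yes\n",
    "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf": "GSSAPIAuthentication no\n",
}


def _directives(files, path):
    """Yield (keyword, value) pairs in the order sshd reads them, expanding Include."""
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd_config allows "Keyword value" or "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break  # conditional block: global values are not affected (not modelled)
        if keyword == "include":
            for pattern in value.split():
                # glob(3) returns matches sorted, so 00-* is read before 50-*.
                for match in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    yield from _directives(files, match)
        else:
            yield keyword, value


def effective_value(files, keyword, first_wins=True):
    """Value sshd -T reports for keyword; first_wins=False models the inverted order."""
    found = [v for k, v in _directives(files, "/etc/ssh/sshd_config") if k == keyword.lower()]
    if not found:
        return None
    return found[0] if first_wins else found[-1]


def check_gssapi_disabled(files, first_wins=True):
    """Compliance check for sshd_disable_gssapi_auth: effective value must be 'no'."""
    return effective_value(files, "GSSAPIAuthentication", first_wins) == "no"
```

With the correct first-wins order the hardening file's `no` is effective and the check passes; treating the last value as effective yields `yes` and reproduces the false FAIL.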