ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

sshd configuration check misses detection if a parameter is set in multiple files in /etc/ssh/sshd_config.d #11221

Open JGoutin opened 1 year ago

JGoutin commented 1 year ago

Description of problem:

Applies to the rule sshd_disable_gssapi_auth (and may also concern other sshd_* rules checking /etc/ssh/sshd_config).

This rule checks that GSSAPIAuthentication yes is set in the sshd config, but fails in the following case:

There are two files setting GSSAPIAuthentication with opposite values.

Running sshd -T confirms that the value is GSSAPIAuthentication no.

I assume the precedence order of /etc/ssh/sshd_config.d files parsed by the check is inverted.

SCAP Security Guide Version:

Benchmark ID: xccdf_org.ssgproject.content_benchmark_FEDORA
Benchmark version: 0.1.69
Profile ID: xccdf_org.ssgproject.content_profile_ospp

Operating System Version:

Fedora 38

Steps to Reproduce:

Actual Results:

The rule check returns FAIL.

Expected Results:

The rule check returns PASS.

rbur004 commented 1 week ago

Same is true on Ubuntu 22.04

Our base /etc/ssh/sshd_config is the default, as shipped.

Our /etc/ssh/sshd_config.d/*.conf files override the defaults, but OpenSCAP reports a FAIL when the sshd_config default is more permissive, even though we have overridden it in sshd_config.d/compliance.conf.
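Both reports above hinge on how sshd(8) resolves a keyword that appears more than once: per sshd_config(5), the first value obtained wins, and an Include directive expands its glob and processes the matching files in lexical order at the point where the Include appears. The following is an added example written for this issue (not ComplianceAsCode or OVAL code) that models that resolution in Python over an in-memory set of constructed files, and contrasts it with the inverted, last-value-wins ordering the reporter suspects the check applies. The two file sets, the file names (10-hardening.conf, 50-redhat.conf, compliance.conf) and the permissive `GSSAPIAuthentication yes` line in the Ubuntu-style sshd_config are constructed for illustration. Match blocks are handled only by ignoring everything after the first Match line in a file, which is a simplification.

```python
"""Model sshd_config keyword precedence as sshd_config(5) documents it.

Constructed example for ComplianceAsCode issue #11221; not project code.
Assumptions: relative Include paths are taken relative to /etc/ssh (as the
man page states), and Match blocks are simplified to "stop reading this
file at the first Match line".
"""
import fnmatch
import posixpath
import re
import shlex

SSH_DIR = "/etc/ssh"


def _parse_line(line):
    """Return (keyword, value) for a directive, or None for blanks/comments.

    sshd accepts 'Keyword value' and 'Keyword=value'; keywords are
    case-insensitive, so they are normalised to lower case here.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = re.split(r"\s*=\s*|\s+", stripped, maxsplit=1)
    if len(parts) < 2:
        return None
    return parts[0].lower(), parts[1].strip()


def _directives(files, path, seen=None):
    """Yield (keyword, value, source_path) in the order sshd would read them.

    `files` maps absolute path -> file content; Include globs are matched
    against those paths and expanded in lexical order.
    """
    if seen is None:
        seen = set()  # guards against Include loops
    if path in seen:
        return
    seen.add(path)
    for raw in files.get(path, "").splitlines():
        parsed = _parse_line(raw)
        if parsed is None:
            continue
        key, value = parsed
        if key == "match":
            return  # simplification: remaining lines are conditional, not global
        if key == "include":
            for pattern in shlex.split(value):
                if not pattern.startswith("/"):
                    pattern = posixpath.join(SSH_DIR, pattern)
                for candidate in sorted(files):  # lexical order, like sshd
                    if fnmatch.fnmatchcase(candidate, pattern):
                        yield from _directives(files, candidate, seen)
            continue
        yield key, value, path


def first_wins(files, keyword, entry="/etc/ssh/sshd_config"):
    """sshd(8) semantics: the first value obtained for a keyword is used."""
    for key, value, path in _directives(files, entry):
        if key == keyword.lower():
            return value, path
    return None, None


def last_wins(files, keyword, entry="/etc/ssh/sshd_config"):
    """Inverted precedence the reporter suspects the check uses (contrast only)."""
    result = (None, None)
    for key, value, path in _directives(files, entry):
        if key == keyword.lower():
            result = (value, path)
    return result


def effective_value_is(files, keyword, expected):
    """True when sshd's effective value for `keyword` equals `expected`."""
    value, _ = first_wins(files, keyword)
    return value is not None and value.lower() == expected.lower()


# Constructed file sets modelled on the two reports in this issue.
# Fedora-style: two drop-ins with opposite values; 10-hardening.conf sorts first.
FEDORA_TWO_DROPINS = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\n",
    "/etc/ssh/sshd_config.d/10-hardening.conf": "GSSAPIAuthentication no\n",
    "/etc/ssh/sshd_config.d/50-redhat.conf": "GSSAPIAuthentication yes\n",
}
# Ubuntu-style: a (hypothetical) permissive default in sshd_config after the
# Include line, overridden by a drop-in that is read first.
UBUNTU_DEFAULT_PLUS_DROPIN = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "#Port 22\n"
        "GSSAPIAuthentication yes\n"
    ),
    "/etc/ssh/sshd_config.d/compliance.conf": "GSSAPIAuthentication no\n",
}

if __name__ == "__main__":
    for name, files in (("fedora", FEDORA_TWO_DROPINS),
                        ("ubuntu", UBUNTU_DEFAULT_PLUS_DROPIN)):
        print(name, "sshd sees:", first_wins(files, "GSSAPIAuthentication"),
              "| last-wins would see:", last_wins(files, "GSSAPIAuthentication"))
```

In both constructed scenarios `first_wins` returns `no`, which is what `sshd -T` reports on a real host, while `last_wins` returns `yes`, which is the answer that makes the rule FAIL. On a real system, `sshd -T` remains the ground truth for the effective value, so a quick sanity check for any sshd_* rule is to compare the value the scanner complains about with `sshd -T | grep -i <keyword>`.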