ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

`sshd_set_keepalive` is misaligned with DISA STIG #12573

Open mildas opened 2 weeks ago

mildas commented 2 weeks ago

Description of problem:

sshd_set_keepalive is misaligned with DISA's xccdf_mil.disa.stig_rule_SV-257995r970703_rule. Content uses distributed config and puts it in a different file than DISA expects.

For SSG, the rule passes because it finds the remediated ClientAliveCountMax 1 in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf. DISA fails because it searches only for ClientAliveCountMax 1 in the /etc/ssh/sshd_config file.

SCAP Security Guide Version:

latest master

Operating System Version:

RHEL 9

Actual Results:

SSG and DISA rules are misaligned.

Expected Results:

SSG is aligned with DISA.

Mab879 commented 2 weeks ago

We are out of alignment based on the text "If "ClientAliveCountMax" does not exist, is not set to a value of "1" in "/etc/ssh/sshd_config", or is commented out, this is a finding."

The STIG requires it to be in the main file, not drop-in files.

See https://stigaview.com/products/rhel9/v2r2/RHEL-09-255095/

mildas commented 1 week ago

As we want DISA to change their approach and accept drop-in files, adding the blocked label.
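
Added example, not part of the issue thread and not code from ComplianceAsCode or DISA: a Python sketch of the two interpretations discussed above, a check that reads only /etc/ssh/sshd_config versus one that follows `Include` into drop-in files using sshd's first-value-wins rule. The function names, the constructed sample tree and the simplified parsing (no `Match` blocks, no quoted values, one pattern per `Include`) are assumptions.

```python
import glob
import os
import re
import tempfile

# Simplified sshd_config parsing (assumption: no Match blocks, no quoted values).
DIRECTIVE = re.compile(r"^\s*ClientAliveCountMax(?:\s*=\s*|\s+)(\S+)", re.I)
INCLUDE = re.compile(r"^\s*Include\s+(\S+)", re.I)


def first_value(path, root, follow_includes):
    """Return the first ClientAliveCountMax value found; sshd keeps the first one."""
    with open(path) as fh:
        for line in fh:
            inc = INCLUDE.match(line)
            if inc and follow_includes:
                pattern = inc.group(1)
                if not pattern.startswith("/"):  # relative paths resolve under /etc/ssh
                    pattern = "/etc/ssh/" + pattern
                for dropin in sorted(glob.glob(root + pattern)):  # lexical order
                    value = first_value(dropin, root, True)
                    if value is not None:
                        return value
            hit = DIRECTIVE.match(line)  # commented-out lines do not match
            if hit:
                return hit.group(1)
    return None


def evaluate(root):
    """Compare a main-file-only check with one that honours drop-in files."""
    main = os.path.join(root, "etc/ssh/sshd_config")
    return {"main_file_only": first_value(main, root, False) == "1",
            "with_drop_ins": first_value(main, root, True) == "1"}


def build_sample(root, main_text="Include /etc/ssh/sshd_config.d/*.conf\n"):
    """Constructed sample tree: the setting lives only in the hardening drop-in."""
    dropin_dir = os.path.join(root, "etc/ssh/sshd_config.d")
    os.makedirs(dropin_dir)
    with open(os.path.join(root, "etc/ssh/sshd_config"), "w") as fh:
        fh.write(main_text)
    with open(os.path.join(dropin_dir, "00-complianceascode-hardening.conf"), "w") as fh:
        fh.write("ClientAliveCountMax 1\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(evaluate(root))
```

On a live host, `sshd -T` prints the effective configuration after includes are processed, which is the value the daemon actually enforces.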