sshd_set_keepalive is misaligned with DISA STIG #12573

Open
mildas opened this issue Nov 5, 2024 · 2 comments
Labels
blocked Issue that can't be fixed in content. RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related.

Comments

@mildas
Contributor

mildas commented Nov 5, 2024

Description of problem:

`sshd_set_keepalive` is misaligned with DISA's `xccdf_mil.disa.stig_rule_SV-257995r970703_rule`.
Content uses distributed config and puts it in a different file than DISA expects.

For SSG, the rule passes, because it finds the remediated `ClientAliveCountMax 1` in `/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf`.
DISA fails, because it searches only for `ClientAliveCountMax 1` in the `/etc/ssh/sshd_config` file.

SCAP Security Guide Version:

latest master

Operating System Version:

RHEL 9

Actual Results:

SSG and DISA rules are misaligned.

Expected Results:

SSG is aligned with DISA.

@mildas mildas added RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. labels Nov 5, 2024
@Mab879
Member

Mab879 commented Nov 5, 2024

We are out of alignment based on the text "If "ClientAliveCountMax" does not exist, is not set to a value of "1" in "/etc/ssh/sshd_config", or is commented out, this is a finding."

The STIG requires it to be in the main file, not in drop-in files.

See https://stigaview.com/products/rhel9/v2r2/RHEL-09-255095/

@mildas
Contributor Author

mildas commented Nov 8, 2024

As we want DISA to change their approach and accept drop-in files, adding the blocked label.

@mildas mildas added the blocked Issue that can't be fixed in content. label Nov 8, 2024
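
The scope difference discussed in this issue, as an added example (not part of the thread, and not ComplianceAsCode or DISA check code): two simplified checks run against a constructed config tree in which the setting exists only in the drop-in file. The function names, the regular expression and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compares the two check scopes described in the issue.
# Everything lives under a throwaway directory; file contents are constructed.

# Active (uncommented) "ClientAliveCountMax 1" line.
# sshd keywords are case-insensitive, hence grep -i below.
PATTERN='^[[:space:]]*ClientAliveCountMax[[:space:]]+1[[:space:]]*$'

# Scope of the STIG text: only <root>/etc/ssh/sshd_config is examined.
check_main_only() {
    grep -Eiq "$PATTERN" "$1/etc/ssh/sshd_config" 2>/dev/null
}

# Distributed-config scope: main file plus <root>/etc/ssh/sshd_config.d/*.conf.
check_with_dropins() {
    check_main_only "$1" && return 0
    for f in "$1"/etc/ssh/sshd_config.d/*.conf; do
        [ -f "$f" ] || continue
        grep -Eiq "$PATTERN" "$f" && return 0
    done
    return 1
}

# Constructed tree: main file has only a commented-out setting,
# the hardening drop-in carries the active one.
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/ssh/sshd_config.d"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
        '#ClientAliveCountMax 3' > "$root/etc/ssh/sshd_config"
    printf '%s\n' 'ClientAliveCountMax 1' \
        > "$root/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    printf '%s\n' "$root"
}

report() {
    if check_main_only "$1"; then echo "main-file check: pass"
    else echo "main-file check: fail"; fi
    if check_with_dropins "$1"; then echo "drop-in aware check: pass"
    else echo "drop-in aware check: fail"; fi
}

sample=$(make_sample_root)
report "$sample"
rm -rf "$sample"
```

Neither function models how sshd resolves a keyword that appears more than once; on a real host, `sshd -T` prints the effective value.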