Fixed the sshd_set_idle_timeout rule #6293
linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh
linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
ClientAliveCountMax needs to maintain itself in a new rule. One configuration change per rule only. This is a requirement.
Could you please clarify that "one rule = change to one configuration line" requirement? I see that we can choose between this requirement and a clean, self-contained rule. We know what a self-contained rule is, but we don't know anything about that requirement.
The configuration works if and only if ClientAliveCountMax is set to 0. Therefore, the check for this rule takes both configuration items into account.
All other values don't make any sense from the security POV, so the parametrization has been removed. Thanks to that, the rule may now use a template.
Changes identified: Rule sshd_set_idle_timeout: Recommended tests to execute:
@@ -8,7 +8,7 @@ description: |- | |||
<br /><br /> | |||
To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as | |||
follows: | |||
<pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre> | |||
<pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>. |
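Review bot: the `+` line appends a period directly after the closing `</pre>` of the ClientAliveInterval example, which renders as a stray "." below the code block in the rule description; drop the trailing period and keep the line identical to the `-` line.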
nitpick... this period `.` should be removed as it doesn't read right.
Fixed and merged
I assume that closing of the PR without merge was not intentional, so I suggest to reopen it, as the period has been removed.
So this is a really weird glitch - the branch has been merged, but this PR doesn't show it. See e.g. https://github.com/ComplianceAsCode/content/tree/master/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout for the proof that this PR has been really merged.
The reason is because @redhatrises has fixed the request by himself and I'm guessing he pushed straight to master since you can see that he has co-authored the commits, for example: 5ab82b4
OK, that makes sense.
The configuration works if and only if ClientAliveCountMax is set to 0. Therefore, the check and remediations for this rule take both configuration items into account.
The rule description has been clarified to warn about situations when the timeout isn't effective.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1859551
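As an added illustration of the point this PR makes (not the project's own OVAL check or bash remediation), the following POSIX shell check reads both directives and accepts the configuration only when ClientAliveInterval matches the expected value and ClientAliveCountMax is 0, the condition the PR states. It relies on sshd taking the first occurrence of a keyword, treats anything under a `Match` block as non-global, and assumes keyword and value are separated by whitespace; the sample configs are constructed for the test.

```sh
# Added example, not the ComplianceAsCode project's own check or remediation.
# The configuration is accepted only when ClientAliveInterval equals the
# expected value AND ClientAliveCountMax is 0 (the condition stated in the PR).
# sshd uses the first occurrence of a keyword, so later duplicates are ignored,
# and directives under a "Match" block are conditional, not global.
# Assumption: keyword and value are separated by whitespace.

# first_global_value FILE KEYWORD(lowercase) -> prints the first global value
first_global_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                      # drop comments
        tolower($1) == "match" { exit }         # end of the global section
        tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$1"
}

# check_idle_timeout FILE EXPECTED_INTERVAL -> exit 0 if compliant, 1 otherwise
check_idle_timeout() {
    interval=$(first_global_value "$1" clientaliveinterval)
    countmax=$(first_global_value "$1" clientalivecountmax)
    [ "$interval" = "$2" ] && [ "$countmax" = "0" ]
}

# write_sample FILE VARIANT -> writes a constructed sshd_config for testing
write_sample() {
    case "$2" in
        ok)    printf '# ClientAliveInterval 60\nClientAliveInterval 300 # seconds\nClientAliveCountMax 0\n' ;;
        dup)   printf 'ClientAliveInterval 0\nClientAliveInterval 300\nClientAliveCountMax 0\n' ;;
        cmax)  printf 'ClientAliveInterval 300\nClientAliveCountMax 3\n' ;;
        match) printf 'Match User alice\n    ClientAliveInterval 300\n    ClientAliveCountMax 0\n' ;;
    esac > "$1"
}
```

Usage on a real host: `check_idle_timeout /etc/ssh/sshd_config 300 && echo compliant`.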