Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression #6453
Skipping CI for Draft Pull Request.
Changes identified: Rule sshd_disable_compression: Recommended tests to execute:
This looks really great, especially the test coverage. Is there any reason for keeping it as a draft PR?
In my tests, the package downgrade commands were not working. I tested on RHEL7.9 and I'm not sure if it's not possible to downgrade them anymore or if I was doing something wrong. Update 1: On a RHEL7.9 machine, the command:
returns:
So, the downgrade test scenario should probably go away.
OpenSSH versions higher than 7.4 contain the vulnerability fix for the Compression setting, and there is no option that can trigger the issue. So any option should pass if the version is higher than 7.4. Packages cannot be downgraded and the test scenario is not reproducible anymore.
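The rule logic described in that comment, as an added Python example that is not part of the PR or of the ComplianceAsCode project: the Compression directive only matters when the installed OpenSSH is older than 7.4, so the version check is evaluated first. The version banner format (`OpenSSH_7.4p1`), the sshd_config sample and the function names are assumptions made for the example.

```python
import re

# Pre-authentication compression was removed in OpenSSH 7.4, so from that
# version on the Compression directive is no longer security-relevant.
FIX_VERSION = (7, 4)


def parse_openssh_version(banner):
    """Extract (major, minor) from a banner such as 'OpenSSH_7.4p1' or
    'OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017' (constructed samples)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not an OpenSSH version string: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def compression_setting(sshd_config):
    """Return the effective global Compression value, lower-cased.

    sshd keeps the first value given for a keyword, and lines after a Match
    line belong to that conditional block, so only the global scope before
    the first Match is examined. A missing directive means the pre-7.4
    default 'delayed'."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        if key == "compression":
            return value
    return "delayed"


def sshd_disable_compression_passes(banner, sshd_config):
    """Evaluate the rule as the PR describes it: any value passes on
    OpenSSH >= 7.4; older versions must use 'no' or 'delayed'."""
    if parse_openssh_version(banner) >= FIX_VERSION:
        return True
    return compression_setting(sshd_config) in ("no", "delayed")


if __name__ == "__main__":
    sample_config = "# constructed sshd_config fragment\nCompression yes\n"
    for banner in ("OpenSSH_6.6.1p1", "OpenSSH_7.4p1"):
        print(banner, "passes:", sshd_disable_compression_passes(banner, sample_config))
```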
9d877ed to 431dc18
I've flipped to ready to review. The solution proposed is to remove all the
/retest
Description:
sshd_disable_compression
Rationale:
The pre-authentication vulnerability has been fixed since OpenSSH 7.4, so the SSH configuration represented by this rule doesn't make sense if the version is equal to or higher than that.
Changelog reference:
Additional Information
The test scenarios still have to be updated, hence the draft PR.
Fixes: sshd_disable_compression fails when set to yes on RHEL7.4+ systems #6345