Bug 1323270

Summary: SCAP ClientAliveInterval not set
Product: Red Hat CloudForms Management Engine Reporter: luke couzens <lcouzens>
Component: ApplianceAssignee: Nick Carboni <ncarboni>
Status: CLOSED WORKSFORME QA Contact: luke couzens <lcouzens>
Severity: high Docs Contact:
Priority: high    
Version: 5.5.0CC: abellott, cpelland, dajohnso, jhardy, lcouzens, ncarboni, obarenbo
Target Milestone: GAKeywords: ZStream
Target Release: 5.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: appliance:security:scap:black
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1327728 (view as bug list) Environment:
Last Closed: 2016-04-22 12:55:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1327728    

Description luke couzens 2016-04-01 16:32:18 UTC
Description of problem:After hardening an appliance with SCAP ClientAliveInterval is not active.


Version-Release number of selected component (if applicable):5.5.3.2


How reproducible:100%


Steps to Reproduce:
1.ssh to configured appliance
2.run appliance_console
3.select harden with SCAP
4.create new user/pass
5.ssh with new user
6.check if kicked after interval time

Actual results:Does not log you out


Expected results:logged out


Additional info:Checking the /etc/ssh/sshd_config I see the rule is there but in a comment line above ClientAliveCountMax.

#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs serverClientAliveInterval 900
ClientAliveCountMax 0
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Comment 2 Nick Carboni 2016-04-04 13:41:59 UTC
This issue was fixed in https://github.com/ManageIQ/manageiq-appliance-build/pull/79

Discussion here https://bugzilla.redhat.com/show_bug.cgi?id=1219230

I can't reproduce this using a new 5.5.3.2 appliance.

Has this appliance been migrated from a version prior to 5.5.0? The fix (adding a newline at the end of /etc/ssh/sshd_config in the kickstart) was introduced at 5.5.0 so if this config file is from a release prior to 5.5.0 the file wouldn't have the new line and you could see this behavior.

Comment 4 Nick Carboni 2016-04-14 15:03:42 UTC
https://github.com/OpenSCAP/scap-security-guide/pull/1207 should fix this once and for all, but that may not get into a scap-security-guide rpm build for some time.

Comment 6 Nick Carboni 2016-04-22 12:55:50 UTC
I can't reproduce this on a new 5.6.0 build or 5.5.3.4

Closing as WORKSFORME. Either way this will get fixed for sure when https://github.com/OpenSCAP/scap-security-guide/pull/1207 gets into the version of scap-security-guide running on the appliance.