Bug 2214610
| Summary: | SSH ClientAliveInterval remediation not taking place | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Julia Schindler <juschind> |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
| Status: | CLOSED MIGRATED | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.2 | CC: | ggasparb, matyc, mhaicman, mlysonek, mpoole, myllynen, openscap-maint, vpolasek |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-08-18 07:27:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug. This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567 In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. |
Description of problem: The CIS RHEL 9 Benchmark document point 5.2.20 "Ensure SSH Idle Timeout Interval is configured" requires that the sshd config option ClientAliveInterval has a value greater than 0. The default value is 0. A rule for this option is shown as included in the CIS L2 profile when creating a guide using `oscap xccdf generate guide --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > ssg-guide-checklist.html` with the rule ID "xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" and the title "Set SSH Client Alive Interval". Also scap-workbench shows the rule as included for CIS L2 profile. However, when running `oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_cis --report /root/remediate-report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml` on a freshly installed RHEL 9.2 system (entry "#ClientAliveInterval 0" in /etc/ssh/sshd_config, no further mention of the option in /etc/ssh/sshd_config.d/*.conf), the option ClientAliveInterval is not updated in /etc/ssh/sshd_config or /etc/ssh/sshd_config.d/{00-complianceascode-hardening.conf,01-complianceascode-reinforce-os-defaults.conf}. The rule is also not present in the command output or report. How reproducible: always Steps to Reproduce: 1. Run `oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_cis --report /root/remediate-report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml` on a RHEL 9.2 system. 2. Check sshd config files and remediation output. Actual results: The option ClientAliveInterval is not updated in /etc/ssh/sshd_config or /etc/ssh/sshd_config.d/{00-complianceascode-hardening.conf,01-complianceascode-reinforce-os-defaults.conf} with a value greater than zero. Expected results: Judging from the default value for xccdf_org.ssgproject.content_value_sshd_idle_timeout_value as seen in scap-workbench, there should be a line "ClientAliveInterval 300" in an appropriate sshd config file.