Bug 2214610
| Summary: | SSH ClientAliveInterval remediation not taking place | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Julia Schindler <juschind> |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
| Status: | NEW --- | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.2 | CC: | ggasparb, matyc, mhaicman, mlysonek, mpoole, myllynen, openscap-maint, vpolasek |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug. |
Description of problem: The CIS RHEL 9 Benchmark document point 5.2.20 "Ensure SSH Idle Timeout Interval is configured" requires that the sshd config option ClientAliveInterval has a value greater than 0. The default value is 0. A rule for this option is shown as included in the CIS L2 profile when creating a guide using `oscap xccdf generate guide --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > ssg-guide-checklist.html` with the rule ID "xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" and the title "Set SSH Client Alive Interval". Also scap-workbench shows the rule as included for CIS L2 profile. However, when running `oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_cis --report /root/remediate-report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml` on a freshly installed RHEL 9.2 system (entry "#ClientAliveInterval 0" in /etc/ssh/sshd_config, no further mention of the option in /etc/ssh/sshd_config.d/*.conf), the option ClientAliveInterval is not updated in /etc/ssh/sshd_config or /etc/ssh/sshd_config.d/{00-complianceascode-hardening.conf,01-complianceascode-reinforce-os-defaults.conf}. The rule is also not present in the command output or report. How reproducible: always Steps to Reproduce: 1. Run `oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_cis --report /root/remediate-report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml` on a RHEL 9.2 system. 2. Check sshd config files and remediation output. Actual results: The option ClientAliveInterval is not updated in /etc/ssh/sshd_config or /etc/ssh/sshd_config.d/{00-complianceascode-hardening.conf,01-complianceascode-reinforce-os-defaults.conf} with a value greater than zero. Expected results: Judging from the default value for xccdf_org.ssgproject.content_value_sshd_idle_timeout_value as seen in scap-workbench, there should be a line "ClientAliveInterval 300" in an appropriate sshd config file.