Hide Forgot
Description of problem:After hardening an appliance with SCAP ClientAliveInterval is not active. Version-Release number of selected component (if applicable):5.5.3.2 How reproducible:100% Steps to Reproduce: 1.ssh to configured appliance 2.run appliance_console 3.select harden with SCAP 4.create new user/pass 5.ssh with new user 6.check if kicked after interval time Actual results:Does not log you out Expected results:logged out Additional info:Checking the /etc/ssh/sshd_config I see the rule is there but in a comment line above ClientAliveCountMax. # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs serverClientAliveInterval 900 ClientAliveCountMax 0 PermitEmptyPasswords no PermitUserEnvironment no Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
This issue was fixed in https://github.com/ManageIQ/manageiq-appliance-build/pull/79 Discussion here https://bugzilla.redhat.com/show_bug.cgi?id=1219230 I can't reproduce this using a new 5.5.3.2 appliance. Has this appliance been migrated from a version prior to 5.5.0? The fix (adding a newline at the end of /etc/ssh/sshd_config in the kickstart) was introduced at 5.5.0 so if this config file is from a release prior to 5.5.0 the file wouldn't have the new line and you could see this behavior.
https://github.com/OpenSCAP/scap-security-guide/pull/1207 should fix this once and for all, but that may not get into a scap-security-guide rpm build for some time.
I can't reproduce this on a new 5.6.0 build or 5.5.3.4 Closing as WORKSFORME. Either way this will get fixed for sure when https://github.com/OpenSCAP/scap-security-guide/pull/1207 gets into the version of scap-security-guide running on the appliance.