Bug 1323270 - SCAP ClientAliveInterval not set
Summary: SCAP ClientAliveInterval not set
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.5.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: GA
: 5.6.0
Assignee: Nick Carboni
QA Contact: luke couzens
URL:
Whiteboard: appliance:security:scap:black
Depends On:
Blocks: 1327728
TreeView+ depends on / blocked
 
Reported: 2016-04-01 16:32 UTC by luke couzens
Modified: 2016-04-22 12:55 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1327728 (view as bug list)
Environment:
Last Closed: 2016-04-22 12:55:50 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:


Attachments (Terms of Use)

Description luke couzens 2016-04-01 16:32:18 UTC
Description of problem:After hardening an appliance with SCAP ClientAliveInterval is not active.


Version-Release number of selected component (if applicable):5.5.3.2


How reproducible:100%


Steps to Reproduce:
1.ssh to configured appliance
2.run appliance_console
3.select harden with SCAP
4.create new user/pass
5.ssh with new user
6.check if kicked after interval time

Actual results:Does not log you out


Expected results:logged out


Additional info:Checking the /etc/ssh/sshd_config I see the rule is there but in a comment line above ClientAliveCountMax.

#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs serverClientAliveInterval 900
ClientAliveCountMax 0
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Comment 2 Nick Carboni 2016-04-04 13:41:59 UTC
This issue was fixed in https://github.com/ManageIQ/manageiq-appliance-build/pull/79

Discussion here https://bugzilla.redhat.com/show_bug.cgi?id=1219230

I can't reproduce this using a new 5.5.3.2 appliance.

Has this appliance been migrated from a version prior to 5.5.0? The fix (adding a newline at the end of /etc/ssh/sshd_config in the kickstart) was introduced at 5.5.0 so if this config file is from a release prior to 5.5.0 the file wouldn't have the new line and you could see this behavior.

Comment 4 Nick Carboni 2016-04-14 15:03:42 UTC
https://github.com/OpenSCAP/scap-security-guide/pull/1207 should fix this once and for all, but that may not get into a scap-security-guide rpm build for some time.

Comment 6 Nick Carboni 2016-04-22 12:55:50 UTC
I can't reproduce this on a new 5.6.0 build or 5.5.3.4

Closing as WORKSFORME. Either way this will get fixed for sure when https://github.com/OpenSCAP/scap-security-guide/pull/1207 gets into the version of scap-security-guide running on the appliance.


Note You need to log in before you can comment on or make changes to this bug.