
SSHD parameter using -T

Open prensing opened this issue 2 years ago • 1 comments

Description of problem:

The checks of the SSHD parameter all seem to look at the /etc/ssh/sshd_config file (and maybe subfiles). However, many/most of the required parameters default to the desired values without setting them in the config file. Also, SSHD now can have separate config files. So for instance, the Ubuntu STIG expects "PubkeyAuthentication yes" but this has long been the default setting, so really should be fine without an explicit setting.

Consider using the command "sshd -T". This will output all the active config settings, including all the defaults. The script can check the output to verify the required settings. This should also suck in all the subfiles, etc.

So, in the above example, the script would check with: sshd -T |grep -i -q "^pubkeyauthentication yes$" and if successful, it is satisfied.

I don't know if this will require changes to the OpenScap scanner.

SCAP Security Guide Version:

1.70.0

Operating System Version:

Linux

Steps to Reproduce:

Actual Results:

Expected Results:

Additional Information/Debugging Steps:

prensing avatar Nov 22 '23 16:11 prensing

Unfortunately we can't execute commands in OVAL. It could be done via an SCE script, but this is not SCAP compliant. It could be used in the remediation, but some policies require the settings to be explicit in the config file. Therefore we could not assume that checking the implicit default value is enough to satisfy all policies' requirements. I'm afraid there is not too much to do about this.

marcusburghardt avatar Dec 20 '23 10:12 marcusburghardt
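
An added example, not part of the thread or of the project's code, that puts the two points above side by side: it reads `sshd -T`-style output for the effective value and the config text for an explicit setting, then reports `explicit`, `default-only` or `fail`. The function names are hypothetical, the sample data is constructed, and it assumes single-token values and does not follow `Include` or `Match`.

```shell
# Hypothetical helper names; the sample data is constructed, not real host output.
sample_effective() {  # shaped like `sshd -T` output: lowercase keyword, space, value
cat <<'EOF'
port 22
pubkeyauthentication yes
permitemptypasswords no
x11forwarding yes
EOF
}
sample_config() {     # constructed sshd_config; PubkeyAuthentication left at its default
cat <<'EOF'
#PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
EOF
}
# effective_value KEY: print KEY's value from `sshd -T`-style text on stdin.
effective_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}
# is_explicit KEY VALUE: succeed if the config text on stdin sets KEY to VALUE on an
# uncommented line. Only the first occurrence is considered, as sshd keeps the first value.
is_explicit() {
    awk -v k="$1" -v v="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(k) { found = ($2 == v); exit }
        END { exit !found }'
}
# classify KEY VALUE EFFECTIVE_FILE CONFIG_FILE: print explicit, default-only or fail.
classify() {
    if [ "$(effective_value "$1" < "$3")" != "$2" ]; then
        echo fail
    elif is_explicit "$1" "$2" < "$4"; then
        echo explicit
    else
        echo default-only   # effective value is right, but only via the built-in default
    fi
}
# Demo on the constructed samples. On a real host: sshd -T > "$tmp/eff" (needs root).
tmp=$(mktemp -d)
sample_effective > "$tmp/eff"; sample_config > "$tmp/cfg"
for rule in "pubkeyauthentication yes" "permitemptypasswords no" "x11forwarding no"; do
    set -- $rule
    printf '%s %s: %s\n' "$1" "$2" "$(classify "$1" "$2" "$tmp/eff" "$tmp/cfg")"
done
rm -rf "$tmp"
```

A policy that accepts defaults can treat `default-only` as a pass, while one that requires explicit settings treats it as a finding.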