`sshd_set_keepalive` is misaligned with DISA STIG
Description of problem:
sshd_set_keepalive is misaligned with DISA's xccdf_mil.disa.stig_rule_SV-257995r970703_rule.
Content uses distributed config and puts it in a different file than DISA expects.
For SSG, the rule passes, because it finds remediated ClientAliveCountMax 1 in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
DISA fails, because it searches only for ClientAliveCountMax 1 in /etc/ssh/sshd_config file.
SCAP Security Guide Version:
latest master
Operating System Version:
RHEL 9
Actual Results:
SSG and DISA rules are misaligned.
Expected Results:
SSG is aligned with DISA.
We are out of alignment based on the text "If "ClientAliveCountMax" does not exist, is not set to a value of "1" in "/etc/ssh/sshd_config", or is commented out, this is a finding."
The STIG requires it to be in the main file, not drop-in files.
See https://stigaview.com/products/rhel9/v2r2/RHEL-09-255095/
As we want DISA to change their approach and accept drop-in files, adding the blocked label.
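
The mismatch described in this thread, reproduced as an added example (not part of the issue, and not the OVAL shipped by SSG or DISA): one check reads only `/etc/ssh/sshd_config`, the other also reads `/etc/ssh/sshd_config.d/*.conf`. The function names are hypothetical, `Match` blocks are ignored, and drop-ins are assumed to be read before the main file's own settings.

```shell
#!/bin/sh
# Added example: approximates the two readings of ClientAliveCountMax
# discussed in the thread. Function names are hypothetical.

# Print the first uncommented ClientAliveCountMax value found in the given
# files, in order (sshd keeps the first value it obtains for a keyword).
first_count_max() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        v=$(awk -F'[ \t=]+' '
            { sub(/^[ \t]+/, "") }    # tolerate indented lines
            tolower($1) == "clientalivecountmax" { print $2; exit }' "$f")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# Reading quoted from the STIG text: only the main file counts.
# $1 = filesystem root prefix ("" for the live system).
disa_style_check() {
    [ "$(first_count_max "$1/etc/ssh/sshd_config")" = "1" ]
}

# Reading used by the SSG rule: drop-in files count too.
# Assumption: drop-ins are read first, in lexical order, then the main file.
ssg_style_check() {
    [ "$(first_count_max "$1"/etc/ssh/sshd_config.d/*.conf \
                         "$1/etc/ssh/sshd_config")" = "1" ]
}

report() {
    if ssg_style_check "$1"; then s=pass; else s=fail; fi
    if disa_style_check "$1"; then d=pass; else d=fail; fi
    printf 'ssg=%s disa=%s\n' "$s" "$d"
}

# Constructed sample tree reproducing the state described in the issue.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh/sshd_config.d"
printf 'Include /etc/ssh/sshd_config.d/*.conf\n#ClientAliveCountMax 3\n' \
    > "$demo/etc/ssh/sshd_config"
printf 'ClientAliveCountMax 1\n' \
    > "$demo/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
report "$demo"
rm -rf "$demo"
```

Call `report ""` to run both checks against the live system.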