
Privilege separation conditional check

Open sfuerte opened this issue 4 years ago • 3 comments

Describe the bug

The subject option has been deprecated since OpenSSH 7.5 (https://www.openssh.com/txt/release-7.5), hence the check shall be conditional.

Expected behavior

No error

Actual behavior

  ×  sshd-16: Server: Use privilege separation
     ×  SSHD Configuration UsePrivilegeSeparation is expected to eq "sandbox"

     expected: "sandbox"
          got: nil

     (compared using ==)

OS / Environment

$ lsb_release -d
Description:	Ubuntu 20.04 LTS

$ ssh -V
OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f  31 Mar 2020

Inspec Version

$ inspec --version
4.18.114

Baseline Version

name: ssh-baseline
title: DevSec SSH Baseline
maintainer: DevSec Hardening Framework Team
copyright: DevSec Hardening Framework Team
copyright_email: [email protected]
license: Apache-2.0
summary: Test-suite for best-practice SSH hardening
version: 2.5.6
supports:
  - os-family: unix

sfuerte, May 21 '20 17:05

@sfuerte Thank you for the hint. I suggest we change the test to ensure that it is not set at all. This allows us to ensure the defaults are used. Any PR is welcome.

chris-rock, May 22 '20 07:05

Agreed. OpenSSH 7.5 is 3 years old. If someone still uses a previous version of SSH, it is another level of problems than this profile can solve.

micheelengronne, May 22 '20 08:05

https://github.com/dev-sec/ssh-baseline/pull/171

micheelengronne, May 22 '20 08:05
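
The version-conditional check discussed in this thread, as an added example in plain Ruby; it is not InSpec DSL, not the ssh-baseline code and not the change in the linked PR. The helper names, the sample configs, the 7.4 banner and the policy for versions before 7.5 (expect "sandbox", as in the failing output above) are assumptions.

```ruby
# Added example: plain Ruby, not InSpec DSL and not the ssh-baseline code.
require 'rubygems' # Gem::Version gives numeric version comparison

# Banner copied from the issue; the other inputs are constructed samples.
BANNER_82 = 'OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f  31 Mar 2020'
BANNER_74 = 'OpenSSH_7.4p1, OpenSSL 1.0.2k' # constructed
CONFIG_DEFAULTS = "# constructed sample\nPort 22\nPermitRootLogin no\n"
CONFIG_SANDBOX  = "# constructed sample\nPort 22\nuseprivilegeseparation sandbox\n"

# Pull "8.2" out of the `ssh -V` banner.
def openssh_version(banner)
  m = banner.match(/OpenSSH_(\d+\.\d+)/)
  raise ArgumentError, "unrecognised banner: #{banner.inspect}" unless m
  Gem::Version.new(m[1])
end

# First global value of a keyword in sshd_config text, nil when unset.
# Keywords are matched case-insensitively, as sshd does.
def sshd_option(config, keyword)
  config.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/[\s=]+/, 2)
    break if key.casecmp?('Match')            # global section ends here
    return value.to_s.strip.delete('"') if key.casecmp?(keyword)
  end
  nil
end

# Assumed policy: 7.5 and later must leave the option unset; older needs "sandbox".
def privsep_check(banner, config)
  value = sshd_option(config, 'UsePrivilegeSeparation')
  if openssh_version(banner) >= Gem::Version.new('7.5')
    value.nil? ? [:pass, 'unset, defaults apply'] : [:fail, "deprecated option set to #{value.inspect}"]
  else
    value == 'sandbox' ? [:pass, 'sandbox'] : [:fail, "expected \"sandbox\", got #{value.inspect}"]
  end
end

[[BANNER_82, CONFIG_DEFAULTS], [BANNER_82, CONFIG_SANDBOX],
 [BANNER_74, CONFIG_SANDBOX], [BANNER_74, CONFIG_DEFAULTS]].each do |banner, config|
  puts "#{openssh_version(banner)}: #{privsep_check(banner, config).inspect}"
end
```

The first row is the reporter's situation: OpenSSH 8.2 with the option absent passes instead of failing on `nil`.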