From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
Date: Wed, 11 Dec 2013 20:53:14 +0000 (UTC)	[thread overview]
Message-ID: <1386795066.912cc3b552b8dd23ddccdca7f77a1beaa490d136.swift@gentoo> (raw)

commit:     912cc3b552b8dd23ddccdca7f77a1beaa490d136
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 11 20:51:06 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 11 20:51:06 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=912cc3b5

Adding OpenSSH files

---
 xml/SCAP/openssh-oval.xml  | 354 +++++++++++++++++++++++++++
 xml/SCAP/openssh-xccdf.xml | 579 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 933 insertions(+)

diff --git a/xml/SCAP/openssh-oval.xml b/xml/SCAP/openssh-oval.xml
new file mode 100644
index 0000000..ad1ca8c
--- /dev/null
+++ b/xml/SCAP/openssh-oval.xml
@@ -0,0 +1,354 @@
+<?xml version="1.0"?>
+<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+ xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+ xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
+ xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
+ xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
+  <generator>
+    <oval:product_name>vim</oval:product_name>
+    <oval:schema_version>5.9</oval:schema_version>
+    <oval:timestamp>2011-10-31T12:00:00-04:00</oval:timestamp>
+  </generator>
+
+<definitions>
+<!-- @@GENOVAL START DEFINITIONS -->
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:1" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:1" comment="file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:2" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:3" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:3" comment="file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:5" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowGroup" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:6" version="1">
+  <metadata>
+    <title>file /etc/hosts.allow must have a line that matches ^sshd:</title>
+    <description>file /etc/hosts.allow must have a line that matches ^sshd:</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="file /etc/hosts.allow must have a line that matches ^sshd:" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:7" version="1">
+  <metadata>
+    <title>file /etc/hosts.deny must have a line that matches ^sshd: ALL</title>
+    <description>file /etc/hosts.deny must have a line that matches ^sshd: ALL</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="file /etc/hosts.deny must have a line that matches ^sshd: ALL" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:8" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:9" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:9" comment="file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:10" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:11" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:11" comment="file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:12" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:13" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:13" comment="file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:14" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:15" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:15" comment="file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:16" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:17" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:17" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:18" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:19" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:19" comment="file /etc/ssh/sshd_config must have a line that matches ^ListenAddress" />
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:20" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no" />
+  </criteria>
+</definition>
+<!-- @@GENOVAL END DEFINITIONS -->
+</definitions>
+
+<tests>
+<!-- @@GENOVAL START TESTS -->
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:1" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:3" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:3" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:5" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowGroup" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:6" version="1" check="at least one" comment="file /etc/hosts.allow must have a line that matches ^sshd:" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:2" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:7" version="1" check="at least one" comment="file /etc/hosts.deny must have a line that matches ^sshd: ALL" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:3" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:8" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:7" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:9" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:8" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:10" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:9" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:11" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:10" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:12" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:11" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:13" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:12" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:14" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:15" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:16" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:17" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:18" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:17" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:19" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^ListenAddress" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:18" />
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:20" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1" />
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:19" />
+</ind-def:textfilecontent54_test>
+<!-- @@GENOVAL END TESTS -->
+</tests>
+
+<objects>
+<!-- @@GENOVAL START OBJECTS -->
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="Non-comment lines in /etc/ssh/sshd_config">
+  <ind-def:filepath>/etc/ssh/sshd_config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="Non-comment lines in /etc/hosts.allow">
+  <ind-def:filepath>/etc/hosts.allow</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:3" version="1" comment="Non-comment lines in /etc/hosts.deny">
+  <ind-def:filepath>/etc/hosts.deny</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<!-- @@GENOVAL END OBJECTS -->
+</objects>
+
+<states>
+<!-- @@GENOVAL START STATES -->
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:1" version="1" comment="The match of ^PermitRootLogin no">
+  <ind-def:subexpression operation="pattern match">^PermitRootLogin no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:2" version="1" comment="The match of ^PasswordAuthentication no">
+  <ind-def:subexpression operation="pattern match">^PasswordAuthentication no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:3" version="1" comment="The match of ^ChallengeResponseAuthentication no">
+  <ind-def:subexpression operation="pattern match">^ChallengeResponseAuthentication no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4" version="1" comment="The match of ^AllowGroup">
+  <ind-def:subexpression operation="pattern match">^AllowGroup</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5" version="1" comment="The match of ^sshd">
+  <ind-def:subexpression operation="pattern match">^sshd</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6" version="1" comment="The match of ^sshd">
+  <ind-def:subexpression operation="pattern match">^sshd</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:7" version="1" comment="The match of ^IgnoreRhosts.*no">
+  <ind-def:subexpression operation="pattern match">^IgnoreRhosts.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:8" version="1" comment="The match of ^RhostsRSAAuthentication.*yes">
+  <ind-def:subexpression operation="pattern match">^RhostsRSAAuthentication.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:9" version="1" comment="The match of ^HostbasedAuthentication.*yes">
+  <ind-def:subexpression operation="pattern match">^HostbasedAuthentication.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:10" version="1" comment="The match of ^PermitEmptyPasswords.*yes">
+  <ind-def:subexpression operation="pattern match">^PermitEmptyPasswords.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:11" version="1" comment="The match of ^UsePAM.*no">
+  <ind-def:subexpression operation="pattern match">^UsePAM.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:12" version="1" comment="The match of ^Protocol.*1">
+  <ind-def:subexpression operation="pattern match">^Protocol.*1</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:13" version="1" comment="The match of ^UsePrivilegeSeparation.*no">
+  <ind-def:subexpression operation="pattern match">^UsePrivilegeSeparation.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:14" version="1" comment="The match of ^X11Forwarding.*yes">
+  <ind-def:subexpression operation="pattern match">^X11Forwarding.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15" version="1" comment="The match of ^StrictMode.*no">
+  <ind-def:subexpression operation="pattern match">^StrictMode.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16" version="1" comment="The match of ^ListenAddress.*0.0.0.0">
+  <ind-def:subexpression operation="pattern match">^ListenAddress.*0.0.0.0</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:17" version="1" comment="The match of ^ListenAddress *">
+  <ind-def:subexpression operation="pattern match">^ListenAddress[ ]*</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:18" version="1" comment="The match of ^ListenAddress">
+  <ind-def:subexpression operation="pattern match">^ListenAddress</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:19" version="1" comment="The match of ^AllowTcpForwarding.*no">
+  <ind-def:subexpression operation="pattern match">^AllowTcpForwarding.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<!-- @@GENOVAL END STATES -->
+</states>
+
+</oval_definitions>
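Review bot: The positive rules (tst:1, tst:2, tst:3, tst:20) pass as soon as one non-comment line matches e.g. `^PermitRootLogin no`, but sshd honours the first value it reads for a keyword and a `Match` block can re-set it, so a config containing `PermitRootLogin yes` above `PermitRootLogin no`, or `PermitRootLogin yes` inside a later `Match` block, is reported compliant while root login stays enabled. Restricting the object to the directive's own lines and requiring every instance to carry the safe value (`check="all"`) closes that gap; the rewrite for def:1 is below and the same shape applies to the other three. Separately, ste:5 and ste:6 only match `^sshd`, so `sshd: 10.0.0.5` in /etc/hosts.deny satisfies a rule whose title promises `^sshd: ALL`; use `^sshd[[:space:]]*:[[:space:]]*ALL\b` for ste:6 and `^sshd[[:space:]]*:` for ste:5. Those two rules also presume sshd was built with tcp-wrappers support, which nothing in this file verifies — worth stating in the def:6/def:7 descriptions.
```xml
<!-- … unchanged: definition def:1 (its single criterion still references tst:1) … -->
<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:1" version="1" check="all" comment="every PermitRootLogin directive in /etc/ssh/sshd_config must be set to no" check_existence="at_least_one_exists">
  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:4" />
  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1" />
</ind-def:textfilecontent54_test>
<!-- … unchanged: tests tst:2 through tst:20 … -->
<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:4" version="1" comment="Value of every PermitRootLogin directive in /etc/ssh/sshd_config">
  <ind-def:filepath>/etc/ssh/sshd_config</ind-def:filepath>
  <ind-def:pattern operation="pattern match">^[[:space:]]*PermitRootLogin[[:space:]]+([^[:space:]#]+)</ind-def:pattern>
  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<!-- … unchanged: objects obj:1 through obj:3 … -->
<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:1" version="1" comment="The PermitRootLogin value is exactly no">
  <ind-def:subexpression operation="equals">no</ind-def:subexpression>
</ind-def:textfilecontent54_state>
```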

diff --git a/xml/SCAP/openssh-xccdf.xml b/xml/SCAP/openssh-xccdf.xml
new file mode 100644
index 0000000..0230c63
--- /dev/null
+++ b/xml/SCAP/openssh-xccdf.xml
@@ -0,0 +1,579 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_Gentoo-Security-Benchmark-OpenSSH-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
+  <status date="2012-07-14">draft</status>
+  <title>Hardening OpenSSH</title>
+  <description>
+    The OpenSSH server offers remote Secure Shell services towards your users. This benchmark
+    focuses on the hardening of OpenSSH within a Gentoo Hardened environment.
+  </description>
+  <platform idref="cpe:/o:gentoo:linux"/>
+  <version>1</version>
+  <model system="urn:xccdf:scoring:default"/>
+  <model system="urn:xccdf:scoring:flat"/>
+  <Profile id="xccdf_org.gentoo.dev.swift_profile_default">
+    <title>OpenSSH server setup settings</title>
+    <description>
+      Profile matching all OpenSSH hardening rules
+    </description>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-rhosts" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-rrsa" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-hostbased" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-empty" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-pam" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-protocol" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-useprivsep" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-nox11fwd" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-strictmode" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-norootlogin" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-nopasswordauth" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-nochallengeresponse" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-allowgroup" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-hostsallow" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-hostsdeny" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen4" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen6" selected="true" />
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-notcpfwd" selected="true" />
+  </Profile>
+  <Group id="xccdf_org.gentoo.dev.swift_group_intro">
+    <title>Introduction</title>
+    <description>
+      The OpenSSH service is one of the most used SSH providing services. 
+    </description>
+    <Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
+      <title>Using this guide</title>
+      <description>
+        The guide you are currently reading is the guide generated from this SCAP
+        content (more specifically, the XCCDF document) using <h:b>openscap</h:b>,
+        a free software implementation for handling SCAP content. Within Gentoo,
+        the package <h:code>app-forensics/openscap</h:code> provides the tools, and
+        the following command is used to generate the HTML output:
+        <h:br />
+        <h:pre>### Command to generate this guide ###
+# <h:b>oscap xccdf generate guide scap-openssh-xccdf.xml &gt; output.html</h:b>
+        </h:pre>
+        <h:br />
+        Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
+        The two files combined allow you to automatically validate various settings as
+        documented in the benchmark. 
+        <h:br />
+        <h:br />
+        You can test the benchmark against your configuration.
+        <h:pre>### Testing the rules mentioned in the XCCDF document ###
+# <h:b>oscap xccdf eval --profile Default scap-openssh-xccdf.xml</h:b></h:pre>
+        <h:br />
+        To generate a full report in HTML as well, you can use the next command:
+        <h:pre>### Testing the rules and generating an HTML report ###
+# <h:b>oscap xccdf eval --profile Default --results xccdf-results.xml --report report.html scap-openssh-xccdf.xml</h:b></h:pre>
+        <h:br />
+        Finally, this benchmark will suggest some settings which you do not want
+        to enable. That is perfectly fine - even more, some settings might even
+        raise eyebrows left and right. We'll try to document the reasoning behind
+        the settings but you are free to deviate from them. If that is the case,
+        you might want to create your own profile which only contains the rules 
+        you want checked. You can then use that profile instead of the Default one.
+      </description>
+    </Group>
+    <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
+      <title>Available XCCDF Profiles</title>
+      <description>
+        As mentioned earlier, the XCCDF document supports multiple profiles. For the time
+        being, one profile is defined:
+        <h:br />
+        <h:ul>
+          <h:li>Default contains all mentioned tests</h:li>
+        </h:ul>
+        Substitute the profile information in the commands above with the profile you want to test on.
+      </description>
+    </Group>
+  </Group>
+  <Group id="xccdf_org.gentoo.dev.swift_group_config">
+    <title>Configuration Settings</title>
+    <description>
+      In this section, we look at the configuration settings of an OpenSSH service
+    </description>
+    <Group id="xccdf_org.gentoo.dev.swift_group_config-default">
+      <title>Default OpenSSH settings</title>
+      <description>
+        OpenSSH comes with some sane defaults to start with. These should not be touched.
+      </description>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-rhosts">
+        <title>Ignore Rhosts</title>
+        <description>
+          Historically, users could define a <h:code>.rhosts</h:code> or <h:code>.shosts</h:code>
+          file in which they mention the systems from which they log on to the system (the client
+          hosts). When the user then logs on from one of these remote locations, the shell service
+          would not ask for password authentication and just automatically log in the user.
+          <h:br />
+          <h:br />
+          The shell service treats <h:code>.shosts</h:code> mentioned hosts a bit different: it first
+          checks that hosts identity using some public key authentication scheme (in which case the
+          host keys of the clients are placed in <h:code>/etc/ssh/ssh_known_hosts</h:code> or
+          <h:code>~/.ssh/known_hosts</h:code>).
+          <h:br />
+          <h:br />
+          This is however a very insecure setup and can be easily circumvented. It only performs 
+          host-based authentication, not user authentication, and in case of the <h:code>.rhosts</h:code>
+          file this host-based authentication is only based on the hostname/IP matching. 
+          <h:br />
+          <h:br />
+          For this reason, support for the <h:code>.rhosts</h:code> and <h:code>.shosts</h:code>
+          files is by default disabled.
+          <h:br />
+          <h:br />
+          <h:pre>### /etc/ssh/sshd_config : IgnoreRhosts
+# If set, IgnoreRhosts must be set to yes (which is the default)
+IgnoreRhosts yes</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-rhosts -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-rhosts" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-rhosts -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-rhostsrsa">
+        <title>Do not allow RSA Host Authentication</title>
+        <description>
+          As part of the Rhosts implementation, OpenSSH supports using RSA authentication for remote hosts.
+          With RSA authentication enabled, hosts mentioned in the <h:code>.rhosts</h:code> (or <h:code>/etc/hosts.equiv</h:code>)
+          files need to be authenticated based on their RSA key. This applies to the SSH protocol version 1 only.
+          <h:br />
+          <h:br />
+          As Rhosts is found insecure, this option does not make rhosts more feasible to use. For this reason,
+          this option is by default disabled.
+          <h:br />
+          <h:pre>### /etc/ssh/sshd_config : RhostsRSAAuthentication
+# If set, RhostsRSAAuthentication must be set to "no" (which is the default).
+RhostsRSAAuthentication no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-rrsa -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-rrsa" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:9" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-rrsa -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-hostbased">
+        <title>Do not allow Host-based Authentication</title>
+        <description>
+          As part of the Rhosts implementation, Ope SSH supports using public key authenticatoin for remote hosts.
+          With this enabled, hosts mentioned in the <h:code>.rhosts</h:code> (or <h:code>/etc/hosts.equiv</h:code>)
+          files need to be authenticated based on their public key. This applies to the SSH protocol version 2 only.
+          <h:br />
+          <h:br />
+          As Rhosts is found insecure, this option does not make rhosts more feasible to use. For this reason,
+          this option is by default disabled.
+          <h:br />
+          <h:pre>### /etc/ssh/sshd_config : HostbasedAuthentication
+# If set, HostbasedAuthentication must be set to "no" (which is the default) 
+HostbasedAuthentication no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-hostbased -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-hostbased" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-hostbased -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-emptypassword">
+        <title>Do not Permit Empty Passwords</title>
+        <description>
+          If password-based authentication is used, it is wise not to allow empty passwords.
+          <h:br />
+          <h:br />
+          Allowing empty passwords within your network makes the services <h:em>very</h:em> vulnerable
+          to exploit, even when the software is fully up-to-date. 
+          <h:br />
+          <h:pre>### /etc/ssh/sshd_config : PermitEmptyPasswords
+# If set, PermitEmptyPasswords must be set to "no" (which is the default).
+PermitEmptyPasswords no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-empty -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-empty" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:11" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-empty -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-pam">
+        <title>Use PAM</title>
+        <description>
+          PAM (Pluggable Authentication Modules) is a powerful framework for managing
+          authentication of users and services in a flexible manner. By default, OpenSSH
+          uses PAM for the authentication of users.
+          <h:br />
+          <h:br />
+          One of the many advantages of PAM is that you can add in additional rules you want
+          to enforce during the authentication. You can limit access based on login count (or number of failures),
+          use centralized authentication repositories (like OpenLDAP), allow access only during specific
+          time windows, etc.
+          <h:br />
+          <h:br />
+          It is strongly advised to use PAM for SSH authentication too (but do manage the PAM configuration
+          properly!) Be aware though that the authentication services themselves (is the user who he sais
+          he is) of PAM are not used if public key authentication is used. The other services, which include
+          the access controls mentioned earlier, are still consulted though.
+          <h:br />
+          <h:pre>### /etc/ssh/sshd_config : UsePAM
+# If set, UsePAM must be set to "yes" (which is the default)
+UsePAM yes</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-pam -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-pam" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-pam -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-protocol2">
+        <title>Only use version 2 of the SSH protocol</title>
+        <description>
+          The first version of the SSH protocol has been found insecure: TODO.
+          <h:br />
+          <h:br />
+          For this reason, it is strongly advised to use version 2 of the protocol only. This is also
+          the default for OpenSSH.
+          <h:br />
+          <h:pre>### /etc/ssh/sshd_config : Protocol
+# If set, Protocol must be set to 2 only (which is the default)
+Protocol 2</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-protocol -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-protocol" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:13" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-protocol -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-privsep">
+        <title>Use privilege separation</title>
+	<description>
+	  With privilege separation enabled, the SSH daemon has a tiny footprint running as root,
+	  whereas the rest of the application runs as an unprivileged process to deal with the
+	  incoming network traffic. This can be tuned with <h:code>UsePrivilegeSeparation yes</h:code>
+	  which is the default for OpenSSH.
+	  <h:br />
+	  <h:pre>### /etc/ssh/sshd_config : UsePrivilegeSeparation
+# If set, UsePrivilegeSeparation must be set to yes (which is the default)
+UsePrivilegeSeparation yes</h:pre>
+	</description>
+        <!-- @@GEN START rule-sshd-def-useprivsep -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-useprivsep" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-useprivsep -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-x11fwd">
+        <title>Disable X11 forwarding</title>
+	<description>
+	  SSH supports forwarding X11 packets, so X11 applications started on the remote system have their
+	  display shown on the client. This behavior is by default disabled.
+	  <h:br />
+	  <h:pre>### /etc/ssh/sshd_config : X11Forwarding
+# If set, X11Forwarding must be set to no (which is the default)
+X11Forwarding no</h:pre>
+	</description>
+	<!-- @@GEN START rule-sshd-def-nox11fwd -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-nox11fwd" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:15" href="openssh-oval.xml" />
+  </check>
+</Rule>
+	<!-- @@GEN END rule-sshd-def-nox11fwd -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-strictmode">
+        <title>Enable strict mode</title>
+	<description>
+	  When <h:code>StrictModes yes</h:code> is enabled, the SSH daemon will only allow a remote user to
+	  log on when some of the important files in that users' home directory have the proper privileges and
+	  ownership. This behavior is by default enabled.
+	  <h:br />
+	  <h:pre>### /etc/ssh/sshd_config : StrictModes
+# If set, StrictModes must be set to yes (which is the default)
+StrictModes yes</h:pre>
+	</description>
+	<!-- @@GEN START rule-sshd-def-strictmode -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-strictmode" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="openssh-oval.xml" />
+  </check>
+</Rule>
+	<!-- @@GEN END rule-sshd-def-strictmode -->
+      </Group>
+    </Group>
+    <Group id="xccdf_org.gentoo.dev.swift_group_config-auth">
+      <title>Authentication-related settings</title>
+      <description>
+        Being a remote shell service, authentication is one of the main features that OpenSSH provides. 
+        A few settings help us in hardening the SSH server even further.
+      </description>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-noroot">
+        <title>Disable root logins</title>
+        <description>
+          As root is one of the most powerful accounts, direct access to root should be limited. It is 
+          advised that, if a process needs root privileges, it uses a functional account which has the
+          right to call one or a few commands as root, but nothing else.
+          <h:br />
+          <h:br />
+          With OpenSSH, it is possible to prohibit direct root access towards the system if feasible within
+          your architecture. This can be accomplished using the <h:code>PermitRootLogin no</h:code> directive.
+          If you need root logins, consider only allowing specified command access (forced-commands-only).
+          <h:br />
+          <h:pre>### /etc/ssh/sshd_config : PermitRootLogin
+# Set this to "no" or, if needed, "forced-commands-only"
+PermitRootLogin no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-norootlogin -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-norootlogin" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:1" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-norootlogin -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-nopassword">
+        <title>Use public key authentication</title>
+        <description>
+          By default, OpenSSH uses interactive, keyboard-based password logins. One intrinsic problem with
+          passwords is that they can be weak, but also that hacked passwords can be used from other locations.
+          <h:br />
+          <h:br />
+          A safer approach for remote shell invocation is to use a keypair: the key is much stronger than most
+          passwords, making brute-force improbably and dictionary-attacks useless. The private key is only
+          known by you (on your system) and optionally (but preferably) protected by a (strong) passphraze so that
+          adversaries that force access to your system can still not use your private key.
+          <h:br />
+          <h:br />
+          Such a keypair an be generated by the users using <h:b>ssh-keygen -t dsa</h:b> after which the private and
+          public keys are stored in <h:code>~/.ssh</h:code>
+          <h:br />
+          <h:br />
+          On the OpenSSH server level, you can force the use of public key authentication (and thus deny
+          keyboard-interactive password logins) using <h:code>PasswordAuthentication no</h:code>.
+          <h:br />
+          <h:pre>### /etc/ssh/sshd_config : PasswordAuthentication
+# Set this to "no"
+PasswordAuthentication no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-nopasswordauth -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-nopasswordauth" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-nopasswordauth -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-nochallengeresponse">
+        <title>Disable ChallengeResponseAuthentication</title>
+        <description>
+	  In OpenSSH, a (confusing) parameter called <h:code>ChallengeResponseAuthentication</h:code>
+	  is available (and by default enabled). Many users might believe that this implements a more secure
+	  authentication method (based on a challenge and a token that need to be verified - i.e. multi-factor
+	  authentication). However, in case of this parameter, this isn't true.
+          <h:br />
+	  <h:br />
+	  The <h:code>ChallengeResponseAuthentication</h:code> setting enables <h:em>TIS Challenge/Response</h:em>
+	  in SSH protocol version 1, and keyboard-interactive in SSH protocol v2. Hence, in our case, it is best
+	  set disabled as we do not want regular password authentication to be enabled (and don't use protocol
+	  version 1).
+	  <h:br />
+          <h:pre>### /etc/ssh/sshd_config : ChallengeResponseAuthentication
+# Set this to "no"
+ChallengeResponseAuthentication no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-nochallengeresponse -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-nochallengeresponse" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-nochallengeresponse -->
+      </Group>
+    </Group>
+    <Group id="xccdf_org.gentoo.dev.swift_group_config-acl">
+      <title>Access control related settings</title>
+      <description>
+        By default, OpenSSH allows access from any location and by any user who gets authenticated properly.
+        However, it is safer if you can restrict access from hosts that are allowed to access the SSH service
+        (and not other hosts) as well as users that are known to access the system remotely.
+      </description>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-allowgroup">
+        <title>Only allow specific group(s) access</title>
+        <description>
+          Not every user on your system needs to be able to remotely log on to the system. Many
+          users on your system are local-only, either because they are services accounts, or
+          because the users are only meant to log on directly (or through another service).
+          <h:br />
+          <h:br />
+          With OpenSSH, you can limit SSH access to users defined in a limited set of (Unix) groups.
+          It is recommended to define a Unix group (like <h:code>ssh</h:code> if that isn't used by the
+          service daemon itself) in which those users are defined, and then only allow SSH access
+          for this group.
+          <h:br />
+          <h:pre>### /etc/ssh/sshd_config : AllowGroup
+# Set this to the unix group whose members are allowed access
+AllowGroup ssh</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-allowgroup -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-allowgroup" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-allowgroup -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-hosts">
+        <title>Only allow specific host(s) access</title>
+        <description>
+          Not every host on your network (or beyond) needs access to your system. On the contrary, most
+          hosts probably shouldn't have SSH access to your system.
+          <h:br />
+          <h:br />
+          With a service called <h:em>tcpwrappers</h:em> OpenSSH allows administrators to define the hosts
+          allowed access (or explicitly not allowed access) in the <h:code>/etc/hosts.allow</h:code> and
+          <h:code>/etc/hosts.deny</h:code>.
+          <h:br />
+          <h:br />
+          For a good secure setting, it is recommended to disallow access from any host, and then explicitly grant
+          access from a select set of hosts (or subnetworks).
+          <h:br />
+          <h:pre>### /etc/hosts.allow
+# Give the list of allowed hosts or networks
+sshd: 192.168.1.0/24</h:pre><h:br />
+          <h:pre>### /etc/hosts.deny
+# Deny access by default from everywhere
+sshd: ALL</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-hostsallow -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-hostsallow" selected="false">
+  <title>file /etc/hosts.allow must have a line that matches ^sshd:</title>
+  <description>file /etc/hosts.allow must have a line that matches ^sshd:</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-hostsallow -->
+        <!-- @@GEN START rule-sshd-hostsdeny -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-hostsdeny" selected="false">
+  <title>file /etc/hosts.deny must have a line that matches ^sshd: ALL</title>
+  <description>file /etc/hosts.deny must have a line that matches ^sshd: ALL</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:7" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-hostsdeny -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-listen">
+        <title>Only listen on proper interfaces</title>
+        <description>
+          By default, OpenSSH listens on all available interfaces. In many cases though, this isn't necessary.
+          <h:br />
+          <h:br />
+          Multihomed systems (i.e. systems with multiple network interfaces) usually only use a single interface
+          for the administrative access, whereas the other interface is to connect to the Internet or disclose the
+          "business applications".
+          <h:br />
+          <h:br />
+          On dual stack systems (i.e. systems with an IPv4 and IPv6 stack) the IPv6 (or IPv4) address might not be
+          in use, or not for the administrative access (like through OpenSSH). In these cases, it is wise not to have
+          OpenSSH listen on these addresses either.
+          <h:br />
+          <h:pre>## /etc/ssh/sshd_config : ListenAddress
+# Define a ListenAddress, but do not set it to "any address"
+# (which is 0.0.0.0 in IPv4 and :: in IPv6)
+ListenAddress 192.168.100.121</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-listen -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-listen -->
+        <!-- @@GEN START rule-sshd-listen4 -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen4" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:17" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-listen4 -->
+        <!-- @@GEN START rule-sshd-listen6 -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen6" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="openssh-oval.xml" />
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-listen6 -->
+      </Group>
+    </Group>
+    <Group id="xccdf_org.gentoo.dev.swift_group_config-use">
+      <title>Disable unused settings</title>
+      <description>
+        OpenSSH has a few more options that it supports. If you, however, have no need for these options,
+	it is safer to have them disabled. Potential vulnerabilities that might be discovered later on these
+	options then have no effect on your system.
+      </description>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-use-tcpfwd">
+        <title>Disable TCP forwarding</title>
+	<description>
+	  SSH supports "tunneling", where packets are forwarded over a (partially) secure channel towards
+	  another location. If you do not need this, disable TCP forwarding through <h:code>AllowTcpForwarding no</h:code>
+	  <h:br />
+	  <h:pre>### /etc/ssh/sshd_config : AllowTcpForwarding
+# If not needed, disable TCP forwarding
+AllowTcpForwarding no</h:pre>
+	</description>
+	<!-- @@GEN START rule-sshd-notcpfwd -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-notcpfwd" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="openssh-oval.xml" />
+  </check>
+</Rule>
+	<!-- @@GEN END rule-sshd-notcpfwd -->
+      </Group>
+    </Group>
+  </Group>
+</Benchmark>
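Review bot: The configuration example in the config-acl-allowgroup group tells the reader to add `AllowGroup ssh` to sshd_config, but the sshd keyword is `AllowGroups`; sshd aborts on an unknown option, so the `h:pre` block should read `AllowGroups ssh`, and note that the OVAL pattern `^AllowGroup` matches the correct spelling as well, so the check will not detect the typo. The "must have a line" rules (sshd-norootlogin, sshd-nopasswordauth, sshd-nochallengeresponse, sshd-notcpfwd) only prove that a compliant line exists somewhere, while sshd honours the first occurrence of a keyword (and later `Match` blocks), so a file with `PasswordAuthentication yes` above `PasswordAuthentication no` still passes; pairing each with a complementary "may not have a line that matches `^PasswordAuthentication.*yes`" rule, as the defaults group already does, would close that gap. The hosts.allow/hosts.deny rules only enforce anything if sshd was built with tcp_wrappers support (presumably the tcpd USE flag on Gentoo), which the group description should state. Finally, the example commands use `--profile Default` while the only profile id is `xccdf_org.gentoo.dev.swift_profile_default`, and `ssh-keygen -t dsa` yields a 1024-bit key, so recommending RSA with an explicit larger size is the safer advice.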

