From 63bf34c59c3fda632842b99d3afc4219aeb06e03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20Lengronne?=
Date: Fri, 22 May 2020 10:33:16 +0200
Subject: [PATCH 1/2] privilege separation deprecated
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 controls/sshd_spec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb
index 15ecca0..2956143 100644
--- a/controls/sshd_spec.rb
+++ b/controls/sshd_spec.rb
@@ -207,9 +207,9 @@
 control 'sshd-16' do
 impact 1.0
 title 'Server: Use privilege separation'
- desc 'UsePrivilegeSeparation is an option, when enabled will allow the OpenSSH server to run a small (necessary) amount of code as root and the of the code in a chroot jail environment. This enables ssh to deal incoming network traffic in an unprivileged child process to avoid privilege escalation by an attacker.'
+ desc 'UsePrivilegeSeparation is deprecated.'
 describe sshd_config(sshd_custom_path + '/sshd_config') do
- its('UsePrivilegeSeparation') { should eq(sshd_valid_privseparation) }
+ its('UsePrivilegeSeparation') { should eq nil }
 end
 end
From bb538e4c69c2b9f14427414a250915cc7ff03a00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mich=C3=A9e=20Lengronne?=
Date: Fri, 22 May 2020 11:27:26 +0200
Subject: [PATCH 2/2] cleaning valid priv separation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Michée Lengronne
---
 controls/sshd_spec.rb | 6 ------
 libraries/ssh_crypto.rb | 40 ----------------------------------------
 2 files changed, 46 deletions(-)
diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb
index 2956143..4a1255a 100644
--- a/controls/sshd_spec.rb
+++ b/controls/sshd_spec.rb
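Review bot: In control 'sshd-16' (controls/sshd_spec.rb, patch 1/2) the new expectation `should eq nil` applies to every target, yet the control keeps `impact 1.0` and the title 'Server: Use privilege separation', and the new desc no longer says what is verified or why. The helper removed in patch 2/2 expected 'yes' or 'sandbox' on the older releases it listed, so a host of that kind that sets the directive explicitly would presumably now fail, and an absent directive there only means the daemon's default applies. I would say so in the description, for example `desc 'UsePrivilegeSeparation is deprecated in recent OpenSSH, where privilege separation is always on; the directive must not be set in sshd_config.'`, and adjust the title to match. As a style point, `its('UsePrivilegeSeparation') { should be_nil }` states the intent more directly than `should eq nil`.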
@@ -32,12 +32,6 @@
 sshd_custom_path = attribute('sshd_custom_path', value: '/etc/ssh', description: 'Sometimes ssh configuration files are present in another location and ssh use them with the -f flag')
 sshd_custom_port = attribute('sshd_custom_port', value: '22', description: 'Sometimes the ssh port is not 22. For instance, in a container as another user, 22 is forbidden')
-sshd_valid_privseparation = if sshd_custom_user != 'root'
- 'no'
- else
- ssh_crypto.valid_privseparation
- end
-
 only_if do
 command('sshd').exist?
 end
diff --git a/libraries/ssh_crypto.rb b/libraries/ssh_crypto.rb
index 0eda6ff..7059cda 100644
--- a/libraries/ssh_crypto.rb
+++ b/libraries/ssh_crypto.rb
@@ -169,46 +169,6 @@ def valid_macs # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLen
 macs
 end
- def valid_privseparation # rubocop:disable Metrics/CyclomaticComplexity
- # define privilege separation set
- ps53 = 'yes'
- ps59 = 'sandbox'
- ps75 = nil
- ps = ps59
-
- # debian 7.x and newer has ssh 5.9+
- # ubuntu 12.04 and newer has ssh 5.9+
-
- case inspec.os[:name]
- when 'debian'
- case inspec.os[:release]
- when /^6\./
- ps = ps53
- when /^10\./
- ps = ps75
- end
- when 'redhat', 'centos', 'oracle'
- case inspec.os[:release]
- # redhat/centos/oracle 6.x has ssh 5.3
- when /^6\./
- ps = ps53
- when /^7\./
- ps = ps59
- when /^8\./
- ps = ps75
- end
- when 'ubuntu'
- case inspec.os[:release]
- when /^18\./
- ps = ps75
- end
- when 'fedora', 'alpine'
- ps = ps75
- end
-
- ps
- end
-
 # return a list of valid algoriths for a current platform
 def valid_algorithms # rubocop:disable Metrics/CyclomaticComplexity
 alg53 = %w[rsa]