Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove the PAM deactivation enforcement #72

Merged
merged 1 commit into from
Dec 23, 2016
Merged

Remove the PAM deactivation enforcement #72

merged 1 commit into from
Dec 23, 2016

Conversation

artem-sidorenko
Copy link
Member

chris-rock
chris-rock reviewed Dec 23, 2016
View reviewed changes
controls/sshd_spec.rb
describe sshd_config do
its('UsePAM') { should eq('no') }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we check for UsePAM yes?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have reasons to do that? In my eyes if we check for UsePAM yes, it gets to the hardening requirement, but its not a hardening requirement (at least anymore). Do I miss something?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

its('UsePAM') { should cmp 'yes' } would check that pam is activated, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes...but why?:)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its fine with me, I am just asking. Opinion @atomic111 ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@artem-sidorenko and @chris-rock yes we can set PAM to yes and remove the check, because we are checking PasswordAuthentication = no and ChallengeResponseAuthentication = no. But we have already the sshd-29, which checks for ChallengeResponseAuthentication = no. i would recommend to remove this PAM check and renumber the rest.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@atomic111 good catch, I updated the PR

@artem-sidorenko artem-sidorenko changed the title Verify the challenge response but not PAM Remove the PAM deactivation enforcement Dec 23, 2016
@chris-rock
Copy link
Member

chris-rock commented Dec 23, 2016
edited
Loading

General question about renumbering: are we sure we want to do this? If you use profile inheritance, renumbering will break rewrites or adaptions of each test. In general we should avoid renumbering, we should just introduce new numbers.

@artem-sidorenko
Copy link
Member Author

@chris-rock Hm, I was not aware of inspec's profile inheritance features. I'll update the PR and remove the renumbering

@artem-sidorenko
Copy link
Member Author

done

@chris-rock
Copy link
Member

This feature is quite new. It is documented here: http://inspec.io/docs/reference/profiles/ and this is an example profile https://github.com/chris-rock/acme-inspec-profile. Does not use specific control ids though.

@chris-rock
Copy link
Member

@atomic111 I like the current adaption. If you're okay, please merge it.

@atomic111
Copy link
Member

@chris-rock thanks for the hint. @artem-sidorenko thanks for removing this test

@atomic111 atomic111 merged commit 8efdafc into dev-sec:master Dec 23, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@atomic111 atomic111 atomic111 left review comments

@chris-rock chris-rock chris-rock approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@artem-sidorenko @chris-rock @atomic111