Description of problem:
sshd_set_idle_timeout checks the ClientAliveInterval and ClientAliveCountMax configurations. However, it remediates only ClientAliveInterval.
ClientAliveCountMax is fixed by the sshd_set_keepalive (sshd_set_keepalive_0) rule.
SCAP Security Guide Version:
ece8437
Operating System Version:
RHEL 7, RHEL 8
Steps to Reproduce:
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig_gui --report report.html scap-security-guide-0.1.61-1.gitece8437.el8-ssg-rhel8-ds.xml
Actual Results:
sshd_set_idle_timeout results in error
Expected Results:
sshd_set_idle_timeout results in fixed
Additional Information/Debugging Steps:
When both rules (sshd_set_idle_timeout and sshd_set_keepalive) are in the profile, sshd_set_idle_timeout is remediated first and then sshd_set_keepalive is remediated.
Re-ordering should solve this - remediate sshd_set_keepalive first (it doesn't depend on the other rule) and then remediate sshd_set_idle_timeout. This should lead to 2x fixed instead of error+fixed.
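
A simplified model of the ordering problem described above, as an added example that is not part of the original report and not ComplianceAsCode's OVAL or remediation code. The ClientAliveInterval threshold of 600, the sample config and all function names are assumptions; it also assumes the scanner re-checks a rule right after remediating it and reports error when the re-check still fails.

```python
import re

INTERVAL_MAX = 600  # assumed idle-timeout threshold in seconds; not stated in the report
COUNT_MAX = 0       # value implied by the sshd_set_keepalive_0 rule name

def effective(config, keyword):
    """Return the first uncommented value for keyword (sshd uses the first occurrence)."""
    for line in config.splitlines():
        m = re.match(r"\s*(\S+)\s+(\S+)", line)
        if m and m.group(1).lower() == keyword.lower():
            return int(m.group(2))
    return None

def set_option(config, keyword, value):
    """Remediation model: drop active lines for keyword, then append the required one."""
    kept = [l for l in config.splitlines()
            if not re.match(rf"\s*{keyword}\s", l, re.IGNORECASE)]
    return "\n".join(kept + [f"{keyword} {value}"]) + "\n"

def check_idle_timeout(config):
    # The check looks at BOTH directives, as the report describes.
    i = effective(config, "ClientAliveInterval")
    c = effective(config, "ClientAliveCountMax")
    return i is not None and 0 < i <= INTERVAL_MAX and c == COUNT_MAX

def check_keepalive(config):
    return effective(config, "ClientAliveCountMax") == COUNT_MAX

# Each rule is (check, remediation); the idle-timeout fix touches only the interval.
RULES = {
    "sshd_set_idle_timeout": (check_idle_timeout,
        lambda cfg: set_option(cfg, "ClientAliveInterval", INTERVAL_MAX)),
    "sshd_set_keepalive": (check_keepalive,
        lambda cfg: set_option(cfg, "ClientAliveCountMax", COUNT_MAX)),
}

def remediate(config, order):
    """Evaluate each rule in order; remediate failures and re-check immediately."""
    results = {}
    for name in order:
        check, fix = RULES[name]
        if check(config):
            results[name] = "pass"
            continue
        config = fix(config)
        results[name] = "fixed" if check(config) else "error"
    return results

# Constructed sample sshd_config, not taken from a real system.
SAMPLE = "Port 22\n#ClientAliveInterval 0\nClientAliveCountMax 3\n"
```

Calling remediate(SAMPLE, ...) with sshd_set_idle_timeout first yields error for that rule, while the reversed order yields fixed for both.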