Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

os_sshd_fips_compliant remediation does not gracefully handle previous similar configuration settings #458

Open
bernstei opened this issue Dec 19, 2024 · 4 comments
Open

os_sshd_fips_compliant remediation does not gracefully handle previous similar configuration settings #458

bernstei opened this issue Dec 19, 2024 · 4 comments

Comments

@bernstei
Copy link

The remediation for os_sshd_fips_compliant at

macos_security/rules/os/os_sshd_fips_compliant.yaml

Line 40 in 30d4a1a

/usr/bin/grep -qxF "$config" "${include_dir}01-mscp-sshd.conf" 2>/dev/null || echo "$config" >> "${include_dir}01-mscp-sshd.conf"
does not attempt to remove previous lines that refer to the same config fields. As a result, if they have been set before (e.g. by an earlier version of macos_security remediation), the resulting 01-mscp-sshd.conf does not pass the compliance check for the rule.
@ChrisButigieg
Copy link

ChrisButigieg commented Dec 19, 2024
edited
Loading

I had the same issue resulted in Integer 3 instead of 7. Ran a -cfc and still failed for the same exact integer as before. Received an odd Token message, so I even tried running the reset command listed in the yaml file: /usr/libexec/reset-ssh-configuration. Same results. Ended up rebuilding my macOS 15.2 device and it sailed through -cfc.

@golbiga
Copy link
Collaborator

golbiga commented Dec 19, 2024
edited
Loading

In macOS 15.2 there is a reset option for sshd configurations. See the note in the yaml.

NOTE: On macOS 15.2 and higher the SSH configuration can be reset to the macOS default by running /usr/libexec/reset-ssh-configuration

@bernstei can you give this a try and let us know if that resolves your issue.

@bernstei
Copy link
Author

bernstei commented Dec 19, 2024
edited
Loading

So, it's a little weird. It does work in the sense that after I run it, the compliance remediation + check passes with no failures. However, there's one very weird thing that I noticed.

The particular rule that was giving me problems was os_sshd_fips_compliant (sshd, i.e. the server), which checks the output of sshd -G for the required config strings, and if needed remediates by writing into /etc/ssh/sshd_config.d/01-mscp-sshd.conf. However, after the reset and remediation (fixing 12 rules that failed), the strings that remediate this rule (Ciphers, MACs, etc) are not in /etc/ssh/sshd_config.d/01-mscp-sshd.conf. The only place I see them is in /etc/ssh/ssh_config.d/01-mscp-ssh.conf. It looks to me like they are written there by another related rule, os_ssh_fips_compliant. I assumed this file would only apply to the client, not sshd.

Is it expected that sshd -G returns configuration items that are set in files from a directory that is not referenced in /etc/ssh/sshd_config, but only in /etc/ssh/ssh_config?

@bernstei
Copy link
Author

Wait, maybe I'm seeing what's happening - I didn't notice that they also appear in /etc/ssh/crypto/fips.conf. Is that how they're being set for sshd?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@golbiga @bernstei @ChrisButigieg