Skip to content

BREAKING: privilege separation deprecated #171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
micheelengronne wants to merge 3 commits into
base: master
Choose a base branch
from
Open

BREAKING: privilege separation deprecated #171

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
63bf34c
privilege separation deprecated
micheelengronne May 22, 2020
bb538e4
cleaning valid priv separation
micheelengronne May 22, 2020
8923b7c
Merge branch 'master' into deprecate_privilege_separation
micheelengronne Aug 26, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions controls/sshd_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -207,9 +207,9 @@
control 'sshd-16' do
impact 1.0
title 'Server: Use privilege separation'
desc 'UsePrivilegeSeparation is an option, when enabled will allow the OpenSSH server to run a small (necessary) amount of code as root and the of the code in a chroot jail environment. This enables ssh to deal incoming network traffic in an unprivileged child process to avoid privilege escalation by an attacker.'
desc 'UsePrivilegeSeparation is deprecated.'
describe sshd_config(sshd_custom_path + '/sshd_config') do
its('UsePrivilegeSeparation') { should eq(sshd_valid_privseparation) }
Copy link
Member

@chris-rock chris-rock May 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we also need to remove

ssh-baseline/controls/sshd_spec.rb

Lines 35 to 39 in 0932d5f

sshd_valid_privseparation = if sshd_custom_user != 'root'
'no'
else
ssh_crypto.valid_privseparation
end
and

ssh-baseline/libraries/ssh_crypto.rb

Lines 172 to 210 in 3849c52

def valid_privseparation # rubocop:disable Metrics/CyclomaticComplexity
# define privilege separation set
ps53 = 'yes'
ps59 = 'sandbox'
ps75 = nil
ps = ps59
# debian 7.x and newer has ssh 5.9+
# ubuntu 12.04 and newer has ssh 5.9+
case inspec.os[:name]
when 'debian'
case inspec.os[:release]
when /^6\./
ps = ps53
when /^10\./
ps = ps75
end
when 'redhat', 'centos', 'oracle'
case inspec.os[:release]
# redhat/centos/oracle 6.x has ssh 5.3
when /^6\./
ps = ps53
when /^7\./
ps = ps59
when /^8\./
ps = ps75
end
when 'ubuntu'
case inspec.os[:release]
when /^18\./
ps = ps75
end
when 'fedora', 'alpine'
ps = ps75
end
ps
end

its('UsePrivilegeSeparation') { should eq nil }
end
end

Expand Down