From 32605051864e5e7ba16e7582d1a75459c826ef59 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 5 May 2022 20:08:59 +0200
Subject: [PATCH 22/39] Improve remediation, do not trigger second inhibitor
In the past, both of the inhibitors were triggered when the
configuration file did not contain any PermitRootLogin configuration
option. But it really does not make any sense to report the second
inhibitor if the first one is already raised.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
.../actors/opensshpermitrootlogincheck/actor.py | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
index ae3b4586..4cc4cbc2 100644
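--- a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
+++ b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
@@ -74,13 +74,16 @@ class OpenSshPermitRootLoginCheck(Actor):
 reporting.Severity(reporting.Severity.HIGH),
 reporting.Tags(COMMON_REPORT_TAGS),
 reporting.Remediation(
- hint='If you depend on remote root logins using '
- 'passwords, consider setting up a different '
- 'user for remote administration or adding '
- '"PermitRootLogin yes" to sshd_config.'
+ hint='If you depend on remote root logins using passwords, consider '
+ 'setting up a different user for remote administration or adding '
+ '"PermitRootLogin yes" to sshd_config. '
+ 'If this change is ok for you, add explicit '
+ '"PermitRootLogin prohibit-password" to your sshd_config '
+ 'to ignore this inhibitor'
 ),
 reporting.Flags([reporting.Flags.INHIBITOR])
 ] + COMMON_RESOURCES)
+ return
 
 # Check if there is at least one PermitRootLogin other than "no"
 # in match blocks (other than Match All).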
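Review bot: The extended hint still offers `"PermitRootLogin yes"` on equal footing without saying that it keeps password logins for root enabled, and it describes the explicit `prohibit-password` setting as a way "to ignore this inhibitor" when it is really how the administrator confirms the stricter setting. I would lead with the stricter option and finish the sentence with a period, e.g. `'To accept this change, add an explicit "PermitRootLogin prohibit-password" to sshd_config; this also clears the inhibitor.'`. The bare `return` after the report would also benefit from a short comment such as `# global setting already reported; skip the Match-block check so only one inhibitor is raised`. The enclosing method starts and ends outside this hunk, so whether the early return skips anything beyond the Match-block check cannot be confirmed from here.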
--
2.35.3