From 32605051864e5e7ba16e7582d1a75459c826ef59 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 5 May 2022 20:08:59 +0200
Subject: [PATCH 22/39] Improve remediation, do not trigger second inhibitor

In the past, both of the inhibitors were triggered when the configuration file did not contain any PermitRootLogin configuration option. But this really does not make any sense to report the second inhibitor if the first one is already raised.

Signed-off-by: Jakub Jelen
---
 .../actors/opensshpermitrootlogincheck/actor.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
index ae3b4586..4cc4cbc2 100644
--- a/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
+++ b/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
@@ -74,13 +74,16 @@ class OpenSshPermitRootLoginCheck(Actor):
 reporting.Severity(reporting.Severity.HIGH),
 reporting.Tags(COMMON_REPORT_TAGS),
 reporting.Remediation(
- hint='If you depend on remote root logins using '
- 'passwords, consider setting up a different '
- 'user for remote administration or adding '
- '"PermitRootLogin yes" to sshd_config.'
+ hint='If you depend on remote root logins using passwords, consider '
+ 'setting up a different user for remote administration or adding '
+ '"PermitRootLogin yes" to sshd_config. '
+ 'If this change is ok for you, add explicit '
+ '"PermitRootLogin prohibit-password" to your sshd_config '
+ 'to ignore this inhibitor'
 ),
 reporting.Flags([reporting.Flags.INHIBITOR])
 ] + COMMON_RESOURCES)
+ return
 # Check if there is at least one PermitRootLogin other than "no"
 # in match blocks (other than Match All).
--
2.35.3
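Review bot: The new tail of the remediation hint tells the user that adding an explicit `"PermitRootLogin prohibit-password"` will "ignore this inhibitor", but that setting accepts the new behaviour rather than suppressing a check, and the sentence has no closing period; `'to resolve this inhibitor.'` would read more accurately. The same hint still offers `"PermitRootLogin yes"` without saying that it keeps password authentication for root enabled over SSH, so a short clause such as `'(this keeps password-based root login enabled) '` would let the reader weigh it against the separate-admin-user option. The added `return` has no comment; `# First inhibitor already raised; skip the Match-block check` would explain why the second check is bypassed. The condition that encloses the report and the `return` starts outside the hunk, so it is presumably the branch for a missing global PermitRootLogin; that is worth confirming so Match-block findings are not skipped in any other case.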