os_sshd_key_exchange_algorithm_configure.yaml does not have a fallback to adding the relevant line #290

Closed
opened 2026-01-19 18:29:57 +00:00 by michael · 1 comment

Originally created by @noambernstein on GitHub.

Originally assigned to: @golbiga on GitHub.

Summary

os_sshd_key_exchange_algorithm_configure.yaml fails because there is no KexAlgorithms in sshd_config, and unlike the other sshd_config rules it does not fall back to appending such a line

Steps to reproduce

run build/PROFILE/PROFILE_compliance.sh, tell it to fix os_sshd_key_exchange_algorithm_configure, then run it again and see that it hasn't actually fixed it because there's no line to change with sed.

Operating System version

11.3.0

What is the current bug behavior?

When no KexAlgorithms entry is present in /etc/ssh/sshd_config, a correct one is not added

What is the expected correct behavior?

When no KexAlgorithms entry is present in /etc/ssh/sshd_config, a correct one is added

Possible fixes

https://github.com/usnistgov/macos_security/blob/ebca0938531b2b3e077966c6f3c083636a91bc2b/rules/os/os_sshd_key_exchange_algorithm_configure.yaml#L20
needs a grep ... || echo .... >> .... type behavior like, e.g. https://github.com/usnistgov/macos_security/blob/ebca0938531b2b3e077966c6f3c083636a91bc2b/rules/os/os_ssh_fips_140_ciphers.yaml#L18

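The remediation pattern the issue asks for, as an added example that is not the macos_security project's own rule code: a sed-only fix that silently does nothing when no active KexAlgorithms line exists, next to the grep-then-append fallback the FIPS ciphers rule is cited as using. The sample sshd_config, the KexAlgorithms value and the function names are assumptions chosen for illustration; the project's rule carries its own algorithm list.

```shell
#!/bin/sh
# Added example, not the macos_security project's rule code.
# Contrasts a sed-only edit with an edit-or-append fallback for sshd_config.
set -u

# Illustrative value only (assumption); the real rule supplies its own list.
KEX_VALUE='diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521'

# Returns 0 when FILE has an active (uncommented) line setting KEY to exactly VALUE.
# The keyword is matched as spelled here; sshd itself accepts keywords case-insensitively.
has_directive() {
    file=$1; key=$2; value=$3
    grep -q "^[[:space:]]*${key}[[:space:]]\{1,\}${value}[[:space:]]*$" "$file"
}

# The behaviour the issue reports: sed alone. A commented "#KexAlgorithms ..." does
# not match, so a file with no active directive is left untouched and the fix "succeeds".
# A temp file is used instead of "sed -i" because BSD and GNU sed disagree on its syntax.
fix_sed_only() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    sed "s|^[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# The requested fallback: rewrite an existing active directive, otherwise append one
# (the "grep ... || echo ... >> ..." shape). Running it twice leaves one line, not two.
fix_with_fallback() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]" "$file"; then
        fix_sed_only "$file" "$key" "$value"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Constructed sample config with only a commented-out KexAlgorithms line,
# mirroring the state described in the issue. Prints the temp file's path.
make_sample_config() {
    file=$(mktemp)
    cat > "$file" <<'EOF'
# Constructed sample, not a real host's sshd_config
#KexAlgorithms curve25519-sha256
PasswordAuthentication no
EOF
    printf '%s\n' "$file"
}

# Applies both fixes to fresh copies of the sample and reports whether each
# produced an active directive. Returns "sed-only:<state> fallback:<state>".
demo() {
    f1=$(make_sample_config); f2=$(make_sample_config)
    fix_sed_only "$f1" KexAlgorithms "$KEX_VALUE"
    fix_with_fallback "$f2" KexAlgorithms "$KEX_VALUE"
    if has_directive "$f1" KexAlgorithms "$KEX_VALUE"; then r1=present; else r1=missing; fi
    if has_directive "$f2" KexAlgorithms "$KEX_VALUE"; then r2=present; else r2=missing; fi
    rm -f "$f1" "$f2"
    printf 'sed-only:%s fallback:%s\n' "$r1" "$r2"
}

demo
```

Two checks worth keeping alongside any such fix: verify the effective setting with `sshd -T` (run as root) rather than by grepping the file, and remember that sshd uses the first value it obtains for a keyword, so an appended line only takes effect if nothing earlier in the file (or in a file pulled in by an Include directive, on OpenSSH 8.2 and later) already sets KexAlgorithms.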

@golbiga commented on GitHub:

merged with main


Reference: usnistgov/macos_security#290