-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BREAKING: privilege separation deprecated #171
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: Michée Lengronne <[email protected]>
fb6870c
to
63bf34c
Compare
describe sshd_config(sshd_custom_path + '/sshd_config') do | ||
its('UsePrivilegeSeparation') { should eq(sshd_valid_privseparation) } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we also need to remove
ssh-baseline/controls/sshd_spec.rb
Lines 35 to 39 in 0932d5f
sshd_valid_privseparation = if sshd_custom_user != 'root' | |
'no' | |
else | |
ssh_crypto.valid_privseparation | |
end |
ssh-baseline/libraries/ssh_crypto.rb
Lines 172 to 210 in 3849c52
def valid_privseparation # rubocop:disable Metrics/CyclomaticComplexity | |
# define privilege separation set | |
ps53 = 'yes' | |
ps59 = 'sandbox' | |
ps75 = nil | |
ps = ps59 | |
# debian 7.x and newer has ssh 5.9+ | |
# ubuntu 12.04 and newer has ssh 5.9+ | |
case inspec.os[:name] | |
when 'debian' | |
case inspec.os[:release] | |
when /^6\./ | |
ps = ps53 | |
when /^10\./ | |
ps = ps75 | |
end | |
when 'redhat', 'centos', 'oracle' | |
case inspec.os[:release] | |
# redhat/centos/oracle 6.x has ssh 5.3 | |
when /^6\./ | |
ps = ps53 | |
when /^7\./ | |
ps = ps59 | |
when /^8\./ | |
ps = ps75 | |
end | |
when 'ubuntu' | |
case inspec.os[:release] | |
when /^18\./ | |
ps = ps75 | |
end | |
when 'fedora', 'alpine' | |
ps = ps75 | |
end | |
ps | |
end |
Signed-off-by: Michée Lengronne <[email protected]>
We must also warn that it will break compatibility with previous versions. |
It is not a breaking change since the control stays available. I agree that the version bump for the profile should be major instead of minor |
I added BREAKING in the title to introduce a new MAJOR version. |
No description provided.