Step 3: First Test Run of the Verification
With the XML file we just created, we can now start a test run and have the rule checked:
/etc/security/aixpert # aixpert -c -P custom/sshd.xml
Processedrules=1 Passedrules=1 Failedrules=0 Level=TEST
Input file=custom/sshd.xml
/etc/security/aixpert #
The verification reports success (Passedrules=1). However, if we look at the current value of PermitRootLogin on our system, we see that the check should not have passed:
# grep ^PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes
#
If only a check is to be performed (aixpert -c), aixpert calls the command with the environment variable AIXPERT_CHECK_REPORT=1 set. We extend our script accordingly and add a test for this variable. If the variable is set to “1,” we determine the value of PermitRootLogin and check it:
# cat /etc/security/aixpert/bin/local_chsshdconf
#! /bin/ksh
# Check whether the AIXPERT_CHECK_REPORT environment variable is set or not.
# aixpert sets it to "1" for a check run (aixpert -c); it is not set when
# the rule is applied.
report="${AIXPERT_CHECK_REPORT}"
if [ "$report" = "1" ]
then
        ret=1           # assume "failed" until the setting proves compliant
        # Effective global value of PermitRootLogin: sshd uses the FIRST
        # occurrence of a keyword (keywords are case-insensitive), and a
        # value inside a Match block only applies to matching connections,
        # so the search stops at the first "Match" line.
        permit=$( awk 'tolower($1) == "match" { exit }
                       tolower($1) == "permitrootlogin" { print $2; exit }' /etc/ssh/sshd_config 2>/dev/null )
        case "$permit" in
        [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]) ret=0 ;;       # root login disabled: rule passed
        esac
        exit $ret       # 1: rule failed (e.g. "yes", or the directive is missing)
fi
exit 0
#
Note: In this and the following listings of the script, we have marked the newly added or changed lines in green!
The script first checks whether a check run is requested (“$report” = “1”). In that case it determines the value of PermitRootLogin with awk and tests whether it is one of the values No or False. If so, the script exits with “exit 0” (rule passed); otherwise, including the case where the directive is missing from the file, it exits with “exit 1” (rule failed).
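The check above takes whatever value it finds in the file. sshd itself parses sshd_config with a few rules that a checker should mirror: keywords are case-insensitive, keyword and value may be separated by whitespace or by a single “=”, comments are ignored, for every keyword the first occurrence wins, and a directive below a Match line applies only to connections matching that block. The following script is an added example (not from the original article and not part of aixpert) that implements those rules in plain sh; the function names, the sample configurations and the temporary directory are constructed for the demonstration. It treats only an explicit “no” as compliant, because prohibit-password and without-password still allow key-based root login, and a missing directive leaves sshd's built-in default in force, which also permits root login.

```sh
#!/bin/sh
# Added example, not part of the original article or of aixpert.
# Function names, sample configurations and the temporary directory are
# assumptions made for this demonstration.
#
# Rules of sshd_config(5) that the check mirrors:
#   - keywords are case-insensitive, keyword and value are separated by
#     whitespace or by a single "="; text after "#" is a comment,
#   - for each keyword the FIRST occurrence is used, later ones are ignored,
#   - a directive below a "Match" line applies only to matching connections,
#     so the global value is the first occurrence above the first "Match".

# Print the effective global value of keyword $1 in config file $2,
# or print nothing when the keyword is not set in the global section.
sshd_global_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { sub(/^[ \t]*#.*/, ""); sub(/[ \t]#.*/, "") }   # drop comments
        { line = $0; sub(/^[ \t]+/, "", line) }          # drop leading blanks
        line == "" { next }
        {
            # "Keyword=value" -> "Keyword value"
            if (match(line, /^[A-Za-z0-9]+[ \t]*=/)) sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, f)
            k = tolower(f[1])
            if (k == "match") exit                   # end of the global section
            if (k == key) { print f[2]; exit }       # first occurrence wins
        }' "$2"
}

# Exit status 0 when root login is completely disabled, 1 otherwise,
# i.e. the convention aixpert expects from a check script.
check_permit_root_login() {
    cfg=${1:-/etc/ssh/sshd_config}
    [ -r "$cfg" ] || return 1
    value=$(sshd_global_value PermitRootLogin "$cfg" | tr 'A-Z' 'a-z')
    # Only an explicit "no" passes: prohibit-password/without-password still
    # allow key-based root login, and a missing directive leaves sshd's
    # built-in default in force, which permits root login as well.
    [ "$value" = "no" ]
}

# Demonstration on constructed sample files (no real system file is touched).
demo=${TMPDIR:-/tmp}/prl_demo.$$
mkdir -p "$demo"

# first occurrence "no" wins; the later "yes" and the Match block do not
# change the global value
cat > "$demo/good" <<'EOF'
# constructed sample
Port 22
PermitRootLogin no    # effective value
PermitRootLogin yes
Match Address 10.0.0.5
    PermitRootLogin yes
EOF

# opposite order: sshd uses "yes"; a check that reads the last line would
# wrongly report this file as compliant
cat > "$demo/bad" <<'EOF'
  permitrootlogin=yes
PermitRootLogin no
EOF

# directive absent altogether (only a commented-out line)
printf '# PermitRootLogin no\nPort 22\n' > "$demo/missing"

for f in good bad missing; do
    v=$(sshd_global_value PermitRootLogin "$demo/$f")
    if check_permit_root_login "$demo/$f"; then
        echo "$f: rule passed (PermitRootLogin=$v)"
    else
        echo "$f: rule failed (PermitRootLogin='$v')"
    fi
done
rm -rf "$demo"
```

The two functions can be pasted into local_chsshdconf in place of the awk line; running the script by hand with AIXPERT_CHECK_REPORT=1 exercises the check branch without going through aixpert. Where the installed sshd supports the extended test mode (sshd -T, available since OpenSSH 5.1), sshd -T | awk '$1 == "permitrootlogin" { print $2 }' prints the value sshd itself computed after parsing the complete configuration and is the most authoritative cross-check; it requires root privileges and a loadable host key.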
We perform another review:
/etc/security/aixpert # aixpert -c -P custom/sshd.xml
Processedrules=1 Passedrules=0 Failedrules=1 Level=TEST
Input file=custom/sshd.xml
/etc/security/aixpert #
This time the check returns the correct result: failed (Failedrules=1)!
If you change the value of PermitRootLogin in /etc/ssh/sshd_config to “no” and start the check again, the test is successful:
/etc/security/aixpert # aixpert -c -P custom/sshd.xml
Processedrules=1 Passedrules=1 Failedrules=0 Level=TEST
Input file=custom/sshd.xml
/etc/security/aixpert #
The check now returns successfully as expected (Passedrules=1)!
Note: For the following steps we set PermitRootLogin back to “yes”, because we want the check to keep failing and thus provoke further error messages.