Skip to content

Do not use PrintLastLog for Archlinux #897

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Do not use PrintLastLog for Archlinux #897

wants to merge 1 commit into from

Conversation

matclab
Copy link

@matclab matclab commented Aug 12, 2025

Close #896

@matclab matclab force-pushed the 896-no-printlaslog-for-arch branch from abd2896 to e34d35c Compare August 12, 2025 13:44
@matclab
Copy link
Author

matclab commented Aug 12, 2025

Do not merge until we are sure it is intended from Arch !

@schurzi
Copy link
Contributor

schurzi commented Aug 12, 2025

Do not merge until we are sure it is intended from Arch !

Thanks for putting in the extra work!

@matclab
Copy link
Author

matclab commented Aug 14, 2025

Reported in https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/15, waiting for comment there.

@matclab
Copy link
Author

matclab commented Aug 17, 2025

It was intended. This PR may be merges if it looks good to you.

schurzi
schurzi requested changes Aug 17, 2025
View reviewed changes
molecule/ssh_hardening/verify.yml
docker.io/cincproject/auditor exec
-t docker://instance
--no-show-progress --no-color
--waiver-file /waivers.yaml
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know you copied this over from the FreeBSD tests, but I don't think we should do that here in this case. I would much rather prefer that we adapt our baseline (https://github.com/dev-sec/linux-baseline). Are you up to adding your changes there instead?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess you're talking about ssh-baseline ?
I'm not familar at all with ruby.

Would this diff be ok:

diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb
index a81db94c74..6f04a6f263 100644
--- a/controls/sshd_spec.rb
+++ b/controls/sshd_spec.rb
@@ -466,8 +466,10 @@
   impact 1.0
   title 'Server: PrintLastLog'
   desc 'This tells the SSH daemon to print out information about the last time you logged in.'
-  describe sshd_config("#{sshd_custom_path}/sshd_config") do
-    its('PrintLastLog') { should eq('no') }
+  if os.name != 'arch'
+    describe sshd_config("#{sshd_custom_path}/sshd_config") do
+      its('PrintLastLog') { should eq('no') }
+    end
   end
 end

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess you're talking about ssh-baseline ? I'm not familar at all with ruby.

You are absolutely right ;)

Would this diff be ok:

diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb
index a81db94c74..6f04a6f263 100644
--- a/controls/sshd_spec.rb
+++ b/controls/sshd_spec.rb
@@ -466,8 +466,10 @@
   impact 1.0
   title 'Server: PrintLastLog'
   desc 'This tells the SSH daemon to print out information about the last time you logged in.'
-  describe sshd_config("#{sshd_custom_path}/sshd_config") do
-    its('PrintLastLog') { should eq('no') }
+  if os.name != 'arch'
+    describe sshd_config("#{sshd_custom_path}/sshd_config") do
+      its('PrintLastLog') { should eq('no') }
+    end
   end
 end

Using a plain if in controls is discouraged, there is a special construct only_if for this kind of conditions. A example use in the baseline is implemented there: https://github.com/dev-sec/ssh-baseline/blob/master/controls/sshd_spec.rb#L515. Checking for a specific OS looks like that: https://github.com/dev-sec/cis-docker-benchmark/blob/master/controls/docker_daemon_configuration_files.rb#L498

I am a bit split between detecting the OS or detecting the support of the config option, for example sshd -G | grep -qi PrintLastLog would do a specific detection if this version of sshd supports the option.

You are welcome to contribute this but I can also adapt the baseline if you are not comfortable introducing changes there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@schurzi schurzi schurzi requested changes

Assignees
No one assigned
Labels
bug patch ssh_hardening
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Arch Linux does not support PrintLastLog sshd option anymore
2 participants
@matclab @schurzi