Replies: 1 comment
-
I guess the deeper question on that would be, has every version of SSH (OpenSSH, or otherwise) defaulted to yes? We implement the tests in these off of the CIS benchmarks, so probably the right place to ask this is with CIS if #PubkeyAuthentication is valid for their test criteria. If they update the benchmark to allow that, then we can do that on our side too.
-
Disclaimer, ossec noob here so apologies up front for any ignorance on my part.
First, totally understand that if PubkeyAuthentication is set to no, that this should fire but rootcheck also flags this when the setting is commented out. And because the default setting is yes, I'm wondering if this is really a valid alert?
In checking the system_audit_ssh.txt file, it looks like other settings that have the desirable default value do not alert when the setting is commented out. This of course serves to implement the desired default so with that in mind, should the last line of the PubkeyAuthentication stanza be removed? For example, modify the stanza to read as:
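The distinction raised in this thread, between an active `PubkeyAuthentication no` line and a commented-out line that leaves the default in force, can be checked by computing the effective global value instead of matching raw lines. This is an added example, not OSSEC's rootcheck code or the CIS check; `effective_setting`, `pubkey_finding` and the sample configs are hypothetical and constructed, the `yes` default is taken from the post above, and `Include` files are not followed.

```python
import re

# Assumption: default value as stated in the post ("the default setting is yes").
DEFAULTS = {"pubkeyauthentication": "yes"}

def effective_setting(config_text, keyword):
    """Return (value, source) for a global sshd_config keyword.

    source is "explicit" when an active line sets the keyword and "default"
    when it is absent or appears only in commented-out lines.
    """
    key = keyword.lower()  # sshd_config keywords are case-insensitive
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line: sshd ignores it
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        name = parts[0].lower()
        if name == "match":
            break  # later lines are conditional, not the global setting
        if name == key and len(parts) == 2 and parts[1]:
            # sshd uses the first value it obtains for a keyword
            return parts[1].split()[0].strip('"').lower(), "explicit"
    return DEFAULTS.get(key), "default"

def pubkey_finding(config_text):
    """Audit result: fail only when public key auth is effectively off."""
    value, source = effective_setting(config_text, "PubkeyAuthentication")
    if value == "no":
        return "FAIL"
    return "PASS" if source == "explicit" else "PASS (default)"

# Constructed sample configurations, not taken from any real host.
COMMENTED_OUT = "#PubkeyAuthentication yes\nPermitRootLogin no\n"
EXPLICIT_NO = "Port 22\npubkeyauthentication = no\n"
FIRST_WINS = "PubkeyAuthentication no\nPubkeyAuthentication yes\n"
ONLY_IN_MATCH = "Match User backup\n    PubkeyAuthentication no\n"

if __name__ == "__main__":
    for label, cfg in [("commented out", COMMENTED_OUT),
                       ("explicit no", EXPLICIT_NO),
                       ("no before yes", FIRST_WINS),
                       ("only in Match", ONLY_IN_MATCH)]:
        print(f"{label:14} -> {pubkey_finding(cfg)}")
```

On a live host, `sshd -T` prints the effective configuration, which also accounts for compiled-in defaults that differ between builds.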