sshd_use_approved_ciphers fails for all CIS profiles in all test cases #12096
Labels
BLOCKER: Impediments to release, like failure to build content, or content built is out of standard's syntax
CIS: CIS Benchmark related.
productization-issue: Issue found in upstream stabilization process.
RHEL9: Red Hat Enterprise Linux 9 product related.
Description of problem:
sshd_use_approved_ciphers fails to remediate (error during remediation), resulting in fail during the final test scan.
The problem is in CIS Server L1, CIS Server L2, CIS Workstation L1, and CIS Workstation L2.
Fails for Anaconda installation, Ansible playbook, host-os remediation, Image builder, and also oscap remediation of a VM.
SCAP Security Guide Version:
latest master
Operating System Version:
RHEL 9
Steps to Reproduce:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --progress --report /var/tmp/contest-hardening-host-os-oscap-cis/remediation.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Actual Results:
sshd_use_approved_ciphers fails
Expected Results:
sshd_use_approved_ciphers pass
Additional Information/Debugging Steps:
The problem is RHEL9 only
I suspect #12067
However, the HTML report says that the ciphers setting is true (copied from HTML report):
tests the value of Ciphers setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_use_approved_ciphers:tst:1 true
Following items have been found on the system:

| Result of item-state comparison | Var ref | Value | Value | Value | Value | Value |
| -- | -- | -- | -- | -- | -- | -- |
| true | oval:ssg-var_sshd_config_ciphers:var:1 | -3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | rijndael-cbc@lysator.liu.se |