Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sshd_use_approved_ciphers fails for all CIS profiles in all test cases #12096

Open
mildas opened this issue Jun 27, 2024 · 3 comments
Open

sshd_use_approved_ciphers fails for all CIS profiles in all test cases #12096

mildas opened this issue Jun 27, 2024 · 3 comments
Labels
BLOCKER Impediments to release, like failure to build content, or content built is out of standard's syntax CIS CIS Benchmark related. productization-issue Issue found in upstream stabilization process. RHEL9 Red Hat Enterprise Linux 9 product related.

Comments

@mildas
Copy link
Contributor

mildas commented Jun 27, 2024

Description of problem:

sshd_use_approved_ciphers fails to remediate (error during remediation) resulting to fail during final test scan.

The problem is in CIS Server L1, CIS Server L2, CIS Workstation L1, and CIS Workstation L2.

Fails for Anaconda installation, Ansible playbook, host-os remediation, Image builder, and also oscap remediation of a VM.

SCAP Security Guide Version:

latest master

Operating System Version:

RHEL 9

Steps to Reproduce:

  1. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --progress --report /var/tmp/contest-hardening-host-os-oscap-cis/remediation.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Actual Results:

sshd_use_approved_ciphers fails

Expected Results:

sshd_use_approved_ciphers pass

Additional Information/Debugging Steps:

The problem is RHEL9 only
I suspect #12067
However, HTML report says that ciphers setting is true (copied from HTML report):

tests the value of Ciphers setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_use_approved_ciphers:tst:1  true

Following items have been found on the system:
Result of item-state comparison | Var ref | Value | Value | Value | Value | Value -- | -- | -- | -- | -- | -- | -- true | oval:ssg-var_sshd_config_ciphers:var:1 | -3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | rijndael-cbc@lysator.liu.se
@mildas mildas added productization-issue Issue found in upstream stabilization process. RHEL9 Red Hat Enterprise Linux 9 product related. CIS CIS Benchmark related. labels Jun 27, 2024
@mildas
Copy link
Contributor Author

mildas commented Jun 27, 2024

Also caught by Automatus:

  • fail: sshd_use_approved_ciphers/correct_reduced_list.pass
  • fail: sshd_use_approved_ciphers/correct_scrambled.pass
  • fail: sshd_use_approved_ciphers/correct_value.pass
  • fail: sshd_use_approved_ciphers/correct_value_full.pass
  • fail: sshd_use_approved_ciphers/correct_variable.pass

@ggbecker ggbecker added the BLOCKER Impediments to release, like failure to build content, or content built is out of standard's syntax label Jul 1, 2024
@jan-cerny
Copy link
Collaborator

With the new productization model, these items also started to appear for a "Per Rule" test /per-rule/13/oscap/sshd_use_approved_ciphers/ which runs Automatus test.

jan-cerny added a commit to jan-cerny/contest that referenced this issue Jul 2, 2024
@jan-cerny
Waive sshd_use_approved_ciphers
eef1802 
With the new productization model, these items also started to
appear for a "Per Rule" test /per-rule/13/oscap/sshd_use_approved_ciphers/
which runs Automatus test.

See ComplianceAsCode/content#12096
@jan-cerny jan-cerny mentioned this issue Jul 2, 2024
Merged
@Mab879
Copy link
Member

Mab879 commented Jul 2, 2024

Part of of the pain is that rule requires the OS be to FIPS certified.

However, there still is something wrong with the Ansible remediation when that extend_definition is removed from the rule.

mildas pushed a commit to RHSecurityCompliance/contest that referenced this issue Jul 3, 2024
@jan-cerny @mildas
Waive sshd_use_approved_ciphers
39c17e5 
With the new productization model, these items also started to
appear for a "Per Rule" test /per-rule/13/oscap/sshd_use_approved_ciphers/
which runs Automatus test.

See ComplianceAsCode/content#12096
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
BLOCKER Impediments to release, like failure to build content, or content built is out of standard's syntax CIS CIS Benchmark related. productization-issue Issue found in upstream stabilization process. RHEL9 Red Hat Enterprise Linux 9 product related.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Mab879 @jan-cerny @mildas @ggbecker