harden_sshd_ciphers_opensshserver_conf_crypto_policy is misaligned with DISA
Description of problem:
harden_sshd_ciphers_opensshserver_conf_crypto_policy is misaligned with DISA
Details:
The SSG's rule checks for a specific list of ciphers. It fails because it finds this:
Ciphers [email protected],aes256-ctr,[email protected],aes128-ctr
The DISA rule only checks whether the SSHD configuration includes the crypto-policies back-end file; it does not check for a specific cipher list:
Include /etc/crypto-policies/back-ends/opensshserver.config
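As an added example (not code from the ComplianceAsCode project or from DISA's content), the following Python script implements both checking styles described above over constructed sample configuration text, to show why the two checks can disagree on the same host. The file contents and the expected cipher list are assumptions, not the rule's real values.

```python
import re

CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/opensshserver.config"

# Constructed sample sshd_config (assumption): includes the crypto-policy back-end.
SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Include /etc/crypto-policies/back-ends/opensshserver.config
PermitRootLogin no
"""

# Constructed sample back-end file (assumption), modelled on the Ciphers line
# quoted in the report; the cipher names are real OpenSSH cipher identifiers.
OPENSSHSERVER_CONFIG = """\
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
"""

# Constructed expected list (assumption): one cipher more than the host has,
# which is enough to make an exact-match rule fail.
EXPECTED_CIPHERS = [
    "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes128-ctr",
]


def directive_values(text, keyword):
    """Arguments of every `keyword` line; keywords are case-insensitive as in sshd."""
    values = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        match = re.match(r"(\S+)\s+(.+)", line)
        if match and match.group(1).lower() == keyword.lower():
            values.append(match.group(2).strip())
    return values


def disa_style_check(sshd_config):
    """DISA-style: pass when sshd_config Includes the crypto-policy back-end file."""
    return CRYPTO_POLICY_FILE in directive_values(sshd_config, "Include")


def ssg_style_check(policy_config, expected):
    """SSG-style: pass only when the Ciphers line lists exactly `expected`, in order."""
    ciphers = directive_values(policy_config, "Ciphers")
    return len(ciphers) == 1 and ciphers[0].split(",") == expected


if __name__ == "__main__":
    print("DISA-style:", "pass" if disa_style_check(SSHD_CONFIG) else "fail")
    print("SSG-style: ", "pass" if ssg_style_check(OPENSSHSERVER_CONFIG, EXPECTED_CIPHERS) else "fail")
```

Run as-is it reproduces the outcome in the report (DISA-style pass, SSG-style fail); passing the four ciphers the host actually has as `expected` makes the SSG-style check pass as well.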
Related to: https://github.com/ComplianceAsCode/content/issues/11575
Outcome:
SSG result: fail
DISA result: pass
The issue is present in these test variants:
- oscap
- ansible
- anaconda
SCAP Security Guide Version:
Current upstream master as of 2024-03-12 (HEAD cbbca44).
External Content's Version:
DISA STIG RHEL 9 V1R1
So this is the relevant STIG: https://stigaview.com/products/rhel9/v1r2/RHEL-09-255065/ The description of this upstream issue is misleading because it talks about RHEL-09-255060. DISA needs to change the requirement so that it checks for the file /etc/crypto-policies/back-ends/opensshserver.config; currently their content checks for /etc/crypto-policies/back-ends/openssh.config. I believe our check is correct.
STIG ID RHEL-09-255065 should be referencing opensshserver.config but is not. SSG checks the correct file but fails. Rule "harden_sshd_ciphers_opensshserver_conf_crypto_policy" is looking for "[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr" but I believe it should be looking for "[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr".