
`sshd_use_approved_ciphers` fails for all CIS profiles in all test cases

Open • mildas opened this issue 1 year ago • 1 comment

Description of problem:

sshd_use_approved_ciphers fails to remediate (error during remediation), resulting in a failure during the final test scan.

The problem is in CIS Server L1, CIS Server L2, CIS Workstation L1, and CIS Workstation L2.

Fails for Anaconda installation, Ansible playbook, host-os remediation, Image builder, and also oscap remediation of a VM.

SCAP Security Guide Version:

latest master

Operating System Version:

RHEL 9

Steps to Reproduce:

  1. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --progress --report /var/tmp/contest-hardening-host-os-oscap-cis/remediation.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Actual Results:

sshd_use_approved_ciphers fails

Expected Results:

sshd_use_approved_ciphers pass

Additional Information/Debugging Steps:

The problem is RHEL9 only; I suspect https://github.com/ComplianceAsCode/content/pull/12067. However, the HTML report says that the Ciphers setting test is true (copied from the HTML report):

tests the value of Ciphers setting in the /etc/ssh/sshd_config file | oval:ssg-test_sshd_use_approved_ciphers:tst:1 | true

Following items have been found on the system:

Result of item-state comparison | Var ref | Value | Value | Value | Value | Value
-- | -- | -- | -- | -- | -- | --
true | oval:ssg-var_sshd_config_ciphers:var:1 | -3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | [email protected]

mildas, Jun 27 '24 08:06

Also caught by Automatus:

  • fail: sshd_use_approved_ciphers/correct_reduced_list.pass
  • fail: sshd_use_approved_ciphers/correct_scrambled.pass
  • fail: sshd_use_approved_ciphers/correct_value.pass
  • fail: sshd_use_approved_ciphers/correct_value_full.pass
  • fail: sshd_use_approved_ciphers/correct_variable.pass

mildas, Jun 27 '24 08:06

With the new productization model, these items also started to appear for a "Per Rule" test /per-rule/13/oscap/sshd_use_approved_ciphers/ which runs the Automatus test.

jan-cerny, Jul 02 '24 07:07

Part of the pain is that the rule requires the OS to be FIPS certified.

However, there still is something wrong with the Ansible remediation when that extend_definition is removed from the rule.

Mab879, Jul 02 '24 21:07

fatal: [192.168.124.214]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backrefs": false,
            "backup": false,
            "create": true,
            "firstmatch": false,
            "group": null,
            "insertafter": null,
            "insertbefore": "BOF",
            "line": "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,[email protected]",
            "mode": null,
            "owner": null,
            "path": "/etc/ssh/sshd_config",
            "regexp": "(?i)^\\s*Ciphers\\s+",
            "search_string": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "state": "present",
            "unsafe_writes": false,
            "validate": "/usr/sbin/sshd -t -f %s"
        }
    },
    "msg": "failed to validate: rc:255 error:/root/.ansible/tmp/ansible-tmp-1720564661.0396807-2932742-161335065381119/tmpr9wabewl line 1: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,[email protected]'.\r\n"
}

I can reproduce locally with Ansible; the error is above.

Mab879, Jul 09 '24 22:07
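The Ansible failure above comes from lineinfile's `validate: /usr/sbin/sshd -t -f %s` step: sshd's config parser rejects the whole line with "Bad SSH2 cipher spec" as soon as one name in the list is unknown to the installed OpenSSH, and the error does not say which name. The following is an added example, not ComplianceAsCode content and not part of this thread: a pre-check that mirrors sshd's parse-time rule for the `Ciphers` keyword (an explicit list, or one starting with `+`/`^`, must contain only cipher names the binary knows; a list starting with `-`, the "remove from default set" form that the OVAL row above also shows, is not name-checked at parse time) and reports the offending names before anything is written to `/etc/ssh/sshd_config`. The `SAMPLE_SUPPORTED` list is constructed for the example; on a real target take the list from `ssh -Q cipher`, which `supported_ciphers()` does when an ssh binary is available. The name `legacy-cbc@example.com` is a made-up placeholder for an unsupported cipher.

```python
"""Pre-validate an sshd `Ciphers` value before a lineinfile/`sshd -t` round trip.

Added example (not ComplianceAsCode or OpenSSH code). Reproduces the
parse-time check sshd applies to the Ciphers keyword so a remediation can
name the rejected cipher(s) instead of failing with a bare
"Bad SSH2 cipher spec".
"""
import subprocess
import sys
from typing import List, Optional

# Constructed stand-in for `ssh -Q cipher` output on some host. It is not
# the cipher list of any particular OpenSSH release; use supported_ciphers()
# on the target so the check matches the installed binary.
SAMPLE_SUPPORTED = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]


def supported_ciphers() -> Optional[List[str]]:
    """Cipher names the local ssh binary accepts (`ssh -Q cipher`).

    Returns None when ssh is not installed or the call fails, so callers
    can fall back to a known list instead of crashing.
    """
    try:
        out = subprocess.run(["ssh", "-Q", "cipher"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return [line.strip() for line in out.splitlines() if line.strip()]


def check_cipher_spec(spec: str, supported: List[str]) -> List[str]:
    """Return the names sshd would reject in `spec`; [] means the cipher
    names would pass `sshd -t` (other keywords are not checked here).

    Rules mirrored from sshd's config parser:
      * empty value            -> "missing argument", reported as such
      * leading '-' (remove)   -> not name-checked at parse time
      * leading '+' or '^'     -> prefix stripped, remaining names checked
      * explicit list          -> every comma-separated name must be known
    Name checking stops at the first empty token, as sshd's loop does,
    so a trailing comma does not by itself cause a rejection.
    """
    if not spec:
        return ["<missing argument>"]
    if spec[0] == "-":
        return []
    names = spec[1:] if spec[0] in "+^" else spec
    known = set(supported)
    unknown = []
    for name in names.split(","):
        if name == "":
            break
        if name not in known:
            unknown.append(name)
    return unknown


def render_ciphers_line(spec: str, supported: List[str]) -> str:
    """The sshd_config line a remediation may safely write, or a ValueError
    naming exactly what sshd would reject."""
    bad = check_cipher_spec(spec, supported)
    if bad:
        raise ValueError(
            f"Bad SSH2 cipher spec {spec!r}: unknown cipher(s) {','.join(bad)}")
    return f"Ciphers {spec}"


if __name__ == "__main__":
    # Usage: python3 check_ciphers.py 'aes128-ctr,aes256-gcm@openssh.com,...'
    candidate = sys.argv[1] if len(sys.argv) > 1 else \
        "aes128-ctr,aes256-gcm@openssh.com,legacy-cbc@example.com"
    live = supported_ciphers()
    if live is None:
        print("ssh not available, using constructed SAMPLE_SUPPORTED list",
              file=sys.stderr)
    try:
        print(render_ciphers_line(candidate, live or SAMPLE_SUPPORTED))
    except ValueError as err:
        print(err, file=sys.stderr)
        sys.exit(1)
```

Run it on the target (or in a pre-task of the playbook) with the value the rule's variable expands to; a non-zero exit with the offending names is far more useful than the post-hoc `sshd -t` failure, and the check costs nothing when the list is fine.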

Removed blocker since #12150 has been merged.

Mab879, Jul 16 '24 16:07

As sshd_use_approved_ciphers got removed from profiles, I don't consider this issue relevant for now. The rule needs rework; until then, adding the blocked label.

mildas, Jul 22 '24 14:07

Part of the issue is to decide whether we remove the "installed OS is FIPS certified" criterion or not.

ggbecker, Jul 23 '24 13:07

Okay, so I consider this issue as something we want to have fixed in 0.1.74 release and we should focus on now.

mildas, Jul 26 '24 12:07

The profiles group says remove FIPS external check and warning section about FIPS.

Profiles that need FIPS certifications should add rules requiring it.

Mab879, Jul 30 '24 13:07