
Inconsistency in RHEL-09-255065 (harden_sshd_ciphers_opensshserver_conf_crypto_policy)

Open ggbecker opened this issue 1 year ago • 1 comment

The following STIG item

https://stigaview.com/products/rhel9/v1r3/RHEL-09-255065/

does not have the "-oCiphers=" parameter; it uses "Cipher " instead. Our rule implementation

https://github.com/ComplianceAsCode/content/blob/34011f7d23235aa128edef33c929097e62201433/controls/stig_rhel9.yml#L1880

targets the RHEL8 STIG implementation only (https://stigaview.com/products/rhel8/v1r13/RHEL-08-010291/), so the rule needs to be updated to support the RHEL9 format.

https://github.com/ComplianceAsCode/content/blob/34011f7d23235aa128edef33c929097e62201433/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml#L42

The same applies to the MAC parameter: https://stigaview.com/products/rhel9/v1r3/RHEL-09-255075/

@Mab879

ggbecker avatar Jul 11 '24 14:07 ggbecker

So I fired up a RHEL 8.10 VM, and it seems that RHEL 8.10 has the same issue:

```console
[root@vm-10-0-184-48 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.10 (Ootpa)
[root@vm-10-0-184-48 ~]# sudo grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
Ciphers [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc
```

So this rule is wrong for RHEL 8 as well. Plus the STIG might need updating.

Mab879 avatar Jul 17 '24 18:07 Mab879

This problem started to appear in the daily productization on RHEL 9 in the following tests: /scanning/disa-alignment/anaconda, /scanning/disa-alignment/ansible, /scanning/disa-alignment/oscap. The daily productization has been run on current upstream master HEAD as of 2025-02-11, i.e. https://github.com/ComplianceAsCode/content/commit/8ec16c5e9a9decd56499263e4120e5fa2c494e81.

Our rule fails because there is no entry matching the ^(?!#).*(-oCiphers=[^\s']+).*$ in /etc/crypto-policies/back-ends/opensshserver.config whereas the DISA rule xccdf_mil.disa.stig_rule_SV-257989r1051240_rule passes because /etc/crypto-policies/back-ends/opensshserver.config contains Ciphers [email protected],aes256-ctr,[email protected],aes128-ctr.

Therefore I'm adding productization issues label.

jan-cerny avatar Feb 11 '25 10:02 jan-cerny
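The mismatch jan-cerny describes above is between two layouts of the crypto-policies back-end file: the RHEL 8 style, where the cipher list is an `-oCiphers=` option embedded in a quoted CRYPTO_POLICY string, and the RHEL 9 style, where the file carries a plain `Ciphers ...` sshd directive. The following is an added example (not code from the ComplianceAsCode project or from anyone in this thread) of a checker that tolerates both layouts, skips commented-out lines, and reports values outside an allowed set. Both config samples are constructed for this example, the RHEL 8-only regex is reproduced from the thread, and the allowed cipher set is an illustrative assumption rather than the STIG's exact list.

```python
import re
from typing import List, Optional, Set

# Constructed sample inputs (not captured from a real host). They imitate the two
# layouts discussed in the thread: the RHEL 8 style, where crypto-policies emits
# sshd command-line options inside a CRYPTO_POLICY variable, and the RHEL 9 style,
# where the file contains plain sshd_config directives.
RHEL8_STYLE = """\
# constructed sample in the RHEL 8 layout
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'
"""

RHEL9_STYLE = """\
# constructed sample in the RHEL 9 layout
#Ciphers this-commented-line-must-be-ignored
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
"""

# The RHEL 8-only regex quoted in the thread; it is what fails on the RHEL 9 layout.
LEGACY_RHEL8_PATTERN = re.compile(r"^(?!#).*(-oCiphers=[^\s']+).*$", re.MULTILINE)

# Illustrative allowed set (an assumption for this example, not the STIG's list).
EXPECTED_CIPHERS: Set[str] = {
    "aes256-gcm@openssh.com", "aes256-ctr", "aes128-gcm@openssh.com", "aes128-ctr",
}


def extract_option(config_text: str, option: str) -> Optional[List[str]]:
    """Return the comma-separated values of an sshd option ("Ciphers" or "MACs")
    from a crypto-policies back-end file, whichever layout the file uses.
    Comment lines are skipped; None means the option was not found."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # RHEL 8 layout: -oCiphers=... embedded in a quoted CRYPTO_POLICY string.
        m = re.search(rf"-o{re.escape(option)}=([^\s']+)", line)
        if m:
            return m.group(1).split(",")
        # RHEL 9 layout: a plain sshd_config directive (keyword is case-insensitive).
        m = re.match(rf"{re.escape(option)}\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).split(",")
    return None


def check_option(config_text: str, option: str, allowed: Set[str]) -> List[str]:
    """Return configured values that are not in `allowed`; an empty list means
    the check passes. A missing option is reported as the pseudo-entry
    "<missing>" so that absence is also treated as a failure."""
    values = extract_option(config_text, option)
    if values is None:
        return ["<missing>"]
    return [v for v in values if v not in allowed]


if __name__ == "__main__":
    for name, text in (("rhel8-style", RHEL8_STYLE), ("rhel9-style", RHEL9_STYLE)):
        print(name,
              "legacy regex matches:", bool(LEGACY_RHEL8_PATTERN.search(text)),
              "disallowed ciphers:", check_option(text, "Ciphers", EXPECTED_CIPHERS))
```

Running it shows the asymmetry from the thread directly: the legacy regex matches only the RHEL 8-style sample, while `check_option` passes both. The same function serves the MACs case from RHEL-09-255075 by passing "MACs" and a MAC allow-list.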

Fixed now.

Mab879 avatar Feb 13 '25 14:02 Mab879