
False Positive finding with `harden_sshd_ciphers_openssh_conf_crypto_policy` on Gitlab UBI 9 container

Open · awilmo8 opened this issue 6 months ago · 1 comment

Description of problem:

  • The check xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy in STIG mode presents a false positive finding when run on our minimized UBI 9 containers.
  • I have not identified the specific spot where the check is failing, but the check is either failing to access /etc/crypto-policies/back-ends/openssh.config or the regex is failing to parse the Ciphers line from the config file.

SCAP Security Guide Version:

  • Using the packages available in the Ubuntu 24.04 repository
Package: ssg-base
Version: 0.1.71-1
Priority: optional
Section: universe/admin
Source: scap-security-guide
Origin: Ubuntu
Package: ssg-nondebian
Version: 0.1.71-1
Priority: optional
Section: universe/admin
Source: scap-security-guide

Operating System Version:

RHEL 9.5 / UBI 9.5

Steps to Reproduce:

  1. Setup OpenSCAP, OpenSCAP-Podman, SSG - relevant bootstrap script
  2. Pull the Gitlab CNG Fips container podman pull registry.gitlab.com/gitlab-org/build/cng/gitlab-base:master-fips
  3. Run the check (replace $image with the image hash of the container) - oscap-podman $image xccdf eval --report /tmp/cng-base-stig.html --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml
  4. Review the result HTML for "Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config" and see that it fails
  5. Run the container, exec into it and check the ciphers manually -
  • podman run --rm -it $image /bin/bash
  • cat /etc/crypto-policies/back-ends/openssh.config | grep Ciphers

Actual Results:

fail

Expected Results:

pass

Additional Information/Debugging Steps:

  • This is not related to our containers not having aes192-ctr as I still get this issue when I tailor that out of the check.
  • I was unable to find the exact check code when digging through the XML - if you can point me to the check in the code I can do more testing to see if I can provide a fix.

awilmo8 commented May 07 '25 18:05
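To narrow down whether the problem is file access or line parsing, the two failure points named in the report, a manual re-check of the `Ciphers` line can be scripted instead of eyeballing `grep` output. The example below is added here and is not code from the issue, from the SCAP Security Guide, or from the OVAL check; the sample config text is constructed, and `FIPS_CIPHERS` is an assumed allow-list for illustration, not the rule's actual expected value. It reports separately whether the file has no `Ciphers` line at all and which entries are missing or not allowed, which is the distinction a tailored check (for example one that drops aes192-ctr) needs.

```python
"""Manual re-check of the Ciphers line in an openssh crypto-policy back-end file.

Added example, not part of the original issue or of SSG. The allow-list below is
an assumption for illustration; take the real expected list from the rule text.
"""
import re
from typing import Optional

# Constructed sample resembling /etc/crypto-policies/back-ends/openssh.config on a
# FIPS-configured RHEL/UBI 9 system. Values are illustrative, not copied from an image.
SAMPLE_CONFIG = """\
# Generated by crypto-policies; do not edit
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

# Assumed allow-list (hypothetical): ciphers a FIPS profile might accept.
FIPS_CIPHERS = (
    "aes256-gcm@openssh.com",
    "aes256-ctr",
    "aes192-ctr",
    "aes128-gcm@openssh.com",
    "aes128-ctr",
)

# Anchored, whitespace-tolerant match for the Ciphers keyword and its comma list.
# \s* before $ also swallows a stray \r from CRLF files.
CIPHERS_RE = re.compile(r"^\s*Ciphers\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_ciphers(config_text: str) -> list[str]:
    """Return the cipher names from the first Ciphers line, or [] if none is present."""
    match = CIPHERS_RE.search(config_text)
    if not match:
        return []
    return [c for c in match.group(1).split(",") if c]


def evaluate(config_text: str,
             allowed: tuple[str, ...] = FIPS_CIPHERS,
             required: Optional[tuple[str, ...]] = None) -> dict:
    """Compare the configured ciphers against an allow-list and an optional required set.

    Returns a dict with status "pass"/"fail", the parsed list, the entries that are
    not allowed, the required entries that are absent, and a reason for a failure.
    """
    configured = parse_ciphers(config_text)
    if not configured:
        return {"status": "fail", "configured": [], "disallowed": [],
                "missing": list(required or ()), "reason": "no Ciphers line found"}
    disallowed = [c for c in configured if c not in allowed]
    missing = [c for c in (required or ()) if c not in configured]
    if disallowed or missing:
        return {"status": "fail", "configured": configured, "disallowed": disallowed,
                "missing": missing, "reason": "cipher set does not match policy"}
    return {"status": "pass", "configured": configured, "disallowed": [],
            "missing": [], "reason": ""}


def evaluate_file(path: str = "/etc/crypto-policies/back-ends/openssh.config",
                  required: Optional[tuple[str, ...]] = None) -> dict:
    """Read the real file inside a container; a read error is reported, not hidden."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError as exc:
        return {"status": "fail", "configured": [], "disallowed": [], "missing": [],
                "reason": f"cannot read {path}: {exc}"}
    return evaluate(text, required=required)


if __name__ == "__main__":
    # Constructed sample first, then the live file if it exists in this environment.
    print(evaluate(SAMPLE_CONFIG, required=FIPS_CIPHERS))
    print(evaluate_file(required=FIPS_CIPHERS))
```

Run it inside the container (`podman run --rm -it $image python3 check.py` under an assumed file name) to separate a file-access failure (`cannot read ...`) from a parsing failure (`no Ciphers line found`) and from a genuine policy mismatch, which is what a tailored check should be reporting.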

That SSG version is rather old, December 2023. Can you please try using the latest release?

Mab879 commented May 15 '25 13:05