Closed mildas closed 1 month ago
mildas
commented
2 months ago Also caught by Automatus:
jan-cerny
commented
2 months ago With the new productization model, these items also started to appear for a "Per Rule" test /per-rule/13/oscap/sshd_use_approved_ciphers/ which runs Automatus test.
Mab879
commented
2 months ago Part of of the pain is that rule requires the OS be to FIPS certified.
However, there still is something wrong with the Ansible remediation when that extend_definition is removed from the rule.
Mab879
commented
2 months ago fatal: [192.168.124.214]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"attributes": null,
"backrefs": false,
"backup": false,
"create": true,
"firstmatch": false,
"group": null,
"insertafter": null,
"insertbefore": "BOF",
"line": "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se",
"mode": null,
"owner": null,
"path": "/etc/ssh/sshd_config",
"regexp": "(?i)^\\s*Ciphers\\s+",
"search_string": null,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"state": "present",
"unsafe_writes": false,
"validate": "/usr/sbin/sshd -t -f %s"
}
},
"msg": "failed to validate: rc:255 error:/root/.ansible/tmp/ansible-tmp-1720564661.0396807-2932742-161335065381119/tmpr9wabewl line 1: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se'.\r\n"
}I can reproduce locally with Ansible the error is above.
Mab879
commented
1 month ago Removed blocker since #12150 has been merged.
mildas
commented
1 month ago As sshd_use_approved_ciphers got removed from profiles, I don't consider this issue relevant for now. The rule needs rework until that adding blocked label.
ggbecker
commented
1 month ago Part of the issue is to decide if we remove the installed of is fips certified criterium or not.
mildas
commented
1 month ago Okay, so I consider this issue as something we want to have fixed in 0.1.74 release and we should focus on now.
Mab879
commented
1 month ago The profiles group says remove FIPS external check and warning section about FIPS.
Profiles that need FIPS certifications should add rules requiring it.
Description of problem:
sshd_use_approved_ciphersfails to remediate (errorduring remediation) resulting tofailduring final test scan.The problem is in CIS Server L1, CIS Server L2, CIS Workstation L1, and CIS Workstation L2.
Fails for Anaconda installation, Ansible playbook, host-os remediation, Image builder, and also oscap remediation of a VM.
SCAP Security Guide Version:
latest master
Operating System Version:
RHEL 9
Steps to Reproduce:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --progress --report /var/tmp/contest-hardening-host-os-oscap-cis/remediation.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xmlActual Results:
sshd_use_approved_ciphers fails
Expected Results:
sshd_use_approved_ciphers pass
Additional Information/Debugging Steps:
The problem is RHEL9 only I suspect https://github.com/ComplianceAsCode/content/pull/12067 However, HTML report says that ciphers setting is
true(copied from HTML report):tests the value of Ciphers setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_use_approved_ciphers:tst:1 true
Following items have been found on the system:
Result of item-state comparison | Var ref | Value | Value | Value | Value | Value -- | -- | -- | -- | -- | -- | -- true | oval:ssg-var_sshd_config_ciphers:var:1 | -3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | rijndael-cbc@lysator.liu.se