Closed mildas closed 1 month ago
Also caught by Automatus:
With the new productization model, these items also started to appear for a "Per Rule" test /per-rule/13/oscap/sshd_use_approved_ciphers/ which runs Automatus test.
Part of of the pain is that rule requires the OS be to FIPS certified.
However, there still is something wrong with the Ansible remediation when that extend_definition
is removed from the rule.
fatal: [192.168.124.214]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"attributes": null,
"backrefs": false,
"backup": false,
"create": true,
"firstmatch": false,
"group": null,
"insertafter": null,
"insertbefore": "BOF",
"line": "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se",
"mode": null,
"owner": null,
"path": "/etc/ssh/sshd_config",
"regexp": "(?i)^\\s*Ciphers\\s+",
"search_string": null,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"state": "present",
"unsafe_writes": false,
"validate": "/usr/sbin/sshd -t -f %s"
}
},
"msg": "failed to validate: rc:255 error:/root/.ansible/tmp/ansible-tmp-1720564661.0396807-2932742-161335065381119/tmpr9wabewl line 1: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se'.\r\n"
}
I can reproduce locally with Ansible the error is above.
Removed blocker since #12150 has been merged.
As sshd_use_approved_ciphers
got removed from profiles, I don't consider this issue relevant for now. The rule needs rework until that adding blocked
label.
Part of the issue is to decide if we remove the installed of is fips certified criterium or not.
Okay, so I consider this issue as something we want to have fixed in 0.1.74 release and we should focus on now.
The profiles group says remove FIPS external check and warning section about FIPS.
Profiles that need FIPS certifications should add rules requiring it.
Description of problem:
sshd_use_approved_ciphers
fails to remediate (error
during remediation) resulting tofail
during final test scan.The problem is in CIS Server L1, CIS Server L2, CIS Workstation L1, and CIS Workstation L2.
Fails for Anaconda installation, Ansible playbook, host-os remediation, Image builder, and also oscap remediation of a VM.
SCAP Security Guide Version:
latest master
Operating System Version:
RHEL 9
Steps to Reproduce:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --progress --report /var/tmp/contest-hardening-host-os-oscap-cis/remediation.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Actual Results:
sshd_use_approved_ciphers fails
Expected Results:
sshd_use_approved_ciphers pass
Additional Information/Debugging Steps:
The problem is RHEL9 only I suspect https://github.com/ComplianceAsCode/content/pull/12067 However, HTML report says that ciphers setting is
true
(copied from HTML report):tests the value of Ciphers setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_use_approved_ciphers:tst:1 true
Following items have been found on the system:
Result of item-state comparison | Var ref | Value | Value | Value | Value | Value -- | -- | -- | -- | -- | -- | -- true | oval:ssg-var_sshd_config_ciphers:var:1 | -3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | rijndael-cbc@lysator.liu.se