ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Inconsistency in RHEL-09-255065 (harden_sshd_ciphers_opensshserver_conf_crypto_policy) #12149

Open ggbecker opened 2 months ago

ggbecker commented 2 months ago

The following STIG item

https://stigaview.com/products/rhel9/v1r3/RHEL-09-255065/

does not have the "-oCiphers=" parameter; it uses "Cipher " instead. Our rule implementation

https://github.com/ComplianceAsCode/content/blob/34011f7d23235aa128edef33c929097e62201433/controls/stig_rhel9.yml#L1880

targets the RHEL8 STIG implementation only (https://stigaview.com/products/rhel8/v1r13/RHEL-08-010291/), the rule needs to be updated to support RHEL9 format.

https://github.com/ComplianceAsCode/content/blob/34011f7d23235aa128edef33c929097e62201433/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml#L42

The same applies for MAC parameter. https://stigaview.com/products/rhel9/v1r3/RHEL-09-255075/

@Mab879

Mab879 commented 1 month ago

So I fired up a RHEL 8.10 VM, and it seems that RHEL 8.10 has the same issue:

[root@vm-10-0-184-48 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.10 (Ootpa)
[root@vm-10-0-184-48 ~]# sudo grep -i ciphers /etc/crypto-policies/back-ends/openssh.config 
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc

So this rule is wrong for RHEL 8 as well. Plus the STIG might need updating.
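As an added illustration of the two file formats this issue contrasts (not code from the ComplianceAsCode project or from either commenter), the bash script below reads the SSH server cipher list from a crypto-policies back-end file written in either the RHEL 8 `CRYPTO_POLICY='-oCiphers=...'` form or the RHEL 9 `Ciphers ...` directive form, and compares it with an expected list. The expected list and both sample files are constructed placeholders, not the STIG's text and not captured from a real host.

```bash
#!/usr/bin/env bash
# Added example, not code from the ComplianceAsCode project: read the SSH
# server cipher list from a crypto-policies back-end file written in either
# of the two formats the issue contrasts, and compare it with an expected list.
#
#   RHEL 8 style (opensshserver.config):
#       CRYPTO_POLICY='-oCiphers=a,b,c -oMACs=x,y'
#   RHEL 9 / sshd_config style:
#       Ciphers a,b,c
#
# The expected list below is a constructed placeholder, not the STIG text.

# Print the cipher list found in the file given as $1 (empty if none).
get_ssh_ciphers() {
    local f="$1" v
    # RHEL 9 style: a "Ciphers ..." directive at the start of a line.
    v=$(grep -iE '^[[:space:]]*Ciphers[[:space:]]+' "$f" | head -n1 | awk '{print $2}')
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
        return 0
    fi
    # RHEL 8 style: "-oCiphers=..." embedded in the CRYPTO_POLICY value.
    v=$(grep -oE -- "-oCiphers=[^[:space:]']+" "$f" | head -n1 | sed 's/^-oCiphers=//')
    printf '%s\n' "$v"
}

# Succeed (exit 0) only if the file's cipher list is exactly the expected
# list, in order: ssh negotiates in list order, so order is part of the policy.
check_ssh_ciphers() {
    local have
    have=$(get_ssh_ciphers "$1")
    [ -n "$have" ] && [ "$have" = "$2" ]
}

# Constructed placeholder for the approved list (not the STIG's wording).
EXPECTED='aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr'

# Constructed sample files for both formats (not captured from real hosts).
RHEL8_SAMPLE=$(mktemp)
RHEL9_SAMPLE=$(mktemp)
trap 'rm -f "$RHEL8_SAMPLE" "$RHEL9_SAMPLE"' EXIT

cat >"$RHEL8_SAMPLE" <<'EOF'
# constructed RHEL 8 style opensshserver.config; matches EXPECTED
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr -oMACs=hmac-sha2-512,hmac-sha2-256'
EOF

cat >"$RHEL9_SAMPLE" <<'EOF'
# constructed RHEL 9 style file; includes a CBC cipher, so it must fail
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
EOF

for f in "$RHEL8_SAMPLE" "$RHEL9_SAMPLE"; do
    if check_ssh_ciphers "$f" "$EXPECTED"; then
        echo "PASS $f: $(get_ssh_ciphers "$f")"
    else
        echo "FAIL $f: $(get_ssh_ciphers "$f")"
    fi
done
```

Pointing `check_ssh_ciphers` at the real back-end file on a host tells you which format that release actually uses and whether the list matches, which is the same distinction the rule's check needs to make between the `-oCiphers=` and `Ciphers` forms. The comparison is deliberately exact and order-preserving rather than a set comparison, because a reordered or extended list is a different negotiation policy.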