ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy (CCE-85902-5) fails due to excess whitespace #12186

Open red-avalanche opened 1 month ago

red-avalanche commented 1 month ago

Share the context

After installing RHEL 8.10 using kickstart with the following configuration:

%addon org_fedora_oscap
    content-type = datastream
    content-url = $MY_URL/ssg-rhel8-ds-1.2_0.1.73.xml
    datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf.xml
    xccdf-id = scap_org.open-scap_cref_ssg-rhel8-xccdf.xml
    profile = xccdf_org.ssgproject.content_profile_stig
    fingerprint = 40c7d18cb94f440866e5e9d1650d4af2ba2caa3a19a94847e8e420f435f0f065
%end

I ran an oscap scan using the xccdf_org.ssgproject.content_profile_stig profile.

Description of problem:

Rule ID xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy failed despite the openssh.config line it was complaining about matching. Except when I copy/pasted the content, I found that the check text is misformatted:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com

There is extra whitespace and it's failing the check due to this unnecessary whitespace. Manual testing showed that if there was not both a newline plus the 12 spaces, the check would fail, despite the extra whitespace having no actual effect.

Proposed change:

The text to match against should not include the excess whitespace.

red-avalanche commented 1 month ago

There is a similar issue with xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy:

-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com
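
The failure mode reported in both comments above, reproduced as an added example that is not part of the issue thread or the project's own check: a byte-for-byte comparison against check text containing a newline plus 12 spaces, next to a comparison that normalizes whitespace first. The function names, the position of the line break inside `STRICT_TEXT`, and the sample files (including their `MACs` values and the `CRYPTO_POLICY=` wrapper) are constructed assumptions.

```shell
#!/bin/sh
# Cipher list quoted in the issue for the RHEL 8 STIG profile.
EXPECTED='aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com'

# Constructed stand-in for the check text: the same list with a newline and
# 12 spaces embedded. Where the break falls is an assumption.
STRICT_TEXT="Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,
            aes128-gcm@openssh.com"

# strict_check FILE: succeed only if FILE contains STRICT_TEXT byte for byte.
strict_check() {
    case "$(cat "$1")" in
        *"$STRICT_TEXT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cipher_list FILE: print the configured list from "Ciphers <list>" or
# "-oCiphers=<list>", ignoring line breaks and padding after commas.
cipher_list() {
    tr '\n\t\r' '   ' < "$1" \
        | sed -E 's/,[ ]+/,/g' \
        | grep -oE 'Ciphers[= ]+[A-Za-z0-9@.,-]+' \
        | head -n 1 \
        | sed -E 's/^Ciphers[= ]+//'
}

# tolerant_check FILE: compare the normalized list with EXPECTED.
tolerant_check() {
    [ "$(cipher_list "$1")" = "$EXPECTED" ]
}

# write_samples DIR: constructed sample files, not taken from a real host.
write_samples() {
    printf 'Ciphers %s\nMACs hmac-sha2-512,hmac-sha2-256\n' "$EXPECTED" > "$1/clean.config"
    printf '%s\nMACs hmac-sha2-512,hmac-sha2-256\n' "$STRICT_TEXT" > "$1/padded.config"
    printf "CRYPTO_POLICY='-oCiphers=%s -oMACs=hmac-sha2-512'\n" "$EXPECTED" > "$1/server.config"
    printf 'Ciphers aes256-ctr,3des-cbc\n' > "$1/weak.config"
}

report() {  # report FILE: print both verdicts for one file
    s=fail; t=fail
    strict_check "$1" && s=pass
    tolerant_check "$1" && t=pass
    echo "$(basename "$1"): strict=$s tolerant=$t"
}

d=$(mktemp -d); write_samples "$d"
for f in clean padded server weak; do report "$d/$f.config"; done
rm -rf "$d"
```

The normalized comparison still rejects a file whose cipher list differs from the expected one, so tolerating whitespace does not weaken the check.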