ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy erroneously checks for presence of CRYPTO_POLICY line #8817

Closed ThiloSolbrig closed 2 years ago

ThiloSolbrig commented 2 years ago

Description of problem:

Check seems to expect ^\s*(?i)CRYPTO_POLICY\s*=.*$ to match a line of /etc/sysconfig/sshd. But remediation ensures no such line is found in /etc/sysconfig/sshd. Hence check checks for the opposite of what remediation sets.

SCAP Security Guide Version:

0.1.62

Operating System Version:

Oracle Linux Server release 8.6

Steps to Reproduce:

  1. Remove or comment CRYPTO_POLICY= in /etc/sysconfig/sshd
  2. Run /usr/share/scap-security-guide/ansible/ol8-playbook-standard.yml against host
  3. Security scan the host (oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_standard --results-arf /tmp/results.xml --report /tmp/results.html /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml)
  4. Find "Configure SSH to use System Crypto Policy" in "error" state

Actual Results:

"Configure SSH to use System Crypto Policy" in "error" state

Expected Results:

"Configure SSH to use System Crypto Policy" should be in "pass" state

Additional Information/Debugging Steps:

ThiloSolbrig commented 2 years ago

My bad. Had to run the check as root user to get access to /etc/sysconfig/sshd
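
The thread resolves to a scan that could not read /etc/sysconfig/sshd as a non-root user and reported "error". As an added example (not part of the thread and not the project's own check), this shell sketch uses grep's exit status to keep "no override line", "override line present" and "file could not be read" apart; the function name and the sample files are assumptions.

```shell
#!/bin/sh
# Added illustration; not the ComplianceAsCode OVAL check or remediation.
# check_sshd_crypto_policy is a hypothetical helper name.

# Prints pass, fail or error for the given file (default /etc/sysconfig/sshd).
# The body runs in a subshell so its variables do not leak to the caller.
check_sshd_crypto_policy() (
    file="${1:-/etc/sysconfig/sshd}"
    rc=0
    # Pattern from the issue, in POSIX ERE form: an uncommented
    # CRYPTO_POLICY= assignment, matched case-insensitively.
    grep -Eiq '^[[:space:]]*CRYPTO_POLICY[[:space:]]*=' -- "$file" 2>/dev/null || rc=$?
    case "$rc" in
        0) echo fail ;;   # override line present
        1) echo pass ;;   # file was read and holds no override line
        *) echo error ;;  # grep could not read the file (permissions, missing)
    esac
)

# Constructed sample files for a stand-alone run.
tmp=$(mktemp -d)
printf '# CRYPTO_POLICY=\n' > "$tmp/commented"
printf 'CRYPTO_POLICY=example-value\n' > "$tmp/override"
for f in "$tmp/commented" "$tmp/override" "$tmp/unreadable-or-missing"; do
    printf '%s: %s\n' "${f##*/}" "$(check_sshd_crypto_policy "$f")"
done
rm -rf "$tmp"
```

In this sketch any read failure maps to "error", so an unprivileged run is never mistaken for a compliant or non-compliant host.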