| Summary: | USGCB/STIG Profile causes SSHD to not start | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Brian Stinson <bstinson> |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
| Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> |
| Severity: | urgent | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | high | | |
| Version: | 7.3 | CC: | alee, cfu, cww, degts, dsirrine, ebenes, edewata, jmagne, kbost, mhaicman, mharmsen, mihai, mjahoda, mpreisle, nkinder, openscap-maint, wsato |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Prior to this update, the OpenSCAP remediation function based on United States Government Configuration Baseline (USGCB) or Security Technical Implementation Guide (STIG) profiles from the SCAP Security Guide incorrectly changed the /etc/ssh/sshd_config file. Consequently, the SSH daemon failed to start and the system was not accessible using the SSH protocol. The remediation function has been fixed and a machine remediated using USGCB or STIG profiles is now accessible by SSH. | Story Points: | --- |
| Clone Of: | | | |
| : | 1415152 | Environment: | |
| Last Closed: | 2017-08-01 12:23:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1415152 | | |
| Attachments: | | | |

This PR should fix the issue: https://github.com/OpenSCAP/scap-security-guide/pull/1471

Verified fix in scap-security-guide-0.1.33-4.el7.noarch

State of /etc/ssh/sshd_config after full remediation of ospp (USGCB) profile:

OLD (scap-security-guide-0.1.30-3.el7.noarch):

```
<snip>
# Per CCE: Set PermitEmptyPasswords no in /etc/ssh/sshd_config
PermitEmptyPasswords no
# Per CCE: Set PermitUserEnvironment no in /etc/ssh/sshd_config
PermitUserEnvironment no
# Per CCE: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcMACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
```

NEW:

```
<snip>
# Per CCE-CCE-27295-5: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
# Per CCE-CCE-27455-5: Set MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm,hmac-sha2-256-etm,hmac-sha2-512-etm in /etc/ssh/sshd_config
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm,hmac-sha2-256-etm,hmac-sha2-512-etm
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064

Created attachment 1227420
Log showing Cipher messages

Description of problem:
Installing RHEL 7.3 and selecting the 'United States Government Configuration Baseline (USGCB/STIG)' profile causes the sshd service to stop on a malformed configuration file.

Version-Release number of selected component (if applicable):

```
$ rpm -qa scap-security-guide
scap-security-guide-0.1.30-3.el7.noarch
```

How reproducible:
Every new install with the USGCB/STIG profile applied

Steps to Reproduce:
1. Start a fresh RHEL 7.3 Install
2. Choose the 'United States Government Configuration Baseline' profile from the security profile spoke
3. Notice that journalctl -u sshd reports an error, and that the last line of /etc/ssh/sshd_config containing the ciphers is concatenated with another directive for the MACs

Actual results:
sshd.service is stopped, and a 'BAD SSH2 cipher spec' message appears in the journal (see attached sshd_log)

Expected results:
sshd.service should be running

Additional info:
I suspect that the sshd_config does not have a trailing newline after the 'Ciphers' directive which means that remediations/bash/sshd_use_approved_macs.sh concatenates the MACs directive onto the same line
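
The trailing-newline failure suspected in the description above, reproduced as an added example that is not part of the original report and is not the scap-security-guide remediation code. The function names (`append_naive`, `append_safe`, `fused_lines`, `make_sample`) and the sample config are constructed for illustration.

```bash
#!/bin/bash
# Added illustration: function names and the sample file are constructed here,
# not taken from scap-security-guide.

# Naive append, as a remediation might do it: if the file's last byte is not
# "\n", the new directive is glued onto the previous line.
append_naive() {
    printf '%s\n' "$2" >> "$1"
}

# Hardened append: terminate an unterminated last line before adding ours.
append_safe() {
    local file="$1" line="$2"
    # $(...) strips a trailing newline, so a non-empty result means the
    # last byte of the file is something other than "\n".
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$line" >> "$file"
}

# Heuristic check: Ciphers and MACs each take one comma-separated argument,
# so a third field on such a line suggests two directives ran together.
# Prints the offending line numbers, space-separated.
fused_lines() {
    awk 'tolower($1) ~ /^(ciphers|macs)$/ && NF > 2 { printf "%s%d", sep, NR; sep=" " }' "$1"
}

# Constructed sample: a two-line config whose last line has no trailing newline.
make_sample() {
    printf 'PermitEmptyPasswords no\nCiphers aes128-ctr,aes256-ctr' > "$1"
}

demo() {
    local dir; dir=$(mktemp -d)
    make_sample "$dir/naive"; append_naive "$dir/naive" 'MACs hmac-sha2-512,hmac-sha2-256'
    make_sample "$dir/safe";  append_safe  "$dir/safe"  'MACs hmac-sha2-512,hmac-sha2-256'
    echo "naive: fused at line(s) [$(fused_lines "$dir/naive")]"
    echo "safe:  fused at line(s) [$(fused_lines "$dir/safe")]"
    rm -rf "$dir"
}
demo
```

On a real host, `sshd -t -f <file>` checks a configuration file for validity, which catches this kind of damage before the service is restarted.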