Prior to this update, the OpenSCAP remediation function based on United States Government Configuration Baseline (USGCB) or Security Technical Implementation Guide (STIG) profiles from the SCAP Security Guide incorrectly changed the /etc/ssh/sshd_config file. Consequently, the SSH daemon failed to start and the system was not accessible using the SSH protocol. The remediation function has been fixed and a machine remediated using USGCB or STIG profiles is now accessible by SSH.
Created attachment 1227420
Log showing Cipher messages
Description of problem:
Installing RHEL 7.3 and selecting the 'United States Government Configuration Baseline (USGCB/STIG)' profile causes the sshd service to stop on a malformed configuration file.
Version-Release number of selected component (if applicable):
$ rpm -qa scap-security-guide
scap-security-guide-0.1.30-3.el7.noarch
How reproducible:
Every new install with the USGCB/STIG profile applied
Steps to Reproduce:
1. Start a fresh RHEL 7.3 Install
2. Choose the 'United States Government Configuration Baseline' profile from the security profile spoke
3. Notice that journalctl -u sshd reports an error, and that the last line of /etc/ssh/sshd_config containing the ciphers is concatenated with another directive for the MACs
Actual results:
sshd.service is stopped, and a 'BAD SSH2 cipher spec' message appears in the journal (see attached sshd_log)
Expected results:
sshd.service should be running
Additional info:
I suspect that the sshd_config does not have a trailing newline after the 'Ciphers' directive which means that remediations/bash/sshd_use_approved_macs.sh concatenates the MACs directive onto the same line
Verified fix in scap-security-guide-0.1.33-4.el7.noarch
State of /etc/ssh/sshd_config after full remediation of ospp (USGCB) profile:
OLD (scap-security-guide-0.1.30-3.el7.noarch):
<snip>
# Per CCE: Set PermitEmptyPasswords no in /etc/ssh/sshd_config
PermitEmptyPasswords no
# Per CCE: Set PermitUserEnvironment no in /etc/ssh/sshd_config
PermitUserEnvironment no
# Per CCE: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcMACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
NEW:
<snip>
# Per CCE-CCE-27295-5: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
# Per CCE-CCE-27455-5: Set MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm,hmac-sha2-256-etm,hmac-sha2-512-etm in /etc/ssh/sshd_config
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm,hmac-sha2-256-etm,hmac-sha2-512-etm
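The reporter's suspicion above (a `Ciphers` line with no trailing newline, onto which the MACs remediation appends its directive) and the old/new `sshd_config` state shown in this comment both come down to one rule: a remediation must never append to a file whose last byte is not a newline. The script below is an added example, not code from scap-security-guide or its remediation scripts; the function names `ensure_trailing_newline`, `set_directive`, `directive_count` and `demo` are my own, and the sample configuration (a shortened cipher list written without a final newline) is constructed to reproduce the state described in the report.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: a newline-safe way to set an
# sshd_config directive, demonstrated on a constructed file that mimics the
# report's state (last line "Ciphers ..." with no trailing newline).

# Append "\n" to FILE only if its last byte is not already a newline.
ensure_trailing_newline() {
    f="$1"
    # "tail -c 1 | wc -l" prints 1 when the final byte is "\n", 0 otherwise
    if [ -s "$f" ] && [ "$(tail -c 1 "$f" | wc -l)" -eq 0 ]; then
        printf '\n' >> "$f"
    fi
}

# set_directive FILE KEY VALUE: replace an existing KEY line in place, or
# append a new one, without ever gluing it onto the previous line.
set_directive() {
    f="$1"; key="$2"; value="$3"
    ensure_trailing_newline "$f"
    if grep -q "^[[:space:]]*$key[[:space:]]" "$f"; then
        # rewrite through a temp file so the edit is portable (no sed -i)
        sed "s|^[[:space:]]*$key[[:space:]].*|$key $value|" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '%s %s\n' "$key" "$value" >> "$f"
    fi
}

# directive_count FILE KEY: number of lines that start with KEY.
# A sane config has exactly one line per key; a concatenated
# "...cbcMACs ..." line would count as zero MACs lines.
directive_count() {
    grep -c "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# demo FILE: write the constructed broken state into FILE and apply the
# MACs step the way a newline-safe remediation would.
demo() {
    cfg="$1"
    # constructed sample: Ciphers is the last line and lacks "\n"
    printf 'PermitEmptyPasswords no\nCiphers aes128-ctr,aes256-ctr' > "$cfg"
    set_directive "$cfg" MACs hmac-sha2-512,hmac-sha2-256
}

# Stand-alone run: show the resulting file, then clean up.
example=$(mktemp)
demo "$example"
cat "$example"
rm -f "$example"
```

On a real host the check that matters is the one the report is missing: run `sshd -t` against the remediated file before restarting the service, so a malformed line is caught while the existing SSH session is still up rather than after it is gone.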
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2064