Bug 1523827

Summary: SSG does not reflect RhostsRSAAuthentication is deprecated in openssh-7.4+
Product: Red Hat Enterprise Linux 7
Reporter: Marek Haicman <mhaicman>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: medium
Priority: medium
Version: 7.4
CC: lmiksik, mhaicman, mpreisle, openscap-maint
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: scap-security-guide-0.1.36-6.el7
Doc Type: If docs needed, set a value
Last Closed: 2018-04-10 12:21:26 UTC
Type: Bug

Description Marek Haicman 2017-12-08 19:50:44 UTC
Description of problem:
openssh-7.4 has removed support for protocol 1. With that, the option RhostsRSAAuthentication has been deprecated. This should be reflected within the OVAL rule of xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.36-4.el7.noarch

How reproducible:
reliable

Steps to Reproduce:
1. update system to have openssh-7.4
2. make sure RhostsRSAAuthentication is not in sshd_config
3. run xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa on updated openssh

Actual results:
it fails, and requires RhostsRSAAuthentication to be defined

Expected results:
result is pass

Additional info:

Comment 4 Marek Haicman 2018-02-26 11:26:41 UTC
Verified that in `scap-security-guide-0.1.36-7.el7` rule `sshd_disable_rhosts_rsa` passes in case openssh-server is version 7.4, without having RhostsRSAAuthentication configured in `sshd_config`.


OLD SSH:
[root@qeos-46 ~]# rpm -qa openssh-server
openssh-server-6.6.1p1-35.el7_3.x86_64
[root@qeos-46 ~]# grep RhostsRSAAuthentication /etc/ssh/sshd_config
#RhostsRSAAuthentication no
# RhostsRSAAuthentication and HostbasedAuthentication

[root@qeos-46 ~]# oscap xccdf eval --profile stig-rhel7-disa --progress --rule xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa ssg-0.1.33-6-ds.xml
xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa:fail


[root@qeos-46 ~]# oscap xccdf eval --profile stig-rhel7-disa --progress --rule xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa ssg-0.1.36-7-ds.xml
xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa:fail


NEW SSH:
[root@qeos-44 ~]# rpm -qa openssh-server
openssh-server-7.4p1-16.el7.x86_64
[root@qeos-44 ~]# grep RhostsRSAAuthentication /etc/ssh/sshd_config
<no stdout>

[root@qeos-44 ~]# oscap xccdf eval --profile stig-rhel7-disa --progress --rule xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa ssg-0.1.33-6-ds.xml
xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa:fail

[root@qeos-44 ~]# oscap xccdf eval --profile stig-rhel7-disa --progress --rule xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa ssg-0.1.36-7-ds.xml
xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa:pass
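The behaviour expected in the description and confirmed in the verification above, written out as a small Python model (added example, not SSG's OVAL content): the rule demands an active `RhostsRSAAuthentication no` only while openssh-server is older than 7.4, and passes unconditionally from 7.4 on. The function names, the version parser and the two sample `sshd_config` fragments are constructed for this example.

```python
"""Model of the fixed sshd_disable_rhosts_rsa check (added example, not SSG's OVAL)."""
import re

# Constructed sample configs; the commented-out directive mirrors the
# RHEL 7.3 default shown in the verification session.
OLD_CONFIG = """# RhostsRSAAuthentication and HostbasedAuthentication
#RhostsRSAAuthentication no
HostbasedAuthentication no
"""
NEW_CONFIG = """HostbasedAuthentication no
PermitRootLogin no
"""

def effective_value(config_text: str, keyword: str):
    """Return the value of the first active (uncommented) directive, or None.

    sshd honours the first occurrence of a keyword and matches it
    case-insensitively; 'keyword value' and 'keyword=value' are both valid.
    """
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None

def parse_version(rpm_version: str):
    """'7.4p1' -> (7, 4); '6.6.1p1' -> (6, 6, 1). The OpenSSH patch suffix is ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", rpm_version.split("p")[0]))

def rhosts_rsa_rule(openssh_version: str, config_text: str) -> str:
    """Return 'pass' or 'fail' as the rule should behave after the fix."""
    if parse_version(openssh_version) >= (7, 4):
        # Protocol 1 is gone and RhostsRSAAuthentication is deprecated,
        # so there is nothing to require in sshd_config.
        return "pass"
    value = effective_value(config_text, "RhostsRSAAuthentication")
    return "pass" if value is not None and value.lower() == "no" else "fail"
```

Real SSG derives the version from the installed openssh-server RPM and reads /etc/ssh/sshd_config through OVAL; this model only captures the decision the rule makes.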

Comment 7 errata-xmlrpc 2018-04-10 12:21:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0761