Bug 1686007

Summary: DISA openscap remediation playbook failing on ssh *.pub/*.key files
Product: Red Hat Enterprise Linux 7
Reporter: Abhijeet Joshi <abjoshi>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA
QA Contact: Gabriel Gaspar Becker <ggasparb>
Severity: medium
Priority: medium
Version: 7.6
CC: mhaicman, openscap-maint
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: scap-security-guide-0.1.43-2.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-08-06 13:04:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Comment 2 Watson Yuuma Sato 2019-03-19 10:45:48 UTC
Patch that fixes this issue: https://github.com/ComplianceAsCode/content/pull/3616.
The patch was released in scap-security-guide-0.1.42.
With the fix, the task will do a search using an expression for the pub and private keys, and set permissions for the files that were found.

Comment 3 Watson Yuuma Sato 2019-03-19 15:42:49 UTC
PR https://github.com/ComplianceAsCode/content/pull/4204 (not released yet) is also required for Ansible playbooks.

Comment 6 Gabriel Gaspar Becker 2019-05-15 13:06:28 UTC
Manually verified that the Ansible playbooks apply correctly and fix the file permissions.

RHEL Compose - RHEL-7.7-20190502.1

Package versions
scap-security-guide-0.1.43-4.el7.noarch
openscap-scanner-1.2.17-2.el7.x86_64
openscap-1.2.17-2.el7.x86_64

ansible-2.7.10-1.el7ae.noarch

------------------------------------>8-----------------------------------

- System with wrong permissions (ssh_host_ecdsa_key, ssh_host_ecdsa_key.pub):
ls -la /etc/ssh/
total 612
drwxr-xr-x.  2 root root       4096 May  3 03:51 .
drwxr-xr-x. 81 root root       4096 May 15 08:54 ..
-rw-r--r--.  1 root root     581843 Mar  4 08:34 moduli
-rw-r--r--.  1 root root       2276 Mar  4 08:34 ssh_config
-rw-------.  1 root root       3907 Mar  4 08:34 sshd_config
-rw-r--r--.  1 root ssh_keys    227 May  3 03:51 ssh_host_ecdsa_key
-rw-rw-rw-.  1 root root        162 May  3 03:51 ssh_host_ecdsa_key.pub
-rw-r-----.  1 root ssh_keys    387 May  3 03:51 ssh_host_ed25519_key
-rw-r--r--.  1 root root         82 May  3 03:51 ssh_host_ed25519_key.pub
-rw-r-----.  1 root ssh_keys   1675 May  3 03:51 ssh_host_rsa_key
-rw-r--r--.  1 root root        382 May  3 03:51 ssh_host_rsa_key.pub

------------------------------------>8-----------------------------------

- Generate Ansible fixes
oscap xccdf generate fix --fix-type ansible --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --output /tmp/stig-rhel7-role.yml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

------------------------------------>8-----------------------------------

- Apply remediation for /etc/ssh/*.pub files
[root@ci-vm-10-0-136-234 common]# ansible-playbook --tags DISA-STIG-RHEL-07-040410 /tmp/stig-rhel7-role.yml -i 10.0.136.22,
 [WARNING]: While constructing a mapping from /tmp/stig-rhel7-role.yml, line 312, column 9, found a duplicate dict key (section). Using last defined value only.


PLAY [all] ********************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
The authenticity of host '10.0.136.22 (10.0.136.22)' can't be established.
ED25519 key fingerprint is SHA256:sOlMjJ1zyqHwgjhtIkckFR9hg09E1ug5uIW2i07A97Q.
ED25519 key fingerprint is MD5:85:98:9c:1d:5e:2c:82:ef:a2:fb:82:9f:28:0f:a6:20.
Are you sure you want to continue connecting (yes/no)? yes
ok: [10.0.136.22]

TASK [Find /etc/ssh file(s)] **************************************************************************************************************************************************************************************
ok: [10.0.136.22]

TASK [Set permissions for /etc/ssh file(s)] ***********************************************************************************************************************************************************************
ok: [10.0.136.22] => (item={u'rusr': True, u'uid': 0, u'rgrp': True, u'xoth': False, u'islnk': False, u'woth': False, u'nlink': 1, u'issock': False, u'mtime': 1556869882.3097064, u'gr_name': u'root', u'path': u'/etc/ssh/ssh_host_rsa_key.pub', u'xusr': False, u'atime': 1557924871.16212, u'inode': 149850, u'isgid': False, u'size': 382, u'isdir': False, u'ctime': 1556869882.3357065, u'roth': True, u'isblk': False, u'xgrp': False, u'isuid': False, u'dev': 64769, u'wgrp': False, u'isreg': True, u'isfifo': False, u'mode': u'0644', u'pw_name': u'root', u'gid': 0, u'ischr': False, u'wusr': True})
changed: [10.0.136.22] => (item={u'rusr': True, u'uid': 0, u'rgrp': True, u'xoth': False, u'islnk': False, u'woth': True, u'nlink': 1, u'issock': False, u'mtime': 1556869882.4077065, u'gr_name': u'root', u'path': u'/etc/ssh/ssh_host_ecdsa_key.pub', u'xusr': False, u'atime': 1557925125.69812, u'inode': 149852, u'isgid': False, u'size': 162, u'isdir': False, u'ctime': 1557925028.85612, u'roth': True, u'isblk': False, u'xgrp': False, u'isuid': False, u'dev': 64769, u'wgrp': True, u'isreg': True, u'isfifo': False, u'mode': u'0666', u'pw_name': u'root', u'gid': 0, u'ischr': False, u'wusr': True})
ok: [10.0.136.22] => (item={u'rusr': True, u'uid': 0, u'rgrp': True, u'xoth': False, u'islnk': False, u'woth': False, u'nlink': 1, u'issock': False, u'mtime': 1556869882.4897065, u'gr_name': u'root', u'path': u'/etc/ssh/ssh_host_ed25519_key.pub', u'xusr': False, u'atime': 1557924871.1771202, u'inode': 149854, u'isgid': False, u'size': 82, u'isdir': False, u'ctime': 1556869882.5047066, u'roth': True, u'isblk': False, u'xgrp': False, u'isuid': False, u'dev': 64769, u'wgrp': False, u'isreg': True, u'isfifo': False, u'mode': u'0644', u'pw_name': u'root', u'gid': 0, u'ischr': False, u'wusr': True})

PLAY RECAP ********************************************************************************************************************************************************************************************************
10.0.136.22                : ok=3    changed=1    unreachable=0    failed=0   

------------------------------------>8-----------------------------------

- Apply remediation for /etc/ssh/*_key files
[root@ci-vm-10-0-136-234 common]# ansible-playbook --tags DISA-STIG-RHEL-07-040420 /tmp/stig-rhel7-role.yml -i 10.0.136.22,
 [WARNING]: While constructing a mapping from /tmp/stig-rhel7-role.yml, line 312, column 9, found a duplicate dict key (section). Using last defined value only.


PLAY [all] ********************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [10.0.136.22]

TASK [Find /etc/ssh file(s)] **************************************************************************************************************************************************************************************
ok: [10.0.136.22]

TASK [Set permissions for /etc/ssh file(s)] ***********************************************************************************************************************************************************************
ok: [10.0.136.22] => (item={u'rusr': True, u'uid': 0, u'rgrp': True, u'xoth': False, u'islnk': False, u'woth': False, u'nlink': 1, u'issock': False, u'mtime': 1556869882.3097064, u'gr_name': u'ssh_keys', u'path': u'/etc/ssh/ssh_host_rsa_key', u'xusr': False, u'atime': 1557924871.1411202, u'inode': 131081, u'isgid': False, u'size': 1675, u'isdir': False, u'ctime': 1556869882.3317065, u'roth': False, u'isblk': False, u'xgrp': False, u'isuid': False, u'dev': 64769, u'wgrp': False, u'isreg': True, u'isfifo': False, u'mode': u'0640', u'pw_name': u'root', u'gid': 997, u'ischr': False, u'wusr': True})
ok: [10.0.136.22] => (item={u'rusr': True, u'uid': 0, u'rgrp': True, u'xoth': False, u'islnk': False, u'woth': False, u'nlink': 1, u'issock': False, u'mtime': 1556869882.4897065, u'gr_name': u'ssh_keys', u'path': u'/etc/ssh/ssh_host_ed25519_key', u'xusr': False, u'atime': 1557924871.1761203, u'inode': 149853, u'isgid': False, u'size': 387, u'isdir': False, u'ctime': 1556869882.5007064, u'roth': False, u'isblk': False, u'xgrp': False, u'isuid': False, u'dev': 64769, u'wgrp': False, u'isreg': True, u'isfifo': False, u'mode': u'0640', u'pw_name': u'root', u'gid': 997, u'ischr': False, u'wusr': True})
changed: [10.0.136.22] => (item={u'rusr': True, u'uid': 0, u'rgrp': True, u'xoth': False, u'islnk': False, u'woth': False, u'nlink': 1, u'issock': False, u'mtime': 1556869882.4077065, u'gr_name': u'ssh_keys', u'path': u'/etc/ssh/ssh_host_ecdsa_key', u'xusr': False, u'atime': 1557925125.69812, u'inode': 149851, u'isgid': False, u'size': 227, u'isdir': False, u'ctime': 1557925000.15612, u'roth': True, u'isblk': False, u'xgrp': False, u'isuid': False, u'dev': 64769, u'wgrp': False, u'isreg': True, u'isfifo': False, u'mode': u'0644', u'pw_name': u'root', u'gid': 997, u'ischr': False, u'wusr': True})

PLAY RECAP ********************************************************************************************************************************************************************************************************
10.0.136.22                : ok=3    changed=1    unreachable=0    failed=0  

------------------------------------>8-----------------------------------

- Remediated system with fixed file permissions:
ls -la /etc/ssh/
total 612
drwxr-xr-x.  2 root root       4096 May  3 03:51 .
drwxr-xr-x. 81 root root       4096 May 15 08:54 ..
-rw-r--r--.  1 root root     581843 Mar  4 08:34 moduli
-rw-r--r--.  1 root root       2276 Mar  4 08:34 ssh_config
-rw-------.  1 root root       3907 Mar  4 08:34 sshd_config
-rw-r-----.  1 root ssh_keys    227 May  3 03:51 ssh_host_ecdsa_key
-rw-r--r--.  1 root root        162 May  3 03:51 ssh_host_ecdsa_key.pub
-rw-r-----.  1 root ssh_keys    387 May  3 03:51 ssh_host_ed25519_key
-rw-r--r--.  1 root root         82 May  3 03:51 ssh_host_ed25519_key.pub
-rw-r-----.  1 root ssh_keys   1675 May  3 03:51 ssh_host_rsa_key
-rw-r--r--.  1 root root        382 May  3 03:51 ssh_host_rsa_key.pub
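Comment 2 describes the fixed task as a search expression over the public and private host keys followed by a permission set on each match, and Comment 6 shows the before/after listing that a verifier compares. The script below is an added example, not part of the bug report and not the scap-security-guide playbook or the oscap-generated role: a POSIX sh audit-and-fix pair that applies the same two rules to a directory. The expected modes (0644 for `*.pub`, 0640 for `*_key`) are taken from the remediated listing above; the directory argument, the function names and the use of GNU `stat -c` are assumptions of the example, and the test fixture it is exercised against is constructed, not a real host.

```sh
#!/bin/sh
# Added example (not from the bug report or the scap-security-guide project).
# Audits and remediates SSH host-key permissions in the same two classes the
# STIG tasks DISA-STIG-RHEL-07-040410 (*.pub) and -040420 (*_key) cover.
# Expected modes come from the remediated listing in Comment 6:
#   *.pub  -> 0644
#   *_key  -> 0640
# Assumes GNU coreutils `stat -c` (Linux). The directory is a parameter so the
# same logic can run against a constructed fixture as well as /etc/ssh.

# Map a file name to the mode the rule expects; echoes nothing for files the
# two rules do not cover (e.g. moduli, sshd_config), so those are left alone.
expected_mode() {
    case $1 in
        *.pub) echo 644 ;;
        *_key) echo 640 ;;
    esac
}

# audit_ssh_keys DIR
# Prints one line per file whose mode deviates from the rule and returns the
# number of deviations (0 means compliant), so it doubles as a check command.
audit_ssh_keys() {
    dir=$1
    bad=0
    for f in "$dir"/*.pub "$dir"/*_key; do
        [ -f "$f" ] || continue            # unmatched glob or non-regular file
        want=$(expected_mode "$f")
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "$want" ]; then
            printf '%s: mode %s, expected %s\n' "$f" "$mode" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# remediate_ssh_keys DIR
# Mirrors the fixed Ansible task: search by name expression, then set the
# mode on every match. Only the key files are touched; nothing else in DIR
# is changed.
remediate_ssh_keys() {
    dir=$1
    find "$dir" -maxdepth 1 -type f -name '*.pub' -exec chmod 0644 {} +
    find "$dir" -maxdepth 1 -type f -name '*_key' -exec chmod 0640 {} +
}

# Usage on a real host (as root):
#   audit_ssh_keys /etc/ssh      && echo compliant
#   remediate_ssh_keys /etc/ssh  && audit_ssh_keys /etc/ssh
```

Running `audit_ssh_keys` before and after `remediate_ssh_keys` reproduces the check Comment 6 does by eye with two `ls -la` listings, and the non-zero return count makes the drift visible to a scheduler or CI job without parsing output. Group ownership (`ssh_keys` on the private keys in the listing) is deliberately not enforced here because the bug is about mode bits and the group already matched in the "before" listing.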

Comment 8 errata-xmlrpc 2019-08-06 13:04:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2198