Bug 1781244

Summary: FIPS approved ciphers need to be updated
Product: Red Hat Enterprise Linux 7 Reporter: imcneal
Component: scap-security-guideAssignee: Matěj Týč <matyc>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: medium Docs Contact:
Priority: high    
Version: 7.7CC: ggasparb, lcervako, matyc, mhaicman, openscap-maint, rhel-docs, wsato
Target Milestone: rcKeywords: Documentation
Target Release: ---Flags: lcervako: mirror+
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.49-2.el7 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:52:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description imcneal 2019-12-09 15:52:00 UTC 
Document URL: 
https://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-stig.html

Section Number and Name: 
RHEL-07-040110

Describe the issue: 
RHEL-07-040110
The following are listed
The following ciphers are FIPS 140-2 certified on RHEL 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc.se

But as per the STIG:
https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72221
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Are the only allowed ciphers

Suggestions for improvement: Match section RHEL-07-040110 to the STIG:
https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72221
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Are the only allowed ciphers

Additional information: 

From customer


"As documented here - https://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-stig.html

RHEL-07-040110
The following are listed
The following ciphers are FIPS 140-2 certified on RHEL 7:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- rijndael-cbc.se

But as per the STIG:
https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72221
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Are the only allowed ciphers"
Comment 3 Mirek Jahoda 2019-12-13 17:21:28 UTC 
I have corrected the component.
Comment 4 Marek Haicman 2020-02-10 16:27:47 UTC 
*** Bug 1781245 has been marked as a duplicate of this bug. ***
Comment 7 Matěj Týč 2020-03-19 10:27:28 UTC 
Fixed by introducing parametrization to the rule:

https://github.com/ComplianceAsCode/content/pull/5308
Comment 13 errata-xmlrpc 2020-09-29 19:52:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3909