Bug 2115343

Summary: file_permissions_sshd_private_key is not aligned with DISA STIG benchmark
Product: Red Hat Enterprise Linux 8 Reporter: Milan Lysonek <mlysonek>
Component: scap-security-guide    Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA QA Contact: Jiri Jaburek <jjaburek>
Severity: unspecified Docs Contact: Jan Fiala <jafiala>
Priority: unspecified    
Version: 8.7    CC: ggasparb, jafiala, jjaburek, matyc, mhaicman, mlysonek, smahanga, vpolasek, wsato
Target Milestone: rc    Keywords: AutoVerified, Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.66-1.el8 Doc Type: Bug Fix
Doc Text:
SCAP Security Guide rule `file_permissions_sshd_private_key` is aligned with STIG configuration RHEL-08-010490

Previously, the implementation of rule `file_permissions_sshd_private_key` allowed private SSH keys to be readable by the `ssh_keys` group with mode `0640`, while DISA STIG configuration RHEL-08-010490 required private SSH keys to have mode `0600`. As a consequence, evaluation with DISA’s automated STIG benchmark failed for configuration RHEL-08-010490. For this update, we worked with DISA to align the expected permissions for private SSH keys, and now private keys are expected to have mode `0640` or less permissive. As a result, the rule `file_permissions_sshd_private_key` and configuration RHEL-08-010490 are now aligned.
Story Points: ---
Clone Of:
: 2123284 2168057 2168058 2168059    Environment:
Last Closed: 2023-05-16 08:39:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2123284, 2168057, 2168058, 2168059    

Description Milan Lysonek 2022-08-04 13:06:42 UTC
Description of problem:
Scap-security-guide rule xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key is not aligned with DISA STIG xccdf_mil.disa.stig_rule_SV-230287r743951_rule.

SSG:
xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key expects SSH private keys with:
 0600 permission and owned by root:root
or
 0640 permission and owned by root:ssh_keys

DISA:
xccdf_mil.disa.stig_rule_SV-230287r743951_rule expects SSH private keys with 0600 permission, no matter the group owner.


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.63-1.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Private keys with 0640 permission and ssh_keys group exist
2. oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
3. oscap xccdf eval --profile '(all)' --rule xccdf_mil.disa.stig_rule_SV-230287r743951_rule disa-stig-rhel8-v1r6-xccdf-scap.xml

Actual results:
# oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 
--- Starting Evaluation ---

Title   Verify Permissions on SSH Server Private *_key Key Files
Rule    xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Ident   CCE-82424-3
Result  pass

# oscap xccdf eval --profile '(all)' --rule xccdf_mil.disa.stig_rule_SV-230287r743951_rule disa-stig-rhel8-v1r6-xccdf-scap.xml
--- Starting Evaluation ---

Title   The RHEL 8 SSH private host key files must have mode 0600 or less permissive.
Rule    xccdf_mil.disa.stig_rule_SV-230287r743951_rule
Ident   CCI-000366
Result  fail


Expected results:
# oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 
--- Starting Evaluation ---

Title   Verify Permissions on SSH Server Private *_key Key Files
Rule    xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Ident   CCE-82424-3
Result  pass

# oscap xccdf eval --profile '(all)' --rule xccdf_mil.disa.stig_rule_SV-230287r743951_rule disa-stig-rhel8-v1r6-xccdf-scap.xml
--- Starting Evaluation ---

Title   The RHEL 8 SSH private host key files must have mode 0600 or less permissive.
Rule    xccdf_mil.disa.stig_rule_SV-230287r743951_rule
Ident   CCI-000366
Result  pass
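
The disagreement described in this report, and the aligned expectation stated in the Doc Text above, as an added example that is not part of the bug report, of scap-security-guide or of DISA's benchmark content: a small POSIX shell script that takes a key file's mode, owner and group (as printed by `stat -c '%a %U %G'`) and evaluates them under three readings side by side. The function names and the `--scan` flag are my own; "or less permissive" is implemented as "no permission bit set beyond the reference mode", which is the usual OVAL semantics and is assumed here for the SSG rule as well; the V1R8 function checks mode only, because the Doc Text states the aligned expectation as `0640` or less permissive without an ownership clause. A key with `0640 root:ssh_keys` passes the SSG reading and the V1R8 reading but fails the V1R6 reading, which is the pass/fail pair shown in the actual results.

```shell
#!/bin/sh
# Added example: not code from the bug report, scap-security-guide or DISA.
# Evaluates an SSH host private key's mode and ownership under three readings:
#   ssg       SSG rule file_permissions_sshd_private_key as of 0.1.63
#             (0600 root:root, or 0640 root:ssh_keys)
#   disa_v1r6 DISA STIG V1R6 SV-230287 (0600 or less permissive, any group)
#   disa_v1r8 aligned expectation per the Doc Text (0640 or less permissive)
# Each check returns 0 for compliant and 1 for a finding, so it works in "if".
# Modes are octal strings as printed by "stat -c %a" (e.g. 640, 600).

# True when every permission bit set in $1 is also set in $2, i.e. $1 is
# "$2 or less permissive". printf '%d' on a 0-prefixed string parses octal.
mode_within() {
    actual=$(printf '%d' "0$1") || return 1
    limit=$(printf '%d' "0$2") || return 1
    [ $(( actual & ~limit )) -eq 0 ]
}

# SSG 0.1.63 reading: owner must be root; the allowed mode depends on group.
ssg_compliant() {  # mode owner group
    [ "$2" = root ] || return 1
    case $3 in
        root)     mode_within "$1" 600 ;;
        ssh_keys) mode_within "$1" 640 ;;
        *)        return 1 ;;
    esac
}

# DISA V1R6 reading: 0600 or less permissive; ownership is not evaluated,
# so owner and group are accepted but ignored.
disa_v1r6_compliant() {  # mode owner group
    mode_within "$1" 600
}

# Aligned (V1R8 / SSG 0.1.66) reading as stated in the Doc Text: 0640 or less
# permissive. Assumption: ownership is not part of this check.
disa_v1r8_compliant() {  # mode owner group
    mode_within "$1" 640
}

# One-line verdict for a single key under all three readings.
verdict() {  # mode owner group
    if ssg_compliant "$1" "$2" "$3"; then s=pass; else s=fail; fi
    if disa_v1r6_compliant "$1" "$2" "$3"; then d6=pass; else d6=fail; fi
    if disa_v1r8_compliant "$1" "$2" "$3"; then d8=pass; else d8=fail; fi
    printf '%s %s:%s  ssg=%s disa_v1r6=%s disa_v1r8=%s\n' \
        "$1" "$2" "$3" "$s" "$d6" "$d8"
}

# Scan the real host keys. The glob matches only private keys (public keys
# end in .pub). "stat -c" is GNU coreutils, as on RHEL.
check_host_keys() {
    for f in /etc/ssh/ssh_host_*_key; do
        [ -e "$f" ] || continue
        set -- $(stat -c '%a %U %G' "$f")
        verdict "$1" "$2" "$3"
    done
}

# Usage (file name is my own choice): sh sshd_key_perms.sh --scan
if [ "${1-}" = "--scan" ]; then
    check_host_keys
fi
```

Running it with `--scan` on a RHEL 8 host whose keys are `0640 root:ssh_keys` prints `ssg=pass disa_v1r6=fail disa_v1r8=pass` for each key, which is exactly the split between the two oscap runs in the report; `chmod 0600` on the keys makes all three readings agree, at the cost of breaking the `ssh_keys` group access that RHEL's openssh packaging sets up.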

Comment 4 Watson Yuuma Sato 2023-01-26 10:26:39 UTC
DISA has updated their automated content and now the rules are aligned.
The update to DISA's automated content V1R8 aligns them:
https://github.com/ComplianceAsCode/content/pull/10078

Comment 28 errata-xmlrpc 2023-05-16 08:39:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2869