Bug 2123284

Summary: file_permissions_sshd_private_key is not aligned with DISA STIG benchmark [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7
Reporter: Matus Marhefka <mmarhefk>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA
QA Contact: Matus Marhefka <mmarhefk>
Severity: unspecified
Docs Contact: Jan Fiala <jafiala>
Priority: unspecified
Version: 7.9
CC: ggasparb, jafiala, kpfleming, matyc, mhaicman, mlysonek, qe-baseos-security, vpolasek, wsato
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: scap-security-guide-0.1.66-1.el7_9
Doc Type: Bug Fix
Doc Text:
SCAP Security Guide rule `file_permissions_sshd_private_key` is aligned with STIG configuration RHEL-07-040420

Previously, the implementation of rule `file_permissions_sshd_private_key` allowed private SSH keys to be readable by the `ssh_keys` group with mode `0644`, while the DISA STIG requirement RHEL-07-040420 required private SSH keys to have mode `0600`. As a consequence, evaluation with DISA's automated STIG benchmark failed for configuration RHEL-07-040420. For this update, we worked with DISA to align the expected permissions for private SSH keys, and private keys are now expected to have mode `0644` or less permissive. As a result, the rule `file_permissions_sshd_private_key` and configuration RHEL-07-040420 are now aligned.
Story Points: ---
Clone Of: 2115343
Environment:
Last Closed: 2023-03-07 09:54:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2115343
Bug Blocks:
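As an added example (not code from this bug report or from the scap-security-guide project), the POSIX shell script below checks sshd host private keys against the "0644 or less permissive" expectation described in the Doc Text: it converts each key's octal mode to a number, masks it against 0644 (rw-r--r--), and reports any key whose mode sets a bit outside that mask (group-writable, world-writable, executable, or setuid/setgid/sticky). The `ssh_host_*_key` glob and the `/etc/ssh` default directory are assumptions about the usual sshd layout; the files and modes in the demo are constructed empty files in a temporary directory, not real host keys.

```shell
#!/bin/sh
# Added example, not from the bug report or scap-security-guide.
# Checks sshd host private keys against the "0644 or less permissive"
# expectation from the Doc Text: no permission bit outside rw-r--r--.

# Convert an octal mode string (e.g. "0640" or "640") to decimal with pure
# POSIX arithmetic, so we do not depend on how the shell parses leading zeros.
octal_to_dec() {
    n=0
    rest=$1
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}   # first character of the remaining string
        rest=${rest#?}          # drop that character
        n=$(( n * 8 + d ))
    done
    echo "$n"
}

# 0644 (rw-r--r--) is decimal 420. A mode is "0644 or less permissive" when it
# sets no bit outside that mask; this also rejects setuid/setgid/sticky bits.
mode_within_0644() {
    [ $(( $(octal_to_dec "$1") & ~420 )) -eq 0 ]
}

# Print a file's mode as octal digits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Audit every sshd host private key in DIR (default /etc/ssh).
# Prints one line per key; returns 1 if any key is more permissive than 0644.
# The ssh_host_*_key naming is the usual sshd layout (assumption).
audit_sshd_private_keys() {
    dir=${1:-/etc/ssh}
    rc=0
    for key in "$dir"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        mode=$(file_mode "$key")
        if mode_within_0644 "$mode"; then
            printf 'OK   %s %s\n' "$mode" "$key"
        else
            printf 'FAIL %s %s (more permissive than 0644)\n' "$mode" "$key"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed, empty files in a temporary directory (not real keys):
# 0640 root:ssh_keys-style and 0600 STIG-style both pass; 0664 fails.
demo() {
    tmp=$(mktemp -d) || return 2
    : > "$tmp/ssh_host_rsa_key";     chmod 0640 "$tmp/ssh_host_rsa_key"
    : > "$tmp/ssh_host_ed25519_key"; chmod 0600 "$tmp/ssh_host_ed25519_key"
    : > "$tmp/ssh_host_ecdsa_key";   chmod 0664 "$tmp/ssh_host_ecdsa_key"
    audit_sshd_private_keys "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if demo; then
    echo "all sample keys are 0644 or less permissive"
else
    echo "at least one sample key is more permissive than 0644"
fi
```

Run it as root with no argument to audit `/etc/ssh` on a live host; the mask check is deliberately a subset test, so both the RHEL-style `0640` root:ssh_keys layout and the `0600` STIG layout pass, which is exactly the alignment the fixed rule describes.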

Comment 3 Watson Yuuma Sato 2023-01-26 11:27:51 UTC
DISA has updated their automated content and now the rules are aligned.
The update to DISA's automated content V3R10 aligns them:
https://github.com/ComplianceAsCode/content/pull/10079

Comment 14 errata-xmlrpc 2023-03-07 09:54:58 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:1099