Bug 1372070 - RHEL 7.3 beta error: SSH private key file permissions
Summary: RHEL 7.3 beta error: SSH private key file permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.3
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Watson Yuuma Sato
QA Contact: Matus Marhefka
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-31 20:15 UTC by Shawn Wells
Modified: 2017-08-01 12:23 UTC (History)
6 users (show)

Fixed In Version: scap-security-guide-0.1.32-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 12:23:38 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2064 normal SHIPPED_LIVE scap-security-guide bug fix and enhancement update 2017-08-01 16:05:50 UTC
Github https://github.com/OpenSCAP scap-security-guide issues 1542 None None None 2016-11-08 03:35:51 UTC

Description Shawn Wells 2016-08-31 20:15:42 UTC 
RHEL 7.3 beta install remains non-compliant on SSH private keys:

- CCE-27485-2: xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Comment 2 Shawn Wells 2016-11-08 03:35:51 UTC 
Upstream BZ https://github.com/OpenSCAP/scap-security-guide/issues/1542
Comment 3 redhatrises 2016-11-08 14:06:22 UTC 
Remediation script upstream is here: https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/static/bash/file_permissions_sshd_private_key.sh

Shawn would expect the permissions be 0600 or 0640 to accommodate the ssh_keys group?
Comment 4 Shawn Wells 2016-11-08 15:54:28 UTC 
(In reply to redhatrises from comment #3)
> Remediation script upstream is here:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/
> static/bash/file_permissions_sshd_private_key.sh
> 
> Shawn would expect the permissions be 0600 or 0640 to accommodate the
> ssh_keys group?

Haven't had a chance to look yet. Appears the group membership needs to be there. If that holds true, need to tip off DISA so they can update their content too.

From https://bugzilla.redhat.com/show_bug.cgi?id=819896:
------------

Description of problem: The /usr/libexec/openssh/ssh-keysign is setgid, not setuid as it used to be.  The group is set to ssh_keys.  In the /usr/sbin/sshd-keygen script, the keys are created with the group set to ssh_keys, but the group read bit is disabled.  Thus, only root can read the keys, and host-based authentication does not work.
......
......


Steps to Reproduce:
1. Install Fedora.
2. Look at permissions on /etc/ssh/ssh_host_*key
3.
  
Actual results:
bash-4.2$ ls -l /etc/ssh/ssh_host_*key
-rw------- 1 root ssh_keys  668 May  7 15:22 /etc/ssh/ssh_host_dsa_key
-rw------- 1 root ssh_keys  965 May  7 15:22 /etc/ssh/ssh_host_key
-rw------- 1 root ssh_keys 1679 May  7 15:22 /etc/ssh/ssh_host_rsa_key


Expected results:
bash-4.2$ ls -l /etc/ssh/ssh_host_*key
-rw-r----- 1 root ssh_keys  668 May  7 15:22 /etc/ssh/ssh_host_dsa_key
-rw-r----- 1 root ssh_keys  965 May  7 15:22 /etc/ssh/ssh_host_key
-rw-r----- 1 root ssh_keys 1679 May  7 15:22 /etc/ssh/ssh_host_rsa_key
------------
Comment 5 redhatrises 2016-11-08 17:54:19 UTC 
Since the SSH keys get generated on first boot, this won't be able to be remediated through Anaconda.

> Haven't had a chance to look yet. Appears the group membership needs to be there. If that holds true, need to tip off DISA so they can update their content too.

IMO, we should tip off DISA and fix the content. Although, DISA might have done 0600 on purpose, and they may have not wanted to allow read access to the ssh_keys group....
Comment 6 redhatrises 2016-11-08 19:33:25 UTC 
Fix submitted to upstream. See https://github.com/OpenSCAP/scap-security-guide/pull/1556
Comment 9 Marek Haicman 2017-06-21 19:44:04 UTC 
Verified for version scap-security-guide-0.1.33-5.el7.noarch
Verification performed using SSG Test Suite https://github.com/OpenSCAP/scap-security-guide/commits/ba02d65857f02c824e18878e238ff8a9aea657c1

OLD:
scap-security-guide-0.1.30-3.el7.noarch
INFO - xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7-server
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - Rule result should have been "pass", but is "fail"!
WARNING - Skipping to the next scenario
INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7-server
ERROR - Scan has exited with return code 2, instead of expected 0 during stage remediation
ERROR - Rule result should have been "fixed", but is "fail"!
INFO - All snapshots reverted successfully


NEW:
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule_file_permissions_sshd_private_key-2017-06-21-21:36-1/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7
INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp-rhel7
INFO - All snapshots reverted successfully
Comment 10 errata-xmlrpc 2017-08-01 12:23:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064
Note You need to log in before you can comment on or make changes to this bug.