Bug 1401069 - USGCB/STIG Profile causes SSHD to not start
Summary: USGCB/STIG Profile causes SSHD to not start
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.3
Hardware: Unspecified
OS: Linux
high
urgent
Target Milestone: rc
Assignee: Watson Yuuma Sato
QA Contact: Marek Haicman
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1415152
Reported: 2016-12-02 16:47 UTC by Brian Stinson
Modified: 2017-08-01 12:23 UTC
CC: 17 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Prior to this update, the OpenSCAP remediation function based on United States Government Configuration Baseline (USGCB) or Security Technical Implementation Guide (STIG) profiles from the SCAP Security Guide incorrectly changed the /etc/ssh/sshd_config file. Consequently, the SSH daemon failed to start and the system was not accessible using the SSH protocol. The remediation function has been fixed and a machine remediated using USGCB or STIG profiles is now accessible by SSH.
Clone Of:
Clones: 1415152
Environment:
Last Closed: 2017-08-01 12:23:38 UTC


Attachments
Log showing Cipher messages (11.42 KB, text/x-vhdl)
2016-12-02 16:47 UTC, Brian Stinson


Links:
Red Hat Product Errata RHBA-2017:2064 (priority normal, status SHIPPED_LIVE): scap-security-guide bug fix and enhancement update, last updated 2017-08-01 16:05:50 UTC

Description Brian Stinson 2016-12-02 16:47:22 UTC
Created attachment 1227420
Log showing Cipher messages

Description of problem:
Installing RHEL 7.3 and selecting the 'United States Government Configuration Baseline (USGCB/STIG)' profile causes the sshd service to stop on a malformed configuration file.

Version-Release number of selected component (if applicable):
$ rpm -qa scap-security-guide
scap-security-guide-0.1.30-3.el7.noarch

How reproducible:
Every new install with the USGCB/STIG profile applied


Steps to Reproduce:
1. Start a fresh RHEL 7.3 Install
2. Choose the 'United States Government Configuration Baseline' profile from the security profile spoke
3. Notice that journalctl -u sshd reports an error, and that the last line of /etc/ssh/sshd_config containing the ciphers is concatenated with another directive for the MACs


Actual results:
sshd.service is stopped, and a 'BAD SSH2 cipher spec' message appears in the journal (see attached sshd_log)


Expected results:
sshd.service should be running

Additional info:
I suspect that the sshd_config does not have a trailing newline after the 'Ciphers' directive which means that remediations/bash/sshd_use_approved_macs.sh concatenates the MACs directive onto the same line

Comment 10 Marek Haicman 2017-01-19 12:43:21 UTC
This PR should fix the issue: https://github.com/OpenSCAP/scap-security-guide/pull/1471

Comment 13 Marek Haicman 2017-06-13 21:47:02 UTC
Verified fix in scap-security-guide-0.1.33-4.el7.noarch

State of /etc/ssh/sshd_config after full remediation of ospp (USGCB) profile:
OLD (scap-security-guide-0.1.30-3.el7.noarch):
<snip>
# Per CCE: Set PermitEmptyPasswords no in /etc/ssh/sshd_config
PermitEmptyPasswords no
# Per CCE: Set PermitUserEnvironment no in /etc/ssh/sshd_config
PermitUserEnvironment no
# Per CCE: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbcMACs hmac-sha2-512,hmac-sha2-256,hmac-sha1

NEW:
<snip>
# Per CCE-CCE-27295-5: Set Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc in /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

# Per CCE-CCE-27455-5: Set MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com in /etc/ssh/sshd_config
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
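Added example (not part of the bug report and not scap-security-guide's own remediation code) illustrating the mechanism Brian describes in the description and the OLD/NEW output above: a bash helper that guards the append against a missing trailing newline, and a check that flags a config in which directives were glued together. The function names, the keyword regex and the constructed config fragment are my own.

```bash
#!/bin/bash
# Added example (not code from scap-security-guide): set an sshd_config
# directive the way the MACs remediation should have, guarding against a
# last line ("Ciphers ...") that has no trailing newline, and detect a
# config in which two directives were glued onto one line.

# Append "KEY VALUE" as its own line. If the file's last byte is not a
# newline, a blind ">>" fuses the new directive onto the previous line,
# producing "aes256-cbcMACs hmac-sha2-512,..." as in the OLD output above.
# Command substitution strips a trailing newline, so a non-empty result
# from tail -c 1 means the file lacks one.
append_sshd_directive() {
    local file="$1" key="$2" value="$3"
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s %s\n' "$key" "$value" >> "$file"
}

# Replace an existing uncommented KEY line in place, or append one.
# Assumes VALUE contains no '|' or '&' (true for cipher and MAC lists).
set_sshd_directive() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s|^[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        append_sshd_directive "$file" "$key" "$value"
    fi
}

# Exit 0 when a Ciphers/MACs/KexAlgorithms keyword is glued to the end of a
# preceding token instead of starting its own line (sshd then refuses to start).
has_merged_directives() {
    grep -Eq '[^[:space:]#](Ciphers|MACs|KexAlgorithms)[[:space:]]' "$1"
}

# Reproduce the bug on a constructed config tail, then the guarded path.
# Returns 0 only if the blind append merges lines and the guarded one does not.
demo_merge_bug() {
    local naive fixed rc=1
    naive=$(mktemp) && fixed=$(mktemp)
    # Constructed sshd_config tail with no newline after the Ciphers line.
    printf 'PermitEmptyPasswords no\nCiphers aes128-ctr,aes256-ctr' | tee "$naive" > "$fixed"
    printf 'MACs hmac-sha2-512,hmac-sha2-256\n' >> "$naive"       # blind append
    set_sshd_directive "$fixed" MACs hmac-sha2-512,hmac-sha2-256   # guarded
    if has_merged_directives "$naive" && ! has_merged_directives "$fixed"; then rc=0; fi
    rm -f "$naive" "$fixed"; return "$rc"
}
```

Running has_merged_directives against /etc/ssh/sshd_config after a remediation is a quick post-check before restarting sshd; `sshd -t` remains the authoritative syntax check.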

Comment 14 errata-xmlrpc 2017-08-01 12:23:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064

