Bug 1401069 - USGCB/STIG Profile causes SSHD to not start
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
7.3
Unspecified Linux
high Severity urgent
: rc
Assigned To: Watson Yuuma Sato
Marek Haicman
Mirek Jahoda
: ZStream
Blocks: 1415152
Reported: 2016-12-02 11:47 EST by Brian Stinson
Modified: 2017-04-18 20:22 EDT
Doc Type: Bug Fix
Doc Text:
Prior to this update, the OpenSCAP remediation function based on United States Government Configuration Baseline (USGCB) or Security Technical Implementation Guide (STIG) profiles from the SCAP Security Guide incorrectly changed the /etc/ssh/sshd_config file. Consequently, the SSH daemon failed to start and the system was not accessible using the SSH protocol. The remediation function has been fixed and a machine remediated using USGCB or STIG profiles is now accessible by SSH.
Type: Bug
Description Brian Stinson 2016-12-02 11:47:22 EST
Created attachment 1227420
Log showing Cipher messages

Description of problem:
Installing RHEL 7.3 and selecting the 'United States Government Configuration Baseline (USGCB/STIG)' profile causes the sshd service to stop on a malformed configuration file.

Version-Release number of selected component (if applicable):
$ rpm -qa scap-security-guide
scap-security-guide-0.1.30-3.el7.noarch

How reproducible:
Every new install with the USGCB/STIG profile applied


Steps to Reproduce:
1. Start a fresh RHEL 7.3 Install
2. Choose the 'United States Government Configuration Baseline' profile from the security profile spoke
3. Notice that journalctl -u sshd reports an error, and that the last line of /etc/ssh/sshd_config containing the ciphers is concatenated with another directive for the MACs


Actual results:
sshd.service is stopped, and a 'BAD SSH2 cipher spec' message appears in the journal (see attached sshd_log)


Expected results:
sshd.service should be running

Additional info:
I suspect that the sshd_config does not have a trailing newline after the 'Ciphers' directive, which means that remediations/bash/sshd_use_approved_macs.sh concatenates the MACs directive onto the same line.
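
The failure mode suspected in the description above, as an added example (not part of the original report and not the scap-security-guide remediation script): appending to a config file that lacks a trailing newline fuses the new directive onto the last line, while a newline-safe append does not. The function names and the sample Ciphers/MACs values are constructed for illustration.

```shell
#!/bin/sh
# Added example. File contents are constructed sample values.

# Naive append: assumes the file already ends with a newline.
naive_append() {    # $1 = file, $2 = directive line
    printf '%s\n' "$2" >> "$1"
}

# Newline-safe append: if the file is non-empty and its last byte is not a
# newline, terminate the last line before adding the directive.
safe_append() {     # $1 = file, $2 = directive line
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$1"
    fi
    printf '%s\n' "$2" >> "$1"
}

# Print the line numbers where Ciphers or MACs carries more than one
# argument, which is what a fused "Ciphers ...MACs ..." line looks like.
fused_lines() {     # $1 = file
    awk 'tolower($1) ~ /^(ciphers|macs)$/ && NF > 2 { print NR }' "$1"
}

# Build a constructed config whose last line lacks a trailing newline,
# append a MACs directive with the given function, and report fused lines.
demo() {            # $1 = name of the append function to use
    f=$(mktemp) || return 1
    printf 'Protocol 2\nCiphers aes128-ctr,aes256-ctr' > "$f"
    "$1" "$f" 'MACs hmac-sha2-512,hmac-sha2-256'
    fused_lines "$f"
    rm -f "$f"
}

echo "naive append, fused line(s): $(demo naive_append)"
echo "safe append,  fused line(s): $(demo safe_append)"
```

On a real host, running `sshd -t` after a remediation validates the resulting configuration before the service is restarted.
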
Comment 10 Marek Haicman 2017-01-19 07:43:21 EST
This PR should fix the issue: https://github.com/OpenSCAP/scap-security-guide/pull/1471
