Red Hat Bugzilla – Bug 1467784
Openscap scan allows only exactly the list of ciphers for rule ssg-obj_sshd_use_approved_ciphers
Last modified: 2017-09-20 12:19:02 EDT
Description of problem: Using the profile C2S and PCI-DSS for Red Hat Enterprise Linux 6, the following test fails Object oval:ssg-obj_sshd_use_approved_ciphers:obj:1 of type textfilecontent54_object /etc/ssh/sshd_config ^[\s]*(?i)Ciphers(?-i)[\s]+aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc[\s]*(?:|(?:#.*))?$ This is not a valid test, because it allows only EXACTLY the list of ciphers: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc Customer's systems use only: aes128-ctr,aes192-ctr,aes256-ctr All of which are in the list of approved ciphers, and is MORE restrictive than the test, yet the test fails. It fails because it expects that exact list of ciphers in that exact order. The test needs to be updated so that instead of a simple match, it actually checks that all listed ciphers are in the approved list (ie, any subset of the approved ciphers in any order should be a vaild test). Version-Release number of selected component (if applicable): scap-security-guide-0.1.28-3.el6.noarch Additional info: - There's existing bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1413494) for RHEL7 and planned to resolve in RHEL 7.4 release. Really need to backport this functionality in RHEL 6 as well. ------------------- <ind:textfilecontent54_object id="oval:ssg-obj_sshd_use_approved_ciphers:obj:1" version="2"> <ind:filepath>/etc/ssh/sshd_config</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc[\s]*(?:|(?:#.*))?$</ind:pattern> -------------------