Bug 1467784 - Openscap scan allows only exactly the list of ciphers for rule ssg-obj_sshd_use_approved_ciphers
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: scap-security-guide
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Watson Yuuma Sato
QA Contact: BaseOS QE Security Team
Blocks: 1461138
Reported: 2017-07-05 03:10 EDT by dgupte
Modified: 2017-09-20 12:19 EDT (History)

Type: Bug


External Trackers: Red Hat Bugzilla 1413494 (last updated 2017-07-05 03:10 EDT)

Description dgupte 2017-07-05 03:10:19 EDT
Description of problem:

Using the C2S and PCI-DSS profiles for Red Hat Enterprise Linux 6, the following test fails:

Object oval:ssg-obj_sshd_use_approved_ciphers:obj:1 of type textfilecontent54_object

/etc/ssh/sshd_config	^[\s]*(?i)Ciphers(?-i)[\s]+aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc[\s]*(?:|(?:#.*))?$

This is not a valid test, because it allows only EXACTLY the list of ciphers:

The customer's systems use only:


All of these are in the list of approved ciphers, and the configuration is MORE restrictive than the test, yet the test fails.

It fails because it expects that exact list of ciphers in that exact order. The test needs to be updated so that, instead of a simple match, it actually checks that all listed ciphers are in the approved list (i.e., any subset of the approved ciphers in any order should be a valid test).

Version-Release number of selected component (if applicable):

Additional info:

- There's an existing Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1413494) for RHEL 7, planned to be resolved in the RHEL 7.4 release.

This functionality really needs to be backported to RHEL 6 as well.

    <ind:textfilecontent54_object id="oval:ssg-obj_sshd_use_approved_ciphers:obj:1" version="2">
      <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
      <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc[\s]*(?:|(?:#.*))?$</ind:pattern>
      <!-- instance element required by the textfilecontent54_object schema; added to complete the excerpt above -->
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
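The following is an added illustration of the problem described in the report and of the subset-in-any-order check it asks for; it is not code from scap-security-guide or from the reporter. It reproduces the rule's pattern with PCRE's inline (?i)Ciphers(?-i) rewritten as the scoped group (?i:Ciphers) so that Python's re module accepts it (same meaning), builds a subset-aware pattern from the same seven names, adds a parse-based check that names the offending cipher, and runs all three over constructed sshd_config fragments (not real customer data). Applying the patterns line by line is an assumption about how the OVAL engine evaluates ^ and $.

```python
import re

# The seven cipher names the SSG rule on this page accepts, in the order the
# original OVAL pattern hard-codes them.
APPROVED = [
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc",
]

# The rule's original pattern, with PCRE's inline (?i)Ciphers(?-i) rewritten as
# the scoped group (?i:Ciphers) that Python's re module accepts (same meaning:
# only the keyword is case-insensitive; cipher names are matched exactly).
EXACT_LIST_PATTERN = re.compile(
    r"^[\s]*(?i:Ciphers)[\s]+" + ",".join(APPROVED) + r"[\s]*(?:|(?:#.*))?$"
)

# Subset-aware replacement: one or more approved names, comma-separated, in any
# order, optionally followed by a trailing comment. Building the alternation
# from APPROVED keeps the regex and the parse-based check below in step.
_NAME = "(?:" + "|".join(re.escape(c) for c in APPROVED) + ")"
SUBSET_PATTERN = re.compile(
    r"^[\s]*(?i:Ciphers)[\s]+" + _NAME + "(?:," + _NAME + r")*[\s]*(?:#.*)?$"
)

# How sshd reads the keyword: case-insensitive, first uncommented occurrence wins.
_CIPHERS_LINE = re.compile(r"^\s*(?i:Ciphers)\s+(\S+)\s*(?:#.*)?$")


def _matches(pattern, config_text):
    """Apply an OVAL-style line pattern to every line of the file text."""
    return any(pattern.match(line) for line in config_text.splitlines())


def check_exact(config_text):
    """Behaviour the bug reports: pass only with the full list in the fixed order."""
    return _matches(EXACT_LIST_PATTERN, config_text)


def check_subset(config_text):
    """Behaviour the report asks for: pass with any non-empty subset, any order."""
    return _matches(SUBSET_PATTERN, config_text)


def effective_ciphers(config_text):
    """Cipher list sshd would use, or None when the keyword is absent (built-in default)."""
    for line in config_text.splitlines():
        m = _CIPHERS_LINE.match(line)
        if m:
            return m.group(1).split(",")
    return None


def unapproved(config_text):
    """Names in the effective Ciphers line that are not approved; None if no line."""
    ciphers = effective_ciphers(config_text)
    if ciphers is None:
        return None
    return [c for c in ciphers if c not in APPROVED]


# Constructed sshd_config fragments for the scenarios in the report
# (assumed inputs, not real customer data).
SAMPLES = {
    # the one configuration the original pattern accepts
    "exact_list": "Ciphers " + ",".join(APPROVED) + "\n",
    # a stricter CTR-only subset, reordered, lower-case keyword, trailing comment
    "ctr_subset": "# hardened\nciphers aes256-ctr,aes192-ctr,aes128-ctr  # CTR only\n",
    # an approved name mixed with one that is not on the list
    "weak_cipher": "Ciphers aes256-ctr,arcfour256\n",
    # commented out: sshd falls back to its compiled-in default list
    "commented": "#Ciphers aes256-ctr\n",
}


if __name__ == "__main__":
    # To try a live host instead: check_subset(open("/etc/ssh/sshd_config").read())
    for name, text in SAMPLES.items():
        print(f"{name:12} exact={check_exact(text)!s:5} "
              f"subset={check_subset(text)!s:5} unapproved={unapproved(text)}")
```

The ctr_subset fragment is the customer's situation: it fails check_exact and passes check_subset. Two caveats on the subset regex: it accepts a name repeated in the list (harmless to sshd) and it does not understand the +/- list modifiers of later OpenSSH releases, which would need their own handling. The parse-based unapproved() shows what a pattern-match OVAL test cannot: which name actually caused the failure.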
