Bug 2115343 - file_permissions_sshd_private_key is not aligned with DISA STIG benchmark
Summary: file_permissions_sshd_private_key is not aligned with DISA STIG benchmark
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Vojtech Polasek
QA Contact: Jiri Jaburek
Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks: 2123284 2168057 2168058 2168059
Reported: 2022-08-04 13:06 UTC by Milan Lysonek
Modified: 2023-06-28 09:12 UTC (History)

Fixed In Version: scap-security-guide-0.1.66-1.el8
Doc Type: Bug Fix
Doc Text:
.SCAP Security Guide rule `file_permissions_sshd_private_key` is aligned with STIG configuration RHEL-08-010490
Previously, the implementation of rule `file_permissions_sshd_private_key` allowed private SSH keys to be readable by the `ssh_keys` group with mode `0644`, while DISA STIG version RHEL-08-010490 required private SSH keys to have mode `0600`. As a consequence, evaluation with DISA's automated STIG benchmark failed for configuration RHEL-08-010490. For this update, we worked with DISA to align the expected permissions for private SSH keys, and now private keys are expected to have mode `0644` or less permissive. As a result, the rule `file_permissions_sshd_private_key` and configuration RHEL-08-010490 are now aligned.
Clone Of:
Environment:
Last Closed: 2023-05-16 08:39:27 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-130306 0 None None None 2022-08-04 13:17:35 UTC
Red Hat Product Errata RHBA-2023:2869 0 None None None 2023-05-16 08:40:27 UTC

Description Milan Lysonek 2022-08-04 13:06:42 UTC
Description of problem:
Scap-security-guide rule xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key is not aligned with DISA STIG xccdf_mil.disa.stig_rule_SV-230287r743951_rule.

SSG:
xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key expects SSH private keys with:
 0600 permission and owned by root:root
or
 0640 permission and owned by root:ssh_keys

DISA:
xccdf_mil.disa.stig_rule_SV-230287r743951_rule expects SSH private keys with 0600 permission, no matter the group owner.


Version-Release number of selected component (if applicable):
scap-security-guide-0.1.63-1.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Private keys with 0640 permission and ssh_keys group exist
2. oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
3. oscap xccdf eval --profile '(all)' --rule xccdf_mil.disa.stig_rule_SV-230287r743951_rule disa-stig-rhel8-v1r6-xccdf-scap.xml

Actual results:
# oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 
--- Starting Evaluation ---

Title   Verify Permissions on SSH Server Private *_key Key Files
Rule    xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Ident   CCE-82424-3
Result  pass

# oscap xccdf eval --profile '(all)' --rule xccdf_mil.disa.stig_rule_SV-230287r743951_rule disa-stig-rhel8-v1r6-xccdf-scap.xml
--- Starting Evaluation ---

Title   The RHEL 8 SSH private host key files must have mode 0600 or less permissive.
Rule    xccdf_mil.disa.stig_rule_SV-230287r743951_rule
Ident   CCI-000366
Result  fail


Expected results:
# oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 
--- Starting Evaluation ---

Title   Verify Permissions on SSH Server Private *_key Key Files
Rule    xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
Ident   CCE-82424-3
Result  pass

# oscap xccdf eval --profile '(all)' --rule xccdf_mil.disa.stig_rule_SV-230287r743951_rule disa-stig-rhel8-v1r6-xccdf-scap.xml
--- Starting Evaluation ---

Title   The RHEL 8 SSH private host key files must have mode 0600 or less permissive.
Rule    xccdf_mil.disa.stig_rule_SV-230287r743951_rule
Ident   CCI-000366
Result  pass
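
As an added illustration (not the SSG or DISA check itself, and not code from this report), a small Python checker that encodes the two rule definitions quoted in the description and runs them over a constructed inventory of host keys, listing the files on which the two rules disagree. The names KeyFile, ssg_passes, disa_v1r6_passes and misaligned, the sample paths and modes, and the assumption that the SSG variant also accepts modes less permissive than 0600/0640 are mine, not the project's.

```python
import grp
import os
import pwd
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyFile:
    path: str
    mode: int    # permission bits only (no file-type bits), e.g. 0o640
    user: str
    group: str


def key_file_from_path(path: str) -> KeyFile:
    # Read mode/owner/group of a real file; the constructed sample below does not call this.
    st = os.stat(path)
    return KeyFile(path, stat.S_IMODE(st.st_mode),
                   pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name)


def mode_within(mode: int, allowed: int) -> bool:
    # "mode X or less permissive": no permission bit is set outside the allowed mask
    return mode & ~allowed == 0


def ssg_passes(f: KeyFile) -> bool:
    # SSG rule as the report describes it: 0600 root:root, or 0640 root:ssh_keys
    # (assumption: less permissive modes are accepted as well)
    if f.user != "root":
        return False
    if f.group == "root":
        return mode_within(f.mode, 0o600)
    if f.group == "ssh_keys":
        return mode_within(f.mode, 0o640)
    return False


def disa_v1r6_passes(f: KeyFile) -> bool:
    # DISA SV-230287r743951_rule (V1R6): 0600 or less permissive, group owner ignored
    return mode_within(f.mode, 0o600)


def misaligned(files) -> list:
    # Keys on which the two rules disagree: exactly the situation this bug reports
    return [f.path for f in files if ssg_passes(f) != disa_v1r6_passes(f)]


# Constructed sample inventory, not read from a real host.
SAMPLE_KEYS = [
    KeyFile("/etc/ssh/ssh_host_rsa_key", 0o640, "root", "ssh_keys"),   # SSG pass, DISA fail
    KeyFile("/etc/ssh/ssh_host_ecdsa_key", 0o600, "root", "root"),     # both pass
    KeyFile("/etc/ssh/ssh_host_ed25519_key", 0o644, "root", "root"),   # both fail
]

if __name__ == "__main__":
    print("misaligned:", misaligned(SAMPLE_KEYS))   # ['/etc/ssh/ssh_host_rsa_key']
```

To check a real host, build the inventory with key_file_from_path over the private keys under /etc/ssh instead of SAMPLE_KEYS.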

Comment 4 Watson Yuuma Sato 2023-01-26 10:26:39 UTC
DISA has updated their automated content and now the rules are aligned.
The update to DISA's automated content V1R8 aligns them:
https://github.com/ComplianceAsCode/content/pull/10078

Comment 28 errata-xmlrpc 2023-05-16 08:39:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2869

