Hello,
Great! Thanks for clarification.
I have reported this issue upstream. You can track fixing the problem there.
https://github.com/OpenSCAP/scap-security-guide/issues/2296
Regards
Jan Černý
Security Technologies | Red Hat, Inc.
----- Original Message -----
> From: "Jakub Jelen" <jjelen(a)redhat.com>
> To: "Jan Cerny" <jcerny(a)redhat.com>
> Cc: "Dushyant Uge" <duge(a)redhat.com>, "tech-list" <tech-list(a)redhat.com>, "SCAP Security Guide"
> <scap-security-guide(a)lists.fedorahosted.org>
> Sent: Tuesday, September 5, 2017 1:26:01 PM
> Subject: Re: Reg: Openscap scanning for SSH
>
> On Tue, 2017-09-05 at 07:22 -0400, Jan Cerny wrote:
> > Hi,
> >
> > Thank you very much for letting us know.
> >
> > I have looked into this issue. The rule "Allow Only SSH Protocol 2"
> > checks if /etc/sshd_config contains the string "Protocol 2".
> > See the implementation of this check:
> > https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/static/oval/sshd_allow_only_protocol2.xml
> >
> > Jakub, do I understand it well, that since RHEL 7.4 this configuration
> > option doesn't exist anymore? Will the system always satisfy the requirement
> > that only SSHv2 is allowed? What way do you recommend to check that
> > this requirement is satisfied?
> >
> > I think If SSH v2 is the only option on RHEL 7.4, we should remove
> > this rule from SCAP Security Guide for RHEL7 completely.
>
> I would not remove it. Some people might be running the old openssh
> from RHEL7.3. I would say that every OpenSSH RPM package >=7.4 will
> satisfy this rule. If we have an older version, I would leave the check as
> it was. Though not sure how to write it in your language :)
>
> Jakub
>
> > Dushyant, FYI, rules for OpenSCAP come from the "SCAP Security Guide" project,
> > https://github.com/OpenSCAP/scap-security-guide
> > which has a special mailing list:
> > https://lists.fedorahosted.org/admin/lists/scap-security-guide.lists.fedorahosted.org/
> > If you run into a similar problem in future, you can ask there directly :D
> > I'm including the mailing list in this thread so that experts can chime in.
> >
> >
> > Regards
> >
> > Jan Černý
> > Security Technologies | Red Hat, Inc.
> >
> > ----- Original Message -----
> > > From: "Jakub Jelen" <jjelen(a)redhat.com>
> > > To: "Dushyant Uge" <duge(a)redhat.com>
> > > Cc: "tech-list" <tech-list(a)redhat.com>, jcerny(a)redhat.com
> > > Sent: Tuesday, September 5, 2017 10:29:19 AM
> > > Subject: Re: Reg: Openscap scanning for SSH
> > >
> > > On Tue, 2017-09-05 at 08:07 +0530, Dushyant Uge wrote:
> > > > Hello Jakub Jelen,
> > > >
> > > > Thank you for your response.
> > > >
> > > > > > The rules in OpenSCAP need to be updated to reflect this
> > > >
> > > > So, Are we in the process of updating OpenSCAP scanning rules?
> > > > or Do we need to file a bugzilla ?
> > >
> > > I am not sure if the OpenSCAP team or SSG is aware of this issue. I
> > > added Jan, who should know better.
> > >
> > > >
> > > > On Mon, Sep 4, 2017 at 5:08 PM, Jakub Jelen <jjelen(a)redhat.com>
> > > > wrote:
> > > >
> > > > > On Mon, 2017-09-04 at 11:02 +0530, Dushyant Uge wrote:
> > > > > > Hello,
> > > > > >
> > > > > > While scanning a RHEL7 system with openscap, below are the results for
> > > > > > ssh protocol2
> > > > > >
> > > > > > -------------------------------------
> > > > > > oval:ssg-sshd_allow_only_protocol2:def:1 false compliance [20140414],
> > > > > > [sshd_allow_only_protocol2] Ensure Only Protocol 2 Connections Allowed
> > > > > > -------------------------------------
> > > > > >
> > > > > > Customer has below concern --
> > > > > >
> > > > > > The description in the openscap-workbench:
> > > > > > Only SSH protocol version 2 connections should be permitted. The
> > > > > > default setting in /etc/ssh/sshd_config is correct, and can be
> > > > > > verified by ensuring that the following line appears: Protocol 2
> > > > > >
> > > > > > Since this is the default, the check should NOT be for "2", but
> > > > > > to make sure that "1" is NOT present.
> > > > > >
> > > > > > Is this a valid implementation request ?
> > > > > >
> > > > > > Please suggest.
> > > > > >
> > > > >
> > > > > The SSH-1 protocol was removed in RHEL7.4 (openssh-7.4p1 and newer),
> > > > > therefore the configuration files will not contain the Protocol option,
> > > > > nor will sshd -T output it. The rules in OpenSCAP need to be updated
> > > > > to reflect this:
> > > > >
> > > > > https://access.redhat.com/articles/3022681
> > > > >
> > >
> > > --
> > > Jakub Jelen
> > > Software Engineer
> > > Security Technologies
> > > Red Hat, Inc.
> > >
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
>
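A version-aware form of the check debated in this thread, as an added example rather than the SSG OVAL definition: on OpenSSH 7.4 or newer the rule is satisfied because SSH-1 support and the Protocol keyword are gone, while older packages fall back to requiring an active "Protocol 2" line. The version-string format and the config-line matching are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the SSG check: version-aware "allow only SSH protocol 2"
# test. Assumes the version string looks like rpm's %{VERSION} for OpenSSH
# ("6.6.1p1", "7.4p1"); the Protocol line matching is this example's own.

# Return 0 when OpenSSH is 7.4 or newer, i.e. SSH-1 support no longer exists.
openssh_dropped_sshv1() {
    ver=${1%%p*}                       # drop the "pN" portable-release suffix
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 4 ]; }
}

# Return 0 when sshd_config ($1) has an active "Protocol 2" line and no active
# Protocol line that still lists version 1 (such as "Protocol 2,1").
config_allows_only_protocol2() {
    grep -Eiq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' "$1" &&
    ! grep -Eiq '^[[:space:]]*Protocol[[:space:]]+([0-9],)*1([,[:space:]]|$)' "$1"
}

# Combined rule: $1 = OpenSSH version, $2 = path to sshd_config.
# Newer packages pass unconditionally; older ones must carry the explicit line.
sshd_allow_only_protocol2() {
    if openssh_dropped_sshv1 "$1"; then
        return 0
    fi
    config_allows_only_protocol2 "$2"
}

# Live use on a RHEL host (not run here):
#   sshd_allow_only_protocol2 "$(rpm -q --qf '%{VERSION}' openssh-server)" /etc/ssh/sshd_config
```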
Hi All,
I recall recently someone had asked about SSG for Ubuntu, and there was a
long thread following about the STIG process. I was surprised today when
someone asked me if I could look at the Ubuntu STIG because just last week
I had been on the STIG website and no such thing had existed.
Anyway, https://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx has
Ubuntu 16.04 STIG v1r1 available. Will there be any work in the SSG
project to incorporate this?
P.S. I wonder how Canonical got a STIG published without going through any
draft releases and less than 18 months after the OS version was published?
--Sean
Hello,
Regarding issue
https://github.com/OpenSCAP/scap-security-guide/issues/2202, which is
about the remediation of Rule 'set_firewalld_default_zone' setting the default
zone of firewalld to drop and, as a consequence, locking down the machine
if no interface is assigned to a zone with the SSH service enabled (because
an interface with no zone assigned goes to the default zone):
There is PR https://github.com/OpenSCAP/scap-security-guide/pull/2285
which introduced a remediation for Rule 'firewalld_sshd_port_enabled'
that will assign the first Ethernet interface found to a zone with SSH
enabled; this will avoid lock down of the machine.
But the question is, how useful is this remediation? Would it work in
your infrastructure?
There is concern that this scenario is too complex for a remediation to
fix correctly and in a suitable way for everybody. There are too many
unknowns about configuration, hardware, and SSH use cases.
We may be in a situation that any remediation implemented will do more
harm than good.
Dropping remediations for 'set_firewalld_default_zone' and
'firewalld_sshd_port_enabled' can be a safer solution for
https://github.com/OpenSCAP/scap-security-guide/issues/2202, as the fixes
for these rules are not straightforward.
With regards,
--
Watson Sato
Security Technologies | Red Hat, Inc
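A pre-flight check for the lock-out scenario described in this message, added here as an example and not SSG's remediation: before a remediation sets the firewalld default zone to drop, confirm that some interface is explicitly bound to a zone that allows the ssh service. The input layout (that of `firewall-cmd --list-all-zones`) and the sample zone listings are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SSG's remediation: pre-flight check for issue 2202.
# Reads text in the layout of `firewall-cmd --list-all-zones` on stdin
# (layout assumed here) and succeeds, printing the zone name, when at least
# one interface is bound to a zone whose services include ssh. An interface
# without an explicit zone falls into the default zone, so only an explicit
# binding keeps SSH reachable once the default zone becomes "drop".
ssh_reachable_after_drop_default() {
    awk '
        /^[^ \t]/            { zone = $1; ifaces = ""; has_ssh = 0; next }
        /^[ \t]+interfaces:/ { sub(/^[ \t]+interfaces:[ \t]*/, ""); ifaces = $0 }
        /^[ \t]+services:/   { for (i = 2; i <= NF; i++) if ($i == "ssh") has_ssh = 1 }
        ifaces != "" && has_ssh { ok = 1; safe_zone = zone }
        END { if (ok) print safe_zone; exit (ok ? 0 : 1) }
    '
}

# Constructed sample (only the fields this check reads): eth0 is bound to
# "public", which allows ssh, so changing the default zone is survivable.
SAFE_ZONES='drop
  target: DROP
  interfaces:
  services:

public (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client'

# Constructed sample where no interface is bound to any zone: after "drop"
# becomes the default zone every interface inherits it and SSH access is lost.
LOCKOUT_ZONES='drop
  target: DROP
  interfaces:
  services:

public
  target: default
  interfaces:
  services: ssh dhcpv6-client'

# Live use before a remediation changes the default zone (not run here):
#   firewall-cmd --list-all-zones | ssh_reachable_after_drop_default \
#       || echo "refusing to set default zone to drop: SSH would be locked out"
```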
Hi,
Thank you very much for letting us know.
I have looked into this issue. The rule "Allow Only SSH Protocol 2"
checks if /etc/sshd_config contains the string "Protocol 2".
See the implementation of this check:
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/template…
Jakub, do I understand it well, that since RHEL 7.4 this configuration
option doesn't exist anymore? Will the system always satisfy the requirement
that only SSHv2 is allowed? What way do you recommend to check that
this requirement is satisfied?
I think If SSH v2 is the only option on RHEL 7.4, we should remove
this rule from SCAP Security Guide for RHEL7 completely.
Dushyant, FYI, rules for OpenSCAP come from the "SCAP Security Guide" project,
https://github.com/OpenSCAP/scap-security-guide
which has a special mailing list:
https://lists.fedorahosted.org/admin/lists/scap-security-guide.lists.fedora…
If you run into a similar problem in future, you can ask there directly :D
I'm including the mailing list in this thread so that experts can chime in.
Regards
Jan Černý
Security Technologies | Red Hat, Inc.
----- Original Message -----
> From: "Jakub Jelen" <jjelen(a)redhat.com>
> To: "Dushyant Uge" <duge(a)redhat.com>
> Cc: "tech-list" <tech-list(a)redhat.com>, jcerny(a)redhat.com
> Sent: Tuesday, September 5, 2017 10:29:19 AM
> Subject: Re: Reg: Openscap scanning for SSH
>
> On Tue, 2017-09-05 at 08:07 +0530, Dushyant Uge wrote:
> > Hello Jakub Jelen,
> >
> > Thank you for your response.
> >
> > > > The rules in OpenSCAP need to be updated to reflect this
> >
> > So, Are we in the process of updating OpenSCAP scanning rules?
> > or Do we need to file a bugzilla ?
>
> I am not sure if the OpenSCAP team or SSG is aware of this issue. I
> added Jan, who should know better.
>
> >
> > On Mon, Sep 4, 2017 at 5:08 PM, Jakub Jelen <jjelen(a)redhat.com>
> > wrote:
> >
> > > On Mon, 2017-09-04 at 11:02 +0530, Dushyant Uge wrote:
> > > > Hello,
> > > >
> > > > While scanning a RHEL7 system with openscap, below are the results for
> > > > ssh protocol2
> > > >
> > > > -------------------------------------
> > > > oval:ssg-sshd_allow_only_protocol2:def:1 false compliance [20140414],
> > > > [sshd_allow_only_protocol2] Ensure Only Protocol 2 Connections Allowed
> > > > -------------------------------------
> > > >
> > > > Customer has below concern --
> > > >
> > > > The description in the openscap-workbench:
> > > > Only SSH protocol version 2 connections should be permitted. The
> > > > default setting in /etc/ssh/sshd_config is correct, and can be
> > > > verified by ensuring that the following line appears: Protocol 2
> > > >
> > > > Since this is the default, the check should NOT be for "2", but
> > > > to make sure that "1" is NOT present.
> > > >
> > > > Is this a valid implementation request ?
> > > >
> > > > Please suggest.
> > > >
> > >
> > > The SSH-1 protocol was removed in RHEL7.4 (openssh-7.4p1 and newer),
> > > therefore the configuration files will not contain the Protocol option,
> > > nor will sshd -T output it. The rules in OpenSCAP need to be updated
> > > to reflect this:
> > >
> > > https://access.redhat.com/articles/3022681
> > >
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
>