On 08/04/2017 12:15 AM, Paige, David B CTR USARMY ICOE (US) wrote:
There are some issues in the STIG for Red Hat Enterprise Linux 7
Server, profile: stig-rhel7-server-upstream in ssg-rhel7-xccdf.xml.
The first is "Use Only FIPS Approved MACs", RHEL-07-040620.
The STIG indicates that only hmac-sha2-512 and hmac-sha2-256 should be used. However,
the remediation script adds hmac-sha1 to the list of MACs. Removing hmac-sha1 causes the
test to fail. Also, the reference listed is incorrect. It should be RHEL-07-040400.
Also, in one instance when performing a remediation, the MACs line was appended to the last
line of /etc/ssh/sshd_config, causing sshd to fail.
The second is "Use Only Approved Ciphers", RHEL-07-040110.
The STIG indicates that the line should be listed as follows:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
However, the remediation script adds aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc. Removing
these cbc and 3des ciphers causes the check to fail.
_______________________________________________
scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org
Hello David,
It looks like you use an older version of SCAP Security Guide (0.1.30 I
guess?). Can you try a newer one? At least the MACs line mangling
sshd_config should be fixed there. The rest is possibly still not in
line with expectations and we have to take a look.
Thanks,
Marek
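As an added example (not SSG's own remediation or check, and the function names are my own), a remediation helper that rewrites sshd_config as a whole so a new directive can never be glued onto a last line that lacks a trailing newline, plus a check that the active directive lists exactly the STIG-approved algorithms; it assumes the file has no Match block, since a directive appended at the end would otherwise land inside it.

```bash
#!/bin/bash
set -eu

# Set KEY to VALUE in FILE: replace the first existing occurrence (active or
# commented out), drop any duplicates, append at the end if none exists.
# Because awk re-emits every record with its own newline, a final line without
# "\n" (the mangling case) is terminated properly before anything is appended.
set_sshd_directive() {
    local file="$1" key="$2" value="$3"
    awk -v key="$key" -v val="$value" '
        BEGIN { re = "^[[:space:]]*#?[[:space:]]*" key "[[:space:]]" }
        $0 ~ re { if (!done) { print key " " val; done = 1 }; next }
        { print }
        END { if (!done) print key " " val }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Check: the last active KEY line must carry exactly EXPECTED (same order,
# nothing extra such as hmac-sha1 or the CBC ciphers).
sshd_directive_is() {
    local file="$1" key="$2" expected="$3"
    local actual
    actual=$(grep -E "^[[:space:]]*${key}[[:space:]]" "$file" | tail -n 1 | awk '{print $2}')
    [ "$actual" = "$expected" ]
}
```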