I’d leave it, since something seems to revert the permissions later back to 0640.
(Probably a package update, but I haven’t researched it yet.)
Tom A.
On Sep 25, 2018, at 2:24 PM, Matus Marhefka <mmarhefk@redhat.com> wrote:
Hello,
@Shawn Wells <swells@redhat.com> you are right and I fixed our content, see
https://github.com/ComplianceAsCode/content/pull/3362 for more details. Is it okay or
should we stay with 0600 until DISA fixes it in their content?
Best Regards,
Matus
On Thu, Sep 20, 2018 at 8:31 PM Dushyant Uge <duge@redhat.com> wrote:
Thank you all for your responses.
@Albrecht, Thomas C
Yes, the customer said --
We are using the profile DISA STIG for Red Hat Enterprise Linux 7 based on ssg-rhel7-ds
security.xml as found on
https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.40...
and tried with the default openscap scanner from the RHEL 7.5 ISO as well as the latest
version available on the redhat site (1.2.16.8.el7_5).
Warm Regards,
Dushyant Uge
Red Hat Global Support
On Thu, Sep 20, 2018 at 8:05 AM, Shawn Wells <shawn@redhat.com> wrote:
On 9/20/18 10:52 AM, Albrecht, Thomas C wrote:
Ok, there’s an inconsistency then. The DISA STIG says that the private keys need to be
0600. Looks like they set permissions to the DISA version of the rule, but are scanning
the SSG version of the rule.
Can you provide a “proof of concept” that shows the key generation failing if the
permissions are set to 0600 so I have something in my back pocket to show our customer?
It's a known issue in the DISA content. We let them know about it a few years ago now.
Have been told a fix is making its way through their release processes.
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...