Yes, version 0.1.36 has been released.
On Fri, Apr 20, 2018 at 11:10 AM, Dushyant Uge <duge(a)redhat.com> wrote:
Hello,
I checked RHEL7.5 has been released now.
My question --
Is SCAP Security Guide 0.1.36 released with RHEL7.5?
Thanks & Regards,
Dushyant Uge
On Tue, Apr 17, 2018 at 7:17 AM, Dushyant Uge <duge(a)redhat.com> wrote:
> Hello,
>
> I checked RHEL7.5 has been released now.
>
> So, Is SCAP Security Guide 0.1.36 released in RHEL7.5?
>
> Thanks & Regards,
> Dushyant Uge
>
> On Mon, Nov 27, 2017 at 1:00 AM, Jan Cerny <jcerny(a)redhat.com> wrote:
>
>> Hi,
>>
>> the problem was fixed in SCAP Security Guide 0.1.36.
>>
>> Regards
>>
>> Jan Černý
>> Security Technologies | Red Hat, Inc.
>>
>> ----- Original Message -----
>> > From: "Dushyant Uge" <duge(a)redhat.com>
>> > To: "Jan Cerny" <jcerny(a)redhat.com>
>> > Cc: "Jakub Jelen" <jjelen(a)redhat.com>, "tech-list" <tech-list(a)redhat.com>, "SCAP Security Guide"
>> > <scap-security-guide(a)lists.fedorahosted.org>
>> > Sent: Saturday, November 25, 2017 1:38:03 PM
>> > Subject: Re: Reg: Openscap scanning for SSH
>> >
>> > Hello Team,
>> >
>> > I can see the status of below issue "Closed"
>> >
>> >
>> > https://github.com/OpenSCAP/scap-security-guide/issues/2296
>> >
>> > What shall we update to customer now ?
>> >
>> >
>> > On Tue, Sep 5, 2017 at 5:14 PM, Jan Cerny <jcerny(a)redhat.com> wrote:
>> >
>> > > Hello,
>> > >
>> > > Great! Thanks for clarification.
>> > >
>> > > I have reported this issue upstream. You can track fixing the problem
>> > > there.
>> > >
>> > > https://github.com/OpenSCAP/scap-security-guide/issues/2296
>> > >
>> > > Regards
>> > >
>> > > Jan Černý
>> > > Security Technologies | Red Hat, Inc.
>> > >
>> > > ----- Original Message -----
>> > > > From: "Jakub Jelen" <jjelen(a)redhat.com>
>> > > > To: "Jan Cerny" <jcerny(a)redhat.com>
>> > > > Cc: "Dushyant Uge" <duge(a)redhat.com>, "tech-list" <tech-list(a)redhat.com>, "SCAP Security Guide"
>> > > > <scap-security-guide(a)lists.fedorahosted.org>
>> > > > Sent: Tuesday, September 5, 2017 1:26:01 PM
>> > > > Subject: Re: Reg: Openscap scanning for SSH
>> > > >
>> > > > On Tue, 2017-09-05 at 07:22 -0400, Jan Cerny wrote:
>> > > > > Hi,
>> > > > >
>> > > > > Thank you very much for letting us know.
>> > > > >
>> > > > > I have looked into this issue. The rule "Allow Only SSH Protocol 2"
>> > > > > checks if /etc/sshd_config contains string "Protocol 2".
>> > > > > See the implementation of this check:
>> > > > > https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/static/oval/sshd_allow_only_protocol2.xml
>> > > > >
>> > > > > Jakub, do I understand it well, that since RHEL 7.4 this configuration
>> > > > > option doesn't exist anymore? Will the system always satisfy the requirement
>> > > > > that only SSHv2 is allowed? What way do you recommend to check that
>> > > > > this requirement is satisfied?
>> > > > >
>> > > > > I think if SSH v2 is the only option on RHEL 7.4, we should remove
>> > > > > this rule from SCAP Security Guide for RHEL7 completely.
>> > > >
>> > > > I would not remove it. Some people might be running the old openssh
>> > > > from RHEL7.3. I would say that every OpenSSH RPM package >=7.4 will
>> > > > satisfy this rule. If we have older version, I would leave the check as
>> > > > it was. Though not sure how to write it in your language :)
>> > > >
>> > > > Jakub
>> > > >
>> > > > > Dushyant, FYI, rules for OpenSCAP come from "SCAP Security Guide"
>> > > > > project,
>> > > > > https://github.com/OpenSCAP/scap-security-guide
>> > > > > which has a special mailing list:
>> > > > > https://lists.fedorahosted.org/admin/lists/scap-security-guide.lists.fedorahosted.org/
>> > > > > If you run in similar problem in future, you can ask there directly
>> > > > > :D
>> > > > > I'm including the mailing list to this thread so that experts can
>> > > > > chime in.
>> > > > >
>> > > > >
>> > > > > Regards
>> > > > >
>> > > > > Jan Černý
>> > > > > Security Technologies | Red Hat, Inc.
>> > > > >
>> > > > > ----- Original Message -----
>> > > > > > From: "Jakub Jelen" <jjelen(a)redhat.com>
>> > > > > > To: "Dushyant Uge" <duge(a)redhat.com>
>> > > > > > Cc: "tech-list" <tech-list(a)redhat.com>, jcerny(a)redhat.com
>> > > > > > Sent: Tuesday, September 5, 2017 10:29:19 AM
>> > > > > > Subject: Re: Reg: Openscap scanning for SSH
>> > > > > >
>> > > > > > On Tue, 2017-09-05 at 08:07 +0530, Dushyant Uge wrote:
>> > > > > > > Hello Jakub Jelen,
>> > > > > > >
>> > > > > > > Thank you for your response.
>> > > > > > >
>> > > > > > > > > The rules in OpenSCAP needs to be updated to reflect this
>> > > > > > >
>> > > > > > > So, Are we in the process of updating OpenSCAP scanning rules?
>> > > > > > > or Do we need to file a bugzilla ?
>> > > > > >
>> > > > > > I am not sure if the OpenSCAP team or SSG is aware of this issue. I
>> > > > > > added Jan, who should know better.
>> > > > > >
>> > > > > > >
>> > > > > > > On Mon, Sep 4, 2017 at 5:08 PM, Jakub Jelen <jjelen(a)redhat.com>
>> > > > > > > wrote:
>> > > > > > >
>> > > > > > > > On Mon, 2017-09-04 at 11:02 +0530, Dushyant Uge wrote:
>> > > > > > > > > Hello,
>> > > > > > > > >
>> > > > > > > > > While scanning RHEL7 system with openscap below are results
>> > > > > > > > > for ssh protocol2
>> > > > > > > > >
>> > > > > > > > > -------------------------------------
>> > > > > > > > > oval:ssg-sshd_allow_only_protocol2:def:1 false compliance
>> > > > > > > > > [20140414],
>> > > > > > > > > [sshd_allow_only_protocol2] Ensure Only Protocol 2 Connections Allowed
>> > > > > > > > > -------------------------------------
>> > > > > > > > >
>> > > > > > > > > Customer has below concern --
>> > > > > > > > >
>> > > > > > > > > The description in the openscap-workbench:
>> > > > > > > > > Only SSH protocol version 2 connections should be permitted. The default
>> > > > > > > > > setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring
>> > > > > > > > > that the following line appears: Protocol 2
>> > > > > > > > >
>> > > > > > > > > While doing Since this is the default, the check should NOT be for "2", but
>> > > > > > > > > to make sure that "1" is NOT present.
>> > > > > > > > >
>> > > > > > > > > Is this a valid implementation request ?
>> > > > > > > > >
>> > > > > > > > > Please suggest.
>> > > > > > > > >
>> > > > > > > >
>> > > > > > > > The SSH-1 protocol was removed in RHEL7.4 (openssh-7.4p1 and newer)
>> > > > > > > > therefore the configuration files will not contain Protocol option nor
>> > > > > > > > sshd -T will output it. The rules in OpenSCAP needs to be updated to
>> > > > > > > > reflect this
>> > > > > > > >
>> > > > > > > > https://access.redhat.com/articles/3022681
>> > > > > > > >
>> > > > > >
>> > > > > > --
>> > > > > > Jakub Jelen
>> > > > > > Software Engineer
>> > > > > > Security Technologies
>> > > > > > Red Hat, Inc.
>> > > > > >
>> > > > --
>> > > > Jakub Jelen
>> > > > Software Engineer
>> > > > Security Technologies
>> > > > Red Hat, Inc.
>> > > >
>> > >
>> >
>> >
>> >
>> > --
>> > Warm Regards,
>> > Dushyant Uge
>> > Red Hat Global Support
>> >
>>
>
>
>
> --
> Warm Regards,
> Dushyant Uge
> Red Hat Global Support
>
--
Warm Regards,
Dushyant Uge
Red Hat Global Support
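
The version-aware check suggested in the thread (any OpenSSH package >= 7.4 satisfies the rule, older packages keep the original "Protocol 2" check), sketched in Python. This is an added example, not the SCAP Security Guide OVAL check and not the fix that shipped in 0.1.36; the function names and the sample configuration text are assumptions constructed here.

```python
import re

# Constructed sample inputs (not taken from any real system).
CONFIG_WITH_PROTOCOL = """\
# constructed sample sshd_config
Port 22
Protocol 2
PermitRootLogin no
"""
CONFIG_WITHOUT_PROTOCOL = """\
#Protocol 2
Port 22
"""

SSH1_REMOVED_IN = (7, 4)  # from the thread: openssh-7.4p1 and newer


def parse_openssh_version(pkg_version):
    """Return (major, minor) from a version string such as '7.4p1'."""
    m = re.match(r"(\d+)\.(\d+)", pkg_version)
    if not m:
        raise ValueError("unrecognised OpenSSH version: %r" % pkg_version)
    return int(m.group(1)), int(m.group(2))


def effective_protocol(config_text):
    """Return the value of the first uncommented Protocol line, or None."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, e.g. the shipped '#Protocol 2'
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            return parts[1].strip()
    return None


def only_protocol2(pkg_version, config_text):
    """Version-aware form of the rule, following the suggestion in the thread."""
    if parse_openssh_version(pkg_version) >= SSH1_REMOVED_IN:
        return True  # SSH-1 was removed, so no Protocol option is expected
    # Older package: keep the original check, an explicit "Protocol 2" line.
    return effective_protocol(config_text) == "2"
```

On a 7.4 or newer package the function passes even though the configuration has no `Protocol` line, which is the case that produced the `false` result reported at the start of the thread.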