On 08/04/2017 12:15 AM, Paige, David B CTR USARMY ICOE (US) wrote:

There are some issues in the STIG for Red Hat Enterprise Linux 7 Server,
profile: stig-rhel7-server-upstream in ssg-rhel7-xccdf.xml.

The first is "Use Only FIPS Approved MACs", RHEL-07-040620.
The STIG indicates that only hmac-sha2-512 and hmac-sha2-256 should be used.
However, the remediation script adds hmac-sha1 to the list of MACs. Removing
hmac-sha1 causes the test to fail. Also, the reference listed is incorrect.
It should be RHEL-07-040400. Also, in one instance when performing a
remediation, the MACs line was appended to the last line of /etc/ssh/sshd_config,
causing sshd to fail.

The second is "Use Only Approved Ciphers", RHEL-07-040110.
The STIG indicates that the line should be listed as follows:

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr

However, the remediation script adds aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc.
Removing these cbc and 3des ciphers causes the check to fail.
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Hello David,

It looks like you are using an older version of SCAP Security Guide (0.1.30, I
guess?). Can you try a newer one? At least the MACs line mangling
sshd_config should be fixed there. The rest is possibly still not in
line with expectations and we have to take a look.

Thanks,
Marek
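
Added example (not from this thread and not SCAP Security Guide code): a Python check of the effective MACs and Ciphers values in sshd_config text against the lists quoted from the STIG above, plus a rewrite that puts each directive on its own line even when the file lacks a final newline. The function names and the sample config are constructed for illustration; the file is assumed to use the "Keyword value" form and to contain no Match blocks.

```python
import re

# Algorithm lists exactly as quoted from the STIG in the message above.
STIG_POLICY = {
    "MACs": ["hmac-sha2-512", "hmac-sha2-256"],
    "Ciphers": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
}

def effective_value(config_text, keyword):
    """Return the algorithm list sshd would use for keyword, or None if unset.
    sshd keywords are case-insensitive and the first occurrence wins."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return [a.strip() for a in parts[1].split(",") if a.strip()]
    return None

def audit(config_text):
    """Map each keyword to the algorithms outside the STIG list
    (['<unset>'] when the keyword is missing). Empty dict means compliant."""
    findings = {}
    for keyword, allowed in STIG_POLICY.items():
        value = effective_value(config_text, keyword)
        extra = ["<unset>"] if value is None else [a for a in value if a not in allowed]
        if extra:
            findings[keyword] = extra
    return findings

def remediate(config_text):
    """Drop existing MACs/Ciphers lines and append the STIG values,
    each on its own line even if the input has no final newline."""
    names = "|".join(STIG_POLICY)
    kept = [line for line in config_text.splitlines()
            if not re.match(rf"\s*({names})\s", line, re.IGNORECASE)]
    kept += [f"{key} {','.join(algs)}" for key, algs in STIG_POLICY.items()]
    return "\n".join(kept) + "\n"

# Constructed sample: the extra algorithms named in the message, and a last
# line without a trailing newline (the case where a blind append merges lines).
SAMPLE = ("PermitRootLogin no\n"
          "MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1\n"
          "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,"
          "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc\n"
          "UsePAM yes")

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(remediate(SAMPLE), end="")
```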