Hello, Great! Thanks for clarification.

I have reported this issue upstream. You can track fixing the problem there.
https://github.com/OpenSCAP/scap-security-guide/issues/2296

Regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Jakub Jelen" <[email protected]>
> To: "Jan Cerny" <[email protected]>
> Cc: "Dushyant Uge" <[email protected]>, "tech-list" <[email protected]>, "SCAP Security Guide" <[email protected]>
> Sent: Tuesday, September 5, 2017 1:26:01 PM
> Subject: Re: Reg: Openscap scanning for SSH
>
> On Tue, 2017-09-05 at 07:22 -0400, Jan Cerny wrote:
> > Hi,
> >
> > Thank you very much for letting us know.
> >
> > I have looked into this issue. The rule "Allow Only SSH Protocol 2"
> > checks if /etc/sshd_config contains string "Protocol 2".
> > See the implementation of this check:
> > https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/static/oval/sshd_allow_only_protocol2.xml
> >
> > Jakub, do I understand it well, that since RHEL 7.4 this configuration
> > option doesn't exist anymore? Will the system always satisfy the requirement
> > that only SSHv2 is allowed? What way do you recommend to check that
> > this requirement is satisfied?
> >
> > I think if SSH v2 is the only option on RHEL 7.4, we should remove
> > this rule from SCAP Security Guide for RHEL7 completely.
>
> I would not remove it. Some people might be running the old openssh
> from RHEL7.3. I would say that every OpenSSH RPM package >=7.4 will
> satisfy this rule. If we have an older version, I would leave the check as
> it was. Though not sure how to write it in your language :)
>
> Jakub
>
> > Dushyant, FYI, rules for OpenSCAP come from the "SCAP Security Guide" project,
> > https://github.com/OpenSCAP/scap-security-guide
> > which has a special mailing list:
> > https://lists.fedorahosted.org/admin/lists/scap-security-guide.lists.fedorahosted.org/
> > If you run into a similar problem in future, you can ask there directly :D
> > I'm including the mailing list in this thread so that experts can chime in.
> >
> >
> > Regards
> >
> > Jan Černý
> > Security Technologies | Red Hat, Inc.
> >
> > ----- Original Message -----
> > > From: "Jakub Jelen" <[email protected]>
> > > To: "Dushyant Uge" <[email protected]>
> > > Cc: "tech-list" <[email protected]>, [email protected]
> > > Sent: Tuesday, September 5, 2017 10:29:19 AM
> > > Subject: Re: Reg: Openscap scanning for SSH
> > >
> > > On Tue, 2017-09-05 at 08:07 +0530, Dushyant Uge wrote:
> > > > Hello Jakub Jelen,
> > > >
> > > > Thank you for your response.
> > > >
> > > > > The rules in OpenSCAP need to be updated to reflect this
> > > >
> > > > So, are we in the process of updating OpenSCAP scanning rules?
> > > > Or do we need to file a bugzilla?
> > >
> > > I am not sure if the OpenSCAP team or SSG is aware of this issue. I
> > > added Jan, who should know better.
> > >
> > > > On Mon, Sep 4, 2017 at 5:08 PM, Jakub Jelen <[email protected]> wrote:
> > > >
> > > > > On Mon, 2017-09-04 at 11:02 +0530, Dushyant Uge wrote:
> > > > > > Hello,
> > > > > >
> > > > > > While scanning a RHEL7 system with openscap, below are the results for
> > > > > > ssh protocol2
> > > > > >
> > > > > > -------------------------------------
> > > > > > oval:ssg-sshd_allow_only_protocol2:def:1 false compliance [20140414],
> > > > > > [sshd_allow_only_protocol2] Ensure Only Protocol 2 Connections Allowed
> > > > > > -------------------------------------
> > > > > >
> > > > > > Customer has below concern --
> > > > > >
> > > > > > The description in the openscap-workbench:
> > > > > > Only SSH protocol version 2 connections should be permitted. The default
> > > > > > setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring
> > > > > > that the following line appears: Protocol 2
> > > > > >
> > > > > > Since this is the default, the check should NOT be for "2", but
> > > > > > to make sure that "1" is NOT present.
> > > > > >
> > > > > > Is this a valid implementation request?
> > > > > >
> > > > > > Please suggest.
> > > > >
> > > > > The SSH-1 protocol was removed in RHEL7.4 (openssh-7.4p1 and newer),
> > > > > therefore the configuration files will not contain the Protocol option,
> > > > > nor will sshd -T output it. The rules in OpenSCAP need to be updated to
> > > > > reflect this
> > > > >
> > > > > https://access.redhat.com/articles/3022681
> > > > >
> > > --
> > > Jakub Jelen
> > > Software Engineer
> > > Security Technologies
> > > Red Hat, Inc.
> >
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
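The version-aware check Jakub sketches above ("every OpenSSH RPM package >=7.4 will satisfy this rule; for an older version leave the check as it was"), written out as an added POSIX sh example. This is not code from the thread or from the SCAP Security Guide project (whose real check is OVAL XML); it assumes the caller supplies a bare OpenSSH version string such as `7.4p1` or `6.6.1p1` (for instance from the `openssh-server` package version) and the path to an `sshd_config` file, and it uses constructed sample configs rather than a live system. For the pre-7.4 branch it keeps the original rule's semantics: the effective `Protocol` directive (sshd uses the first occurrence) must be exactly `2`, so a missing directive or a value such as `2,1` fails.

```shell
#!/bin/sh
# Added example (not SSG's own OVAL check): version-aware
# "Allow Only SSH Protocol 2" evaluation as suggested in the thread.

# openssh_ge_74 VERSION -> 0 when VERSION (e.g. "7.4p1", "6.6.1p1") is >= 7.4,
# i.e. a build with the SSH-1 code removed; 1 otherwise.
openssh_ge_74() {
    ver=${1%%p*}                     # drop the portable suffix: 7.4p1 -> 7.4
    major=${ver%%.*}                 # 7
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;   # 6.6.1 -> rest 6.1 -> minor 6
        *)   minor=0 ;;                              # "7" alone means 7.0
    esac
    [ "$major" -gt 7 ] 2>/dev/null && return 0
    [ "$major" -eq 7 ] && [ "$minor" -ge 4 ] 2>/dev/null && return 0
    return 1
}

# effective_protocol CONFIG -> prints the value of the first uncommented
# "Protocol" directive (the one sshd honours), or nothing if it is absent.
effective_protocol() {
    awk 'tolower($1) == "protocol" { print $2; exit }' "$1"
}

# sshd_allow_only_protocol2 VERSION CONFIG -> 0 = compliant, 1 = not compliant
sshd_allow_only_protocol2() {
    version=$1
    config=$2
    # openssh >= 7.4 has no SSH-1 support at all, so the rule is satisfied
    # regardless of what (if anything) the config says.
    if openssh_ge_74 "$version"; then
        return 0
    fi
    # Older openssh: keep the original rule, an explicit "Protocol 2".
    # An absent directive or any value still listing 1 ("2,1", "1") fails.
    proto=$(effective_protocol "$config")
    case $proto in
        2) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs (not captured from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
# RHEL 7.3-era sshd_config with an explicit SSH-2 only setting
Protocol 2
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/legacy.conf" <<'EOF'
# Still allows SSH-1 fallback
Protocol 2,1
EOF
cat > "$SAMPLE_DIR/rhel74.conf" <<'EOF'
# openssh-7.4p1 and newer: the Protocol directive is simply gone
PermitRootLogin no
EOF

# report VERSION CONFIG_NAME -> prints one result line for the reader
report() {
    if sshd_allow_only_protocol2 "$1" "$SAMPLE_DIR/$2"; then r=pass; else r=fail; fi
    printf '%-8s %-14s %s\n' "$1" "$2" "$r"
}

report 6.6.1p1 hardened.conf   # pass: explicit Protocol 2 on old openssh
report 6.6.1p1 legacy.conf     # fail: 2,1 still permits SSH-1
report 6.6.1p1 rhel74.conf     # fail: old openssh without the directive
report 7.4p1   rhel74.conf     # pass: SSH-1 code is not present at all
```

The same two inputs (package version, config path) are what a rewritten OVAL definition would have to combine: an `rpminfo` test on the `openssh-server` version OR'd with the existing textfilecontent test, which is the shape of the fix the upstream issue tracks.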
