Hello, I checked RHEL7.5 has been released now.
My question -- Is SCAP Security Guide 0.1.36 released with RHEL7.5?

Thanks & Regards,
Dushyant Uge

On Tue, Apr 17, 2018 at 7:17 AM, Dushyant Uge <[email protected]> wrote:

> Hello,
>
> I checked RHEL7.5 has been released now.
>
> So, Is SCAP Security Guide 0.1.36 released in RHEL7.5?
>
> Thanks & Regards,
> Dushyant Uge
>
> On Mon, Nov 27, 2017 at 1:00 AM, Jan Cerny <[email protected]> wrote:
>
>> Hi,
>>
>> the problem was fixed in SCAP Security Guide 0.1.36.
>>
>> Regards
>>
>> Jan Černý
>> Security Technologies | Red Hat, Inc.
>>
>> ----- Original Message -----
>> > From: "Dushyant Uge" <[email protected]>
>> > To: "Jan Cerny" <[email protected]>
>> > Cc: "Jakub Jelen" <[email protected]>, "tech-list" <[email protected]>, "SCAP Security Guide"
>> > <[email protected]>
>> > Sent: Saturday, November 25, 2017 1:38:03 PM
>> > Subject: Re: Reg: Openscap scanning for SSH
>> >
>> > Hello Team,
>> >
>> > I can see the status of below issue "Closed"
>> >
>> > https://github.com/OpenSCAP/scap-security-guide/issues/2296
>> >
>> > What shall we update to customer now ?
>> >
>> >
>> > On Tue, Sep 5, 2017 at 5:14 PM, Jan Cerny <[email protected]> wrote:
>> >
>> > > Hello,
>> > >
>> > > Great! Thanks for clarification.
>> > >
>> > > I have reported this issue upstream. You can track fixing the problem
>> > > there.
>> > > https://github.com/OpenSCAP/scap-security-guide/issues/2296
>> > >
>> > > Regards
>> > >
>> > > Jan Černý
>> > > Security Technologies | Red Hat, Inc.
>> > >
>> > > ----- Original Message -----
>> > > > From: "Jakub Jelen" <[email protected]>
>> > > > To: "Jan Cerny" <[email protected]>
>> > > > Cc: "Dushyant Uge" <[email protected]>, "tech-list" <[email protected]>, "SCAP Security Guide"
>> > > > <[email protected]>
>> > > > Sent: Tuesday, September 5, 2017 1:26:01 PM
>> > > > Subject: Re: Reg: Openscap scanning for SSH
>> > > >
>> > > > On Tue, 2017-09-05 at 07:22 -0400, Jan Cerny wrote:
>> > > > > Hi,
>> > > > >
>> > > > > Thank you very much for letting us know.
>> > > > >
>> > > > > I have looked into this issue. The rule "Allow Only SSH Protocol 2"
>> > > > > checks if /etc/sshd_config contains string "Protocol 2".
>> > > > > See the implementation of this check:
>> > > > > https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/static/oval/sshd_allow_only_protocol2.xml
>> > > > >
>> > > > > Jakub, do I understand it well, that since RHEL 7.4 this
>> > > > > configuration option doesn't exist anymore? Will the system always
>> > > > > satisfy the requirement that only SSHv2 is allowed? What way do you
>> > > > > recommend to check that this requirement is satisfied?
>> > > > >
>> > > > > I think If SSH v2 is the only option on RHEL 7.4, we should remove
>> > > > > this rule from SCAP Security Guide for RHEL7 completely.
>> > > >
>> > > > I would not remove it. Some people might be running the old openssh
>> > > > from RHEL7.3. I would say that every OpenSSH RPM package >=7.4 will
>> > > > satisfy this rule. If we have older version, I would leave the check as
>> > > > it was. Though not sure how to write it in your language :)
>> > > >
>> > > > Jakub
>> > > >
>> > > > > Dushyant, FYI, rules for OpenSCAP comes from "SCAP Security Guide"
>> > > > > project,
>> > > > > https://github.com/OpenSCAP/scap-security-guide
>> > > > > which has a special mailing list:
>> > > > > https://lists.fedorahosted.org/admin/lists/scap-security-guide.lists.fedorahosted.org/
>> > > > > If you run in similar problem in future, you can ask there directly
>> > > > > :D
>> > > > > I'm including the mailing list to this thread so that experts can
>> > > > > chime in.
>> > > > >
>> > > > >
>> > > > > Regards
>> > > > >
>> > > > > Jan Černý
>> > > > > Security Technologies | Red Hat, Inc.
>> > > > >
>> > > > > ----- Original Message -----
>> > > > > > From: "Jakub Jelen" <[email protected]>
>> > > > > > To: "Dushyant Uge" <[email protected]>
>> > > > > > Cc: "tech-list" <[email protected]>, [email protected]
>> > > > > > Sent: Tuesday, September 5, 2017 10:29:19 AM
>> > > > > > Subject: Re: Reg: Openscap scanning for SSH
>> > > > > >
>> > > > > > On Tue, 2017-09-05 at 08:07 +0530, Dushyant Uge wrote:
>> > > > > > > Hello Jakub Jelen,
>> > > > > > >
>> > > > > > > Thank you for your response.
>> > > > > > >
>> > > > > > > > > The rules in OpenSCAP needs to be updated to reflect this
>> > > > > > >
>> > > > > > > So, Are we in the process of updating OpenSCAP scanning rules?
>> > > > > > > or Do we need to file a bugzilla ?
>> > > > > >
>> > > > > > I am not sure if the OpenSCAP team or SGG is aware of this issue. I
>> > > > > > added Jan, who should know better.
>> > > > > >
>> > > > > > >
>> > > > > > > On Mon, Sep 4, 2017 at 5:08 PM, Jakub Jelen <[email protected]> wrote:
>> > > > > > >
>> > > > > > > > On Mon, 2017-09-04 at 11:02 +0530, Dushyant Uge wrote:
>> > > > > > > > > Hello,
>> > > > > > > > >
>> > > > > > > > > While scanning RHEL7 system with openscap below are results
>> > > > > > > > > for ssh protocol2
>> > > > > > > > >
>> > > > > > > > > -------------------------------------
>> > > > > > > > > oval:ssg-sshd_allow_only_protocol2:def:1 false compliance [20140414], [sshd_allow_only_protocol2] Ensure Only Protocol 2 Connections Allowed
>> > > > > > > > > -------------------------------------
>> > > > > > > > >
>> > > > > > > > > Customer has below concern --
>> > > > > > > > >
>> > > > > > > > > The description in the openscap-workbench:
>> > > > > > > > > Only SSH protocol version 2 connections should be permitted.
>> > > > > > > > > The default setting in /etc/ssh/sshd_config is correct, and
>> > > > > > > > > can be verified by ensuring that the following line appears:
>> > > > > > > > > Protocol 2
>> > > > > > > > >
>> > > > > > > > > While doing Since this is the default, the check should NOT
>> > > > > > > > > be for "2", but to make sure that "1" is NOT present.
>> > > > > > > > >
>> > > > > > > > > Is this a valid implementation request ?
>> > > > > > > > >
>> > > > > > > > > Please suggest.
>> > > > > > > > >
>> > > > > > > >
>> > > > > > > > The SSH-1 protocol was removed in RHEL7.4 (openssh-7.4p1 and
>> > > > > > > > newer) therefore the configuration files will not contain
>> > > > > > > > Protocol option nor sshd -T will output it. The rules in
>> > > > > > > > OpenSCAP needs to be updated to reflect this
>> > > > > > > >
>> > > > > > > > https://access.redhat.com/articles/3022681
>> > > > > > > >
>> > > > > >
>> > > > > > --
>> > > > > > Jakub Jelen
>> > > > > > Software Engineer
>> > > > > > Security Technologies
>> > > > > > Red Hat, Inc.
>> > > > > >
>> > > > --
>> > > > Jakub Jelen
>> > > > Software Engineer
>> > > > Security Technologies
>> > > > Red Hat, Inc.
>> > > >
>> > >
>> >
>> >
>> >
>> > --
>> > Warm Regards,
>> > Dushyant Uge
>> > Red Hat Global Support
>> >
>>
>
>
>
> --
> Warm Regards,
> Dushyant Uge
> Red Hat Global Support
>

--
Warm Regards,
Dushyant Uge
Red Hat Global Support
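
The check logic Jakub Jelen suggests in the thread above (any OpenSSH package 7.4 or newer satisfies the rule, older packages keep the existing "Protocol 2" check), as an added Python example. It is not code from the thread or from SCAP Security Guide; the function names, version strings and sample configurations are constructed for illustration.

```python
import re

# From the thread: SSH-1 was removed in openssh-7.4p1 and newer.
SSH1_REMOVED_IN = (7, 4)


def openssh_version(rpm_version):
    """Return (major, minor) from a package version string such as '7.4p1'."""
    m = re.match(r"(\d+)\.(\d+)", rpm_version)
    if m is None:
        raise ValueError("unrecognised OpenSSH version: %r" % rpm_version)
    return int(m.group(1)), int(m.group(2))


def first_protocol_value(config_text):
    """Return the value of the first active Protocol line, or None.

    sshd_config keywords are case-insensitive, '#' lines are comments,
    and the first value obtained for a keyword is the one sshd uses.
    """
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "protocol" and len(parts) == 2:
            return parts[1].strip().replace(" ", "")
    return None


def only_protocol2(rpm_version, config_text):
    """Version-gated form of the rule discussed in the thread."""
    if openssh_version(rpm_version) >= SSH1_REMOVED_IN:
        return True  # no SSH-1 support in the package, nothing to configure
    # Older package: keep the check as it was, an explicit 'Protocol 2' line.
    return first_protocol_value(config_text) == "2"


# Constructed sample sshd_config contents (not taken from any real system).
NEW_DEFAULT = "Port 22\nPermitRootLogin no\n"
OLD_EXPLICIT = "Port 22\nProtocol 2\n"
OLD_COMMENTED = "Port 22\n#Protocol 2\n"
OLD_BOTH = "Protocol 2,1\n"

if __name__ == "__main__":
    for ver, cfg in [("7.4p1", NEW_DEFAULT), ("6.6.1p1", OLD_EXPLICIT),
                     ("6.6.1p1", OLD_COMMENTED), ("6.6.1p1", OLD_BOTH)]:
        print(ver, repr(cfg), "pass" if only_protocol2(ver, cfg) else "fail")
```

On the older package the commented-out line fails here because the sketch keeps the rule's original requirement that the line appears, which is the behaviour the customer questioned at the start of the thread.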
