Yes, version 0.1.36 has been released.

On Fri, Apr 20, 2018 at 11:10 AM, Dushyant Uge <[email protected]> wrote:
> Hello,
>
> I checked RHEL7.5 has been released now.
>
> My question --
>
> Is SCAP Security Guide 0.1.36 released with RHEL7.5?
>
> Thanks & Regards,
> Dushyant Uge
>
> On Tue, Apr 17, 2018 at 7:17 AM, Dushyant Uge <[email protected]> wrote:
>
>> Hello,
>>
>> I checked RHEL7.5 has been released now.
>>
>> So, Is SCAP Security Guide 0.1.36 released in RHEL7.5?
>>
>> Thanks & Regards,
>> Dushyant Uge
>>
>> On Mon, Nov 27, 2017 at 1:00 AM, Jan Cerny <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> the problem was fixed in SCAP Security Guide 0.1.36.
>>>
>>> Regards
>>>
>>> Jan Černý
>>> Security Technologies | Red Hat, Inc.
>>>
>>> ----- Original Message -----
>>> > From: "Dushyant Uge" <[email protected]>
>>> > To: "Jan Cerny" <[email protected]>
>>> > Cc: "Jakub Jelen" <[email protected]>, "tech-list" <[email protected]>, "SCAP Security Guide" <[email protected]>
>>> > Sent: Saturday, November 25, 2017 1:38:03 PM
>>> > Subject: Re: Reg: Openscap scanning for SSH
>>> >
>>> > Hello Team,
>>> >
>>> > I can see the status of below issue "Closed"
>>> >
>>> > https://github.com/OpenSCAP/scap-security-guide/issues/2296
>>> >
>>> > What shall we update to customer now ?
>>> >
>>> > On Tue, Sep 5, 2017 at 5:14 PM, Jan Cerny <[email protected]> wrote:
>>> >
>>> > > Hello,
>>> > >
>>> > > Great! Thanks for clarification.
>>> > >
>>> > > I have reported this issue upstream. You can track fixing the problem there.
>>> > > https://github.com/OpenSCAP/scap-security-guide/issues/2296
>>> > >
>>> > > Regards
>>> > >
>>> > > Jan Černý
>>> > > Security Technologies | Red Hat, Inc.
>>> > > >
>>> > > > ----- Original Message -----
>>> > > > From: "Jakub Jelen" <[email protected]>
>>> > > > To: "Jan Cerny" <[email protected]>
>>> > > > Cc: "Dushyant Uge" <[email protected]>, "tech-list" <[email protected]>, "SCAP Security Guide" <[email protected]>
>>> > > > Sent: Tuesday, September 5, 2017 1:26:01 PM
>>> > > > Subject: Re: Reg: Openscap scanning for SSH
>>> > > >
>>> > > > On Tue, 2017-09-05 at 07:22 -0400, Jan Cerny wrote:
>>> > > > > Hi,
>>> > > > >
>>> > > > > Thank you very much for letting us know.
>>> > > > >
>>> > > > > I have looked into this issue. The rule "Allow Only SSH Protocol 2" checks if /etc/sshd_config contains string "Protocol 2".
>>> > > > > See the implementation of this check:
>>> > > > > https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/static/oval/sshd_allow_only_protocol2.xml
>>> > > > >
>>> > > > > Jakub, do I understand it well, that since RHEL 7.4 this configuration option doesn't exist anymore? Will the system always satisfy the requirement that only SSHv2 is allowed? What way do you recommend to check that this requirement is satisfied?
>>> > > > >
>>> > > > > I think If SSH v2 is the only option on RHEL 7.4, we should remove this rule from SCAP Security Guide for RHEL7 completely.
>>> > > >
>>> > > > I would not remove it. Some people might be running the old openssh from RHEL7.3. I would say that every OpenSSH RPM package >=7.4 will satisfy this rule. If we have older version, I would leave the check as it was.
>>> > > > Though not sure how to write it in your language :)
>>> > > >
>>> > > > Jakub
>>> > > >
>>> > > > > Dushyant, FYI, rules for OpenSCAP comes from "SCAP Security Guide" project,
>>> > > > > https://github.com/OpenSCAP/scap-security-guide
>>> > > > > which has a special mailing list:
>>> > > > > https://lists.fedorahosted.org/admin/lists/scap-security-guide.lists.fedorahosted.org/
>>> > > > > If you run in similar problem in future, you can ask there directly :D
>>> > > > > I'm including the mailing list to this thread so that experts can chime in.
>>> > > > >
>>> > > > > Regards
>>> > > > >
>>> > > > > Jan Černý
>>> > > > > Security Technologies | Red Hat, Inc.
>>> > > > >
>>> > > > > ----- Original Message -----
>>> > > > > > From: "Jakub Jelen" <[email protected]>
>>> > > > > > To: "Dushyant Uge" <[email protected]>
>>> > > > > > Cc: "tech-list" <[email protected]>, [email protected]
>>> > > > > > Sent: Tuesday, September 5, 2017 10:29:19 AM
>>> > > > > > Subject: Re: Reg: Openscap scanning for SSH
>>> > > > > >
>>> > > > > > On Tue, 2017-09-05 at 08:07 +0530, Dushyant Uge wrote:
>>> > > > > > > Hello Jakub Jelen,
>>> > > > > > >
>>> > > > > > > Thank you for your response.
>>> > > > > > >
>>> > > > > > > > > The rules in OpenSCAP needs to be updated to reflect this
>>> > > > > > >
>>> > > > > > > So, Are we in the process of updating OpenSCAP scanning rules?
>>> > > > > > > or Do we need to file a bugzilla ?
>>> > > > > >
>>> > > > > > I am not sure if the OpenSCAP team or SGG is aware of this issue. I added Jan, who should know better.
>>> > > > > >
>>> > > > > > >
>>> > > > > > > On Mon, Sep 4, 2017 at 5:08 PM, Jakub Jelen <[email protected]> wrote:
>>> > > > > > >
>>> > > > > > > > On Mon, 2017-09-04 at 11:02 +0530, Dushyant Uge wrote:
>>> > > > > > > > > Hello,
>>> > > > > > > > >
>>> > > > > > > > > While scanning RHEL7 system with openscap below are results for ssh protocol2
>>> > > > > > > > >
>>> > > > > > > > > -------------------------------------
>>> > > > > > > > > oval:ssg-sshd_allow_only_protocol2:def:1 false compliance [20140414], [sshd_allow_only_protocol2] Ensure Only Protocol 2 Connections Allowed
>>> > > > > > > > > -------------------------------------
>>> > > > > > > > >
>>> > > > > > > > > Customer has below concern --
>>> > > > > > > > >
>>> > > > > > > > > The description in the openscap-workbench:
>>> > > > > > > > > Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears: Protocol 2
>>> > > > > > > > >
>>> > > > > > > > > While doing Since this is the default, the check should NOT be for "2", but to make sure that "1" is NOT present.
>>> > > > > > > > >
>>> > > > > > > > > Is this a valid implementation request ?
>>> > > > > > > > >
>>> > > > > > > > > Please suggest.
>>> > > > > > > > >
>>> > > > > > > >
>>> > > > > > > > The SSH-1 protocol was removed in RHEL7.4 (openssh-7.4p1 and newer) therefore the configuration files will not contain Protocol option nor sshd -T will output it. The rules in OpenSCAP needs to be updated to reflect this
>>> > > > > > > >
>>> > > > > > > > https://access.redhat.com/articles/3022681
>>> > > > > > > >
>>> > > > > >
>>> > > > > > --
>>> > > > > > Jakub Jelen
>>> > > > > > Software Engineer
>>> > > > > > Security Technologies
>>> > > > > > Red Hat, Inc.
>>> > > > > >
>>> > > > --
>>> > > > Jakub Jelen
>>> > > > Software Engineer
>>> > > > Security Technologies
>>> > > > Red Hat, Inc.
>>> > > >
>>> >
>>> > --
>>> > Warm Regards,
>>> > Dushyant Uge
>>> > Red Hat Global Support
>>> >
>>
>> --
>> Warm Regards,
>> Dushyant Uge
>> Red Hat Global Support
>
> --
> Warm Regards,
> Dushyant Uge
> Red Hat Global Support
>
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
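The three check behaviours discussed in this thread, side by side, as an added example that is not part of the original messages and is not the SCAP Security Guide OVAL definition. The function names, sample configs and version strings are constructed for illustration, and the "no v1" variant assumes an absent Protocol line means the default of 2, as the rule description quoted in the thread states.

```python
import re

# Constructed sample sshd_config contents (not from any real system).
EXPLICIT_V2 = "# constructed sample\nProtocol 2\nPermitRootLogin no\n"
NO_DIRECTIVE = "#Protocol 2\nPermitRootLogin no\n"  # option absent, as on RHEL 7.4
V1_ENABLED = "protocol 2,1\n"

def protocol_values(config_text):
    """Versions named by the first active Protocol line, or None if absent."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        # sshd_config keywords are case-insensitive; the first value obtained wins.
        if parts[0].lower() == "protocol" and len(parts) == 2:
            return {v.strip() for v in parts[1].split(",")}
    return None

def version_tuple(openssh_version):
    """'7.4p1' -> (7, 4); only major.minor matter for this rule."""
    m = re.match(r"(\d+)\.(\d+)", openssh_version)
    if m is None:
        raise ValueError(f"unrecognised OpenSSH version: {openssh_version!r}")
    return int(m.group(1)), int(m.group(2))

def check_original(config_text):
    """Approximates the rule as described: an explicit 'Protocol 2' is required."""
    return protocol_values(config_text) == {"2"}

def check_no_v1(config_text):
    """The customer's request: pass unless protocol 1 is explicitly enabled."""
    values = protocol_values(config_text)
    return values is None or "1" not in values

def check_version_aware(config_text, openssh_version):
    """Jakub's suggestion: OpenSSH >= 7.4 always passes, older keeps the old check."""
    if version_tuple(openssh_version) >= (7, 4):
        return True
    return check_original(config_text)

if __name__ == "__main__":
    for name, cfg in [("explicit v2", EXPLICIT_V2), ("no directive", NO_DIRECTIVE),
                      ("v1 enabled", V1_ENABLED)]:
        print(name, check_original(cfg), check_no_v1(cfg),
              check_version_aware(cfg, "7.4p1"), check_version_aware(cfg, "6.6.1p1"))
```

The "no directive" row reproduces the reported false result under the original check and passes under the version-aware one when the installed OpenSSH is 7.4 or newer.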
