Ok, there’s an inconsistency then. The DISA STIG says that the private keys
need to be 0600. Looks like they set permissions to the DISA version of the
rule, but are scanning the SSG version of the rule.

Can you provide a “proof of concept” that shows the key generation failing if
the permissions are set to 0600 so I have something in my back pocket to show
our customer?

Tom A.

From: Gabe Alford <[email protected]>
Sent: Thursday, September 20, 2018 10:44 AM
To: SCAP Security Guide <[email protected]>
Subject: EXTERNAL: Re: False positive message for sshd key file permission

The scan fails because permissions should be 0640 for the private key. If they
are not set to 0640, this prevents sshd from generating keys.

On Thu, Sep 20, 2018 at 8:40 AM, Dushyant Uge <[email protected]> wrote:

   Hello Team,

   One of our customers raised a concern that --

   The rules going wrong are:
   xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
   xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key

   On the customer's system, the correct permissions seen are --

   Red Hat Enterprise Linux Server release 7.5 (Maipo)
   openssh-server-7.4p1-16.el7.x86_64
   openscap-1.2.16-6.el7.x86_64

   - 640 for public key files (*.pub)
   - 600 for private key files (*_key)

   Output of ls -l /etc/ssh
   -rw-r--r--. 1 root root     581843 Nov 24  2017 moduli
   -rw-r--r--. 1 root root       2276 Nov 24  2017 ssh_config
   -rw-------. 1 root root       4026 Sep  4 14:20 sshd_config
   -rw-------. 1 root ssh_keys    241 Sep  4 14:20 ssh_host_ecdsa_key
   -rw-r--r--. 1 root root        162 Sep  4 14:20 ssh_host_ecdsa_key.pub
   -rw-------. 1 root ssh_keys   1704 Sep  4 14:20 ssh_host_rsa_key
   -rw-r--r--. 1 root root        382 Sep  4 14:20 ssh_host_rsa_key.pub
   -rw-r--r--. 1 root root       2548 Sep  4 14:20 ssh_known_hosts

   Please find attached screenshot and suggest.

   Warm Regards,

   Dushyant Uge
   Red Hat Global Support

   _______________________________________________
   scap-security-guide mailing list -- [email protected]
   To unsubscribe send an email to [email protected]
   Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
   List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
   List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
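Added example, not code from the thread or from the SSG project: a small Python audit that parses an `ls -l /etc/ssh` listing like the one quoted above and reports, for each host-key file, whether its mode stays within the 0600 private-key bound Tom quotes from the DISA STIG and within the 0640 bound Gabe names for the SSG rule. The input is the listing from the thread plus one constructed ed25519 private-key line at 0640, added so the output shows a file that passes one bound and fails the other. The 0644 bound for *.pub files, the "no permission bit beyond the bound" comparison, and that ed25519 line are assumptions made for this example; it does not reproduce the scanner's actual OVAL test, so it shows where the two expectations diverge rather than what openscap itself would report.

```python
"""Compare host-key permissions from an `ls -l /etc/ssh` listing against two bounds."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample input: the listing quoted in the thread, plus one
# hypothetical ed25519 private key at 0640 (not from the thread) so that the
# output shows a file that passes the 0640 bound but fails the 0600 bound.
SAMPLE_LS_OUTPUT = """\
-rw-r--r--. 1 root root     581843 Nov 24  2017 moduli
-rw-r--r--. 1 root root       2276 Nov 24  2017 ssh_config
-rw-------. 1 root root       4026 Sep  4 14:20 sshd_config
-rw-------. 1 root ssh_keys    241 Sep  4 14:20 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 Sep  4 14:20 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys   1704 Sep  4 14:20 ssh_host_ed25519_key
-rw-------. 1 root ssh_keys   1704 Sep  4 14:20 ssh_host_rsa_key
-rw-r--r--. 1 root root        382 Sep  4 14:20 ssh_host_rsa_key.pub
-rw-r--r--. 1 root root       2548 Sep  4 14:20 ssh_known_hosts
"""

# Most-permissive mode allowed per baseline. The private-key values are the
# two figures quoted in the thread (0600 for the DISA STIG, 0640 for the SSG
# rule as scanned). The 0644 bound for *.pub files is an assumption made for
# this example, not a value taken from the thread or from the SSG content.
BASELINES: Dict[str, Dict[str, int]] = {
    "disa_stig": {"private": 0o600, "public": 0o644},
    "ssg_rule": {"private": 0o640, "public": 0o644},
}

# One `ls -l` line: mode (plus optional SELinux '.' or ACL '+' marker),
# link count, owner, group, size, three date tokens, file name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<name>\S+)$"
)


class KeyFile(NamedTuple):
    name: str
    owner: str
    group: str
    mode: int
    kind: str  # "private" or "public"


def mode_from_symbolic(sym: str) -> int:
    """Turn the 10-character symbolic mode that ls prints into a numeric mode."""
    mode = 0
    for i, ch in enumerate(sym[1:10]):
        bit = 1 << (8 - i)
        if ch in "rwx":
            mode |= bit
        elif ch in "sS":  # setuid in slot 2, setgid in slot 5
            mode |= 0o4000 if i == 2 else 0o2000
            if ch == "s":  # lowercase means the execute bit is set as well
                mode |= bit
        elif ch in "tT":  # sticky bit in the other-execute slot
            mode |= 0o1000
            if ch == "t":
                mode |= bit
    return mode


def parse_listing(text: str) -> List[KeyFile]:
    """Keep only host-key files; moduli, the configs and known_hosts are skipped."""
    files: List[KeyFile] = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        if name.endswith(".pub"):
            kind = "public"
        elif name.endswith("_key"):
            kind = "private"
        else:
            continue
        files.append(KeyFile(name, m.group("owner"), m.group("group"),
                             mode_from_symbolic(m.group("mode")), kind))
    return files


def within_bound(mode: int, bound: int) -> bool:
    """True when the mode sets no permission bit that the bound does not allow."""
    return (mode & ~bound) == 0


def audit(text: str) -> Dict[str, Dict[str, bool]]:
    """Map each key file name to {baseline: passes}."""
    return {
        f.name: {b: within_bound(f.mode, limits[f.kind]) for b, limits in BASELINES.items()}
        for f in parse_listing(text)
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LS_OUTPUT)
    for f in parse_listing(SAMPLE_LS_OUTPUT):
        flags = ", ".join(f"{b}={'pass' if ok else 'FAIL'}" for b, ok in report[f.name].items())
        print(f"{f.name:28} {f.mode:04o} {f.owner}:{f.group:9} {flags}")
```

Run against a real host with `ls -l /etc/ssh | python3 audit.py` after swapping the sample for `sys.stdin.read()`; on the listing from the thread every quoted private key is 0600 and passes both bounds, while the constructed 0640 ed25519 key passes only the 0640 bound, which is the gap the two messages above are arguing over.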