Hello, @Shawn Wells <[email protected]> you are right and I fixed our content, see https://github.com/ComplianceAsCode/content/pull/3362 for more details. Is it okay or should we stay with 0600 until DISA fixes it in their content?
Best Regards,
Matus

On Thu, Sep 20, 2018 at 8:31 PM Dushyant Uge <[email protected]> wrote:

> Thank you all for your responses.
>
> @Albrecht, Thomas C
>
> Yes, the customer said --
>
> We are using the profile DISA STIG for Red Hat Enterprise Linux 7 based
> on ssg-rhel7-ds security.xml as found on
> https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.40/scap-security-guide-0.1.40-oval-510.zip
> and tried with the default openscap scanner from the RHEL 7.5 ISO as well
> as the latest version available on the redhat site (1.2.16.8.el7_5).
>
> Warm Regards,
> Dushyant Uge
> Red Hat Global Support
>
> On Thu, Sep 20, 2018 at 8:05 AM, Shawn Wells <[email protected]> wrote:
>
>> On 9/20/18 10:52 AM, Albrecht, Thomas C wrote:
>>
>> Ok, there’s an inconsistency then. The DISA STIG says that the private
>> keys need to be 0600. Looks like they set permissions to the DISA version
>> of the rule, but are scanning the SSG version of the rule.
>>
>> Can you provide a “proof of concept” that shows the key generation
>> failing if the permissions are set to 0600 so I have something in my back
>> pocket to show our customer?
>>
>>
>> It's a known issue in the DISA content. We let them know about it a few
>> years ago now. Have been told a fix is making its way through their
>> release processes.
>>
>> _______________________________________________
>> scap-security-guide mailing list --
>> [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
