I’d leave it, since something seems to revert the permissions later back to 0640. (Probably a package update, but I haven’t researched it yet.)
Tom A.
Sent from my iPhone

On Sep 25, 2018, at 2:24 PM, Matus Marhefka <[email protected]> wrote:

Hello,

@Shawn Wells you are right and I fixed our content, see https://github.com/ComplianceAsCode/content/pull/3362 for more details. Is it okay or should we stay with 0600 until DISA fixes it in their content?

Best Regards,
Matus

On Thu, Sep 20, 2018 at 8:31 PM Dushyant Uge <[email protected]> wrote:

Thank you all for your responses.

@Albrecht, Thomas C Yes, the customer said -- We are using the profile DISA STIG for Red Hat Enterprise Linux 7 based on ssg-rhel7-ds security.xml as found on https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.40/scap-security-guide-0.1.40-oval-510.zip and tried with the default openscap scanner from the RHEL 7.5 ISO as well as the latest version available on the redhat site (1.2.16.8.el7_5).

Warm Regards,
Dushyant Uge
Red Hat Global Support

On Thu, Sep 20, 2018 at 8:05 AM, Shawn Wells <[email protected]> wrote:

On 9/20/18 10:52 AM, Albrecht, Thomas C wrote:

Ok, there’s an inconsistency then. The DISA STIG says that the private keys need to be 0600. Looks like they set permissions to the DISA version of the rule, but are scanning the SSG version of the rule. Can you provide a “proof of concept” that shows the key generation failing if the permissions are set to 0600 so I have something in my back pocket to show our customer?

It's a known issue in the DISA content. We let them know about it a few years ago now. Have been told a fix is making its way through their release processes.
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
