One of the RHEL7 bugzillas [1] shows an interesting discrepancy between our
content and STIG:
* We feature [2] a rule "Use Only FIPS 140-2 Validated Ciphers"
* STIG has its own [3] "A FIPS 140-2 approved cryptographic algorithm
must be used for SSH communications."
There is a discrepancy between the two - while we claim that the
following ciphers are FIPS 140-2 certified on Red Hat Enterprise Linux
7, only three of them are recognized as such by the STIG:
* aes128-ctr(STIG)
* aes192-ctr(STIG)
* aes256-ctr(STIG)
* aes128-cbc
* aes192-cbc
* aes256-cbc
* 3des-cbc
* [email protected]
I have confirmed the correctness of our description with our FIPS SME Tomas
Mraz (in CC), so this issue looks like a bug in STIG - either the
requirement is too strict, so it is incorrect, or it is supposed to be
strict, and it should therefore be reworded, and we need to create a new
rule in our content.
What is the procedure in cases like this?
References:
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1781244
[2]: https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-stig.html#xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
[3]: https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72221
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
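The check the two lists above imply, as an added example that is not part of the message and is not SSG, STIG or OpenSSH code: a small Python script that reads an sshd_config, finds the effective Ciphers directive the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, lines starting with '#' are comments, keyword and argument may be separated by whitespace or a single '='), and reports which configured ciphers fall outside the three the STIG accepts and which fall outside the SSG list as well. The sshd_config fragments are constructed for the example; the last entry of the SSG list is mangled in the archive and is left out rather than guessed.

```python
"""Compare an sshd_config Ciphers directive against the STIG V-72221
cipher list and the broader SSG FIPS 140-2 list quoted in the message.
Added example; not code from SSG, STIG or OpenSSH."""

import re
from dataclasses import dataclass
from typing import List, Optional

# The three ciphers the RHEL 7 STIG finding V-72221 accepts.
STIG_CIPHERS = frozenset({"aes128-ctr", "aes192-ctr", "aes256-ctr"})

# The SSG rule's FIPS 140-2 list for RHEL 7, as quoted in the message.  Its
# last entry is mangled in the archive, so it is omitted rather than guessed.
SSG_CIPHERS = STIG_CIPHERS | frozenset(
    {"aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"}
)


@dataclass
class CipherCheck:
    configured: List[str]   # ciphers named by the effective Ciphers line
    not_stig: List[str]     # configured but not accepted by STIG V-72221
    not_ssg: List[str]      # configured but on neither list
    modifier: str = ""      # '+' or '-' when the line is relative to defaults

    def stig_compliant(self) -> bool:
        # A relative list ('+'/'-') cannot be judged without the compiled-in
        # defaults, so it is reported as not verifiable rather than compliant.
        return not self.modifier and bool(self.configured) and not self.not_stig


def find_ciphers_directive(sshd_config: str) -> Optional[str]:
    """Return the argument of the effective Ciphers line, or None.

    Mirrors the sshd parsing rules that matter here: keywords are
    case-insensitive, the first occurrence of a keyword wins, lines
    starting with '#' are comments, and keyword and argument may be
    separated by whitespace or by a single '='.
    """
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^ciphers(?:\s*=\s*|\s+)(\S+)$", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def check_ciphers(sshd_config: str) -> Optional[CipherCheck]:
    """Evaluate the Ciphers directive; None means sshd's defaults apply."""
    value = find_ciphers_directive(sshd_config)
    if value is None:
        return None
    modifier = ""
    if value[0] in "+-":
        modifier, value = value[0], value[1:]
    configured = [c.strip().lower() for c in value.split(",") if c.strip()]
    return CipherCheck(
        configured=configured,
        not_stig=[c for c in configured if c not in STIG_CIPHERS],
        not_ssg=[c for c in configured if c not in SSG_CIPHERS],
        modifier=modifier,
    )


def report(name: str, result: Optional[CipherCheck]) -> str:
    """One-line human-readable verdict for a checked configuration."""
    if result is None:
        return f"{name}: no Ciphers directive; OpenSSH defaults apply (see 'sshd -T')"
    if result.modifier:
        return (f"{name}: Ciphers is relative ('{result.modifier}') to the compiled-in "
                f"defaults; resolve the effective list with 'sshd -T' before judging")
    if result.stig_compliant():
        return f"{name}: STIG V-72221 compliant: {','.join(result.configured)}"
    verdict = f"{name}: not STIG compliant, outside V-72221: {','.join(result.not_stig)}"
    if result.not_ssg:
        verdict += f"; outside the SSG FIPS list too: {','.join(result.not_ssg)}"
    return verdict


# Constructed sshd_config fragments (not taken from any real host).
SAMPLE_SSG_LIST = """\
#Ciphers aes128-gcm@openssh.com     <- full-line comment, must be ignored
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
Ciphers aes256-ctr
"""
SAMPLE_STIG_LIST = "Protocol 2\nCIPHERS = aes128-ctr,aes192-ctr,aes256-ctr\n"
SAMPLE_WEAK = "Ciphers arcfour,aes128-cbc\n"
SAMPLE_NO_DIRECTIVE = "Protocol 2\nPermitRootLogin no\n"
SAMPLE_APPEND = "Ciphers +aes256-cbc\n"

if __name__ == "__main__":
    for name, cfg in [("ssg-list", SAMPLE_SSG_LIST), ("stig-list", SAMPLE_STIG_LIST),
                      ("weak", SAMPLE_WEAK), ("defaults", SAMPLE_NO_DIRECTIVE),
                      ("append", SAMPLE_APPEND)]:
        print(report(name, check_ciphers(cfg)))
```

Run against a real host with `python3 check_ciphers.py` after pointing it at `/etc/ssh/sshd_config`, or better, feed it the output of `sshd -T`, which already resolves the compiled-in defaults and any '+'/'-' modifiers into a plain `ciphers` line.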