Description
Description of problem:
I perform a manual install of a RHEL 9.3 VM with the STIG profile with the latest upstream content. After first boot I perform a scan. The rules that are checking OpenSSH client and server ciphers and MACs are failing.
Moreover, these rules also fail with the STIG GUI profile when a Server with GUI is installed.
See the HTML report and ARF in the attachment:
stig.zip
This problem has been discovered by the Profile remediation in Anaconda downstream test.
SCAP Security Guide Version:
current upstream master branch as of 2023-05-29 as of HEAD 47955e5
Operating System Version:
RHEL 9.3
Steps to Reproduce:
- Install RHEL 9.3 virtual machine, minimal installation, from ISO, manually, using graphical anaconda installation, with the STIG profile from a ssg-rhel9-ds.xml served via HTTP server.
- after first boot, copy `ssg-rhel9-ds.xml` to the VM and run `sudo oscap xccdf eval --report stig_final.html --results-arf stig_final.xml --profile stig ./ssg-rhel9-ds.xml`
Actual Results:
these rules fail:
xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
Expected Results:
the rules pass
Additional Information/Debugging Steps:
[test@localhost ~]$ rpm -qf /etc/crypto-policies/back-ends/openssh.config
crypto-policies-20230505-1.gitf69bbc2.el9.noarch
[test@localhost ~]$ cat /etc/crypto-policies/back-ends/openssh.config
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
GSSAPIKeyExchange no
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
RequiredRSASize 2048
[test@localhost ~]$ cat /etc/crypto-policies/back-ends/opensshserver.config
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
GSSAPIKeyExchange no
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
RequiredRSASize 2048
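The four failing rules compare the `Ciphers` and `MACs` lines of the two crypto-policy back-end files against the list the profile expects. As an added diagnostic (not part of this report and not the project's own check), the script below parses a back-end file the way a reviewer would by hand and reports, per keyword, whether the list matches exactly (token for token, in order), whether it merely contains the same algorithms, and which entries are missing or extra. The input is the client back-end content pasted above; `EXPECTED_PLACEHOLDER` is a hypothetical expected value chosen only to show the exact-vs-set distinction, not the list the STIG profile actually enforces, which has to be taken from the rule's description or OVAL.

```python
"""Diagnostic for crypto-policy OpenSSH back-end files: parse Keyword/value
lines and compare Ciphers and MACs against an expected list."""
import re

# Constructed sample: the /etc/crypto-policies/back-ends/openssh.config
# content shown in the bug report (unrelated keywords trimmed).
SAMPLE_OPENSSH_CONFIG = """\
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
GSSAPIKeyExchange no
RequiredRSASize 2048
"""

# Placeholder expected lists (assumption, NOT the STIG profile's real values):
# ciphers identical to the sample, MACs same algorithms in a different order.
EXPECTED_PLACEHOLDER = {
    "ciphers": "aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr",
    "macs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256",
}


def parse_backend(text):
    """Return {keyword: value} for every 'Keyword value' line.

    Blank lines and '#' comments are ignored, keywords are lower-cased
    (sshd_config keywords are case-insensitive) and the last occurrence wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def compare_list(actual, expected):
    """Compare two comma-separated algorithm lists.

    exact    - identical tokens in identical order
    same_set - identical algorithms regardless of order
    missing  - expected algorithms absent from actual
    extra    - algorithms in actual that are not expected
    """
    a = [t for t in actual.split(",") if t]
    e = [t for t in expected.split(",") if t]
    return {
        "exact": a == e,
        "same_set": set(a) == set(e),
        "missing": sorted(set(e) - set(a)),
        "extra": sorted(set(a) - set(e)),
    }


def check_backend(text, expected):
    """Run compare_list for each keyword in `expected` against the parsed file."""
    settings = parse_backend(text)
    return {k: compare_list(settings.get(k, ""), v) for k, v in expected.items()}


if __name__ == "__main__":
    # Run against the constructed sample; on a real host read the two
    # back-end files from /etc/crypto-policies/back-ends/ instead.
    for keyword, result in check_backend(SAMPLE_OPENSSH_CONFIG, EXPECTED_PLACEHOLDER).items():
        print(keyword, result)
```

Running it on the sample shows `ciphers` as an exact match while `macs` has the same algorithm set but a different order, which is the kind of difference worth checking first when a list-comparison rule fails on content that looks right at a glance; the same functions can be pointed at `opensshserver.config` with the server rule's expected values.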