False Positive finding with `configure_openssl_tls_crypto_policy` on UBI 9 container #13439

awilmo8 · 2025-05-07T18:06:49Z

The check xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy in STIG mode presents a false positive finding if ran on a minimized redhat UBI container that does not have the sudo utility.
The STIG check runs sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config and expects back the TLS and DTLS protocol versions. If ran on a redhat system without sudo , the command returns bash: sudo: command not found which is returned as a False Positive.
This can be demonstrated by running the RHEL-9 STIG profile on the Gitlab CNG Base FIPS image

Package: ssg-base
Version: 0.1.71-1
Priority: optional
Section: universe/admin
Source: scap-security-guide
Origin: Ubuntu

Package: ssg-nondebian
Version: 0.1.71-1
Priority: optional
Section: universe/admin
Source: scap-security-guide

RHEL 9.5 / UBI 9.5

Setup OpenSCAP, OpenSCAP-Podman, SSG - relevant bootstrap script
Pull the Gitlab CNG Fips container podman pull registry.gitlab.com/gitlab-org/build/cng/gitlab-base:master-fips
Run the check - oscap-podman $image xccdf eval --report /tmp/cng-base-stig.html --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml
Review the result HTML for "Configure OpenSSL library to use TLS Encryption" and see that it fails
run the container, exec into it and run the check manually, both with and without sudo -

fail

pass

The text was updated successfully, but these errors were encountered:

Mab879 · 2025-05-15T13:11:21Z

That SSG version is rather old, December 2023. Can you please try using the latest release.

Mab879 added the triaged label May 15, 2025

Provide feedback