Hello,
Great! Thanks for clarification.
I have reported this issue upstream. You can track the fix there: https://github.com/OpenSCAP/scap-security-guide/issues/2296
Regards
Jan Černý Security Technologies | Red Hat, Inc.
----- Original Message -----
From: "Jakub Jelen" jjelen@redhat.com
To: "Jan Cerny" jcerny@redhat.com
Cc: "Dushyant Uge" duge@redhat.com, "tech-list" tech-list@redhat.com, "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Tuesday, September 5, 2017 1:26:01 PM
Subject: Re: Reg: Openscap scanning for SSH
On Tue, 2017-09-05 at 07:22 -0400, Jan Cerny wrote:
Hi,
Thank you very much for letting us know.
I have looked into this issue. The rule "Allow Only SSH Protocol 2" checks if /etc/sshd_config contains the string "Protocol 2". See the implementation of this check: https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/templates/static/oval/sshd_allow_only_protocol2.xml
Jakub, do I understand it well, that since RHEL 7.4 this configuration option doesn't exist anymore? Will the system always satisfy the requirement that only SSHv2 is allowed? What way do you recommend to check that this requirement is satisfied?
I think if SSH v2 is the only option on RHEL 7.4, we should remove this rule from SCAP Security Guide for RHEL7 completely.
I would not remove it. Some people might be running the old openssh from RHEL7.3. I would say that every OpenSSH RPM package >=7.4 will satisfy this rule. If we have an older version, I would leave the check as it was. Though not sure how to write it in your language :)
Jakub
Dushyant, FYI, rules for OpenSCAP come from the "SCAP Security Guide" project, https://github.com/OpenSCAP/scap-security-guide which has a special mailing list: https://lists.fedorahosted.org/admin/lists/scap-security-guide.lists.fedorahosted.org/ If you run into a similar problem in the future, you can ask there directly :D I'm including the mailing list in this thread so that experts can chime in.
Regards
Jan Černý Security Technologies | Red Hat, Inc.
----- Original Message -----
From: "Jakub Jelen" jjelen@redhat.com
To: "Dushyant Uge" duge@redhat.com
Cc: "tech-list" tech-list@redhat.com, jcerny@redhat.com
Sent: Tuesday, September 5, 2017 10:29:19 AM
Subject: Re: Reg: Openscap scanning for SSH
On Tue, 2017-09-05 at 08:07 +0530, Dushyant Uge wrote:
Hello Jakub Jelen,
Thank you for your response.
> The rules in OpenSCAP need to be updated to reflect this
So, are we in the process of updating the OpenSCAP scanning rules, or do we need to file a Bugzilla?
I am not sure if the OpenSCAP team or SSG is aware of this issue. I added Jan, who should know better.
On Mon, Sep 4, 2017 at 5:08 PM, Jakub Jelen jjelen@redhat.com wrote:
On Mon, 2017-09-04 at 11:02 +0530, Dushyant Uge wrote:
Hello,
While scanning a RHEL7 system with OpenSCAP, below are the results for SSH protocol 2:
oval:ssg-sshd_allow_only_protocol2:def:1 false compliance [20140414], [sshd_allow_only_protocol2] Ensure Only Protocol 2 Connections Allowed
The customer has the concern below:
The description in the openscap-workbench: Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears: Protocol 2
Since this is the default, the check should NOT be for "2", but should make sure that "1" is NOT present.
Is this a valid implementation request?
Please suggest.
The SSH-1 protocol was removed in RHEL7.4 (openssh-7.4p1 and newer); therefore the configuration files will not contain the Protocol option, nor will sshd -T output it. The rules in OpenSCAP need to be updated to reflect this.
-- Jakub Jelen Software Engineer Security Technologies Red Hat, Inc.
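As an added example, not part of this thread and not SSG's own OVAL content, the following POSIX shell script expresses the check logic Jakub proposes above: pass outright when the installed OpenSSH is 7.4 or newer (SSH-1 support is gone, so the Protocol directive no longer exists), otherwise keep the original requirement that the first active line in sshd_config is exactly "Protocol 2". The function names and the sample configuration files are assumptions constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not SSG's own OVAL check): version-gated "allow only SSH protocol 2" check.
# Function names are hypothetical; sample configs are constructed below for demonstration.

# openssh_is_74_or_newer VERSION -> exit 0 if VERSION (e.g. "7.4p1", "6.6.1p1") is >= 7.4
openssh_is_74_or_newer() {
    major="${1%%.*}"
    rest="${1#*.}"
    minor="${rest%%[!0-9]*}"      # "4p1" -> "4", "6.1p1" -> "6"
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 4 ]; }
}

# effective_protocol CONFIG -> prints the value sshd would use for the Protocol keyword.
# sshd_config takes the FIRST active occurrence of a keyword; commented lines are ignored.
effective_protocol() {
    grep -iE '^[[:space:]]*Protocol[[:space:]]+' "$1" 2>/dev/null \
        | head -n 1 | awk '{print $2}'
}

# check_allow_only_protocol2 VERSION CONFIG -> exit 0 = compliant, 1 = not compliant
check_allow_only_protocol2() {
    # OpenSSH >= 7.4 (RHEL 7.4) dropped SSH-1 entirely: the Protocol option is absent
    # from the config and from `sshd -T`, so the rule is satisfied whatever the file says.
    if openssh_is_74_or_newer "$1"; then
        return 0
    fi
    # Older OpenSSH (e.g. RHEL 7.3): keep the original check, the file must set "Protocol 2".
    [ "$(effective_protocol "$2")" = "2" ]
}

# demo_config VALUE -> writes a constructed sample sshd_config and prints its path;
# VALUE is the Protocol setting, or "none" to leave the directive out.
demo_config() {
    f=$(mktemp)
    {
        printf '# constructed sample sshd_config\nPort 22\n'
        if [ "$1" != "none" ]; then printf 'Protocol %s\n' "$1"; fi
        printf '#Protocol 2,1\n'     # commented out: must not be counted
    } > "$f"
    echo "$f"
}

# Run the four scenarios from the thread: new openssh without the option, and
# old openssh with "2", with "2,1", and with the directive missing.
for scenario in "7.4p1 none" "6.6.1p1 2" "6.6.1p1 2,1" "6.6.1p1 none"; do
    set -- $scenario
    cfg=$(demo_config "$2")
    if check_allow_only_protocol2 "$1" "$cfg"; then r=pass; else r=fail; fi
    echo "openssh-$1, Protocol=$2: $r"
    rm -f "$cfg"
done
```

The customer's alternative reading (fail only when "1" appears in the effective value) is a one-line change to the final test in check_allow_only_protocol2; the script keeps the stricter original behaviour because that is what Jakub suggests retaining for pre-7.4 packages.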
Hello Team,
I can see the status of the issue below is "Closed":
https://github.com/OpenSCAP/scap-security-guide/issues/2296
What shall we update the customer with now?
On Tue, Sep 5, 2017 at 5:14 PM, Jan Cerny jcerny@redhat.com wrote:
scap-security-guide@lists.fedorahosted.org