sshd_use_approved_ciphers fails for all CIS profiles in all test cases

[mildas]

Description of problem:

sshd_use_approved_ciphers fails to remediate (error during remediation) resulting to fail during final test scan.

The problem is in CIS Server L1, CIS Server L2, CIS Workstation L1, and CIS Workstation L2.

Fails for Anaconda installation, Ansible playbook, host-os remediation, Image builder, and also oscap remediation of a VM.

SCAP Security Guide Version:

latest master

Operating System Version:

RHEL 9

Steps to Reproduce:

1. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --progress --report /var/tmp/contest-hardening-host-os-oscap-cis/remediation.html --remediate /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Actual Results:

sshd_use_approved_ciphers fails

Expected Results:

sshd_use_approved_ciphers pass

Additional Information/Debugging Steps:

The problem is RHEL9 only
I suspect #12067
However, HTML report says that ciphers setting is true (copied from HTML report):

tests the value of Ciphers setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_use_approved_ciphers:tst:1  true

Following items have been found on the system:

Result of item-state comparison | Var ref | Value | Value | Value | Value | Value -- | -- | -- | -- | -- | -- | -- true | oval:ssg-var_sshd_config_ciphers:var:1 | -3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | rijndael-cbc@lysator.liu.se

[mildas]

Also caught by Automatus:

• fail: sshd_use_approved_ciphers/correct_reduced_list.pass
• fail: sshd_use_approved_ciphers/correct_scrambled.pass
• fail: sshd_use_approved_ciphers/correct_value.pass
• fail: sshd_use_approved_ciphers/correct_value_full.pass
• fail: sshd_use_approved_ciphers/correct_variable.pass

[jan-cerny]

With the new productization model, these items also started to appear for a "Per Rule" test /per-rule/13/oscap/sshd_use_approved_ciphers/ which runs Automatus test.

[Mab879]

Part of of the pain is that rule requires the OS be to FIPS certified.

However, there still is something wrong with the Ansible remediation when that extend_definition is removed from the rule.

[Mab879]

fatal: [192.168.124.214]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backrefs": false,
            "backup": false,
            "create": true,
            "firstmatch": false,
            "group": null,
            "insertafter": null,
            "insertbefore": "BOF",
            "line": "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se",
            "mode": null,
            "owner": null,
            "path": "/etc/ssh/sshd_config",
            "regexp": "(?i)^\\s*Ciphers\\s+",
            "search_string": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "state": "present",
            "unsafe_writes": false,
            "validate": "/usr/sbin/sshd -t -f %s"
        }
    },
    "msg": "failed to validate: rc:255 error:/root/.ansible/tmp/ansible-tmp-1720564661.0396807-2932742-161335065381119/tmpr9wabewl line 1: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se'.\r\n"
}

I can reproduce locally with Ansible the error is above.

[Mab879]

Removed blocker since #12150 has been merged.

[mildas]

As sshd_use_approved_ciphers got removed from profiles, I don't consider this issue relevant for now. The rule needs rework until that adding blocked label.

[ggbecker]

Part of the issue is to decide if we remove the installed of is fips certified criterium or not.

[mildas]

Okay, so I consider this issue as something we want to have fixed in 0.1.74 release and we should focus on now.

[Mab879]

The profiles group says remove FIPS external check and warning section about FIPS.

Profiles that need FIPS certifications should add rules requiring it.