[Open-scap] oscap-ssh based remediation killing remote server

Fen Labalme fen at civicactions.com
Thu Apr 28 17:52:00 UTC 2016


Attached are my scan results. I'll be going over these today (well, more
likely tomorrow) and will let you know soonest should I find anything.

I've had difficulty generating a fix file as I'm scanning remotely using
oscap-ssh which doesn't support the "generate" argument.

Thanks for your support - OpenSCAP rocks!
=Fen


On Thu, Apr 28, 2016 at 3:36 AM, Jan Cerny <jcerny at redhat.com> wrote:

> Hi Fen,
>
> The RHEL7 STIG profile contains some rules that check configuration of
> the SSH server. For some of them there are remediation scripts provided.
> There are quite a lot of them:
> - Allow Only SSH Protocol 2
> - Set SSH Idle Timeout Interval
> - Set SSH Client Alive Count
> - Disable SSH Support for .rhosts Files
> - Disable Host-Based Authentication
> - Disable SSH Root Login
> - Disable SSH Access via Empty Passwords
> - Enable SSH Warning Banner
> - Do Not Allow SSH Environment Options
> - Use Only Approved Ciphers
> - Use Only FIPS Approved MACs
> (Hopefully I haven't forgotten any others.)
>
> Maybe you have discovered a bug in some of the remediation scripts
> for some of these rules. To identify the problem, we have to check
> the scan results and find which rules your system didn't pass.
> Then we can go through each of them, find why they didn't pass and compare
> this with the remediation scripts. It is possible that your system was in a
> configuration that the remediation scripts do not cover.
>
> Please, could you provide your scan results?
> It would greatly help us to investigate your problem.
> Have you done any customization of the profile?
>
> If you find any possible reason, please share it with us.
> Thank you
>
> Best Regards
>
> Jan Černý
> Security Technologies | Red Hat, Inc.
>
> ----- Original Message -----
> > From: "Fen Labalme" <fen at civicactions.com>
> > To: "open-scap-list" <open-scap-list at redhat.com>
> > Sent: Friday, April 22, 2016 12:14:04 AM
> > Subject: [Open-scap] oscap-ssh based remediation killing remote server
> >
> > Hi,
> >
> > I'm running oscap-ssh on CentOS 7 using oscap-user and the `sudo` option.
> > Running a scan on a remote server works great (thank you!):
> >
> >
> > oscap-ssh sudo oscap-user@192.168.56.102 22 xccdf eval --profile \
> >   xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream \
> >   --results-arf scans/results-arf.xml --results scans/results.xml \
> >   --report scans/results.html scap/ssg-centos7-ds.xml
> >
> > Then I run a remediation with the line:
> >
> >
> > oscap-ssh sudo oscap-user@192.168.56.102 22 xccdf eval --remediate --profile \
> >   xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream \
> >   --results scans/remediation-results.xml --fetch-remote-resources \
> >   scap/ssg-centos7-ds.xml
> >
> > This completely kills access to the server at 192.168.56.102 (via host or
> > dashboard).
> >
> > Am I calling remediation incorrectly? Has anyone else seen anything like
> > this? No obvious errors are reported.
> >
> > Suggestions on how to debug what step might be killing the server are
> > welcome. Note that it doesn't die until the SSH connection is closed, e.g.
> > after:
> >
> > Shared connection to 192.168.56.102 closed.
> > oscap exit code: 2
> > Copying back requested files...
> > results.xml 100% 1889KB 1.9MB/s 00:00
> > Removing remote temporary directory...
> > Disconnecting ssh and removing master ssh socket directory...
> > Exit request sent.
> >
> > The exact steps I'm using are captured in a completely self-contained
> > ansible role test setup (that uses vagrant) documented - should you want to
> > recreate my process - at
> > https://github.com/openprivacy/ansible-role-govready/blob/master/tests/README.md
> >
> > Thanks,
> > =Fen
> >
> > --
> > Fen Labalme, CISO at CivicActions.com
> > Security | Quality | DevOps
> > mobile: 412-996-4113
> > github/skype/twitter: openprivacy
> >
> > _______________________________________________
> > Open-scap-list mailing list
> > Open-scap-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/open-scap-list
>



-- 
Fen Labalme, CISO at CivicActions.com
Security | Quality | DevOps
mobile: 412-996-4113
github/skype/twitter: openprivacy
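An added example, not code from this thread or from OpenSCAP: a POSIX shell pre-flight audit of the sshd_config directives that the STIG SSH rules Jan lists touch (Protocol, ClientAliveInterval, ClientAliveCountMax, IgnoreRhosts, HostbasedAuthentication, PermitRootLogin, PermitEmptyPasswords, Banner, PermitUserEnvironment, Ciphers, MACs), meant to be run against a copy of the target's sshd_config before and after `--remediate`. It reports the value sshd will actually use for each directive (sshd_config(5): the first value read for a keyword wins, and lines inside a Match block apply only conditionally), lists keywords set more than once outside Match blocks (a remediation that appends a second Ciphers line below an existing one changes nothing), and checks whether the effective Ciphers and MACs lists still overlap with what the client running oscap-ssh supports, which is the one change on that list that cuts off an open session. The sample config and the client algorithm lists are constructed for the example; on a real system use `sshd -T` on the target for the effective configuration and `ssh -Q cipher` / `ssh -Q mac` on the scanning machine for the client lists.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSCAP.
# Pre-flight audit of the sshd_config directives touched by the RHEL7 STIG SSH
# rules, to be run before `oscap-ssh ... --remediate` changes them.
#
# sshd_config(5): for each keyword the FIRST value read is used, and settings
# inside a "Match" block apply only when the block's condition holds.  A
# remediation that appends a second "Ciphers" line under an existing one
# therefore changes nothing, while one that prepends replaces it silently.

# effective_value FILE KEYWORD
# Print the value sshd uses for KEYWORD: the first non-comment occurrence
# outside any Match block.  Keyword match is case-insensitive and both the
# "Keyword value" and "Keyword=value" spellings are accepted.
effective_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim; assigning $0 re-splits
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == kw { $1 = ""; sub(/^[ \t=]+/, ""); print; exit }
    ' "$1"
}

# shadowed_directives FILE
# List keywords that appear more than once outside Match blocks; only the
# first occurrence of each is in effect, the rest are ignored by sshd.
shadowed_directives() {
    awk '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        { seen[tolower($1)]++ }
        END { for (k in seen) if (seen[k] > 1) print k }
    ' "$1"
}

# has_common_algo SERVER_LIST CLIENT_LIST
# Succeed if the two comma-separated algorithm lists share at least one entry.
has_common_algo() {
    old_ifs=$IFS
    IFS=,
    for s in $1; do
        for c in $2; do
            if [ "$s" = "$c" ]; then IFS=$old_ifs; return 0; fi
        done
    done
    IFS=$old_ifs
    return 1
}

# audit_sshd_config FILE CLIENT_CIPHERS CLIENT_MACS
# Print the effective value of every directive the STIG SSH rules touch and
# return 1 if the Ciphers or MACs in effect share nothing with what the client
# running oscap-ssh supports (real client lists: `ssh -Q cipher`, `ssh -Q mac`).
audit_sshd_config() {
    cfg=$1; client_ciphers=$2; client_macs=$3; risk=0
    for kw in Protocol ClientAliveInterval ClientAliveCountMax IgnoreRhosts \
              HostbasedAuthentication PermitRootLogin PermitEmptyPasswords \
              Banner PermitUserEnvironment Ciphers MACs; do
        val=$(effective_value "$cfg" "$kw")
        printf '%-24s %s\n' "$kw" "${val:-(sshd default)}"
    done
    for dup in $(shadowed_directives "$cfg"); do
        echo "WARNING: '$dup' set more than once; only the first line counts" >&2
    done
    srv_ciphers=$(effective_value "$cfg" Ciphers)
    if [ -n "$srv_ciphers" ] && ! has_common_algo "$srv_ciphers" "$client_ciphers"; then
        echo "LOCKOUT RISK: Ciphers '$srv_ciphers' share nothing with the client" >&2
        risk=1
    fi
    srv_macs=$(effective_value "$cfg" MACs)
    if [ -n "$srv_macs" ] && ! has_common_algo "$srv_macs" "$client_macs"; then
        echo "LOCKOUT RISK: MACs '$srv_macs' share nothing with the client" >&2
        risk=1
    fi
    return $risk
}

# Constructed sample sshd_config (not from any real host) showing the
# first-value-wins trap: the appended "Ciphers" line is dead configuration.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample
Port 22
Protocol 2
PermitRootLogin yes
ciphers aes256-ctr,aes192-ctr,aes128-ctr
Ciphers aes256-gcm@openssh.com
MACs=hmac-sha2-512,hmac-sha2-256
ClientAliveInterval 600
ClientAliveCountMax 0
PermitUserEnvironment no
Match User backup
    PermitRootLogin no
    PasswordAuthentication no
EOF

# Constructed client capabilities: a client that only speaks the old MACs.
CLIENT_CIPHERS="aes128-ctr,aes256-gcm@openssh.com"
CLIENT_MACS="hmac-sha1,hmac-md5"

audit_sshd_config "$SAMPLE_CFG" "$CLIENT_CIPHERS" "$CLIENT_MACS" ||
    echo "Resolve the flagged directives before running --remediate over oscap-ssh"
```

Two things worth knowing when reading the transcript above alongside this: `oscap exit code: 2` is oscap's "at least one rule failed" status rather than an error, so the remediation scripts did run on the target; and although oscap-ssh has no `generate` subcommand, running `oscap xccdf generate fix --profile <profile> scap/ssg-centos7-ds.xml` locally against the datastream (with `--fix-type bash` or, on older builds, `--template`; check `oscap xccdf generate fix --help` for your version) writes out the same bash remediation script, and `--result-id` against a results file limits it to the rules that failed, so each SSH change can be read before it is applied to a host you can only reach over SSH.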