Hi Fen,

The RHEL7 STIG profile contains some rules that check the configuration of
the SSH server. For some of them there are remediation scripts provided.
There are quite a lot of them:
- Allow Only SSH Protocol 2
- Set SSH Idle Timeout Interval
- Set SSH Client Alive Count
- Disable SSH Support for .rhosts Files
- Disable Host-Based Authentication
- Disable SSH Root Login
- Disable SSH Access via Empty Passwords
- Enable SSH Warning Banner
- Do Not Allow SSH Environment Options
- Use Only Approved Ciphers
- Use Only FIPS Approved MACs
(Hopefully I haven't forgotten any other.)

Maybe you have discovered a bug in some of the remediation scripts
for some of these rules. To identify the problem, we have to check
the scan results and find which rules your system didn't pass.
Then we can go through each of them, find why they didn't pass and compare this
with the remediation scripts. It is possible that your system was in a
configuration that the remediation scripts do not cover.

Please, could you provide your scan results?
It would greatly help us to investigate your problem.
Have you done any customization of the profile?

If you find any possible reason, please share it with us.
Thank you

Best Regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Fen Labalme" <f...@civicactions.com>
> To: "open-scap-list" <open-scap-list@redhat.com>
> Sent: Friday, April 22, 2016 12:14:04 AM
> Subject: [Open-scap] oscap-ssh based remediation killing remote server
> 
> Hi,
> 
> I'm running oscap-ssh on CentOS 7 using oscap-user and the `sudo` option.
> Running a scan on a remote server works great (thank you!):
> 
> oscap-ssh sudo oscap-user@192.168.56.102 22 xccdf eval --profile
> xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream
> --results-arf scans/results-arf.xml --results scans/results.xml --report
> scans/results.html scap/ssg-centos7-ds.xml
> 
> Then I run a remediation with the line:
> 
> oscap-ssh sudo oscap-user@192.168.56.102 22 xccdf eval --remediate --profile
> xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream --results
> scans/remediation-results.xml --fetch-remote-resources
> scap/ssg-centos7-ds.xml
> 
> This completely kills access to the server at 192.168.56.102 (via host or
> dashboard).
> 
> Am I calling remediation incorrectly? Has anyone else seen anything like
> this? No obvious errors are reported.
> 
> Suggestions on how to debug what step might be killing the server are
> welcome. Note that it doesn't die until the SSH connection is closed, e.g.
> after:
> 
> Shared connection to 192.168.56.102 closed.
> oscap exit code: 2
> Copying back requested files...
> results.xml 100% 1889KB 1.9MB/s 00:00
> Removing remote temporary directory...
> Disconnecting ssh and removing master ssh socket directory...
> Exit request sent.
> 
> The exact steps I'm using are captured in a completely self-contained ansible
> role test setup (that uses vagrant) documented - should you want to recreate
> my process - at
> https://github.com/openprivacy/ansible-role-govready/blob/master/tests/README.md
> 
> Thanks,
> =Fen
> 
> --
> Fen Labalme, CISO at CivicActions.com
> Security | Quality | DevOps
> mobile: 412-996-4113
> github/skype/twitter: openprivacy
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
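The triage Jan describes (find which of the SSH rules the host fails, then compare against what the remediation would change) can be done offline with a small checker. The script below is an added example, not code from this thread, from OpenSCAP or from the SSG content: it reads an sshd_config, resolves the effective value of each keyword the way sshd does (first match wins, comments ignored) and prints the title of every listed rule that would fail. Two assumptions are built in: an unset keyword is treated as a failure rather than trusting sshd's default, and the APPROVED_CIPHERS / APPROVED_MACS lists are illustrative, not the exact sets the SSG OVAL checks compare against. The sample sshd_config it writes is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSCAP or SSG): check an sshd_config
# against the STIG SSH rules listed in the reply above and print failing rules.
# Assumptions: unset keyword == fail; approved algorithm lists are illustrative.

APPROVED_CIPHERS="aes128-ctr aes192-ctr aes256-ctr"
APPROVED_MACS="hmac-sha2-256 hmac-sha2-512"

# Print the effective value of keyword $2 in config file $1 (empty if unset).
# Keyword match is case-insensitive; comment and blank lines are skipped;
# the first match wins, as in sshd.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }' "$1"
}

# Succeed if every comma-separated item in $1 is in the space-separated list $2.
list_subset() {
    old_ifs=$IFS
    IFS=','
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Print rule title $2 unless keyword $3 in config $1 equals $4 (case-insensitive).
sshd_expect() {
    v=$(sshd_get "$1" "$3" | tr '[:upper:]' '[:lower:]')
    [ "$v" = "$4" ] || echo "$2"
}

# Print one line per failing rule for config file $1.
sshd_stig_failures() {
    cfg=$1
    sshd_expect "$cfg" "Allow Only SSH Protocol 2"              Protocol 2
    sshd_expect "$cfg" "Set SSH Client Alive Count"             ClientAliveCountMax 0
    sshd_expect "$cfg" "Disable SSH Support for .rhosts Files"  IgnoreRhosts yes
    sshd_expect "$cfg" "Disable Host-Based Authentication"      HostbasedAuthentication no
    sshd_expect "$cfg" "Disable SSH Root Login"                 PermitRootLogin no
    sshd_expect "$cfg" "Disable SSH Access via Empty Passwords" PermitEmptyPasswords no
    sshd_expect "$cfg" "Do Not Allow SSH Environment Options"   PermitUserEnvironment no

    # Idle timeout: must be set, positive and at most 600 seconds.
    v=$(sshd_get "$cfg" ClientAliveInterval)
    case "$v" in
        ''|*[!0-9]*) echo "Set SSH Idle Timeout Interval" ;;
        *) [ "$v" -gt 0 ] && [ "$v" -le 600 ] || echo "Set SSH Idle Timeout Interval" ;;
    esac

    # Banner: any value other than unset or "none" counts as enabled.
    v=$(sshd_get "$cfg" Banner)
    case "$v" in ''|none) echo "Enable SSH Warning Banner" ;; esac

    # Ciphers and MACs: must be set and contain only approved algorithms.
    v=$(sshd_get "$cfg" Ciphers)
    if [ -z "$v" ] || ! list_subset "$v" "$APPROVED_CIPHERS"; then
        echo "Use Only Approved Ciphers"
    fi
    v=$(sshd_get "$cfg" MACs)
    if [ -z "$v" ] || ! list_subset "$v" "$APPROVED_MACS"; then
        echo "Use Only FIPS Approved MACs"
    fi
    return 0
}

# Number of failing rules for config file $1.
sshd_stig_failure_count() {
    sshd_stig_failures "$1" | wc -l | tr -d ' '
}

# Constructed sample: all listed settings applied except PermitRootLogin,
# which is left commented out so sshd's default would apply.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Protocol 2
#PermitRootLogin yes
ClientAliveInterval 600
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
Banner /etc/issue
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
EOF
}

# Stand-alone run: report against the constructed sample.
sample=$(mktemp)
write_sample_config "$sample"
echo "Failing rules in sample config:"
sshd_stig_failures "$sample"
rm -f "$sample"
```

Run `sshd_stig_failures /etc/ssh/sshd_config` on the target before remediating to see which of these rules the remediation scripts will touch; after remediation, `sshd -t` validates the resulting file before the daemon is restarted, and keeping the existing SSH session open while testing a fresh login from a second terminal avoids losing access if a restart fails.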
