Rule: sshd_include_crypto_policy, drop remediations, improve OVAL #13028 #13037

Conversation

@evgenyz (Member) commented Feb 12, 2025

Description:

  • We are dropping all remediations for now, as the recommended one is questionable.
  • OVAL now recognizes the Include directive in any drop-in file, in a way that is case-insensitive and tolerant of different separators.
  • Dropping the 'not osbuild' platform as well.

Rationale:

  • The current remediation causes a lot of trouble and is most likely not efficient: Fix ssh include cryptopolicy #12931.
  • We should not force the location of the Include directive in the check; any drop-in file is OK.
  • The platform is not needed if the rule does not try to remediate the system in a barbaric way.

Origin: #13028

We are dropping all remediations for now, as the recommended one
is questionable.

OVAL now recognizes the Include directive in any drop-in file,
in a way that is case-insensitive and tolerant of different separators.

Dropping the 'not osbuild' platform as well.
@evgenyz added the labels backported-into-stabilization (PRs which were cherry-picked during stabilization process), RHEL9 (Red Hat Enterprise Linux 9 product related) and STIG (STIG Benchmark related) on Feb 12, 2025
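The description above says the reworked OVAL check accepts the Include directive in any drop-in file, matches the keyword case-insensitively and tolerates different separators. The following is an added example that is not code from this PR or from the ComplianceAsCode project: a small Python check that does the same thing over a constructed stand-in for /etc/ssh. It goes one step beyond the page: it walks sshd's own Include chain from /etc/ssh/sshd_config instead of scanning the drop-in directory blindly, and it also reports crypto keywords that sshd reads before the policy Include, because sshd keeps the first value it obtains for a keyword, so such lines silently override the policy file. The CRYPTO_KEYWORDS set, the sample file contents and the helper names are assumptions made for the example.

```python
"""Check that sshd picks up the system crypto policy.

Added example, not ComplianceAsCode code. Mirrors the reworked OVAL check
described in the PR (Include in any drop-in, case-insensitive keyword,
whitespace or '=' separator) and additionally follows sshd's Include chain
and flags crypto keywords that sshd would honour before the policy file.
"""
import fnmatch
import re

CRYPTO_POLICY = "/etc/crypto-policies/back-ends/opensshserver.config"
MAIN_CONFIG = "/etc/ssh/sshd_config"
# Keywords the crypto-policy back-end is assumed to set (assumption for the example).
CRYPTO_KEYWORDS = {"ciphers", "macs", "kexalgorithms", "hostkeyalgorithms",
                   "pubkeyacceptedalgorithms"}
# keyword, then '=' or whitespace (optionally padded), then the rest of the line
DIRECTIVE_RE = re.compile(r"^\s*(?P<key>[A-Za-z]+)\s*(?:=|\s)\s*(?P<val>.*?)\s*$")


def parse_directives(text):
    """Yield (keyword lower-cased, value) for every non-comment, non-empty line."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            yield m.group("key").lower(), m.group("val")


def effective_directives(files, path=MAIN_CONFIG, seen=None):
    """Yield (file, keyword, value) in the order sshd would process them.

    `files` maps absolute paths to contents: a constructed stand-in for reading
    /etc/ssh. Include arguments are globs; relative ones are taken under /etc/ssh.
    """
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return
    seen.add(path)
    for key, val in parse_directives(files[path]):
        yield path, key, val
        if key == "include":
            for pattern in val.split():
                if not pattern.startswith("/"):
                    pattern = "/etc/ssh/" + pattern
                for target in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    yield from effective_directives(files, target, seen)


def includes_crypto_policy(files):
    """True when some reachable config file includes the crypto-policy back-end."""
    return any(key == "include" and CRYPTO_POLICY in val.split()
               for _, key, val in effective_directives(files))


def overridden_before_include(files):
    """Crypto keywords sshd reads before the policy Include (all of them when the
    Include is missing). Their explicit values win over the policy file."""
    found = []
    for _, key, val in effective_directives(files):
        if key == "include" and CRYPTO_POLICY in val.split():
            break
        if key in CRYPTO_KEYWORDS and key not in found:
            found.append(key)
    return found


# Constructed samples. RHEL-style layout: main file pulls in the drop-in directory,
# the drop-in carries the Include with odd casing and an '=' separator.
SAMPLE_OK = {
    MAIN_CONFIG: "Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin no\n",
    "/etc/ssh/sshd_config.d/50-redhat.conf":
        "INCLUDE=/etc/crypto-policies/back-ends/opensshserver.config\n",
}
# Same layout, but an admin pinned Ciphers in the main file ahead of the drop-ins.
SAMPLE_PINNED = {
    MAIN_CONFIG: "Ciphers aes256-gcm@openssh.com\nInclude sshd_config.d/*.conf\n",
    "/etc/ssh/sshd_config.d/50-redhat.conf":
        "Include\t/etc/crypto-policies/back-ends/opensshserver.config\n",
}
# The Include survives only as a comment: must be reported as missing.
SAMPLE_MISSING = {
    MAIN_CONFIG: "Include /etc/ssh/sshd_config.d/*.conf\n",
    "/etc/ssh/sshd_config.d/50-redhat.conf":
        "# Include /etc/crypto-policies/back-ends/opensshserver.config\n",
}

if __name__ == "__main__":
    for name, files in (("ok", SAMPLE_OK), ("pinned", SAMPLE_PINNED),
                        ("missing", SAMPLE_MISSING)):
        print(name, includes_crypto_policy(files), overridden_before_include(files))
```

Running it on a real host would mean building `files` from /etc/ssh/sshd_config and its drop-ins; the pinned sample is the case the OVAL check alone cannot distinguish from a healthy one, which is why a manual fix should be followed by `sshd -t` and a look at `sshd -T` output rather than just confirming the Include line exists.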
This datastream diff is auto-generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
+++ xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
@@ -7,6 +7,9 @@
 In order to accomplish this the SSHD configuration should include the configuration file provided by the system crypto policy.
 The following line should be present in /etc/ssh/sshd_config or in a file included by this file (a file within the /etc/ssh/sshd_config.d directory):
 Include /etc/crypto-policies/back-ends/opensshserver.config
+
+[warning]:
+There is no automated remediation because recommended action could severely disrupt the system and might not be efficient in fixing the problem.
 
 [reference]:
 CCI-001453
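Review bot: the new [warning] paragraph in this hunk drops an article ("because recommended action" should read "because the recommended action") and tells the reader only that nothing is automated, not what to do by hand; since the description two lines above already names the exact line and the two acceptable locations, suggest the warning say so explicitly, e.g. "Add `Include /etc/crypto-policies/back-ends/opensshserver.config` to /etc/ssh/sshd_config or to a file under /etc/ssh/sshd_config.d, then validate with `sshd -t` before restarting sshd", so an auditor who hits the finding knows the manual remediation and how to check it without risking the disruption the warning mentions.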

New data stream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy'.
New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy'.
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy'
--- xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
+++ xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
@@ -1 +1 @@
-oval:ssg-installed_env_is_osbuild:def:1
+
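Review bot: this hunk replaces the `oval:ssg-installed_env_is_osbuild:def:1` platform with an empty `+` line rather than removing the entry outright, so the rule now carries a blank platform; confirm the build treats that as "applies everywhere" and that this is the intent, because the PR rationale says the osbuild exclusion existed only to keep the remediation off image builds, and with the bash and ansible remediations gone (the two "missing remediation" lines above) the check itself is all that now runs on osbuild-built systems.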

@vojtapolasek (Collaborator) left a comment

Looks good. Merging, bypassing Automatus tests. They fail because the rule is currently only in the RHEL 9 datastream.

@vojtapolasek vojtapolasek added this to the 0.1.76 milestone Feb 12, 2025
@vojtapolasek vojtapolasek merged commit 0cdba0e into ComplianceAsCode:stabilization-v0.1.76 Feb 12, 2025
90 of 96 checks passed