Update STIG (Ubuntu, SUSE, OL, RHEL) with regards to permissions and group of SSH host private keys.

[ggbecker]

Hello all,

The current implementation of STIG with regards to permissions and group of SSH host private keys defines that the files (*ssh_host*key) should have permissions 0600 or stricter while the group in the example is ssh_keys.

For example: https://stigaview.com/products/rhel8/v1r7/RHEL-08-010490/

Most enterprise linux distros install host keys when the OpenSSH package is installed and it defines the keys with permissions 0640 and ssh_keys group. We believe that these permissions should be ok in terms of security. If you use the group root then you must set the permissions to 0600 or stricter, otherwise the OpenSSH server won't accept connections.

We are requesting DISA to change this approach and allow multiple combinations for these specific keys, as the following:

ssh_keys+0640 (or stricter) and root+0600 (or stricter).

While there is nothing wrong with the current approach, it makes difficult to align with our current content and with different security policies, for example CIS (that allows both of these combinations).

So our desire is to unify this behavior so we can keep a single rule and in the meanwhile our content is aligned with DISA's own SCAP content.

They are willing to make this change, but they are requiring that all of the distros be onboard with the change, because if they change one STIG, they will do it across all the distros to keep consistency.

This discussion is to make you all aware of it and to request that you, if agree with the proposal, contact DISA to acknowledge the change. Otherwise we will have to eventually split our rules to accommodate their own specific verbiage.

I'll be marking in individual answer the specific distro and STIG item that needs the change.

[ggbecker]

Ubuntu 16.04
UBTU-16-030320
https://www.stigviewer.com/stig/canonical_ubuntu_16.04/2020-05-29/finding/V-75845

Ubuntu 18.04 and Ubuntu 20.04 don't have a similar STIG id defined.

@dodys

[dodys]

Both 18.04 and 20.04 do not have such a rule.
16.04 has the one you mentioned, but we don't have STIG for 16.04 as I believe STIG started to be offered with 20.04, also when we started to use CaC. Therefore if we have 16.04 STIG, still it is not CaC-based.

[ggbecker]

I see, do you know if the absence of the rule is because it is not applicable in 18.04/20.04? or is it an omission?

[dodys]

I'm not sure, I was not in the STIG discussions, but it might be that it was not needed on Ubuntu as the /etc/ssh/ssh_host_*_key files are by default 0600 and group root.
We do have file_permissions_sshd_private_key on CIS Level 1, which asks for group root and 0600 as well.
Therefore changing the rule as you want, wouldn't necessarily affect us, as stricter is still accepted and I'm in for making it more unified.

[ggbecker]

SUSE 12
SLES-12-030220

https://stigaview.com/products/sle12/v2r7/SLES-12-030220/

SUSE 15
SLES-15-040250

https://stigaview.com/products/sle15/v1r7/SLES-15-040250/

@abergmann
@brett060102

[brett060102]

@ggbecker @abergmann normally handles the STIG side of thing, but I a don't have an issue with requesting the change from DISA. From my quick read of the oval and remediations for ssh/file_permissions_sshd_private_key, it look like you want DISA to update the STIG to match what is currently in code, And what is in the code looks correct to me. So, I think this is a good idea.

[ggbecker]

It will align better with CIS for example and it will make the default state a pass since the ssh package in most of distros will create the ssh_keys and assign the keys to it.

I'm not sure if you are able to contact DISA. And tell him that SLE would be on board with this change. This is the only way we see this being done on their side. Please contact me on our gitter channel so I can provide you with contact details. https://gitter.im/Compliance-As-Code-The/content if that's the case.

[ggbecker]

Oracle Linux 7
OL07-00-040420
https://stigaview.com/products/ol7/v2r8/OL07-00-040420/

Oracle Linux 8
OL08-00-010490

https://stigaview.com/products/ol8/v1r3/OL08-00-010490/

@Xeicker
@freddieRv

[ggbecker]

maybe you can forward the message to responsible people on your side in case you don't have the means to contact DISA on this matter. Thanks

[ggbecker]

RHEL7
RHEL-07-040420
https://stigaview.com/products/rhel7/v3r8/RHEL-07-040420/

RHEL8
RHEL-08-010490

https://stigaview.com/products/rhel8/v1r7/RHEL-08-010490/

@Mab879
@ggbecker
@yuumasato

[Mab879]

In RHEL 7-9, plus Fedora the default permissions are 640/root ssh_keys, and CIS does this for RHEL (and others) I'm in support of moving to 640 or stricter.

[ggbecker]

I have communicated with DISA and they have accepted this proposal. Although it should take some time for them to reflect this into the STIGs, most likely in April's 2023 release.

[brett060102]

@ggbecker That is great news. Thank you for getting this through..