Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Story
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-8.10.z
Affects Version/s: rhel-8.7.0
Component/s: scap-security-guide
Labels:

Fixed in Build:
scap-security-guide-0.1.78-1.el8
Severity:
None
Epic Link:
OPENSCAP-5955

AssignedTeam:
rhel-security-compliance
Sub-System Group:

ssg_security

Story Points:
1
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Git Pull Request:
https://github.com/ComplianceAsCode/content/pull/13692
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/154689
Test Coverage:

Manual

Release Note Type:
If docs needed, set a value

Experience:
Architecture:

x86_64
Bugzilla Bug:
RHBZ: 2169990

PX Impact Score:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None
Internal Target Milestone numeric:
57,005

The STIG rule 'Configure GnuTLS library to use DoD-approved TLS Encryption' remediates a correct RHEL default configuration.
See screenshot of the finding

To my understanding the fidnding is the same as the default RHEL provided configured, only the swapped order to excluded ssl3,tls1.0,tls1.1 is swapped

Order expected by SCAP check
+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0

Order by RedHat default:
+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0

Below the output of RHEL8.7 that shows that this order is always the same there for all back-ends and not matching the STIG order even not for the expected FIPS crypto profile:
~~~
[Azure] vrempet-admin@hiltiq.com@li-lc-2635 ~
$ rpm -q crypto-policies
crypto-policies-20211116-1.gitae470d6.el8.noarch

[Azure] vrempet-admin@hiltiq.com@li-lc-2635 ~
$ grep -o '+VERS.:+COMP' /usr/share/crypto-policies/back-ends//gnutls.config
/usr/share/crypto-policies/back-ends/DEFAULT/gnutls.config:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP
/usr/share/crypto-policies/back-ends/FIPS/gnutls.config:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP
/usr/share/crypto-policies/back-ends/FUTURE/gnutls.config:+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0:+COMP
/usr/share/crypto-policies/back-ends/LEGACY/gnutls.config:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:+COMP
~~~

There are 3 Solutions:

Make the SCAP check more advanced to check for +VERS-ALL: and then for each not to exclude VERS independent of the order (as long as it is after the +VERS-ALL)
Update the RedHat defaults to match SCAP
Update the SCAP expected order to match the RedHat defaults

Reproducer run STIG remediate on

update-crypto-policies --set FIPS
run STIG SCAP

Result:

Finding on 'Configure GnuTLS library to use DoD-approved TLS Encryption'

Expected:

No finding 'Configure GnuTLS library to use DoD-approved TLS Encryption'

What is the business impact? Please also provide timeframe information.
Unneeded finding/remediate of a configuration

external trackers

Red Hat Customer Portal 03365466

Red Hat Customer Portal 03430486

Red Hat Issue Tracker RHELPLAN-148707

links to

RHBA-2025:154689 scap-security-guide bug fix and enhancement update

Assignee:: Jan Cerny

Reporter:: Rajesh Dulhani

Developer:: Vojtech Polasek

QA Contact:: Matus Marhefka

Votes:: 0 Vote for this issue

Watchers:: 13 Start watching this issue

Created:: 2023/08/30 8:28 AM

Updated:: 2025/10/10 8:38 AM

Resolved:: 2025/09/29 12:13 PM

Next Planned Release Date:: 1970/01/01

Release Date:: 2025/09/29

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates