Summary
CCE-86127-8 (file_groupownership_sshd_private_key) and CCE-90820-2
(file_permissions_sshd_private_key) both report FAIL on RHEL 9 systems
where SSH private key files are correctly configured as root:ssh_keys 0640.
Environment
- OS: Red Hat Enterprise Linux 9
- scap-security-guide: 0.1.80-1.el9_7
- Profile: CIS Red Hat Enterprise Linux 9 Benchmark Level 2 - Server
System state (compliant)
$ ls -la /etc/ssh/*_key
-rw-r-----. 1 root ssh_keys 525 ssh_host_ecdsa_key
-rw-r-----. 1 root ssh_keys 419 ssh_host_ed25519_key
-rw-r-----. 1 root ssh_keys 2610 ssh_host_rsa_key
$ getent group ssh_keys
ssh_keys:!:101:
$ stat /etc/ssh/ssh_host_rsa_key
Access: (0640/-rw-r-----) Uid: (0/root) Gid: (101/ssh_keys)
Root cause
The OVAL uses two textfilecontent54_object elements to resolve the
GID of the ssh_keys group from /etc/group and /usr/lib/group:
<pattern operation="pattern match">^ssh_keys:\w+:(\w+):.*</pattern>
The \w+ pattern in the password field position does not match !,
which is the standard shadow password placeholder used in /etc/group
on RHEL 9 (and RHEL 8). As a result:
- The variable
oval:ssg-var_file_groupownership_sshd_private_key_ssh_keys_gid:var:1
fails to resolve
- The filter state
oval:ssg-state_file_groupownership_sshd_private_key_0_ssh_keys:ste:1
cannot match any files
- No files are excluded from the file_object
- check_existence="none_exist" fails because all three *_key files
remain in the unfiltered set
Fix
Change \w+ to [^:]* in the password field position in both
textfilecontent54_object patterns:
<!-- broken -->
<pattern operation="pattern match">^ssh_keys:\w+:(\w+):.*</pattern>
<!-- fixed -->
<pattern operation="pattern match">^ssh_keys:[^:]*:(\w+):.*</pattern>
[^:]* correctly matches any valid /etc/group password field value:
empty, x, !, or *.
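To make the failure concrete, the following is an added Python model of the lookup and filter logic (it is not code from scap-security-guide). The /etc/group lines and the key-file stat results are constructed from the values quoted in this report; the regexes are the shipped one and the proposed fix.

```python
import re

# Constructed /etc/group lines; the ssh_keys entry mirrors the "!" password
# placeholder shown by getent in the report.
SAMPLE_GROUP_LINES = ["root:x:0:", "ssh_keys:!:101:", "wheel:x:10:alice"]

# The two patterns from the report: the shipped one and the proposed fix.
BROKEN = re.compile(r"^ssh_keys:\w+:(\w+):.*")
FIXED = re.compile(r"^ssh_keys:[^:]*:(\w+):.*")

# Constructed stand-in for stat() of /etc/ssh/*_key on the compliant host:
# path -> (uid, gid, mode); all root:ssh_keys 0640 as in the report.
KEY_FILES = {
    "/etc/ssh/ssh_host_ecdsa_key": (0, 101, 0o640),
    "/etc/ssh/ssh_host_ed25519_key": (0, 101, 0o640),
    "/etc/ssh/ssh_host_rsa_key": (0, 101, 0o640),
}

def resolve_gid(pattern, group_lines):
    """Mimic the textfilecontent54 lookup: return the captured ssh_keys GID,
    or None when no line matches (the OVAL variable fails to resolve)."""
    for line in group_lines:
        m = pattern.match(line)
        if m:
            return int(m.group(1))
    return None

def evaluate_rule(pattern, group_lines, key_files):
    """Mimic the file_object filter plus check_existence="none_exist": key
    files whose gid equals the resolved GID are filtered out and the rule
    passes only if none remain. Returns (passed, remaining_paths)."""
    gid = resolve_gid(pattern, group_lines)
    remaining = [path for path, (_uid, file_gid, _mode) in key_files.items()
                 if gid is None or file_gid != gid]
    return (not remaining, remaining)

def password_field_matrix():
    """For each valid /etc/group password field value, report whether the
    broken and the fixed pattern match a line carrying GID 101."""
    return {pw: (BROKEN.match(f"ssh_keys:{pw}:101:") is not None,
                 FIXED.match(f"ssh_keys:{pw}:101:") is not None)
            for pw in ("", "x", "!", "*")}

if __name__ == "__main__":
    for name, pat in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, evaluate_rule(pat, SAMPLE_GROUP_LINES, KEY_FILES))
    print(password_field_matrix())
```

With the shipped pattern the GID never resolves, so all three key files survive the filter and the rule fails; with the fix the GID resolves to 101, every file is filtered out, and the rule passes.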
Verification
Manually editing /etc/group to replace ssh_keys:!:101: with
ssh_keys:x:101: causes both rules to pass, confirming the regex
is the sole cause of the false positive.
Affected rules
- file_groupownership_sshd_private_key (CCE-86127-8)
- file_permissions_sshd_private_key (CCE-90820-2) — uses the same
GID lookup mechanism and exhibits the same failure
Wider impact
The same \w+ pattern may be present in other group-ownership OVAL
checks that look up named groups from /etc/group. Any system where
a group has ! in the password field (the default on RHEL 9) will
be affected.