Unable to load host key: Private Key file bad permissions.

[cortesana]

Description of problem:

Permissions for the private key file are too open (It is required that your private key files are NOT accessible by others) and so the PK is ignored. This affects the following test cases:

• /Sanity/test-ansible-playbook-run CIS Workstation (GUI) in RHEL 8.8 and RHEL 7.9.
• /Sanity/test-profiles-remediation CUI, CIS Workstation L2 (GUI) in RHEL 8.8 and RHEL 7.9.
• /Sanity/test-profiles-ansible-remediation CUI, CIS Workstation L2 (GUI) in RHEL 9.2, RHEL 8.8 and RHEL 7.9.
• /Regression/profile_rule_list_validation in RHEL 7.9.
• /Sanity/ansible-machine-hardening CIS Server Level 2 in RHEL 9.2, RHEL 8.8 and RHEL 7.9.

SCAP Security Guide Version:

Operating System Version:

RHEL 9.2, RHEL 8.8, RHEL 7.9

Steps to Reproduce:

1. Run Ansible remediations.

Actual Results:

TASK [Insert correct line to /etc/ssh/sshd_config] *****************************
fatal: FAILED! => {"changed": false, "msg": "failed to validate: rc:1 error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
WARNING: UNPROTECTED PRIVATE KEY FILE!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key \"/etc/ssh/ssh_host_rsa_key\": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key

Expected Results:

TASK [Insert correct line to /etc/ssh/sshd_config] *****************************
ok: [...]

Additional Information/Debugging Steps:

It affects the following set of rules:

xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key - fail
xccdf_org.ssgproject.content_rule_sshd_set_keepalive - fail
xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout - fail
xccdf_org.ssgproject.content_rule_sshd_disable_rhosts - fail
xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding - fail
xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding - fail
xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env - fail
xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net - fail
xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time - fail
xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose - fail
xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries - fail
xccdf_org.ssgproject.content_rule_sshd_set_max_sessions - fail
xccdf_org.ssgproject.content_rule_sshd_set_maxstartups - fail
xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers - fail
xccdf_org.ssgproject.content_rule_sshd_use_approved_macs - fail
xccdf_org.ssgproject.content_rule_sshd_use_strong_kex - fail 

[ggbecker]

I suspect that a different rule is causing this problem from this PR: https://github.com/ComplianceAsCode/content/pull/10552/files

[mildas]

Passed in last productization. Closing