Some of the RHEL-9 hardening scripts are not mitigating the security finding
Summary
Some of the RHEL-9 hardening scripts don't seem to do what they should. The OpenSCAP scanner still flags these findings in the reports after the hardening scripts are executed. These are the ones:
- High - Configure SSH Client to Use FIPS 140-2 Validated Ciphers: xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy.sh
- Medium - Configure SSH Server to Use FIPS 140-2 Validated Ciphers: xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy.sh
- Medium - Disable storing coredump - Script: xccdf_org.ssgproject.content_rule_coredump_disable_storage.sh
- Medium - Disable coredump backtraces - script: xccdf_org.ssgproject.content_rule_coredump_disable_backtraces.sh
- Medium - Ensure the Default Bash Umask is Set Correctly - script: xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc.sh
Steps to reproduce
(How one can reproduce the issue - this is very important) Scan the hardened RHEL 9 base image, look into the report html file and those findings are still there.
What is the current bug behavior?
(What actually happens) Scan the hardened RHEL 9 base image, look into the report html file and those findings are still there.
What is the expected correct behavior?
(What you should see instead) I'd expected the hardening scripts would mitigate the issues.
Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's very hard to read otherwise.)
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)
Tasks
- Bug has been identified and corrected within the container
Please read the Iron Bank Documentation for more info