1058 lines
54 KiB
Diff
1058 lines
54 KiB
Diff
|
From 7da420a853591a6e994439a9ada2b88d6793e3e7 Mon Sep 17 00:00:00 2001
|
||
|
From: Carlos Matos <cmatos@redhat.com>
|
||
|
Date: Tue, 29 Jun 2021 14:00:14 -0400
|
||
|
Subject: [PATCH 1/5] New rules for RHEL-08-010291
|
||
|
|
||
|
---
|
||
|
.../services/ssh/sshd_approved_ciphers.var | 2 +-
|
||
|
.../ansible/shared.yml | 16 +++++
|
||
|
.../bash/shared.sh | 13 ++++
|
||
|
.../oval/shared.xml | 35 +++++++++++
|
||
|
.../rule.yml | 62 +++++++++++++++++++
|
||
|
.../tests/stig_correct.pass.sh | 15 +++++
|
||
|
.../tests/stig_correct_commented.fail.sh | 15 +++++
|
||
|
...ct_followed_by_incorrect_commented.pass.sh | 18 ++++++
|
||
|
.../tests/stig_empty_file.fail.sh | 10 +++
|
||
|
.../tests/stig_empty_policy.fail.sh | 14 +++++
|
||
|
...rect_followed_by_correct_commented.fail.sh | 19 ++++++
|
||
|
.../tests/stig_incorrect_policy.fail.sh | 15 +++++
|
||
|
.../tests/stig_missing_file.fail.sh | 11 ++++
|
||
|
.../ansible/shared.yml | 45 ++++++++++++++
|
||
|
.../bash/shared.sh | 25 ++++++++
|
||
|
.../oval/shared.xml | 35 +++++++++++
|
||
|
.../rule.yml | 62 +++++++++++++++++++
|
||
|
.../tests/rhel8_stig_correct.pass.sh | 17 +++++
|
||
|
.../tests/rhel8_stig_empty_policy.fail.sh | 7 +++
|
||
|
.../tests/rhel8_stig_incorrect_policy.fail.sh | 14 +++++
|
||
|
.../tests/rhel8_stig_missing_file.fail.sh | 11 ++++
|
||
|
products/rhel8/profiles/stig.profile | 6 ++
|
||
|
.../data/profile_stability/rhel8/stig.profile | 3 +
|
||
|
.../profile_stability/rhel8/stig_gui.profile | 3 +
|
||
|
24 files changed, 472 insertions(+), 1 deletion(-)
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
|
||
|
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
|
||
|
|
||
|
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
||
|
index 46891daa619..a240bbbfaef 100644
|
||
|
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
||
|
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
||
|
@@ -11,6 +11,6 @@ operator: equals
|
||
|
interactive: false
|
||
|
|
||
|
options:
|
||
|
- stig: aes128-ctr,aes192-ctr,aes256-ctr
|
||
|
+ stig: aes256-ctr,aes192-ctr,aes128-ctr
|
||
|
default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
|
||
|
cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
||
|
new file mode 100644
|
||
|
index 00000000000..badb5896cf2
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
||
|
@@ -0,0 +1,16 @@
|
||
|
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
||
|
+# reboot = true
|
||
|
+# strategy = restrict
|
||
|
+# complexity = low
|
||
|
+# disruption = low
|
||
|
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
|
||
|
+
|
||
|
+{{{ ansible_set_config_file(
|
||
|
+ msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
|
||
|
+ file='/etc/crypto-policies/back-ends/openssh.config',
|
||
|
+ parameter='Ciphers',
|
||
|
+ value="{{ sshd_approved_ciphers }}",
|
||
|
+ create='yes',
|
||
|
+ prefix_regex='^.*'
|
||
|
+ )
|
||
|
+}}}
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..cdc66a8aac6
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
|
||
|
@@ -0,0 +1,13 @@
|
||
|
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
||
|
+. /usr/share/scap-security-guide/remediation_functions
|
||
|
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
|
||
|
+
|
||
|
+{{{ set_config_file(
|
||
|
+ path="/etc/crypto-policies/back-ends/openssh.config",
|
||
|
+ parameter="Ciphers",
|
||
|
+ value="${sshd_approved_ciphers}",
|
||
|
+ create=true,
|
||
|
+ insensitive=false,
|
||
|
+ prefix_regex="^.*"
|
||
|
+ )
|
||
|
+}}}
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
||
|
new file mode 100644
|
||
|
index 00000000000..1879e77398b
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
||
|
@@ -0,0 +1,35 @@
|
||
|
+{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
|
||
|
+<def-group>
|
||
|
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||
|
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
|
||
|
+ <criteria operator="AND" comment="Test conditions - presence of the file plus.">
|
||
|
+ <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
|
||
|
+ </criteria>
|
||
|
+ </definition>
|
||
|
+
|
||
|
+ <ind:textfilecontent54_test check="all"
|
||
|
+ comment="test the value of Ciphers setting in the {{{ PATH }}} file"
|
||
|
+ id="test_{{{ rule_id }}}" version="1">
|
||
|
+ <ind:object object_ref="obj_{{{ rule_id }}}" />
|
||
|
+ <ind:state state_ref="ste_{{{ rule_id }}}" />
|
||
|
+ </ind:textfilecontent54_test>
|
||
|
+
|
||
|
+ <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
|
||
|
+ <ind:filepath>{{{ PATH }}}</ind:filepath>
|
||
|
+ <ind:pattern operation="pattern match">^Ciphers.*$</ind:pattern>
|
||
|
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||
|
+ </ind:textfilecontent54_object>
|
||
|
+
|
||
|
+ <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
|
||
|
+ <ind:text var_ref="sshd_ciphers_crypto" operation="equals"></ind:text>
|
||
|
+ </ind:textfilecontent54_state>
|
||
|
+
|
||
|
+ <local_variable id="sshd_ciphers_crypto" datatype="string" comment="The regex of the directive" version="1">
|
||
|
+ <concat>
|
||
|
+ <literal_component>Ciphers </literal_component>
|
||
|
+ <variable_component var_ref="sshd_approved_ciphers"/>
|
||
|
+ </concat>
|
||
|
+ </local_variable>
|
||
|
+
|
||
|
+ <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
|
||
|
+</def-group>
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
||
|
new file mode 100644
|
||
|
index 00000000000..cd1553dbdb3
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
||
|
@@ -0,0 +1,62 @@
|
||
|
+documentation_complete: true
|
||
|
+
|
||
|
+prodtype: fedora,rhel8
|
||
|
+
|
||
|
+title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'
|
||
|
+
|
||
|
+description: |-
|
||
|
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
||
|
+ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
|
||
|
+ set up incorrectly.
|
||
|
+
|
||
|
+ To check that Crypto Policies settings for ciphers are configured correctly, ensure that
|
||
|
+ <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
|
||
|
+ line and is not commented out:
|
||
|
+ <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
|
||
|
+
|
||
|
+rationale: |-
|
||
|
+ Overriding the system crypto policy makes the behavior of the OpenSSH daemon
|
||
|
+ violate expectations, and makes system configuration more fragmented. By
|
||
|
+ specifying a cipher list with the order of ciphers being in a “strongest to
|
||
|
+ weakest” orientation, the system will automatically attempt to use the
|
||
|
+ strongest cipher for securing SSH connections.
|
||
|
+
|
||
|
+severity: medium
|
||
|
+
|
||
|
+identifiers:
|
||
|
+ cce@rhel8: CCE-85870-4
|
||
|
+
|
||
|
+references:
|
||
|
+ nist: AC-17(2)
|
||
|
+ srg: SRG-OS-000250-GPOS-00093
|
||
|
+ disa: CCI-001453
|
||
|
+ stigid@rhel8: RHEL-08-010291
|
||
|
+
|
||
|
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
||
|
+
|
||
|
+ocil: |-
|
||
|
+ To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run:
|
||
|
+ <pre>$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config</pre>
|
||
|
+ and verify that the line matches:
|
||
|
+ <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
|
||
|
+
|
||
|
+warnings:
|
||
|
+ - general: |-
|
||
|
+ The system needs to be rebooted for these changes to take effect.
|
||
|
+ - regulatory: |-
|
||
|
+ System Crypto Modules must be provided by a vendor that undergoes
|
||
|
+ FIPS-140 certifications.
|
||
|
+ FIPS-140 is applicable to all Federal agencies that use
|
||
|
+ cryptographic-based security systems to protect sensitive information
|
||
|
+ in computer and telecommunication systems (including voice systems) as
|
||
|
+ defined in Section 5131 of the Information Technology Management Reform
|
||
|
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
||
|
+ designing and implementing cryptographic modules that Federal
|
||
|
+ departments and agencies operate or are operated for them under
|
||
|
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
|
||
|
+ To meet this, the system has to have cryptographic software provided by
|
||
|
+ a vendor that has undergone this certification. This means providing
|
||
|
+ documentation, test results, design information, and independent third
|
||
|
+ party review by an accredited lab. While open source software is
|
||
|
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
||
|
+ submits to this process.
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..0a27a7e0984
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
|
||
|
@@ -0,0 +1,15 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
||
|
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+if [[ -f $configfile ]]; then
|
||
|
+ sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile
|
||
|
+else
|
||
|
+ echo "Ciphers ${sshd_approved_ciphers}" > "$configfile"
|
||
|
+fi
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..5cadd95ba38
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
|
||
|
@@ -0,0 +1,15 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
||
|
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+if [[ -f $configfile ]]; then
|
||
|
+ sed -i "s/^.*Ciphers.*$/#Ciphers ${sshd_approved_ciphers}/" $configfile
|
||
|
+else
|
||
|
+ echo "#Ciphers ${sshd_approved_ciphers}" > "$configfile"
|
||
|
+fi
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..26220063757
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
|
||
|
@@ -0,0 +1,18 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
||
|
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+if [[ -f $configfile ]]; then
|
||
|
+ sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile
|
||
|
+else
|
||
|
+ echo "Ciphers ${sshd_approved_ciphers}" > "$configfile"
|
||
|
+fi
|
||
|
+
|
||
|
+# follow up with incorrect
|
||
|
+echo "#Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr" >> $configfile
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..55ef3f58422
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
|
||
|
@@ -0,0 +1,10 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+echo "" > $configfile
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..7105441ad80
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
|
||
|
@@ -0,0 +1,14 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+if [[ -f $configfile ]]; then
|
||
|
+ sed -i "s/^.*Ciphers.*$/Ciphers /" $configfile
|
||
|
+else
|
||
|
+ echo "Ciphers " > "$configfile"
|
||
|
+fi
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..195f5e8d8ed
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
||
|
@@ -0,0 +1,19 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
||
|
+incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
|
||
|
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+if [[ -f $configfile ]]; then
|
||
|
+ sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile
|
||
|
+else
|
||
|
+ echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile"
|
||
|
+fi
|
||
|
+
|
||
|
+# follow up with correct value
|
||
|
+echo "Ciphers ${sshd_approved_ciphers}" >> $configfile
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..92bd4ed9c5a
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
|
||
|
@@ -0,0 +1,15 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
|
||
|
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+if [[ -f $configfile ]]; then
|
||
|
+ sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile
|
||
|
+else
|
||
|
+ echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile"
|
||
|
+fi
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..2138caad319
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
|
||
|
@@ -0,0 +1,11 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+# If file exists, remove it
|
||
|
+test -f $configfile && rm -f $configfile
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
||
|
new file mode 100644
|
||
|
index 00000000000..7532ba51639
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
||
|
@@ -0,0 +1,45 @@
|
||
|
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
||
|
+# reboot = true
|
||
|
+# strategy = restrict
|
||
|
+# complexity = low
|
||
|
+# disruption = low
|
||
|
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
|
||
|
+
|
||
|
+- name: "{{{ rule_title }}}: Set facts"
|
||
|
+ set_fact:
|
||
|
+ path: /etc/crypto-policies/back-ends/opensshserver.config
|
||
|
+ correct_value: "-oCiphers={{ sshd_approved_ciphers }}"
|
||
|
+
|
||
|
+- name: "{{{ rule_title }}}: Stat"
|
||
|
+ stat:
|
||
|
+ path: "{{ path }}"
|
||
|
+ follow: yes
|
||
|
+ register: opensshserver_file
|
||
|
+
|
||
|
+- name: "{{{ rule_title }}}: Create"
|
||
|
+ lineinfile:
|
||
|
+ path: "{{ path }}"
|
||
|
+ line: "{{ correct_value }}"
|
||
|
+ create: yes
|
||
|
+ when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
|
||
|
+
|
||
|
+- name: "{{{ rule_title }}}"
|
||
|
+ block:
|
||
|
+ - name: "Existing value check"
|
||
|
+ lineinfile:
|
||
|
+ path: "{{ path }}"
|
||
|
+ create: false
|
||
|
+ regexp: "{{ correct_value }}"
|
||
|
+ state: absent
|
||
|
+ check_mode: true
|
||
|
+ changed_when: false
|
||
|
+ register: opensshserver
|
||
|
+
|
||
|
+ - name: "Update/Correct value"
|
||
|
+ replace:
|
||
|
+ path: "{{ path }}"
|
||
|
+ regexp: (-oCiphers=\S+)
|
||
|
+ replace: "{{ correct_value }}"
|
||
|
+ when: opensshserver.found is defined and opensshserver.found != 1
|
||
|
+
|
||
|
+ when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..1bc022f93b6
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
||
|
@@ -0,0 +1,25 @@
|
||
|
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
||
|
+. /usr/share/scap-security-guide/remediation_functions
|
||
|
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
|
||
|
+
|
||
|
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
|
||
|
+correct_value="-oCiphers=${sshd_approved_ciphers}"
|
||
|
+
|
||
|
+grep -q ${correct_value} ${CONF_FILE}
|
||
|
+
|
||
|
+if [[ $? -ne 0 ]]; then
|
||
|
+ # We need to get the existing value, using PCRE to maintain same regex
|
||
|
+ existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
|
||
|
+
|
||
|
+ if [[ ! -z ${existing_value} ]]; then
|
||
|
+ # replace existing_value with correct_value
|
||
|
+ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
|
||
|
+ else
|
||
|
+ # ***NOTE*** #
|
||
|
+ # This probably means this file is not here or it's been modified
|
||
|
+ # unintentionally.
|
||
|
+ # ********** #
|
||
|
+ # echo correct_value to end
|
||
|
+ echo ${correct_value} >> ${CONF_FILE}
|
||
|
+ fi
|
||
|
+fi
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||
|
new file mode 100644
|
||
|
index 00000000000..92ad7ce3d3f
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||
|
@@ -0,0 +1,35 @@
|
||
|
+{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
|
||
|
+<def-group>
|
||
|
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||
|
+ {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}}
|
||
|
+ <criteria operator="AND" comment="Test conditions - presence of the file plus.">
|
||
|
+ <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
|
||
|
+ </criteria>
|
||
|
+ </definition>
|
||
|
+
|
||
|
+ <ind:textfilecontent54_test check="all"
|
||
|
+ comment="test the value of Ciphers setting in the {{{ PATH }}} file"
|
||
|
+ id="test_{{{ rule_id }}}" version="1">
|
||
|
+ <ind:object object_ref="obj_{{{ rule_id }}}" />
|
||
|
+ <ind:state state_ref="ste_{{{ rule_id }}}" />
|
||
|
+ </ind:textfilecontent54_test>
|
||
|
+
|
||
|
+ <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
|
||
|
+ <ind:filepath>{{{ PATH }}}</ind:filepath>
|
||
|
+ <ind:pattern operation="pattern match">^.*(-oCiphers=\S+).*$</ind:pattern>
|
||
|
+ <ind:instance operation="equals" datatype="int">1</ind:instance>
|
||
|
+ </ind:textfilecontent54_object>
|
||
|
+
|
||
|
+ <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
|
||
|
+ <ind:subexpression var_ref="sshd_ciphers_crypto_opensshserver" operation="equals" />
|
||
|
+ </ind:textfilecontent54_state>
|
||
|
+
|
||
|
+ <local_variable id="sshd_ciphers_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">
|
||
|
+ <concat>
|
||
|
+ <literal_component>-oCiphers=</literal_component>
|
||
|
+ <variable_component var_ref="sshd_approved_ciphers"/>
|
||
|
+ </concat>
|
||
|
+ </local_variable>
|
||
|
+
|
||
|
+ <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
|
||
|
+</def-group>
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
new file mode 100644
|
||
|
index 00000000000..877c6f38db0
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
@@ -0,0 +1,62 @@
|
||
|
+documentation_complete: true
|
||
|
+
|
||
|
+prodtype: rhel8
|
||
|
+
|
||
|
+title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config'
|
||
|
+
|
||
|
+description: |-
|
||
|
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
||
|
+ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
|
||
|
+ set up incorrectly.
|
||
|
+
|
||
|
+ To check that Crypto Policies settings for ciphers are configured correctly, ensure that
|
||
|
+ <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
|
||
|
+ text and is not commented out:
|
||
|
+ <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
|
||
|
+
|
||
|
+rationale: |-
|
||
|
+ Overriding the system crypto policy makes the behavior of the OpenSSH daemon
|
||
|
+ violate expectations, and makes system configuration more fragmented. By
|
||
|
+ specifying a cipher list with the order of ciphers being in a “strongest to
|
||
|
+ weakest” orientation, the system will automatically attempt to use the
|
||
|
+ strongest cipher for securing SSH connections.
|
||
|
+
|
||
|
+severity: medium
|
||
|
+
|
||
|
+identifiers:
|
||
|
+ cce@rhel8: CCE-85871-2
|
||
|
+
|
||
|
+references:
|
||
|
+ nist: AC-17(2)
|
||
|
+ srg: SRG-OS-000250-GPOS-00093
|
||
|
+ disa: CCI-001453
|
||
|
+ stigid@rhel8: RHEL-08-010290
|
||
|
+
|
||
|
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
||
|
+
|
||
|
+ocil: |-
|
||
|
+ To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run:
|
||
|
+ <pre>$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
|
||
|
+ and verify that the line matches:
|
||
|
+ <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
|
||
|
+
|
||
|
+warnings:
|
||
|
+ - general: |-
|
||
|
+ The system needs to be rebooted for these changes to take effect.
|
||
|
+ - regulatory: |-
|
||
|
+ System Crypto Modules must be provided by a vendor that undergoes
|
||
|
+ FIPS-140 certifications.
|
||
|
+ FIPS-140 is applicable to all Federal agencies that use
|
||
|
+ cryptographic-based security systems to protect sensitive information
|
||
|
+ in computer and telecommunication systems (including voice systems) as
|
||
|
+ defined in Section 5131 of the Information Technology Management Reform
|
||
|
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
||
|
+ designing and implementing cryptographic modules that Federal
|
||
|
+ departments and agencies operate or are operated for them under
|
||
|
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
|
||
|
+ To meet this, the system has to have cryptographic software provided by
|
||
|
+ a vendor that has undergone this certification. This means providing
|
||
|
+ documentation, test results, design information, and independent third
|
||
|
+ party review by an accredited lab. While open source software is
|
||
|
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
||
|
+ submits to this process.
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..1a8911d523c
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
|
||
|
@@ -0,0 +1,17 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
||
|
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
||
|
+correct_value="-oCiphers=${sshd_approved_ciphers}"
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+# Proceed when file exists
|
||
|
+if [[ -f $configfile ]]; then
|
||
|
+ sed -i -r "s/-oCiphers=\S+/${correct_value}/" $configfile
|
||
|
+else
|
||
|
+ echo "${correct_value}" > "$configfile"
|
||
|
+fi
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..3dde1479296
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
|
||
|
@@ -0,0 +1,7 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
||
|
+
|
||
|
+echo "" > "$configfile"
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..f97f54db502
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
|
||
|
@@ -0,0 +1,14 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+if [[ -f $configfile ]]; then
|
||
|
+ sed -i -r "s/-oCiphers=\S+/-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc/" $configfile
|
||
|
+else
|
||
|
+ echo "-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc" > "$configfile"
|
||
|
+fi
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
|
||
|
new file mode 100644
|
||
|
index 00000000000..11e596ced87
|
||
|
--- /dev/null
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
|
||
|
@@ -0,0 +1,11 @@
|
||
|
+#!/bin/bash
|
||
|
+# platform = Red Hat Enterprise Linux 8
|
||
|
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
||
|
+
|
||
|
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
||
|
+
|
||
|
+# Ensure directory + file is there
|
||
|
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
||
|
+
|
||
|
+# If file exists, remove it
|
||
|
+test -f $configfile && rm -f $configfile
|
||
|
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||
|
index 28b47cca487..a3783efafd6 100644
|
||
|
--- a/products/rhel8/profiles/stig.profile
|
||
|
+++ b/products/rhel8/profiles/stig.profile
|
||
|
@@ -50,7 +50,11 @@ selections:
|
||
|
- var_password_pam_retry=3
|
||
|
- var_password_pam_minlen=15
|
||
|
- var_sshd_set_keepalive=0
|
||
|
+<<<<<<< HEAD
|
||
|
- sshd_approved_macs=stig
|
||
|
+=======
|
||
|
+ - sshd_approved_ciphers=stig
|
||
|
+>>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)
|
||
|
- sshd_idle_timeout_value=10_minutes
|
||
|
- var_accounts_passwords_pam_faillock_deny=3
|
||
|
- var_accounts_passwords_pam_faillock_fail_interval=900
|
||
|
@@ -185,6 +189,8 @@ selections:
|
||
|
- harden_sshd_macs_opensshserver_conf_crypto_policy
|
||
|
|
||
|
# RHEL-08-010291
|
||
|
+ - harden_sshd_ciphers_openssh_conf_crypto_policy
|
||
|
+ - harden_sshd_ciphers_opensshserver_conf_crypto_policy
|
||
|
|
||
|
# RHEL-08-010292
|
||
|
- sshd_use_strong_rng
|
||
|
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||
|
index 393051a34ea..05335cc38fb 100644
|
||
|
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||
|
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||
|
@@ -147,6 +147,8 @@ selections:
|
||
|
- grub2_vsyscall_argument
|
||
|
- harden_sshd_macs_openssh_conf_crypto_policy
|
||
|
- harden_sshd_macs_opensshserver_conf_crypto_policy
|
||
|
+- harden_sshd_ciphers_openssh_conf_crypto_policy
|
||
|
+- harden_sshd_ciphers_opensshserver_conf_crypto_policy
|
||
|
- install_smartcard_packages
|
||
|
- installed_OS_is_vendor_supported
|
||
|
- kerberos_disable_no_keytab
|
||
|
@@ -328,6 +330,7 @@ selections:
|
||
|
- var_password_pam_retry=3
|
||
|
- var_sshd_set_keepalive=0
|
||
|
- sshd_approved_macs=stig
|
||
|
+- sshd_approved_ciphers=stig
|
||
|
- sshd_idle_timeout_value=10_minutes
|
||
|
- var_accounts_passwords_pam_faillock_deny=3
|
||
|
- var_accounts_passwords_pam_faillock_fail_interval=900
|
||
|
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
index de82fb34518..a0adc835a0d 100644
|
||
|
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
@@ -158,6 +158,8 @@ selections:
|
||
|
- grub2_vsyscall_argument
|
||
|
- harden_sshd_macs_openssh_conf_crypto_policy
|
||
|
- harden_sshd_macs_opensshserver_conf_crypto_policy
|
||
|
+- harden_sshd_ciphers_openssh_conf_crypto_policy
|
||
|
+- harden_sshd_ciphers_opensshserver_conf_crypto_policy
|
||
|
- install_smartcard_packages
|
||
|
- installed_OS_is_vendor_supported
|
||
|
- kerberos_disable_no_keytab
|
||
|
@@ -338,6 +340,7 @@ selections:
|
||
|
- var_password_pam_retry=3
|
||
|
- var_sshd_set_keepalive=0
|
||
|
- sshd_approved_macs=stig
|
||
|
+- sshd_approved_ciphers=stig
|
||
|
- sshd_idle_timeout_value=10_minutes
|
||
|
- var_accounts_passwords_pam_faillock_deny=3
|
||
|
- var_accounts_passwords_pam_faillock_fail_interval=900
|
||
|
|
||
|
From c943e715615de1aa957d62d239e532f86ef0959e Mon Sep 17 00:00:00 2001
|
||
|
From: Carlos Matos <cmatos@redhat.com>
|
||
|
Date: Tue, 29 Jun 2021 14:04:49 -0400
|
||
|
Subject: [PATCH 2/5] replaced MACs with Ciphers
|
||
|
|
||
|
---
|
||
|
.../ansible/shared.yml | 2 +-
|
||
|
.../oval/shared.xml | 2 +-
|
||
|
.../oval/shared.xml | 2 +-
|
||
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
||
|
index badb5896cf2..956a19f3025 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
||
|
@@ -6,7 +6,7 @@
|
||
|
{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
|
||
|
|
||
|
{{{ ansible_set_config_file(
|
||
|
- msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
|
||
|
+ msg='Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config',
|
||
|
file='/etc/crypto-policies/back-ends/openssh.config',
|
||
|
parameter='Ciphers',
|
||
|
value="{{ sshd_approved_ciphers }}",
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
||
|
index 1879e77398b..9b3b4f1995d 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
||
|
@@ -1,7 +1,7 @@
|
||
|
{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
|
||
|
<def-group>
|
||
|
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||
|
- {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
|
||
|
+ {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}}
|
||
|
<criteria operator="AND" comment="Test conditions - presence of the file plus.">
|
||
|
<criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
|
||
|
</criteria>
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||
|
index 92ad7ce3d3f..3afbc1619a4 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||
|
@@ -1,7 +1,7 @@
|
||
|
{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
|
||
|
<def-group>
|
||
|
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||
|
- {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}}
|
||
|
+ {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}}
|
||
|
<criteria operator="AND" comment="Test conditions - presence of the file plus.">
|
||
|
<criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
|
||
|
</criteria>
|
||
|
|
||
|
From 26383895dfffc5e643295301c052ccd3d77cb906 Mon Sep 17 00:00:00 2001
|
||
|
From: Carlos Matos <cmatos@redhat.com>
|
||
|
Date: Mon, 19 Jul 2021 09:33:38 -0400
|
||
|
Subject: [PATCH 3/5] Fixed issue with oval not checking for commented out
|
||
|
line, and updated remediations
|
||
|
|
||
|
---
|
||
|
.../rule.yml | 8 ++++----
|
||
|
.../ansible/shared.yml | 2 +-
|
||
|
.../bash/shared.sh | 10 ++++++++--
|
||
|
.../oval/shared.xml | 2 +-
|
||
|
.../rule.yml | 6 +++---
|
||
|
5 files changed, 17 insertions(+), 11 deletions(-)
|
||
|
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
||
|
index cd1553dbdb3..d626ec6e260 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
||
|
@@ -2,7 +2,7 @@ documentation_complete: true
|
||
|
|
||
|
prodtype: fedora,rhel8
|
||
|
|
||
|
-title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'
|
||
|
+title: 'Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config'
|
||
|
|
||
|
description: |-
|
||
|
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
||
|
@@ -15,7 +15,7 @@ description: |-
|
||
|
<pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
|
||
|
|
||
|
rationale: |-
|
||
|
- Overriding the system crypto policy makes the behavior of the OpenSSH daemon
|
||
|
+ Overriding the system crypto policy makes the behavior of the OpenSSH client
|
||
|
violate expectations, and makes system configuration more fragmented. By
|
||
|
specifying a cipher list with the order of ciphers being in a “strongest to
|
||
|
weakest” orientation, the system will automatically attempt to use the
|
||
|
@@ -32,10 +32,10 @@ references:
|
||
|
disa: CCI-001453
|
||
|
stigid@rhel8: RHEL-08-010291
|
||
|
|
||
|
-ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
||
|
+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
|
||
|
|
||
|
ocil: |-
|
||
|
- To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run:
|
||
|
+ To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run:
|
||
|
<pre>$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config</pre>
|
||
|
and verify that the line matches:
|
||
|
<pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
||
|
index 7532ba51639..3e637f37e69 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
||
|
@@ -19,7 +19,7 @@
|
||
|
- name: "{{{ rule_title }}}: Create"
|
||
|
lineinfile:
|
||
|
path: "{{ path }}"
|
||
|
- line: "{{ correct_value }}"
|
||
|
+ line: "CRYPTO_POLICY='{{ correct_value }}'"
|
||
|
create: yes
|
||
|
when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
|
||
|
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
||
|
index 1bc022f93b6..eaa4463caad 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
||
|
@@ -5,7 +5,13 @@
|
||
|
CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
|
||
|
correct_value="-oCiphers=${sshd_approved_ciphers}"
|
||
|
|
||
|
-grep -q ${correct_value} ${CONF_FILE}
|
||
|
+# Test if file exists
|
||
|
+test -f ${CONF_FILE} || touch ${CONF_FILE}
|
||
|
+
|
||
|
+# Ensure CRYPTO_POLICY is not commented out
|
||
|
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
|
||
|
+
|
||
|
+grep -q "'${correct_value}'" ${CONF_FILE}
|
||
|
|
||
|
if [[ $? -ne 0 ]]; then
|
||
|
# We need to get the existing value, using PCRE to maintain same regex
|
||
|
@@ -20,6 +26,6 @@ if [[ $? -ne 0 ]]; then
|
||
|
# unintentionally.
|
||
|
# ********** #
|
||
|
# echo correct_value to end
|
||
|
- echo ${correct_value} >> ${CONF_FILE}
|
||
|
+ echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
|
||
|
fi
|
||
|
fi
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||
|
index 3afbc1619a4..53919eaae7f 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
||
|
@@ -16,7 +16,7 @@
|
||
|
|
||
|
<ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
|
||
|
<ind:filepath>{{{ PATH }}}</ind:filepath>
|
||
|
- <ind:pattern operation="pattern match">^.*(-oCiphers=\S+).*$</ind:pattern>
|
||
|
+ <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=\S+).*$</ind:pattern>
|
||
|
<ind:instance operation="equals" datatype="int">1</ind:instance>
|
||
|
</ind:textfilecontent54_object>
|
||
|
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
index 877c6f38db0..0aac8e2038d 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
@@ -2,7 +2,7 @@ documentation_complete: true
|
||
|
|
||
|
prodtype: rhel8
|
||
|
|
||
|
-title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config'
|
||
|
+title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
|
||
|
|
||
|
description: |-
|
||
|
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
||
|
@@ -15,7 +15,7 @@ description: |-
|
||
|
<pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
|
||
|
|
||
|
rationale: |-
|
||
|
- Overriding the system crypto policy makes the behavior of the OpenSSH daemon
|
||
|
+ Overriding the system crypto policy makes the behavior of the OpenSSH server
|
||
|
violate expectations, and makes system configuration more fragmented. By
|
||
|
specifying a cipher list with the order of ciphers being in a “strongest to
|
||
|
weakest” orientation, the system will automatically attempt to use the
|
||
|
@@ -35,7 +35,7 @@ references:
|
||
|
ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
||
|
|
||
|
ocil: |-
|
||
|
- To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run:
|
||
|
+ To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
|
||
|
<pre>$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
|
||
|
and verify that the line matches:
|
||
|
<pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
|
||
|
|
||
|
From 7967125f58de7e6843002d674fab90c4429452f3 Mon Sep 17 00:00:00 2001
|
||
|
From: Carlos Matos <cmatos@redhat.com>
|
||
|
Date: Mon, 19 Jul 2021 09:53:28 -0400
|
||
|
Subject: [PATCH 4/5] Replace MACs verbiage with ciphers
|
||
|
|
||
|
---
|
||
|
.../rule.yml | 4 ++--
|
||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
index 0aac8e2038d..81ee763831d 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
@@ -2,7 +2,7 @@ documentation_complete: true
|
||
|
|
||
|
prodtype: rhel8
|
||
|
|
||
|
-title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
|
||
|
+title: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
|
||
|
|
||
|
description: |-
|
||
|
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
||
|
@@ -35,7 +35,7 @@ references:
|
||
|
ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
||
|
|
||
|
ocil: |-
|
||
|
- To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
|
||
|
+ To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run:
|
||
|
<pre>$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
|
||
|
and verify that the line matches:
|
||
|
<pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
|
||
|
|
||
|
From ab21f2d59db725f07b70e3e748ebc96c34e23b79 Mon Sep 17 00:00:00 2001
|
||
|
From: Carlos Matos <cmatos@redhat.com>
|
||
|
Date: Tue, 20 Jul 2021 09:01:50 -0400
|
||
|
Subject: [PATCH 5/5] Sorted refs, updated test scenario, fixed duplicate CCE
|
||
|
|
||
|
---
|
||
|
.../harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml | 4 ++--
|
||
|
.../stig_incorrect_followed_by_correct_commented.fail.sh | 2 +-
|
||
|
.../rule.yml | 4 ++--
|
||
|
products/rhel8/profiles/stig.profile | 3 ---
|
||
|
shared/references/cce-redhat-avail.txt | 2 --
|
||
|
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
|
||
|
tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++--
|
||
|
7 files changed, 9 insertions(+), 14 deletions(-)
|
||
|
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
||
|
index d626ec6e260..0aa310d9245 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
||
|
@@ -24,12 +24,12 @@ rationale: |-
|
||
|
severity: medium
|
||
|
|
||
|
identifiers:
|
||
|
- cce@rhel8: CCE-85870-4
|
||
|
+ cce@rhel8: CCE-85902-5
|
||
|
|
||
|
references:
|
||
|
+ disa: CCI-001453
|
||
|
nist: AC-17(2)
|
||
|
srg: SRG-OS-000250-GPOS-00093
|
||
|
- disa: CCI-001453
|
||
|
stigid@rhel8: RHEL-08-010291
|
||
|
|
||
|
ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
||
|
index 195f5e8d8ed..6ad1f4fd0f3 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
||
|
@@ -16,4 +16,4 @@ else
|
||
|
fi
|
||
|
|
||
|
# follow up with correct value
|
||
|
-echo "Ciphers ${sshd_approved_ciphers}" >> $configfile
|
||
|
+echo "#Ciphers ${sshd_approved_ciphers}" >> $configfile
|
||
|
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
index 81ee763831d..b56f2421f22 100644
|
||
|
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
||
|
@@ -24,12 +24,12 @@ rationale: |-
|
||
|
severity: medium
|
||
|
|
||
|
identifiers:
|
||
|
- cce@rhel8: CCE-85871-2
|
||
|
+ cce@rhel8: CCE-85897-7
|
||
|
|
||
|
references:
|
||
|
+ disa: CCI-001453
|
||
|
nist: AC-17(2)
|
||
|
srg: SRG-OS-000250-GPOS-00093
|
||
|
- disa: CCI-001453
|
||
|
stigid@rhel8: RHEL-08-010290
|
||
|
|
||
|
ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
||
|
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||
|
index a3783efafd6..7270a8f91f2 100644
|
||
|
--- a/products/rhel8/profiles/stig.profile
|
||
|
+++ b/products/rhel8/profiles/stig.profile
|
||
|
@@ -50,11 +50,8 @@ selections:
|
||
|
- var_password_pam_retry=3
|
||
|
- var_password_pam_minlen=15
|
||
|
- var_sshd_set_keepalive=0
|
||
|
-<<<<<<< HEAD
|
||
|
- sshd_approved_macs=stig
|
||
|
-=======
|
||
|
- sshd_approved_ciphers=stig
|
||
|
->>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)
|
||
|
- sshd_idle_timeout_value=10_minutes
|
||
|
- var_accounts_passwords_pam_faillock_deny=3
|
||
|
- var_accounts_passwords_pam_faillock_fail_interval=900
|
||
|
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||
|
index 036d34cea1d..665f903ead4 100644
|
||
|
--- a/shared/references/cce-redhat-avail.txt
|
||
|
+++ b/shared/references/cce-redhat-avail.txt
|
||
|
@@ -33,11 +33,9 @@ CCE-85892-8
|
||
|
CCE-85893-6
|
||
|
CCE-85895-1
|
||
|
CCE-85896-9
|
||
|
-CCE-85897-7
|
||
|
CCE-85898-5
|
||
|
CCE-85900-9
|
||
|
CCE-85901-7
|
||
|
-CCE-85902-5
|
||
|
CCE-85903-3
|
||
|
CCE-85904-1
|
||
|
CCE-85905-8
|
||
|
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||
|
index 05335cc38fb..7d59cfff625 100644
|
||
|
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||
|
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||
|
@@ -145,10 +145,10 @@ selections:
|
||
|
- grub2_uefi_admin_username
|
||
|
- grub2_uefi_password
|
||
|
- grub2_vsyscall_argument
|
||
|
-- harden_sshd_macs_openssh_conf_crypto_policy
|
||
|
-- harden_sshd_macs_opensshserver_conf_crypto_policy
|
||
|
- harden_sshd_ciphers_openssh_conf_crypto_policy
|
||
|
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
|
||
|
+- harden_sshd_macs_openssh_conf_crypto_policy
|
||
|
+- harden_sshd_macs_opensshserver_conf_crypto_policy
|
||
|
- install_smartcard_packages
|
||
|
- installed_OS_is_vendor_supported
|
||
|
- kerberos_disable_no_keytab
|
||
|
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
index a0adc835a0d..2c2daad6f6d 100644
|
||
|
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||
|
@@ -156,10 +156,10 @@ selections:
|
||
|
- grub2_uefi_admin_username
|
||
|
- grub2_uefi_password
|
||
|
- grub2_vsyscall_argument
|
||
|
-- harden_sshd_macs_openssh_conf_crypto_policy
|
||
|
-- harden_sshd_macs_opensshserver_conf_crypto_policy
|
||
|
- harden_sshd_ciphers_openssh_conf_crypto_policy
|
||
|
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
|
||
|
+- harden_sshd_macs_openssh_conf_crypto_policy
|
||
|
+- harden_sshd_macs_opensshserver_conf_crypto_policy
|
||
|
- install_smartcard_packages
|
||
|
- installed_OS_is_vendor_supported
|
||
|
- kerberos_disable_no_keytab
|