diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml index 194d7dfe2dc..b6c5e7f4b0d 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml @@ -37,7 +37,7 @@ ocil: |- MACs are in use, run the following command:
$ sudo grep -i macs /etc/ssh/sshd_configThe output should contain only following MACs (or a subset) in the exact order: -
hmac-sha2-512,hmac-sha2-256+
MACs {{{ xccdf_value("sshd_approved_macs") }}}warnings: - general: |- diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml new file mode 100644 index 00000000000..1c9dde77ee2 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml @@ -0,0 +1,16 @@ +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora +# reboot = true +# strategy = restrict +# complexity = low +# disruption = low +{{{ ansible_instantiate_variables("sshd_approved_macs") }}} + +{{{ ansible_set_config_file( + msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config', + file='/etc/crypto-policies/back-ends/openssh.config', + parameter='MACs', + value="{{ sshd_approved_macs }}", + create='yes', + prefix_regex='^.*' + ) +}}} diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh new file mode 100644 index 00000000000..b26992ce183 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh @@ -0,0 +1,13 @@ +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora +. /usr/share/scap-security-guide/remediation_functions +{{{ bash_instantiate_variables("sshd_approved_macs") }}} + +{{{ set_config_file( + path="/etc/crypto-policies/back-ends/openssh.config", + parameter="MACs", + value="${sshd_approved_macs}", + create=true, + insensitive=false, + prefix_regex="^.*" + ) +}}} diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml new file mode 100644 index 00000000000..5239af10612 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml @@ -0,0 +1,35 @@ +{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}} +
$ grep -i macs /etc/crypto-policies/back-ends/openssh.config+ and verify that the line matches: +
MACs hmac-sha2-512,hmac-sha2-256+ +warnings: + - general: |- + The system needs to be rebooted for these changes to take effect. + - regulatory: |- + System Crypto Modules must be provided by a vendor that undergoes + FIPS-140 certifications. + FIPS-140 is applicable to all Federal agencies that use + cryptographic-based security systems to protect sensitive information + in computer and telecommunication systems (including voice systems) as + defined in Section 5131 of the Information Technology Management Reform + Act of 1996, Public Law 104-106. This standard shall be used in + designing and implementing cryptographic modules that Federal + departments and agencies operate or are operated for them under + contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} + To meet this, the system has to have cryptographic software provided by + a vendor that has undergone this certification. This means providing + documentation, test results, design information, and independent third + party review by an accredited lab. While open source software is + capable of meeting this, it does not meet FIPS-140 unless the vendor + submits to this process. diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh new file mode 100644 index 00000000000..5a4b6887cba --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile +else + echo "MACs ${sshd_approved_macs}" > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh new file mode 100644 index 00000000000..e713d254f9c --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*MACs.*$/#MACs ${sshd_approved_macs}/" $configfile +else + echo "#MACs ${sshd_approved_macs}" > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh new file mode 100644 index 00000000000..b8a63bec194 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile +else + echo "MACs ${sshd_approved_macs}" > "$configfile" +fi + +# follow up with incorrect +echo "#MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" >> $configfile diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh new file mode 100644 index 00000000000..55ef3f58422 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +echo "" > $configfile diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh new file mode 100644 index 00000000000..9980a45681c --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh @@ -0,0 +1,14 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*MACs.*$/MACs /" $configfile +else + echo "MACs " > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh new file mode 100644 index 00000000000..d1303d60746 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 +incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*MACs.*$/MACs ${incorrect_sshd_approved_macs}/" $configfile +else + echo "MACs ${incorrect_sshd_approved_macs}" > "$configfile" +fi + +# follow up with correct value +echo "MACs ${sshd_approved_macs}" >> $configfile diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh new file mode 100644 index 00000000000..8b21af46896 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh @@ -0,0 +1,14 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*MACs.*$/MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512/" $configfile +else + echo "MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh new file mode 100644 index 00000000000..2138caad319 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +# If file exists, remove it +test -f $configfile && rm -f $configfile diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml new file mode 100644 index 00000000000..5ed618586ae --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml @@ -0,0 +1,45 @@ +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora +# reboot = true +# strategy = restrict +# complexity = low +# disruption = low +{{{ ansible_instantiate_variables("sshd_approved_macs") }}} + +- name: "{{{ rule_title }}}: Set facts" + set_fact: + path: /etc/crypto-policies/back-ends/opensshserver.config + correct_value: "-oMACs={{ sshd_approved_macs }}" + +- name: "{{{ rule_title }}}: Stat" + stat: + path: "{{ path }}" + follow: yes + register: opensshserver_file + +- name: "{{{ rule_title }}}: Create" + lineinfile: + path: "{{ path }}" + line: "CRYPTO_POLICY='{{ correct_value }}'" + create: yes + when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length + +- name: "{{{ rule_title }}}" + block: + - name: "Existing value check" + lineinfile: + path: "{{ path }}" + create: false + regexp: "{{ correct_value }}" + state: absent + check_mode: true + changed_when: false + register: opensshserver + + - name: "Update/Correct value" + replace: + path: "{{ path }}" + regexp: (-oMACs=\S+) + replace: "{{ correct_value }}" + when: opensshserver.found is defined and opensshserver.found != 1 + + when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh new file mode 100644 index 00000000000..790a2951bab --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh @@ -0,0 +1,31 @@ +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora +. /usr/share/scap-security-guide/remediation_functions +{{{ bash_instantiate_variables("sshd_approved_macs") }}} + +CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config +correct_value="-oMACs=${sshd_approved_macs}" + +# Test if file exists +test -f ${CONF_FILE} || touch ${CONF_FILE} + +# Ensure CRYPTO_POLICY is not commented out +sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} + +grep -q "'${correct_value}'" ${CONF_FILE} + +if [[ $? -ne 0 ]]; then + # We need to get the existing value, using PCRE to maintain same regex + existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE}) + + if [[ ! -z ${existing_value} ]]; then + # replace existing_value with correct_value + sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE} + else + # ***NOTE*** # + # This probably means this file is not here or it's been modified + # unintentionally. + # ********** # + # echo correct_value to end + echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} + fi +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml new file mode 100644 index 00000000000..18028157032 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml @@ -0,0 +1,35 @@ +{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}} +
$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config+ and verify that the line matches: +
-oMACS=hmac-sha2-512,hmac-sha2-256+ +warnings: + - general: |- + The system needs to be rebooted for these changes to take effect. + - regulatory: |- + System Crypto Modules must be provided by a vendor that undergoes + FIPS-140 certifications. + FIPS-140 is applicable to all Federal agencies that use + cryptographic-based security systems to protect sensitive information + in computer and telecommunication systems (including voice systems) as + defined in Section 5131 of the Information Technology Management Reform + Act of 1996, Public Law 104-106. This standard shall be used in + designing and implementing cryptographic modules that Federal + departments and agencies operate or are operated for them under + contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} + To meet this, the system has to have cryptographic software provided by + a vendor that has undergone this certification. This means providing + documentation, test results, design information, and independent third + party review by an accredited lab. While open source software is + capable of meeting this, it does not meet FIPS-140 unless the vendor + submits to this process. diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh new file mode 100644 index 00000000000..14da92218dc --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 +configfile=/etc/crypto-policies/back-ends/opensshserver.config +correct_value="-oMACs=${sshd_approved_macs}" + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +# Proceed when file exists +if [[ -f $configfile ]]; then + sed -i -r "s/-oMACs=\S+/${correct_value}/" $configfile +else + echo "${correct_value}" > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh new file mode 100644 index 00000000000..3dde1479296 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +echo "" > "$configfile" diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh new file mode 100644 index 00000000000..a50a0fc02bf --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh @@ -0,0 +1,14 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i -r "s/-oMACs=\S+/-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com/" $configfile +else + echo "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com" > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh new file mode 100644 index 00000000000..11e596ced87 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +# If file exists, remove it +test -f $configfile && rm -f $configfile diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 6372d13cfc9..28b47cca487 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -50,6 +50,7 @@ selections: - var_password_pam_retry=3 - var_password_pam_minlen=15 - var_sshd_set_keepalive=0 + - sshd_approved_macs=stig - sshd_idle_timeout_value=10_minutes - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900 @@ -174,11 +175,17 @@ selections: # RHEL-08-010260 - file_groupowner_var_log + # *** SHARED *** # # RHEL-08-010290 && RHEL-08-010291 - ### NOTE: This will get split out in future STIG releases, as well as we will break - ### these rules up to be more flexible in meeting the requirements. + # *** SHARED *** # - configure_ssh_crypto_policy + # RHEL-08-010290 + - harden_sshd_macs_openssh_conf_crypto_policy + - harden_sshd_macs_opensshserver_conf_crypto_policy + + # RHEL-08-010291 + # RHEL-08-010292 - sshd_use_strong_rng diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 24e81491683..036d34cea1d 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -10,7 +10,6 @@ CCE-85866-2 CCE-85867-0 CCE-85868-8 CCE-85869-6 -CCE-85870-4 CCE-85872-0 CCE-85873-8 CCE-85874-6 @@ -36,7 +35,6 @@ CCE-85895-1 CCE-85896-9 CCE-85897-7 CCE-85898-5 -CCE-85899-3 CCE-85900-9 CCE-85901-7 CCE-85902-5 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 32f1a24a7a4..393051a34ea 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -145,6 +145,8 @@ selections: - grub2_uefi_admin_username - grub2_uefi_password - grub2_vsyscall_argument +- harden_sshd_macs_openssh_conf_crypto_policy +- harden_sshd_macs_opensshserver_conf_crypto_policy - install_smartcard_packages - installed_OS_is_vendor_supported - kerberos_disable_no_keytab @@ -325,6 +327,7 @@ selections: - var_password_pam_lcredit=1 - var_password_pam_retry=3 - var_sshd_set_keepalive=0 +- sshd_approved_macs=stig - sshd_idle_timeout_value=10_minutes - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900 diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index d6a27c67dc0..de82fb34518 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -156,6 +156,8 @@ selections: - grub2_uefi_admin_username - grub2_uefi_password - grub2_vsyscall_argument +- harden_sshd_macs_openssh_conf_crypto_policy +- harden_sshd_macs_opensshserver_conf_crypto_policy - install_smartcard_packages - installed_OS_is_vendor_supported - kerberos_disable_no_keytab @@ -335,6 +337,7 @@ selections: - var_password_pam_lcredit=1 - var_password_pam_retry=3 - var_sshd_set_keepalive=0 +- sshd_approved_macs=stig - sshd_idle_timeout_value=10_minutes - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900