From 7da420a853591a6e994439a9ada2b88d6793e3e7 Mon Sep 17 00:00:00 2001 
From: Carlos Matos Date: Tue, 29 Jun 2021 14:00:14 -0400 Subject: [PATCH 1/5] New rules for RHEL-08-010291 --- .../services/ssh/sshd_approved_ciphers.var | 2 +- .../ansible/shared.yml | 16 +++++ .../bash/shared.sh | 13 ++++ .../oval/shared.xml | 35 +++++++++++ .../rule.yml | 62 +++++++++++++++++++ .../tests/stig_correct.pass.sh | 15 +++++ .../tests/stig_correct_commented.fail.sh | 15 +++++ ...ct_followed_by_incorrect_commented.pass.sh | 18 ++++++ .../tests/stig_empty_file.fail.sh | 10 +++ .../tests/stig_empty_policy.fail.sh | 14 +++++ ...rect_followed_by_correct_commented.fail.sh | 19 ++++++ .../tests/stig_incorrect_policy.fail.sh | 15 +++++ .../tests/stig_missing_file.fail.sh | 11 ++++ .../ansible/shared.yml | 45 ++++++++++++++ .../bash/shared.sh | 25 ++++++++ .../oval/shared.xml | 35 +++++++++++ .../rule.yml | 62 +++++++++++++++++++ .../tests/rhel8_stig_correct.pass.sh | 17 +++++ .../tests/rhel8_stig_empty_policy.fail.sh | 7 +++ .../tests/rhel8_stig_incorrect_policy.fail.sh | 14 +++++ .../tests/rhel8_stig_missing_file.fail.sh | 11 ++++ products/rhel8/profiles/stig.profile | 6 ++ .../data/profile_stability/rhel8/stig.profile | 3 + .../profile_stability/rhel8/stig_gui.profile | 3 + 24 files changed, 472 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh create mode 100644 
linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh create mode 100644 
linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var index 46891daa619..a240bbbfaef 100644 --- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var +++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var @@ -11,6 +11,6 @@ operator: equals interactive: false options: - stig: aes128-ctr,aes192-ctr,aes256-ctr + stig: aes256-ctr,aes192-ctr,aes128-ctr default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml new file mode 100644 index 00000000000..badb5896cf2 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml @@ -0,0 +1,16 @@ +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora +# reboot = true +# strategy = restrict +# complexity = low +# disruption = low +{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}} + +{{{ ansible_set_config_file( + msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config', + file='/etc/crypto-policies/back-ends/openssh.config', + parameter='Ciphers', + value="{{ sshd_approved_ciphers }}", + create='yes', + prefix_regex='^.*' + ) +}}} 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh new file mode 100644 index 00000000000..cdc66a8aac6 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh @@ -0,0 +1,13 @@ +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora +. /usr/share/scap-security-guide/remediation_functions +{{{ bash_instantiate_variables("sshd_approved_ciphers") }}} + +{{{ set_config_file( + path="/etc/crypto-policies/back-ends/openssh.config", + parameter="Ciphers", + value="${sshd_approved_ciphers}", + create=true, + insensitive=false, + prefix_regex="^.*" + ) +}}} diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml new file mode 100644 index 00000000000..1879e77398b --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml @@ -0,0 +1,35 @@ +{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}} + + + {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} + + + + + + + + + + + + {{{ PATH }}} + ^Ciphers.*$ + 1 + + + + + + + + + Ciphers + + + + + + diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml new file mode 100644 index 00000000000..cd1553dbdb3 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml 
@@ -0,0 +1,62 @@ +documentation_complete: true + +prodtype: fedora,rhel8 + +title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config' + +description: |- + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. + OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be + set up incorrectly. + + To check that Crypto Policies settings for ciphers are configured correctly, ensure that + /etc/crypto-policies/back-ends/openssh.config contains the following + line and is not commented out: +
Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
+ +rationale: |- + Overriding the system crypto policy makes the behavior of the OpenSSH daemon + violate expectations, and makes system configuration more fragmented. By + specifying a cipher list with the order of ciphers being in a “strongest to + weakest” orientation, the system will automatically attempt to use the + strongest cipher for securing SSH connections. + +severity: medium + +identifiers: + cce@rhel8: CCE-85870-4 + +references: + nist: AC-17(2) + srg: SRG-OS-000250-GPOS-00093 + disa: CCI-001453 + stigid@rhel8: RHEL-08-010291 + +ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' + +ocil: |- + To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run: +
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
+ and verify that the line matches: +
Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
+ +warnings: + - general: |- + The system needs to be rebooted for these changes to take effect. + - regulatory: |- + System Crypto Modules must be provided by a vendor that undergoes + FIPS-140 certifications. + FIPS-140 is applicable to all Federal agencies that use + cryptographic-based security systems to protect sensitive information + in computer and telecommunication systems (including voice systems) as + defined in Section 5131 of the Information Technology Management Reform + Act of 1996, Public Law 104-106. This standard shall be used in + designing and implementing cryptographic modules that Federal + departments and agencies operate or are operated for them under + contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} + To meet this, the system has to have cryptographic software provided by + a vendor that has undergone this certification. This means providing + documentation, test results, design information, and independent third + party review by an accredited lab. While open source software is + capable of meeting this, it does not meet FIPS-140 unless the vendor + submits to this process. diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh new file mode 100644 index 00000000000..0a27a7e0984 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh 
@@ -0,0 +1,15 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile +else + echo "Ciphers ${sshd_approved_ciphers}" > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh new file mode 100644 index 00000000000..5cadd95ba38 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*Ciphers.*$/#Ciphers ${sshd_approved_ciphers}/" $configfile +else + echo "#Ciphers ${sshd_approved_ciphers}" > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh new file mode 100644 index 00000000000..26220063757 --- /dev/null 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile +else + echo "Ciphers ${sshd_approved_ciphers}" > "$configfile" +fi + +# follow up with incorrect +echo "#Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr" >> $configfile diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh new file mode 100644 index 00000000000..55ef3f58422 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +echo "" > $configfile diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh new file mode 100644 index 00000000000..7105441ad80 --- /dev/null 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh @@ -0,0 +1,14 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*Ciphers.*$/Ciphers /" $configfile +else + echo "Ciphers " > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh new file mode 100644 index 00000000000..195f5e8d8ed --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr +incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile +else + echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile" +fi + +# follow up with correct value +echo "Ciphers ${sshd_approved_ciphers}" >> $configfile 
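Review bot: The file name `stig_incorrect_followed_by_correct_commented.fail.sh` does not describe what the script builds: the appended line `echo "Ciphers ${sshd_approved_ciphers}" >> $configfile` is not commented out, so the scenario is an incorrect first `Ciphers` line followed by an uncommented correct one. Its sibling `stig_correct_followed_by_incorrect_commented.pass.sh` really does append a `#Ciphers` line, so the two names suggest a symmetry that is not there. Either rename this test to `stig_incorrect_followed_by_correct.fail.sh` or append `echo "#Ciphers ${sshd_approved_ciphers}" >> $configfile` and keep the name; the expected `fail` outcome holds either way if the OVAL evaluates the first matching instance as its object suggests.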
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh new file mode 100644 index 00000000000..92bd4ed9c5a --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile +else + echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh new file mode 100644 index 00000000000..2138caad319 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/openssh.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +# If file exists, remove it +test -f $configfile && rm -f $configfile 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
new file mode 100644
index 00000000000..7532ba51639
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
@@ -0,0 +1,45 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
+
+- name: "{{{ rule_title }}}: Set facts"
+ set_fact:
+ path: /etc/crypto-policies/back-ends/opensshserver.config
+ correct_value: "-oCiphers={{ sshd_approved_ciphers }}"
+
+- name: "{{{ rule_title }}}: Stat"
+ stat:
+ path: "{{ path }}"
+ follow: yes
+ register: opensshserver_file
+
+- name: "{{{ rule_title }}}: Create"
+ lineinfile:
+ path: "{{ path }}"
+ line: "{{ correct_value }}"
+ create: yes
+ when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
+
+- name: "{{{ rule_title }}}"
+ block:
+ - name: "Existing value check"
+ lineinfile:
+ path: "{{ path }}"
+ create: false
+ regexp: "{{ correct_value }}"
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: opensshserver
+
+ - name: "Update/Correct value"
+ replace:
+ path: "{{ path }}"
+ regexp: (-oCiphers=\S+)
+ replace: "{{ correct_value }}"
+ when: opensshserver.found is defined and opensshserver.found != 1
+
+ when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
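Review bot: The "Existing value check" task uses `regexp: "{{ correct_value }}"` as an unanchored, unescaped regular expression, so a token with extra ciphers appended (constructed example: `-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc`) still matches, the "Update/Correct value" task is skipped, and any `.` in a variable option is treated as a wildcard. Suggest `regexp: "{{ correct_value | regex_escape }}(\\s|'|$)"` so the match must end where the `\S+` of the `replace` task's `(-oCiphers=\S+)` would end. The "Create" task's condition `opensshserver_file.stat.size <= correct_value|length` also appends a new line when the file exists but is shorter than the correct value, leaving a short wrong `-oCiphers=` token in place rather than replacing it; deciding on the presence of the token instead of the file size would be more robust.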
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
new file mode 100644
index 00000000000..1bc022f93b6
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
@@ -0,0 +1,25 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+. /usr/share/scap-security-guide/remediation_functions
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
+
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oCiphers=${sshd_approved_ciphers}"
+
+grep -q ${correct_value} ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+ # We need to get the existing value, using PCRE to maintain same regex
+ existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
+
+ if [[ ! -z ${existing_value} ]]; then
+ # replace existing_value with correct_value
+ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+ else
+ # ***NOTE*** #
+ # This probably means this file is not here or it's been modified
+ # unintentionally.
+ # ********** #
+ # echo correct_value to end
+ echo ${correct_value} >> ${CONF_FILE}
+ fi
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
new file mode 100644
index 00000000000..92ad7ce3d3f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
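Review bot: `grep -q ${correct_value} ${CONF_FILE}` hands grep a pattern that begins with `-oCiphers=`, so it is parsed as options rather than as a pattern (GNU grep takes `-o` as a flag and then expects a numeric argument for `C`), the command exits non-zero whatever the file contains, and the remediation rewrites the file on every run instead of being idempotent. Even with a `--` terminator the test is an unanchored substring match, so a token with extra ciphers appended would be accepted, while the OVAL regex in this series captures the whole `-oCiphers=\S+` token and, if its state compares that token to the variable, would still report a failure. Extracting the token once and comparing it exactly avoids both problems and also quotes the paths; the rewritten middle of the script is below, with the NOTE comment block kept where it was.
```shell
CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
correct_value="-oCiphers=${sshd_approved_ciphers}"

# Pull out the current -oCiphers token (empty when the file or the token is
# absent) and compare it exactly: a substring grep would accept a token with
# extra ciphers appended, and a pattern starting with '-' is parsed by grep
# as options unless terminated with '--'.
existing_value=$(grep -Po -- '-oCiphers=\S+' "${CONF_FILE}" 2>/dev/null | head -n 1)

if [[ "${existing_value}" != "${correct_value}" ]]; then
    if [[ -n "${existing_value}" ]]; then
        # Replace the token in place; '|' is a safe delimiter because
        # cipher names never contain it.
        sed -i "s|${existing_value}|${correct_value}|g" "${CONF_FILE}"
    else
        # … unchanged: NOTE comment explaining why the token may be missing …
        echo "${correct_value}" >> "${CONF_FILE}"
    fi
fi
```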
@@ -0,0 +1,35 @@ +{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}} + + + {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}} + + + + + + + + + + + + {{{ PATH }}} + ^.*(-oCiphers=\S+).*$ + 1 + + + + + + + + + -oCiphers= + + + + + + diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml new file mode 100644 index 00000000000..877c6f38db0 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml @@ -0,0 +1,62 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config' + +description: |- + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. + OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be + set up incorrectly. + + To check that Crypto Policies settings for ciphers are configured correctly, ensure that + /etc/crypto-policies/back-ends/opensshserver.config contains the following + text and is not commented out: +
-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
+ +rationale: |- + Overriding the system crypto policy makes the behavior of the OpenSSH daemon + violate expectations, and makes system configuration more fragmented. By + specifying a cipher list with the order of ciphers being in a “strongest to + weakest” orientation, the system will automatically attempt to use the + strongest cipher for securing SSH connections. + +severity: medium + +identifiers: + cce@rhel8: CCE-85871-2 + +references: + nist: AC-17(2) + srg: SRG-OS-000250-GPOS-00093 + disa: CCI-001453 + stigid@rhel8: RHEL-08-010290 + +ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' + +ocil: |- + To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run: +
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
+ and verify that the line matches: +
-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
+ +warnings: + - general: |- + The system needs to be rebooted for these changes to take effect. + - regulatory: |- + System Crypto Modules must be provided by a vendor that undergoes + FIPS-140 certifications. + FIPS-140 is applicable to all Federal agencies that use + cryptographic-based security systems to protect sensitive information + in computer and telecommunication systems (including voice systems) as + defined in Section 5131 of the Information Technology Management Reform + Act of 1996, Public Law 104-106. This standard shall be used in + designing and implementing cryptographic modules that Federal + departments and agencies operate or are operated for them under + contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} + To meet this, the system has to have cryptographic software provided by + a vendor that has undergone this certification. This means providing + documentation, test results, design information, and independent third + party review by an accredited lab. While open source software is + capable of meeting this, it does not meet FIPS-140 unless the vendor + submits to this process. diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh new file mode 100644 index 00000000000..1a8911d523c --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh 
@@ -0,0 +1,17 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr +configfile=/etc/crypto-policies/back-ends/opensshserver.config +correct_value="-oCiphers=${sshd_approved_ciphers}" + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +# Proceed when file exists +if [[ -f $configfile ]]; then + sed -i -r "s/-oCiphers=\S+/${correct_value}/" $configfile +else + echo "${correct_value}" > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh new file mode 100644 index 00000000000..3dde1479296 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +echo "" > "$configfile" diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh new file mode 100644 index 00000000000..f97f54db502 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh 
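Review bot: `rhel8_stig_empty_policy.fail.sh` writes `echo "" > "$configfile"` without first ensuring `/etc/crypto-policies/back-ends` exists, unlike every other test script in this series, so on a system where the directory is absent the scenario setup itself fails instead of producing the intended empty-policy state. Add the same guard the siblings use before the `echo`: `test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends`.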
@@ -0,0 +1,14 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +if [[ -f $configfile ]]; then + sed -i -r "s/-oCiphers=\S+/-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc/" $configfile +else + echo "-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc" > "$configfile" +fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh new file mode 100644 index 00000000000..11e596ced87 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_stig + +configfile=/etc/crypto-policies/back-ends/opensshserver.config + +# Ensure directory + file is there +test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends + +# If file exists, remove it +test -f $configfile && rm -f $configfile diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 28b47cca487..a3783efafd6 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile 
@@ -50,7 +50,11 @@ selections: - var_password_pam_retry=3 - var_password_pam_minlen=15 - var_sshd_set_keepalive=0 +<<<<<<< HEAD - sshd_approved_macs=stig +======= + - sshd_approved_ciphers=stig +>>>>>>> 4d62df6b2 (New rules for RHEL-08-010291) - sshd_idle_timeout_value=10_minutes - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900 @@ -185,6 +189,8 @@ selections: - harden_sshd_macs_opensshserver_conf_crypto_policy # RHEL-08-010291 + - harden_sshd_ciphers_openssh_conf_crypto_policy + - harden_sshd_ciphers_opensshserver_conf_crypto_policy # RHEL-08-010292 - sshd_use_strong_rng diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 393051a34ea..05335cc38fb 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -147,6 +147,8 @@ selections: - grub2_vsyscall_argument - harden_sshd_macs_openssh_conf_crypto_policy - harden_sshd_macs_opensshserver_conf_crypto_policy +- harden_sshd_ciphers_openssh_conf_crypto_policy +- harden_sshd_ciphers_opensshserver_conf_crypto_policy - install_smartcard_packages - installed_OS_is_vendor_supported - kerberos_disable_no_keytab @@ -328,6 +330,7 @@ selections: - var_password_pam_retry=3 - var_sshd_set_keepalive=0 - sshd_approved_macs=stig +- sshd_approved_ciphers=stig - sshd_idle_timeout_value=10_minutes - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900 diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index de82fb34518..a0adc835a0d 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile 
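Review bot: The first hunk commits unresolved merge-conflict markers into `products/rhel8/profiles/stig.profile`: `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)` are added as file content, which leaves the profile unparsable and presents `sshd_approved_macs=stig` and `sshd_approved_ciphers=stig` as alternatives rather than as two selections. Drop the three marker lines and keep both variable selections, `  - sshd_approved_macs=stig` followed by `  - sshd_approved_ciphers=stig`, which is also what the `tests/data/profile_stability` copies in the following hunks contain.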
@@ -158,6 +158,8 @@ selections: - grub2_vsyscall_argument - harden_sshd_macs_openssh_conf_crypto_policy - harden_sshd_macs_opensshserver_conf_crypto_policy +- harden_sshd_ciphers_openssh_conf_crypto_policy +- harden_sshd_ciphers_opensshserver_conf_crypto_policy - install_smartcard_packages - installed_OS_is_vendor_supported - kerberos_disable_no_keytab @@ -338,6 +340,7 @@ selections: - var_password_pam_retry=3 - var_sshd_set_keepalive=0 - sshd_approved_macs=stig +- sshd_approved_ciphers=stig - sshd_idle_timeout_value=10_minutes - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900 From c943e715615de1aa957d62d239e532f86ef0959e Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Tue, 29 Jun 2021 14:04:49 -0400 Subject: [PATCH 2/5] replaced MACs with Ciphers --- .../ansible/shared.yml | 2 +- .../oval/shared.xml | 2 +- .../oval/shared.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml index badb5896cf2..956a19f3025 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml @@ -6,7 +6,7 @@ {{{ ansible_instantiate_variables("sshd_approved_ciphers") }}} {{{ ansible_set_config_file( - msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config', + msg='Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config', file='/etc/crypto-policies/back-ends/openssh.config', parameter='Ciphers', value="{{ sshd_approved_ciphers }}", 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml index 1879e77398b..9b3b4f1995d 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml @@ -1,7 +1,7 @@ {{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}} - {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} + {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}} diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml index 92ad7ce3d3f..3afbc1619a4 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml @@ -1,7 +1,7 @@ {{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}} - {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}} + {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}} From 26383895dfffc5e643295301c052ccd3d77cb906 Mon Sep 17 00:00:00 2001 
From: Carlos Matos Date: Mon, 19 Jul 2021 09:33:38 -0400 Subject: [PATCH 3/5] Fixed issue with oval not checking for commented out line, and updated remediations --- .../rule.yml | 8 ++++---- .../ansible/shared.yml | 2 +- .../bash/shared.sh | 10 ++++++++-- .../oval/shared.xml | 2 +- .../rule.yml | 6 +++--- 5 files changed, 17 insertions(+), 11 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml index cd1553dbdb3..d626ec6e260 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true prodtype: fedora,rhel8 -title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config' +title: 'Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config' description: |- Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -15,7 +15,7 @@ description: |-
Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
rationale: |- - Overriding the system crypto policy makes the behavior of the OpenSSH daemon + Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the @@ -32,10 +32,10 @@ references: disa: CCI-001453 stigid@rhel8: RHEL-08-010291 -ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' +ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly' ocil: |- - To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run: + To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run:
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
and verify that the line matches:
Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
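Review bot: The ocil step `$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config` also prints a commented-out `#Ciphers` line, and the scenario stig_incorrect_followed_by_correct_commented.fail.sh touched in patch 5/5 treats exactly that state as non-compliant, so a reader following the ocil can pass a host the automated check fails. Adding `and verify that the line is not commented out` after `and verify that the line matches:`, or grepping with `grep -i '^ciphers'`, keeps the manual and automated checks aligned. The rest of rule.yml is outside the hunk.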
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml index 7532ba51639..3e637f37e69 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml @@ -19,7 +19,7 @@ - name: "{{{ rule_title }}}: Create" lineinfile: path: "{{ path }}" - line: "{{ correct_value }}" + line: "CRYPTO_POLICY='{{ correct_value }}'" create: yes when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh index 1bc022f93b6..eaa4463caad 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh @@ -5,7 +5,13 @@ CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config correct_value="-oCiphers=${sshd_approved_ciphers}" -grep -q ${correct_value} ${CONF_FILE} +# Test if file exists +test -f ${CONF_FILE} || touch ${CONF_FILE} + +# Ensure CRYPTO_POLICY is not commented out +sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE} + +grep -q "'${correct_value}'" ${CONF_FILE} if [[ $? -ne 0 ]]; then # We need to get the existing value, using PCRE to maintain same regex 
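Review bot: The Ansible remediation only appends `CRYPTO_POLICY='{{ correct_value }}'`, while the bash remediation in this same commit first runs `sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/'` and the opensshserver OVAL now rejects lines that start with `#`; a file whose only entry is a commented-out `#CRYPTO_POLICY=…` line is therefore fixed by bash but, as far as this hunk shows, left failing by Ansible, because the `when:` size test sees a non-empty file and skips the Create task. A `replace` task that uncomments the line before the lineinfile keeps the two remediations equivalent. The remaining tasks of the playbook are outside the hunk.

```yaml
- name: "{{{ rule_title }}}: Uncomment CRYPTO_POLICY"
  replace:
    path: "{{ path }}"
    regexp: '^#\s*CRYPTO_POLICY='
    replace: 'CRYPTO_POLICY='
  when: opensshserver_file.stat.exists

# … unchanged: the "{{{ rule_title }}}: Create" lineinfile task …
```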
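Review bot: `grep -q "'${correct_value}'" ${CONF_FILE}` only matches when the closing quote follows the cipher list directly, whereas the opensshserver OVAL pattern `^(?!#).*(-oCiphers=\S+).*$` accepts the token anywhere on the line; a `CRYPTO_POLICY='…'` line that carries further `-o` options after `-oCiphers=…` (the sibling harden_sshd_macs_opensshserver_conf_crypto_policy rule manages one of them) would presumably pass the check yet send this script into the non-matching branch on every run. Testing for the token followed by a quote, whitespace or end of line, `grep -qE -- "${correct_value}(['[:space:]]|$)" ${CONF_FILE}`, agrees with the check. The uncomment step is also unanchored, so `sed -i 's/^#\s*CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}` avoids rewriting a `#CRYPTO_POLICY=` fragment inside an ordinary comment. The body of the `if [[ $? -ne 0 ]]` block continues outside the hunk.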
@@ -20,6 +26,6 @@ if [[ $? -ne 0 ]]; then # unintentionally. # ********** # # echo correct_value to end - echo ${correct_value} >> ${CONF_FILE} + echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE} fi fi diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml index 3afbc1619a4..53919eaae7f 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml @@ -16,7 +16,7 @@ {{{ PATH }}} - ^.*(-oCiphers=\S+).*$ + ^(?!#).*(-oCiphers=\S+).*$ 1 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml index 877c6f38db0..0aac8e2038d 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true prodtype: rhel8 -title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config' +title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config' description: |- Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -15,7 +15,7 @@ description: |-
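Review bot: `^(?!#).*(-oCiphers=\S+).*$` only excludes comment lines whose `#` sits in column 0; a line with whitespace before the `#` still matches and passes, which is the commented-out case this commit set out to close if the consumer treats indented `#` lines as comments, as a shell-style file does. `^(?!\s*#).*(-oCiphers=\S+).*$` rejects the indented form as well. The OVAL object this pattern belongs to is outside the hunk.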
-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
rationale: |- - Overriding the system crypto policy makes the behavior of the OpenSSH daemon + Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the @@ -35,7 +35,7 @@ references: ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' ocil: |- - To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run: + To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
and verify that the line matches:
-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
From 7967125f58de7e6843002d674fab90c4429452f3 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Mon, 19 Jul 2021 09:53:28 -0400 Subject: [PATCH 4/5] Replace MACs verbiage with ciphers --- .../rule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml index 0aac8e2038d..81ee763831d 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true prodtype: rhel8 -title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config' +title: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config' description: |- Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -35,7 +35,7 @@ references: ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' ocil: |- - To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run: + To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run:
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
and verify that the line matches:
-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
From ab21f2d59db725f07b70e3e748ebc96c34e23b79 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Tue, 20 Jul 2021 09:01:50 -0400 Subject: [PATCH 5/5] Sorted refs, updated test scenario, fixed duplicate CCE --- .../harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml | 4 ++-- .../stig_incorrect_followed_by_correct_commented.fail.sh | 2 +- .../rule.yml | 4 ++-- products/rhel8/profiles/stig.profile | 3 --- shared/references/cce-redhat-avail.txt | 2 -- tests/data/profile_stability/rhel8/stig.profile | 4 ++-- tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++-- 7 files changed, 9 insertions(+), 14 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml index d626ec6e260..0aa310d9245 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml @@ -24,12 +24,12 @@ rationale: |- severity: medium identifiers: - cce@rhel8: CCE-85870-4 + cce@rhel8: CCE-85902-5 references: + disa: CCI-001453 nist: AC-17(2) srg: SRG-OS-000250-GPOS-00093 - disa: CCI-001453 stigid@rhel8: RHEL-08-010291 ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly' diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh index 195f5e8d8ed..6ad1f4fd0f3 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh @@ -16,4 +16,4 @@ else fi # follow up with correct value -echo "Ciphers ${sshd_approved_ciphers}" >> $configfile +echo "#Ciphers ${sshd_approved_ciphers}" >> $configfile diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml index 81ee763831d..b56f2421f22 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml @@ -24,12 +24,12 @@ rationale: |- severity: medium identifiers: - cce@rhel8: CCE-85871-2 + cce@rhel8: CCE-85897-7 references: + disa: CCI-001453 nist: AC-17(2) srg: SRG-OS-000250-GPOS-00093 - disa: CCI-001453 stigid@rhel8: RHEL-08-010290 ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly' diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index a3783efafd6..7270a8f91f2 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -50,11 +50,8 @@ selections: - var_password_pam_retry=3 - var_password_pam_minlen=15 - var_sshd_set_keepalive=0 -<<<<<<< HEAD - sshd_approved_macs=stig -======= - sshd_approved_ciphers=stig ->>>>>>> 4d62df6b2 (New rules for RHEL-08-010291) - sshd_idle_timeout_value=10_minutes - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 036d34cea1d..665f903ead4 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt 
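Review bot: `stigid@rhel8: RHEL-08-010290` in harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml disagrees with the sibling harden_sshd_ciphers_openssh_conf_crypto_policy rule, which carries `stigid@rhel8: RHEL-08-010291`, and with the `# RHEL-08-010291` heading both rules are listed under in products/rhel8/profiles/stig.profile; it looks like a leftover from copying the MACs rule. The line is hunk context rather than a change, but since this commit reorders the surrounding references it is the natural place to correct it to `stigid@rhel8: RHEL-08-010291`.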
@@ -33,11 +33,9 @@ CCE-85892-8
 CCE-85893-6
 CCE-85895-1
 CCE-85896-9
-CCE-85897-7
 CCE-85898-5
 CCE-85900-9
 CCE-85901-7
-CCE-85902-5
 CCE-85903-3
 CCE-85904-1
 CCE-85905-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 05335cc38fb..7d59cfff625 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -145,10 +145,10 @@ selections:
 - grub2_uefi_admin_username
 - grub2_uefi_password
 - grub2_vsyscall_argument
-- harden_sshd_macs_openssh_conf_crypto_policy
-- harden_sshd_macs_opensshserver_conf_crypto_policy
 - harden_sshd_ciphers_openssh_conf_crypto_policy
 - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+- harden_sshd_macs_openssh_conf_crypto_policy
+- harden_sshd_macs_opensshserver_conf_crypto_policy
 - install_smartcard_packages
 - installed_OS_is_vendor_supported
 - kerberos_disable_no_keytab
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index a0adc835a0d..2c2daad6f6d 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -156,10 +156,10 @@ selections:
 - grub2_uefi_admin_username
 - grub2_uefi_password
 - grub2_vsyscall_argument
-- harden_sshd_macs_openssh_conf_crypto_policy
-- harden_sshd_macs_opensshserver_conf_crypto_policy
 - harden_sshd_ciphers_openssh_conf_crypto_policy
 - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+- harden_sshd_macs_openssh_conf_crypto_policy
+- harden_sshd_macs_opensshserver_conf_crypto_policy
 - install_smartcard_packages
 - installed_OS_is_vendor_supported
 - kerberos_disable_no_keytab