scap-security-guide/SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010290-PR_7151.patch
2021-09-10 04:19:00 +00:00

688 lines
31 KiB
Diff

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
index 194d7dfe2dc..b6c5e7f4b0d 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -37,7 +37,7 @@ ocil: |-
MACs are in use, run the following command:
<pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre>
The output should contain only following MACs (or a subset) in the exact order:
- <pre>hmac-sha2-512,hmac-sha2-256</pre>
+ <pre>MACs {{{ xccdf_value("sshd_approved_macs") }}}</pre>
warnings:
- general: |-
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml
new file mode 100644
index 00000000000..1c9dde77ee2
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml
@@ -0,0 +1,16 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
+
+{{{ ansible_set_config_file(
+ msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
+ file='/etc/crypto-policies/back-ends/openssh.config',
+ parameter='MACs',
+ value="{{ sshd_approved_macs }}",
+ create='yes',
+ prefix_regex='^.*'
+ )
+}}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh
new file mode 100644
index 00000000000..b26992ce183
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+. /usr/share/scap-security-guide/remediation_functions
+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
+
+{{{ set_config_file(
+ path="/etc/crypto-policies/back-ends/openssh.config",
+ parameter="MACs",
+ value="${sshd_approved_macs}",
+ create=true,
+ insensitive=false,
+ prefix_regex="^.*"
+ )
+}}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml
new file mode 100644
index 00000000000..5239af10612
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml
@@ -0,0 +1,35 @@
+{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+ <criteria operator="AND" comment="Test conditions - presence of the file plus.">
+ <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD MACs" test_ref="test_{{{ rule_id }}}" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
+ comment="test the value of MACs setting in the {{{ PATH }}} file"
+ id="test_{{{ rule_id }}}" version="1">
+ <ind:object object_ref="obj_{{{ rule_id }}}" />
+ <ind:state state_ref="ste_{{{ rule_id }}}" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+ <ind:filepath>{{{ PATH }}}</ind:filepath>
+ <ind:pattern operation="pattern match">^MACs.*$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
+ <ind:text var_ref="sshd_macs_crypto" operation="equals"></ind:text>
+ </ind:textfilecontent54_state>
+
+ <local_variable id="sshd_macs_crypto" datatype="string" comment="The regex of the directive" version="1">
+ <concat>
+ <literal_component>MACs </literal_component>
+ <variable_component var_ref="sshd_approved_macs"/>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="SSH Approved MACs by FIPS" datatype="string" id="sshd_approved_macs" version="1" />
+</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
new file mode 100644
index 00000000000..1aeb987db2d
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
@@ -0,0 +1,60 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config'
+
+description: |-
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
+ set up incorrectly.
+
+ To check that Crypto Policies settings are configured correctly, ensure that
+ <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
+ line and is not commented out:
+ <tt>MACs hmac-sha2-512,hmac-sha2-256</tt>
+
+rationale: |-
+ Overriding the system crypto policy makes the behavior of the OpenSSH
+ client violate expectations, and makes system configuration more
+ fragmented.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-85870-4
+
+references:
+ disa: CCI-001453
+ nist: AC-17(2)
+ srg: SRG-OS-000250-GPOS-00093
+ stigid@rhel8: RHEL-08-010290
+
+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
+
+ocil: |-
+ To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
+ <pre>$ grep -i macs /etc/crypto-policies/back-ends/openssh.config</pre>
+ and verify that the line matches:
+ <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
+
+warnings:
+ - general: |-
+ The system needs to be rebooted for these changes to take effect.
+ - regulatory: |-
+ System Crypto Modules must be provided by a vendor that undergoes
+ FIPS-140 certifications.
+ FIPS-140 is applicable to all Federal agencies that use
+ cryptographic-based security systems to protect sensitive information
+ in computer and telecommunication systems (including voice systems) as
+ defined in Section 5131 of the Information Technology Management Reform
+ Act of 1996, Public Law 104-106. This standard shall be used in
+ designing and implementing cryptographic modules that Federal
+ departments and agencies operate or are operated for them under
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+ To meet this, the system has to have cryptographic software provided by
+ a vendor that has undergone this certification. This means providing
+ documentation, test results, design information, and independent third
+ party review by an accredited lab. While open source software is
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
+ submits to this process.
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
new file mode 100644
index 00000000000..5a4b6887cba
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile
+else
+ echo "MACs ${sshd_approved_macs}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
new file mode 100644
index 00000000000..e713d254f9c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*MACs.*$/#MACs ${sshd_approved_macs}/" $configfile
+else
+ echo "#MACs ${sshd_approved_macs}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
new file mode 100644
index 00000000000..b8a63bec194
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile
+else
+ echo "MACs ${sshd_approved_macs}" > "$configfile"
+fi
+
+# follow up with incorrect
+echo "#MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" >> $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
new file mode 100644
index 00000000000..55ef3f58422
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+echo "" > $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
new file mode 100644
index 00000000000..9980a45681c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*MACs.*$/MACs /" $configfile
+else
+ echo "MACs " > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
new file mode 100644
index 00000000000..d1303d60746
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
+incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*MACs.*$/MACs ${incorrect_sshd_approved_macs}/" $configfile
+else
+ echo "MACs ${incorrect_sshd_approved_macs}" > "$configfile"
+fi
+
+# follow up with correct value
+echo "MACs ${sshd_approved_macs}" >> $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
new file mode 100644
index 00000000000..8b21af46896
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*MACs.*$/MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512/" $configfile
+else
+ echo "MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
new file mode 100644
index 00000000000..2138caad319
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# If file exists, remove it
+test -f $configfile && rm -f $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml
new file mode 100644
index 00000000000..5ed618586ae
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml
@@ -0,0 +1,45 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
+
+- name: "{{{ rule_title }}}: Set facts"
+ set_fact:
+ path: /etc/crypto-policies/back-ends/opensshserver.config
+ correct_value: "-oMACs={{ sshd_approved_macs }}"
+
+- name: "{{{ rule_title }}}: Stat"
+ stat:
+ path: "{{ path }}"
+ follow: yes
+ register: opensshserver_file
+
+- name: "{{{ rule_title }}}: Create"
+ lineinfile:
+ path: "{{ path }}"
+ line: "CRYPTO_POLICY='{{ correct_value }}'"
+ create: yes
+ when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
+
+- name: "{{{ rule_title }}}"
+ block:
+ - name: "Existing value check"
+ lineinfile:
+ path: "{{ path }}"
+ create: false
+ regexp: "{{ correct_value }}"
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: opensshserver
+
+ - name: "Update/Correct value"
+ replace:
+ path: "{{ path }}"
+ regexp: (-oMACs=\S+)
+ replace: "{{ correct_value }}"
+ when: opensshserver.found is defined and opensshserver.found != 1
+
+ when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh
new file mode 100644
index 00000000000..790a2951bab
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh
@@ -0,0 +1,31 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+. /usr/share/scap-security-guide/remediation_functions
+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
+
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oMACs=${sshd_approved_macs}"
+
+# Test if file exists
+test -f ${CONF_FILE} || touch ${CONF_FILE}
+
+# Ensure CRYPTO_POLICY is not commented out
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+
+grep -q "'${correct_value}'" ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+ # We need to get the existing value, using PCRE to maintain same regex
+ existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
+
+ if [[ ! -z ${existing_value} ]]; then
+ # replace existing_value with correct_value
+ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+ else
+ # ***NOTE*** #
+ # This probably means this file is not here or it's been modified
+ # unintentionally.
+ # ********** #
+ # echo correct_value to end
+ echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
+ fi
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml
new file mode 100644
index 00000000000..18028157032
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml
@@ -0,0 +1,35 @@
+{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+ <criteria operator="AND" comment="Test conditions - presence of the file plus.">
+ <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD MACs" test_ref="test_{{{ rule_id }}}" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
+ comment="test the value of MACs setting in the {{{ PATH }}} file"
+ id="test_{{{ rule_id }}}" version="1">
+ <ind:object object_ref="obj_{{{ rule_id }}}" />
+ <ind:state state_ref="ste_{{{ rule_id }}}" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+ <ind:filepath>{{{ PATH }}}</ind:filepath>
+ <ind:pattern operation="pattern match">^(?!#).*(-oMACs=\S+).+$</ind:pattern>
+ <ind:instance operation="equals" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
+ <ind:subexpression var_ref="sshd_macs_crypto_opensshserver" operation="equals" />
+ </ind:textfilecontent54_state>
+
+ <local_variable id="sshd_macs_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">
+ <concat>
+ <literal_component>-oMACs=</literal_component>
+ <variable_component var_ref="sshd_approved_macs"/>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="SSH Approved MACs by FIPS" datatype="string" id="sshd_approved_macs" version="1" />
+</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
new file mode 100644
index 00000000000..0fd107a1bbe
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
@@ -0,0 +1,60 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
+
+description: |-
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
+ set up incorrectly.
+
+ To check that Crypto Policies settings are configured correctly, ensure that
+ <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
+ text and is not commented out:
+ <tt>-oMACS=hmac-sha2-512,hmac-sha2-256</tt>
+
+rationale: |-
+ Overriding the system crypto policy makes the behavior of the OpenSSH
+ server violate expectations, and makes system configuration more
+ fragmented.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-85899-3
+
+references:
+ disa: CCI-001453
+ nist: AC-17(2)
+ srg: SRG-OS-000250-GPOS-00093
+ stigid@rhel8: RHEL-08-010290
+
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
+
+ocil: |-
+ To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
+ <pre>$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
+ and verify that the line matches:
+ <pre>-oMACS=hmac-sha2-512,hmac-sha2-256</pre>
+
+warnings:
+ - general: |-
+ The system needs to be rebooted for these changes to take effect.
+ - regulatory: |-
+ System Crypto Modules must be provided by a vendor that undergoes
+ FIPS-140 certifications.
+ FIPS-140 is applicable to all Federal agencies that use
+ cryptographic-based security systems to protect sensitive information
+ in computer and telecommunication systems (including voice systems) as
+ defined in Section 5131 of the Information Technology Management Reform
+ Act of 1996, Public Law 104-106. This standard shall be used in
+ designing and implementing cryptographic modules that Federal
+ departments and agencies operate or are operated for them under
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+ To meet this, the system has to have cryptographic software provided by
+ a vendor that has undergone this certification. This means providing
+ documentation, test results, design information, and independent third
+ party review by an accredited lab. While open source software is
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
+ submits to this process.
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
new file mode 100644
index 00000000000..14da92218dc
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oMACs=${sshd_approved_macs}"
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# Proceed when file exists
+if [[ -f $configfile ]]; then
+ sed -i -r "s/-oMACs=\S+/${correct_value}/" $configfile
+else
+ echo "${correct_value}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
new file mode 100644
index 00000000000..3dde1479296
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
new file mode 100644
index 00000000000..a50a0fc02bf
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i -r "s/-oMACs=\S+/-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com/" $configfile
+else
+ echo "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
new file mode 100644
index 00000000000..11e596ced87
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# If file exists, remove it
+test -f $configfile && rm -f $configfile
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 6372d13cfc9..28b47cca487 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -50,6 +50,7 @@ selections:
- var_password_pam_retry=3
- var_password_pam_minlen=15
- var_sshd_set_keepalive=0
+ - sshd_approved_macs=stig
- sshd_idle_timeout_value=10_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
@@ -174,11 +175,17 @@ selections:
# RHEL-08-010260
- file_groupowner_var_log
+ # *** SHARED *** #
# RHEL-08-010290 && RHEL-08-010291
- ### NOTE: This will get split out in future STIG releases, as well as we will break
- ### these rules up to be more flexible in meeting the requirements.
+ # *** SHARED *** #
- configure_ssh_crypto_policy
+ # RHEL-08-010290
+ - harden_sshd_macs_openssh_conf_crypto_policy
+ - harden_sshd_macs_opensshserver_conf_crypto_policy
+
+ # RHEL-08-010291
+
# RHEL-08-010292
- sshd_use_strong_rng
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 24e81491683..036d34cea1d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -10,7 +10,6 @@ CCE-85866-2
CCE-85867-0
CCE-85868-8
CCE-85869-6
-CCE-85870-4
CCE-85872-0
CCE-85873-8
CCE-85874-6
@@ -36,7 +35,6 @@ CCE-85895-1
CCE-85896-9
CCE-85897-7
CCE-85898-5
-CCE-85899-3
CCE-85900-9
CCE-85901-7
CCE-85902-5
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 32f1a24a7a4..393051a34ea 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -145,6 +145,8 @@ selections:
- grub2_uefi_admin_username
- grub2_uefi_password
- grub2_vsyscall_argument
+- harden_sshd_macs_openssh_conf_crypto_policy
+- harden_sshd_macs_opensshserver_conf_crypto_policy
- install_smartcard_packages
- installed_OS_is_vendor_supported
- kerberos_disable_no_keytab
@@ -325,6 +327,7 @@ selections:
- var_password_pam_lcredit=1
- var_password_pam_retry=3
- var_sshd_set_keepalive=0
+- sshd_approved_macs=stig
- sshd_idle_timeout_value=10_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index d6a27c67dc0..de82fb34518 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -156,6 +156,8 @@ selections:
- grub2_uefi_admin_username
- grub2_uefi_password
- grub2_vsyscall_argument
+- harden_sshd_macs_openssh_conf_crypto_policy
+- harden_sshd_macs_opensshserver_conf_crypto_policy
- install_smartcard_packages
- installed_OS_is_vendor_supported
- kerberos_disable_no_keytab
@@ -335,6 +337,7 @@ selections:
- var_password_pam_lcredit=1
- var_password_pam_retry=3
- var_sshd_set_keepalive=0
+- sshd_approved_macs=stig
- sshd_idle_timeout_value=10_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900