From 8bf82a98ae80879d2b1800ae0d5bc19b6c5cab3c Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Thu, 14 Nov 2019 18:04:39 +0100

Subject: [PATCH 1/2] Fix RHEL7 rules sshd_use_strong_macs and

 sshd_use_strong_ciphers.

- Implemented Bash remediations according to rule description.

- Synced sshd_use_strong_ciphers OVAL according with the rule description.

---

 .../ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh     | 3 +++

 .../ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml    | 2 +-

 .../ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh        | 4 ++++

 3 files changed, 8 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh

new file mode 100644

index 0000000000..69c1f3eead

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh

@@ -0,0 +1,3 @@

+# platform = multi_platform_all

+

+{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml

index 3adae19c5a..0b20f775ce 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml

@@ -1 +1 @@

-{{{ oval_sshd_config(parameter="Ciphers", value="((chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}}

+{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh

new file mode 100644

index 0000000000..f77be04a1b

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh

@@ -0,0 +1,4 @@

+# platform = multi_platform_all

+

+{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}

+

From 32c5bdbfc532d36bae5aaf0e0510b8516373598e Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Fri, 15 Nov 2019 14:44:25 +0100

Subject: [PATCH 2/2] Fixed sshd_use_strong_ciphers.

- Fixed ciphers rule description metadata and bash remediation - removed duplicate ciphers.

- Fixed ciphers rule OVAL.

---

 .../ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh   | 2 +-

 .../ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml  | 2 +-

 .../ssh/ssh_server/sshd_use_strong_ciphers/rule.yml         | 3 +--

 7 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh

index 69c1f3eead..d30e534064 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh

@@ -1,3 +1,3 @@

 # platform = multi_platform_all

-{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr") }}}

+{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml

index 0b20f775ce..474cb49979 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml

@@ -1 +1 @@

-{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}}

+{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com),?)+") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml

index d4b61cedb9..90e11c0d99 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml

@@ -9,8 +9,7 @@ description: |-

     Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.

     The following line in <tt>/etc/ssh/sshd_config</tt>

     demonstrates use of those ciphers:

-    
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

-    
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

+    
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

     The man page <tt>sshd_config(5)</tt> contains a list of supported ciphers.

 rationale: |-