From 67f0ba457c2dafd9077d80bd17d10857fe31a55d Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Wed, 18 Mar 2020 16:44:49 +0100

Subject: [PATCH 1/2] Parametrized the sshd_use_approved_ciphers rule.

---

 .../ansible/shared.yml                        |  4 ++-

 .../sshd_use_approved_ciphers/bash/shared.sh  |  4 ++-

 .../sshd_use_approved_ciphers/oval/shared.xml | 33 ++++++++++++++++---

 .../sshd_use_approved_ciphers/rule.yml        |  3 +-

 .../tests/stig_comment.fail.sh                |  9 +++++

 .../tests/stig_correct_reduced_list.pass.sh   |  9 +++++

 .../tests/stig_correct_scrambled.pass.sh      |  9 +++++

 .../tests/stig_correct_value_full.pass.sh     |  9 +++++

 .../tests/stig_line_not_there.fail.sh         |  5 +++

 .../tests/stig_wrong_value.fail.sh            |  9 +++++

 .../tests/wrong_value.fail.sh                 |  2 +-

 .../sshd_use_approved_macs/rule.yml           |  1 +

 .../services/ssh/sshd_approved_ciphers.var    | 16 +++++++++

 rhel7/profiles/stig.profile                   |  1 +

 shared/macros.jinja                           |  5 +++

 15 files changed, 111 insertions(+), 8 deletions(-)

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh

 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh

 create mode 100644 linux_os/guide/services/ssh/sshd_approved_ciphers.var

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml

index ea05a8f896..ef331a843e 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml

@@ -3,4 +3,6 @@

 # strategy = restrict

 # complexity = low

 # disruption = low

-{{{ ansible_sshd_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc") }}}

+- (xccdf-var sshd_approved_ciphers)

+

+{{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}}

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh

index 2475923e6e..a294138272 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh

@@ -3,4 +3,6 @@

 # Include source function library.

 . /usr/share/scap-security-guide/remediation_functions

-replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' '@CCENUM@' '%s %s'

+populate sshd_approved_ciphers

+

+replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s'

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml

index 84c3c8aa48..19b63d404f 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml

@@ -32,14 +32,39 @@

       </criteria>

     </criteria>

   </definition>

-  

+

+  

   comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file"

   id="test_sshd_use_approved_ciphers" version="1">

     <ind:object object_ref="obj_sshd_use_approved_ciphers" />

-  </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers" version="2">

+    <ind:state state_ref="ste_sshd_use_approved_ciphers" />

+  </ind:variable_test>

+

+  <ind:variable_object id="obj_sshd_use_approved_ciphers" version="1">

+    <ind:var_ref>var_sshd_config_ciphers</ind:var_ref>

+  </ind:variable_object>

+

+  <ind:variable_state comment="approved ciphers" id="ste_sshd_use_approved_ciphers" version="1">

+    <ind:value operation="equals" datatype="string" var_ref="var_sshd_approved_ciphers" var_check="at least one" />

+  </ind:variable_state>

+

+  <ind:textfilecontent54_object id="obj_sshd_config_ciphers" version="1">

     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>

-    <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc|rijndael-cbc@lysator\.liu\.se),?)+[\s]*(?:|(?:#.*))?$</ind:pattern>

+    <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern>

     <ind:instance datatype="int">1</ind:instance>

   </ind:textfilecontent54_object>

+

+  <local_variable id="var_sshd_config_ciphers" datatype="string" version="1" comment="Ciphers values splitted on comma">

+    <split delimiter=",">

+      <object_component item_field="subexpression" object_ref="obj_sshd_config_ciphers" />

+    </split>

+  </local_variable>

+

+  <local_variable id="var_sshd_approved_ciphers" datatype="string" version="1" comment="approved ciphers values splitted on comma">

+    <split delimiter=",">

+      <variable_component var_ref="sshd_approved_ciphers" />

+    </split>

+  </local_variable>

+

+  <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />

 </def-group>

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml

index f85b9016f9..e043b12c93 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml

@@ -13,7 +13,7 @@ description: |-

     The man page <tt>sshd_config(5)</tt> contains a list of supported ciphers.

 {{% if product in ["rhel7","ol7"] %}}

-    The following ciphers are FIPS 140-2 certified on {{{ full_name }}}:

+    Only the following ciphers are FIPS 140-2 certified on {{{ full_name }}}:

     
- aes128-ctr

     
- aes192-ctr

     
- aes256-ctr

@@ -31,6 +31,7 @@ description: |-

     {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}

     {{% endif %}}

 {{% endif %}}

+    The rule is parametrized to use the following ciphers: {{{ sub_var_value("sshd_approved_ciphers") }}}.

 rationale: |-

     Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh

new file mode 100644

index 0000000000..1be6371045

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+if grep -q "^Ciphers" /etc/ssh/sshd_config; then

+	sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config

+else

+	echo "# Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config

+fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh

new file mode 100644

index 0000000000..5393d96617

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+if grep -q "^Ciphers" /etc/ssh/sshd_config; then

+	sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr/" /etc/ssh/sshd_config

+else

+	echo "Ciphers aes128-ctr,aes192-ctr" >> /etc/ssh/sshd_config

+fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh

new file mode 100644

index 0000000000..cd1fbde03b

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+if grep -q "^Ciphers" /etc/ssh/sshd_config; then

+	sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr,aes256-ctr/" /etc/ssh/sshd_config

+else

+	echo "Ciphers aes192-ctr,aes128-ctr,aes256-ctr" >> /etc/ssh/sshd_config

+fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh

new file mode 100644

index 0000000000..ad6d9f887c

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+if grep -q "^Ciphers" /etc/ssh/sshd_config; then

+	sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config

+else

+	echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' >> /etc/ssh/sshd_config

+fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh

new file mode 100644

index 0000000000..f73d82e221

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh

new file mode 100644

index 0000000000..46b437944f

--- /dev/null

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh

@@ -0,0 +1,9 @@

+#!/bin/bash

+

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+if grep -q "^Ciphers" /etc/ssh/sshd_config; then

+	sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc/" /etc/ssh/sshd_config

+else

+	echo "Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" >> /etc/ssh/sshd_config

+fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh

index 550c55968b..ffd8eda6e8 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh

@@ -5,5 +5,5 @@

 if grep -q "^Ciphers" /etc/ssh/sshd_config; then

 	sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config

 else

-	echo "Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config

+	echo "# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config

 fi

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml

index b64be010cd..6a582c9577 100644

--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml

+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml

@@ -32,6 +32,7 @@ description: |-

     {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}

     {{% endif %}}

 {{% endif %}}

+    The rule is parametrized to use the following MACs: {{{ sub_var_value("sshd_approved_macs") }}}.

 rationale: |-

     DoD Information Systems are required to use FIPS-approved cryptographic hash

diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var

new file mode 100644

index 0000000000..66d0776949

--- /dev/null

+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var

@@ -0,0 +1,16 @@

+documentation_complete: true

+

+title: 'SSH Approved ciphers by FIPS'

+

+description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server."

+

+type: string

+

+operator: equals

+

+interactive: false

+

+options:

+    stig: aes128-ctr,aes192-ctr,aes256-ctr

+    default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

+

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile

index e148325d3e..9b6ecfa543 100644

--- a/rhel7/profiles/stig.profile

+++ b/rhel7/profiles/stig.profile

@@ -228,6 +228,7 @@ selections:

     - install_antivirus

     - accounts_max_concurrent_login_sessions

     - configure_firewalld_ports

+    - sshd_approved_ciphers=stig

     - sshd_use_approved_ciphers

     - accounts_tmout

     - sshd_enable_warning_banner

diff --git a/shared/macros.jinja b/shared/macros.jinja

index edbaeeb56c..d80eeb69b3 100644

--- a/shared/macros.jinja

+++ b/shared/macros.jinja

@@ -35,6 +35,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is

 {{%- endmacro %}}

+{{% macro sub_var_value(varname) -%}}

+<sub idref="{{{ varname }}}" />

+{{%- endmacro %}}

+

+

 {{% macro complete_ocil_entry_mount_option(point, option) -%}}

 ocil: |

     {{{ ocil_mount_option(point, option) | indent(4) }}}

From 12eca02a6d16d723c90fb95b21d9992af53befab Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matej.tyc@gmail.com>

Date: Thu, 19 Mar 2020 09:56:35 +0100

Subject: [PATCH 2/2] Streamlined description by removing ineffective escape

 sequences.

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Co-Authored-By: Jan Černý <jcerny@redhat.com>

---

 linux_os/guide/services/ssh/sshd_approved_ciphers.var | 3 +--

 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var

index 66d0776949..30e58336ce 100644

--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var

+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var

@@ -2,7 +2,7 @@ documentation_complete: true

 title: 'SSH Approved ciphers by FIPS'

-description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server."

+description: "Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server."

 type: string

@@ -13,4 +13,3 @@ interactive: false

 options:

     stig: aes128-ctr,aes192-ctr,aes256-ctr

     default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

-