|
|
dac76a |
From 67f0ba457c2dafd9077d80bd17d10857fe31a55d Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
dac76a |
Date: Wed, 18 Mar 2020 16:44:49 +0100
|
|
|
dac76a |
Subject: [PATCH 1/2] Parametrized the sshd_use_approved_ciphers rule.
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../ansible/shared.yml | 4 ++-
|
|
|
dac76a |
.../sshd_use_approved_ciphers/bash/shared.sh | 4 ++-
|
|
|
dac76a |
.../sshd_use_approved_ciphers/oval/shared.xml | 33 ++++++++++++++++---
|
|
|
dac76a |
.../sshd_use_approved_ciphers/rule.yml | 3 +-
|
|
|
dac76a |
.../tests/stig_comment.fail.sh | 9 +++++
|
|
|
dac76a |
.../tests/stig_correct_reduced_list.pass.sh | 9 +++++
|
|
|
dac76a |
.../tests/stig_correct_scrambled.pass.sh | 9 +++++
|
|
|
dac76a |
.../tests/stig_correct_value_full.pass.sh | 9 +++++
|
|
|
dac76a |
.../tests/stig_line_not_there.fail.sh | 5 +++
|
|
|
dac76a |
.../tests/stig_wrong_value.fail.sh | 9 +++++
|
|
|
dac76a |
.../tests/wrong_value.fail.sh | 2 +-
|
|
|
dac76a |
.../sshd_use_approved_macs/rule.yml | 1 +
|
|
|
dac76a |
.../services/ssh/sshd_approved_ciphers.var | 16 +++++++++
|
|
|
dac76a |
rhel7/profiles/stig.profile | 1 +
|
|
|
dac76a |
shared/macros.jinja | 5 +++
|
|
|
dac76a |
15 files changed, 111 insertions(+), 8 deletions(-)
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
|
|
|
dac76a |
index ea05a8f896..ef331a843e 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
|
|
|
dac76a |
@@ -3,4 +3,6 @@
|
|
|
dac76a |
# strategy = restrict
|
|
|
dac76a |
# complexity = low
|
|
|
dac76a |
# disruption = low
|
|
|
dac76a |
-{{{ ansible_sshd_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc") }}}
|
|
|
dac76a |
+- (xccdf-var sshd_approved_ciphers)
|
|
|
dac76a |
+
|
|
|
dac76a |
+{{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}}
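Review bot: The cipher list handed to `ansible_sshd_set` on the last line is now whatever the selected profile or tailoring puts into `sshd_approved_ciphers`, and nothing in this hunk validates it before sshd is next restarted; a misspelled or unsupported cipher name makes sshd refuse to start, which on a remote host is an administrator lockout. Whether the macro validates the file is not visible here (it is defined outside this hunk); if it wraps `lineinfile`, passing `validate: /usr/sbin/sshd -t -f %s` is the cheap guard, otherwise a follow-up task running `sshd -t` before any restart handler would do. A one-line comment above the call noting that the value must be a comma-separated list with no whitespace, exactly as `sshd_config` expects, would also help tailors.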
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
|
|
|
dac76a |
index 2475923e6e..a294138272 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
|
|
|
dac76a |
@@ -3,4 +3,6 @@
|
|
|
dac76a |
# Include source function library.
|
|
|
dac76a |
. /usr/share/scap-security-guide/remediation_functions
|
|
|
dac76a |
|
|
|
dac76a |
-replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' '@CCENUM@' '%s %s'
|
|
|
dac76a |
+populate sshd_approved_ciphers
|
|
|
dac76a |
+
|
|
|
dac76a |
+replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s'
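Review bot: `'^Ciphers'` on the last line is matched case-sensitively, while the OVAL check in this same patch matches the keyword with `(?i)`; sshd_config keywords are case-insensitive and sshd honours the first occurrence, so a pre-existing `ciphers ...` line would survive this remediation, keep precedence over the appended `Ciphers` line, and the rule would still fail after remediation. Whether `replace_or_append` accepts an extended pattern is not visible here; if so, a case-insensitive keyword match (at minimum `'^[Cc]iphers'`) closes the gap. Also worth a comment: the value now comes from `populate sshd_approved_ciphers` rather than a fixed literal, and an unsupported cipher name in a tailored value makes sshd fail to start, so running `sshd -t` after the write is a cheap safeguard against locking out remote administrators.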
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
|
|
|
dac76a |
index 84c3c8aa48..19b63d404f 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
|
|
|
dac76a |
@@ -32,14 +32,39 @@
|
|
|
dac76a |
</criteria>
|
|
|
dac76a |
</criteria>
|
|
|
dac76a |
</definition>
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
+
|
|
|
dac76a |
comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file"
|
|
|
dac76a |
id="test_sshd_use_approved_ciphers" version="1">
|
|
|
dac76a |
<ind:object object_ref="obj_sshd_use_approved_ciphers" />
|
|
|
dac76a |
- </ind:textfilecontent54_test>
|
|
|
dac76a |
- <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers" version="2">
|
|
|
dac76a |
+ <ind:state state_ref="ste_sshd_use_approved_ciphers" />
|
|
|
dac76a |
+ </ind:variable_test>
|
|
|
dac76a |
+
|
|
|
dac76a |
+ <ind:variable_object id="obj_sshd_use_approved_ciphers" version="1">
|
|
|
dac76a |
+ <ind:var_ref>var_sshd_config_ciphers</ind:var_ref>
|
|
|
dac76a |
+ </ind:variable_object>
|
|
|
dac76a |
+
|
|
|
dac76a |
+ <ind:variable_state comment="approved ciphers" id="ste_sshd_use_approved_ciphers" version="1">
|
|
|
dac76a |
+ <ind:value operation="equals" datatype="string" var_ref="var_sshd_approved_ciphers" var_check="at least one" />
|
|
|
dac76a |
+ </ind:variable_state>
|
|
|
dac76a |
+
|
|
|
dac76a |
+ <ind:textfilecontent54_object id="obj_sshd_config_ciphers" version="1">
|
|
|
dac76a |
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
|
|
dac76a |
- <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc|rijndael-cbc@lysator\.liu\.se),?)+[\s]*(?:|(?:#.*))?$</ind:pattern>
|
|
|
dac76a |
+ <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern>
|
|
|
dac76a |
<ind:instance datatype="int">1</ind:instance>
|
|
|
dac76a |
</ind:textfilecontent54_object>
|
|
|
dac76a |
+
|
|
|
dac76a |
+ <local_variable id="var_sshd_config_ciphers" datatype="string" version="1" comment="Ciphers values splitted on comma">
|
|
|
dac76a |
+ <split delimiter=",">
|
|
|
dac76a |
+ <object_component item_field="subexpression" object_ref="obj_sshd_config_ciphers" />
|
|
|
dac76a |
+ </split>
|
|
|
dac76a |
+ </local_variable>
|
|
|
dac76a |
+
|
|
|
dac76a |
+ <local_variable id="var_sshd_approved_ciphers" datatype="string" version="1" comment="approved ciphers values splitted on comma">
|
|
|
dac76a |
+ <split delimiter=",">
|
|
|
dac76a |
+ <variable_component var_ref="sshd_approved_ciphers" />
|
|
|
dac76a |
+ </split>
|
|
|
dac76a |
+ </local_variable>
|
|
|
dac76a |
+
|
|
|
dac76a |
+ <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
|
|
|
dac76a |
</def-group>
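Review bot: The pattern on the new `obj_sshd_config_ciphers` object, `([\w,-@]+)+`, nests two unbounded quantifiers; the outer `+` adds nothing (a capture group keeps only its last repetition, and one greedy inner match already covers the whole token) but makes a non-matching line, for example one with a stray character after the list, backtrack exponentially. The class `[\w,-@]` is also read by the engine as the range `,` through `@`, which happens to include `-` and `.` but also `/:;<=>?`; `([\w.@,-]+)` says what is meant. The check itself is sound: every comma-separated item of the first `Ciphers` line must equal at least one item of the variable, i.e. configured is a subset of approved, which the reduced-list and scrambled scenarios confirm. The opening line of the test element is not visible in this hunk, so the behaviour when no `Ciphers` line exists (a variable with no values) is inferred from the `stig_line_not_there` scenario rather than from the `check_existence` attribute. Minor wording: `splitted` in both `local_variable` comments should be `split`.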
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
|
|
dac76a |
index f85b9016f9..e043b12c93 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
|
|
|
dac76a |
@@ -13,7 +13,7 @@ description: |-
|
|
|
dac76a |
The man page <tt>sshd_config(5)</tt> contains a list of supported ciphers.
|
|
|
dac76a |
{{% if product in ["rhel7","ol7"] %}}
|
|
|
dac76a |
|
|
|
dac76a |
- The following ciphers are FIPS 140-2 certified on {{{ full_name }}}:
|
|
|
dac76a |
+ Only the following ciphers are FIPS 140-2 certified on {{{ full_name }}}:
|
|
|
dac76a |
- aes128-ctr
|
|
|
dac76a |
- aes192-ctr
|
|
|
dac76a |
- aes256-ctr
|
|
|
dac76a |
@@ -31,6 +31,7 @@ description: |-
|
|
|
dac76a |
{{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}
|
|
|
dac76a |
{{% endif %}}
|
|
|
dac76a |
{{% endif %}}
|
|
|
dac76a |
+ The rule is parametrized to use the following ciphers: {{{ sub_var_value("sshd_approved_ciphers") }}} .
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
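Review bot: The added sentence renders with a space before the full stop because the macro call is followed by ` .`; `{{{ sub_var_value("sshd_approved_ciphers") }}}.` renders cleanly. Since the value shown is whatever the chosen profile selects, phrasing it as `The ciphers actually enforced are taken from the sshd_approved_ciphers variable, currently:` tells the reader where to change it rather than implying the list is fixed. The description block begins outside this hunk.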
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..1be6371045
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,9 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+
|
|
|
dac76a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
dac76a |
+
|
|
|
dac76a |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
dac76a |
+ sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ echo "# Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
|
|
|
dac76a |
+fi
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..5393d96617
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,9 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+
|
|
|
dac76a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
dac76a |
+
|
|
|
dac76a |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
dac76a |
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr/" /etc/ssh/sshd_config
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ echo "Ciphers aes128-ctr,aes192-ctr" >> /etc/ssh/sshd_config
|
|
|
dac76a |
+fi
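Review bot: This scenario encodes a non-obvious property of the check, that a strict subset of the approved list passes, and the script says nothing about it, so a later reader may take the two-cipher list for a copy-paste mistake. A comment after the `# profiles` line such as `# A subset of the approved ciphers is still compliant: the check requires every configured cipher to be approved, not the exact list.` records the intent. The `sed` branch only rewrites a line starting with uppercase `Ciphers`; if the test image ever carries a lowercase keyword, the scenario would silently become a different one, which is worth a note or a case-insensitive address.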
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..cd1fbde03b
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,9 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+
|
|
|
dac76a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
dac76a |
+
|
|
|
dac76a |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
dac76a |
+ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr,aes256-ctr/" /etc/ssh/sshd_config
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ echo "Ciphers aes192-ctr,aes128-ctr,aes256-ctr" >> /etc/ssh/sshd_config
|
|
|
dac76a |
+fi
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..ad6d9f887c
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,9 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+
|
|
|
dac76a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
dac76a |
+
|
|
|
dac76a |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
dac76a |
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' >> /etc/ssh/sshd_config
|
|
|
dac76a |
+fi
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..f73d82e221
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,5 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+
|
|
|
dac76a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
dac76a |
+
|
|
|
dac76a |
+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..46b437944f
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,9 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+
|
|
|
dac76a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
dac76a |
+
|
|
|
dac76a |
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
dac76a |
+ sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc/" /etc/ssh/sshd_config
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ echo "Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" >> /etc/ssh/sshd_config
|
|
|
dac76a |
+fi
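Review bot: The two branches write different scenarios: the `sed` branch replaces an existing directive with a commented-out `# Ciphers ...` line, while the `else` branch appends an active line with unapproved ciphers, so what the scanner sees depends on whether the image already had a `Ciphers` line, and the commented variant merely duplicates `stig_comment.fail.sh`. For the scenario the file name promises, the `sed` line should be `sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc/" /etc/ssh/sshd_config`. Both paths then fail for the same reason, an active line containing CBC and 3DES entries the `stig` value does not allow.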
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh
|
|
|
dac76a |
index 550c55968b..ffd8eda6e8 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh
|
|
|
dac76a |
@@ -5,5 +5,5 @@
|
|
|
dac76a |
if grep -q "^Ciphers" /etc/ssh/sshd_config; then
|
|
|
dac76a |
sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
|
|
|
dac76a |
else
|
|
|
dac76a |
- echo "Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
|
|
|
dac76a |
+ echo "# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
|
|
|
dac76a |
fi
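Review bot: The change makes the `else` branch match the `sed` branch by commenting the line out, so both paths now leave the file with no active `Ciphers` directive and the scenario has become a duplicate of the commented-out case; the `weak-cipher` token that gives the test its name is never evaluated. The consistent fix goes the other way: drop `# ` from both lines so an active line with an unapproved cipher is written. Separately, inside the double-quoted `echo` the `\.` sequences are written literally to the file (`lysator\.liu\.se`), unlike in the `sed` replacement where they mean a plain dot; the escapes are not needed in the `echo` string at all.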
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
|
|
dac76a |
index b64be010cd..6a582c9577 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
|
|
dac76a |
@@ -32,6 +32,7 @@ description: |-
|
|
|
dac76a |
{{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}
|
|
|
dac76a |
{{% endif %}}
|
|
|
dac76a |
{{% endif %}}
|
|
|
dac76a |
+ The rule is parametrized to use the following MACs: {{{ sub_var_value("sshd_approved_macs") }}} .
|
|
|
dac76a |
|
|
|
dac76a |
rationale: |-
|
|
|
dac76a |
DoD Information Systems are required to use FIPS-approved cryptographic hash
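Review bot: The new line substitutes `sshd_approved_macs`, but this patch creates only `sshd_approved_ciphers.var` and the diffstat shows no MACs variable, so the `<sub idref>` can only resolve if that variable already exists in the tree; that is not visible here and is worth confirming, since an unresolved idref would surface at build or XCCDF validation time rather than in the rendered text. The same ` .` spacing as in the ciphers rule applies: put the full stop directly after the macro call. The description block begins outside this hunk.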
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..66d0776949
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
|
|
dac76a |
@@ -0,0 +1,16 @@
|
|
|
dac76a |
+documentation_complete: true
|
|
|
dac76a |
+
|
|
|
dac76a |
+title: 'SSH Approved ciphers by FIPS'
|
|
|
dac76a |
+
|
|
|
dac76a |
+description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server."
|
|
|
dac76a |
+
|
|
|
dac76a |
+type: string
|
|
|
dac76a |
+
|
|
|
dac76a |
+operator: equals
|
|
|
dac76a |
+
|
|
|
dac76a |
+interactive: false
|
|
|
dac76a |
+
|
|
|
dac76a |
+options:
|
|
|
dac76a |
+ stig: aes128-ctr,aes192-ctr,aes256-ctr
|
|
|
dac76a |
+ default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
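Review bot: The `description:` line says the ciphers are used for data integrity protection, which is what MACs provide; ciphers provide confidentiality, so this reads as text carried over from the MACs variable and will mislead anyone tailoring it. `description: "Specify the FIPS approved ciphers that are used for data confidentiality protection by the SSH server."` is the minimal correction. On the `default:` option, `3des-cbc` (64-bit block) and the CBC modes are FIPS-approved but long dropped from OpenSSH's own defaults, and `rijndael-cbc@lysator.liu.se` is an alias of `aes256-cbc`; keeping them is presumably deliberate for compatibility, but a comment saying so, or at least pointing to the `stig` option as the conservative choice, would help.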
|
|
|
dac76a |
+
|
|
|
dac76a |
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
|
|
dac76a |
index e148325d3e..9b6ecfa543 100644
|
|
|
dac76a |
--- a/rhel7/profiles/stig.profile
|
|
|
dac76a |
+++ b/rhel7/profiles/stig.profile
|
|
|
dac76a |
@@ -228,6 +228,7 @@ selections:
|
|
|
dac76a |
- install_antivirus
|
|
|
dac76a |
- accounts_max_concurrent_login_sessions
|
|
|
dac76a |
- configure_firewalld_ports
|
|
|
dac76a |
+ - sshd_approved_ciphers=stig
|
|
|
dac76a |
- sshd_use_approved_ciphers
|
|
|
dac76a |
- accounts_tmout
|
|
|
dac76a |
- sshd_enable_warning_banner
|
|
|
dac76a |
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
|
|
dac76a |
index edbaeeb56c..d80eeb69b3 100644
|
|
|
dac76a |
--- a/shared/macros.jinja
|
|
|
dac76a |
+++ b/shared/macros.jinja
|
|
|
dac76a |
@@ -35,6 +35,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is
|
|
|
dac76a |
{{%- endmacro %}}
|
|
|
dac76a |
|
|
|
dac76a |
|
|
|
dac76a |
+{{% macro sub_var_value(varname) -%}}
|
|
|
dac76a |
+<sub idref="{{{ varname }}}" />
|
|
|
dac76a |
+{{%- endmacro %}}
|
|
|
dac76a |
+
|
|
|
dac76a |
+
|
|
|
dac76a |
{{% macro complete_ocil_entry_mount_option(point, option) -%}}
|
|
|
dac76a |
ocil: |
|
|
|
dac76a |
{{{ ocil_mount_option(point, option) | indent(4) }}}
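Review bot: `sub_var_value` is undocumented and its one-line body emits a raw XCCDF `<sub>` element, which is only meaningful where the enclosing text is rendered into XCCDF and where the build resolves the short variable name to the benchmark's full value id; both are assumed here rather than visible in the hunk. A short comment above the macro stating that it substitutes the selected value of an XCCDF variable into rule text at tailoring time, and that the argument is the variable's short id, would make that contract explicit for the next caller. Given the `rule.yml` usage in this patch, also mention that closing punctuation should follow the call directly to avoid a stray space in the rendered text.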
|
|
|
dac76a |
|
|
|
dac76a |
From 12eca02a6d16d723c90fb95b21d9992af53befab Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matej.tyc@gmail.com>
|
|
|
dac76a |
Date: Thu, 19 Mar 2020 09:56:35 +0100
|
|
|
dac76a |
Subject: [PATCH 2/2] Streamlined description by removing ineffective escape
|
|
|
dac76a |
sequences.
|
|
|
dac76a |
MIME-Version: 1.0
|
|
|
dac76a |
Content-Type: text/plain; charset=UTF-8
|
|
|
dac76a |
Content-Transfer-Encoding: 8bit
|
|
|
dac76a |
|
|
|
dac76a |
Co-Authored-By: Jan Černý <jcerny@redhat.com>
|
|
|
dac76a |
---
|
|
|
dac76a |
linux_os/guide/services/ssh/sshd_approved_ciphers.var | 3 +--
|
|
|
dac76a |
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
|
|
dac76a |
index 66d0776949..30e58336ce 100644
|
|
|
dac76a |
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
|
|
dac76a |
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
|
|
dac76a |
@@ -2,7 +2,7 @@ documentation_complete: true
|
|
|
dac76a |
|
|
|
dac76a |
title: 'SSH Approved ciphers by FIPS'
|
|
|
dac76a |
|
|
|
dac76a |
-description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server."
|
|
|
dac76a |
+description: "Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server."
|
|
|
dac76a |
|
|
|
dac76a |
type: string
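Review bot: The reworded `description:` line still says the ciphers are used for data integrity protection; that is what MACs provide, while ciphers provide confidentiality, so the sentence remains wrong after the cleanup of the escape sequences. `description: "Specify the FIPS approved ciphers that are used for data confidentiality protection by the SSH server."` fixes it without any other change.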
|
|
|
dac76a |
|
|
|
dac76a |
@@ -13,4 +13,3 @@ interactive: false
|
|
|
dac76a |
options:
|
|
|
dac76a |
stig: aes128-ctr,aes192-ctr,aes256-ctr
|
|
|
dac76a |
default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
|
|
|
dac76a |
-
|