From 8bf82a98ae80879d2b1800ae0d5bc19b6c5cab3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 14 Nov 2019 18:04:39 +0100
Subject: [PATCH 1/2] Fix RHEL7 rules sshd_use_strong_macs and
 sshd_use_strong_ciphers.

- Implemented Bash remediations according to rule description.
- Synced sshd_use_strong_ciphers OVAL with the rule description.
---
 .../ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh     | 3 +++
 .../ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml    | 2 +-
 .../ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh        | 4 ++++
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
new file mode 100644
index 0000000000..69c1f3eead
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
index 3adae19c5a..0b20f775ce 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
@@ -1 +1 @@
-{{{ oval_sshd_config(parameter="Ciphers", value="((chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}}
+{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
new file mode 100644
index 0000000000..f77be04a1b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}
+
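Review bot: The MACs value on the line above includes `hmac-ripemd160`, which OpenSSH removed in 7.6, while the header declares `# platform = multi_platform_all`; on a platform whose sshd no longer knows that MAC the remediated `MACs` line is rejected when the configuration is parsed, so applying this remediation can leave sshd unable to start. Either narrow the platform line to the releases that still ship the MAC or drop the entry: `{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256") }}}`. The extra empty line added at the end of the file looks unintended.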

From 32c5bdbfc532d36bae5aaf0e0510b8516373598e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 15 Nov 2019 14:44:25 +0100
Subject: [PATCH 2/2] Fixed sshd_use_strong_ciphers.

- Fixed ciphers rule description metadata and bash remediation - removed duplicate ciphers.
- Fixed ciphers rule OVAL.
---
 .../ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh   | 2 +-
 .../ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml  | 2 +-
 .../ssh/ssh_server/sshd_use_strong_ciphers/rule.yml         | 3 +--
 7 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
index 69c1f3eead..d30e534064 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
@@ -1,3 +1,3 @@
 # platform = multi_platform_all
 
-{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr") }}}
+{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com") }}}
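Review bot: The cipher order in the remediation value (`aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,...`) does not match the order demonstrated in the rule.yml hunk of the same commit (`chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr`), so the remediated sshd_config and the documented example differ. Per the SSH transport protocol the negotiated cipher is the first entry of the client's list that the server also offers, so the server-side order is largely cosmetic, but anyone comparing the remediation against the description will see a discrepancy; using the description's order in the macro call keeps the two in sync.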
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
index 0b20f775ce..474cb49979 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
@@ -1 +1 @@
-{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}}
+{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com),?)+") }}}
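Review bot: The pattern `((cipher-alternation),?)+` makes the comma optional, so it also accepts tokens run together without a separator (e.g. `aes128-ctraes256-ctr`), and the trailing `,?` means a well-formed list is indistinguishable from one with a dangling comma. A form that requires a comma between entries, `(cipher-alternation)(,(cipher-alternation))*` with the same six alternatives in both groups, is tighter and equally easy to read. Whether `oval_sshd_config` anchors the value with `^...$` cannot be seen from this hunk and should be confirmed, because without anchoring a list that continues with a cipher outside the allowed set would still satisfy the check.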
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
index d4b61cedb9..90e11c0d99 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
@@ -9,8 +9,7 @@ description: |-
     Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
     The following line in <tt>/etc/ssh/sshd_config</tt>
     demonstrates use of those ciphers:
-    <pre>Ciphers aes128-ctr,aes192-ctr,aes256-ctr</pre>
-    <pre>chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr</pre>
+    <pre>Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr</pre>
     The man page <tt>sshd_config(5)</tt> contains a list of supported ciphers.
 
 rationale: |-