From 5f4e807cb6e54744ad69cd1e7d622c85ae4e8803 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
Date: Thu, 21 Nov 2019 16:28:23 +0100
Subject: [PATCH 1/2] Updated the e8 profile for RHEL8.

- removed obsolete SSHD settings.
- added rules for crypto policies.
---
 rhel8/profiles/e8.profile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
index 53b4c156e2..f0f19a4708 100644
--- a/rhel8/profiles/e8.profile
+++ b/rhel8/profiles/e8.profile
@@ -123,14 +123,16 @@ selections:
 - sshd_print_last_log
 - sshd_use_priv_separation
 - sshd_do_not_permit_user_env
- - sshd_disable_rhosts_rsa
 - sshd_disable_rhosts
- - sshd_allow_only_protocol2
 - sshd_set_loglevel_info
 - sshd_disable_empty_passwords
 - sshd_disable_user_known_hosts
 - sshd_enable_strictmodes

+ - var_system_crypto_policy=default
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
+
 ### Application whitelisting
 - package_fapolicyd_installed
 - service_fapolicyd_enabled

From 659326a1d4db99dc30c4807b5b5ce4c97db37709 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
Date: Mon, 25 Nov 2019 16:42:37 +0100
Subject: [PATCH 2/2] Update the crypto policy and rationale.
---
 rhel8/profiles/e8.profile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
index f0f19a4708..f78e908482 100644
--- a/rhel8/profiles/e8.profile
+++ b/rhel8/profiles/e8.profile
@@ -129,7 +129,10 @@ selections:
 - sshd_disable_user_known_hosts
 - sshd_enable_strictmodes

- - var_system_crypto_policy=default
+ # The E8 profile bans usage of SHA-1, and as of 11/2019 the FUTURE crypto policy is the only one that ensures this.
+ # TODO: Re-evaluate after another crypto policies become available.
+ # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography
+ - var_system_crypto_policy=future
 - configure_crypto_policy
 - configure_ssh_crypto_policy
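Review bot: In PATCH 1/2, the three selections added after `sshd_enable_strictmodes` form a new group but have no heading, while the group that follows is introduced by `### Application whitelisting`. A matching header such as `### System-wide crypto policy` above `- var_system_crypto_policy=default` would make it clear that `configure_crypto_policy` is a host-wide setting and not an SSH daemon option. The `selections:` list starts and ends outside the hunk.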
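Review bot: In PATCH 2/2, the comment added above `- var_system_crypto_policy=future` explains why FUTURE was chosen but not what else that policy changes. On RHEL 8 the FUTURE policy also rejects RSA keys and Diffie-Hellman parameters shorter than 3072 bits, so remediating a host with this profile can cut off SSH or TLS peers that still use 2048-bit keys; I would add `# NOTE: FUTURE also requires RSA/DH sizes of at least 3072 bits; check host keys and certificates before remediating.` The TODO line would read better as `# TODO: Re-evaluate once other crypto policies become available.` The `selections:` list starts and ends outside the hunk.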