Blame SOURCES/scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch

247868
From 67f0ba457c2dafd9077d80bd17d10857fe31a55d Mon Sep 17 00:00:00 2001
247868
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
247868
Date: Wed, 18 Mar 2020 16:44:49 +0100
247868
Subject: [PATCH 1/2] Parametrized the sshd_use_approved_ciphers rule.
247868
247868
---
247868
 .../ansible/shared.yml                        |  4 ++-
247868
 .../sshd_use_approved_ciphers/bash/shared.sh  |  4 ++-
247868
 .../sshd_use_approved_ciphers/oval/shared.xml | 33 ++++++++++++++++---
247868
 .../sshd_use_approved_ciphers/rule.yml        |  3 +-
247868
 .../tests/stig_comment.fail.sh                |  9 +++++
247868
 .../tests/stig_correct_reduced_list.pass.sh   |  9 +++++
247868
 .../tests/stig_correct_scrambled.pass.sh      |  9 +++++
247868
 .../tests/stig_correct_value_full.pass.sh     |  9 +++++
247868
 .../tests/stig_line_not_there.fail.sh         |  5 +++
247868
 .../tests/stig_wrong_value.fail.sh            |  9 +++++
247868
 .../tests/wrong_value.fail.sh                 |  2 +-
247868
 .../sshd_use_approved_macs/rule.yml           |  1 +
247868
 .../services/ssh/sshd_approved_ciphers.var    | 16 +++++++++
247868
 rhel7/profiles/stig.profile                   |  1 +
247868
 shared/macros.jinja                           |  5 +++
247868
 15 files changed, 111 insertions(+), 8 deletions(-)
247868
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh
247868
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh
247868
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh
247868
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh
247868
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh
247868
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh
247868
 create mode 100644 linux_os/guide/services/ssh/sshd_approved_ciphers.var
247868
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
247868
index ea05a8f896..ef331a843e 100644
247868
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
247868
@@ -3,4 +3,6 @@
247868
 # strategy = restrict
247868
 # complexity = low
247868
 # disruption = low
247868
-{{{ ansible_sshd_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc") }}}
247868
+- (xccdf-var sshd_approved_ciphers)
247868
+
247868
+{{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}}
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
247868
index 2475923e6e..a294138272 100644
247868
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
247868
@@ -3,4 +3,6 @@
247868
 # Include source function library.
247868
 . /usr/share/scap-security-guide/remediation_functions
247868
 
247868
-replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' '@CCENUM@' '%s %s'
247868
+populate sshd_approved_ciphers
247868
+
247868
+replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s'
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
247868
index 84c3c8aa48..19b63d404f 100644
247868
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
247868
@@ -32,14 +32,39 @@
247868
       </criteria>
247868
     </criteria>
247868
   </definition>
247868
-  
247868
+
247868
+  
247868
   comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file"
247868
   id="test_sshd_use_approved_ciphers" version="1">
247868
     <ind:object object_ref="obj_sshd_use_approved_ciphers" />
247868
-  </ind:textfilecontent54_test>
247868
-  <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers" version="2">
247868
+    <ind:state state_ref="ste_sshd_use_approved_ciphers" />
247868
+  </ind:variable_test>
247868
+
247868
+  <ind:variable_object id="obj_sshd_use_approved_ciphers" version="1">
247868
+    <ind:var_ref>var_sshd_config_ciphers</ind:var_ref>
247868
+  </ind:variable_object>
247868
+
247868
+  <ind:variable_state comment="approved ciphers" id="ste_sshd_use_approved_ciphers" version="1">
247868
+    <ind:value operation="equals" datatype="string" var_ref="var_sshd_approved_ciphers" var_check="at least one" />
247868
+  </ind:variable_state>
247868
+
247868
+  <ind:textfilecontent54_object id="obj_sshd_config_ciphers" version="1">
247868
     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
247868
-    <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc|rijndael-cbc@lysator\.liu\.se),?)+[\s]*(?:|(?:#.*))?$</ind:pattern>
247868
+    <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern>
247868
     <ind:instance datatype="int">1</ind:instance>
247868
   </ind:textfilecontent54_object>
247868
+
247868
+  <local_variable id="var_sshd_config_ciphers" datatype="string" version="1" comment="Ciphers values splitted on comma">
247868
+    <split delimiter=",">
247868
+      <object_component item_field="subexpression" object_ref="obj_sshd_config_ciphers" />
247868
+    </split>
247868
+  </local_variable>
247868
+
247868
+  <local_variable id="var_sshd_approved_ciphers" datatype="string" version="1" comment="approved ciphers values splitted on comma">
247868
+    <split delimiter=",">
247868
+      <variable_component var_ref="sshd_approved_ciphers" />
247868
+    </split>
247868
+  </local_variable>
247868
+
247868
+  <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
247868
 </def-group>
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
247868
index f85b9016f9..e043b12c93 100644
247868
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
247868
@@ -13,7 +13,7 @@ description: |-
247868
     The man page <tt>sshd_config(5)</tt> contains a list of supported ciphers.
247868
 {{% if product in ["rhel7","ol7"] %}}
247868
     

247868
-    The following ciphers are FIPS 140-2 certified on {{{ full_name }}}:
247868
+    Only the following ciphers are FIPS 140-2 certified on {{{ full_name }}}:
247868
     
- aes128-ctr
247868
     
- aes192-ctr
247868
     
- aes256-ctr
247868
@@ -31,6 +31,7 @@ description: |-
247868
     {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}
247868
     {{% endif %}}
247868
 {{% endif %}}
247868
+    The rule is parametrized to use the following ciphers: {{{ sub_var_value("sshd_approved_ciphers") }}}.
247868
 
247868
 rationale: |-
247868
     Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh
247868
new file mode 100644
247868
index 0000000000..1be6371045
247868
--- /dev/null
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh
247868
@@ -0,0 +1,9 @@
247868
+#!/bin/bash
247868
+
247868
+# profiles = xccdf_org.ssgproject.content_profile_stig
247868
+
247868
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
247868
+	sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
247868
+else
247868
+	echo "# Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
247868
+fi
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh
247868
new file mode 100644
247868
index 0000000000..5393d96617
247868
--- /dev/null
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh
247868
@@ -0,0 +1,9 @@
247868
+#!/bin/bash
247868
+
247868
+# profiles = xccdf_org.ssgproject.content_profile_stig
247868
+
247868
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
247868
+	sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr/" /etc/ssh/sshd_config
247868
+else
247868
+	echo "Ciphers aes128-ctr,aes192-ctr" >> /etc/ssh/sshd_config
247868
+fi
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh
247868
new file mode 100644
247868
index 0000000000..cd1fbde03b
247868
--- /dev/null
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh
247868
@@ -0,0 +1,9 @@
247868
+#!/bin/bash
247868
+
247868
+# profiles = xccdf_org.ssgproject.content_profile_stig
247868
+
247868
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
247868
+	sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr,aes256-ctr/" /etc/ssh/sshd_config
247868
+else
247868
+	echo "Ciphers aes192-ctr,aes128-ctr,aes256-ctr" >> /etc/ssh/sshd_config
247868
+fi
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh
247868
new file mode 100644
247868
index 0000000000..ad6d9f887c
247868
--- /dev/null
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh
247868
@@ -0,0 +1,9 @@
247868
+#!/bin/bash
247868
+
247868
+# profiles = xccdf_org.ssgproject.content_profile_stig
247868
+
247868
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
247868
+	sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
247868
+else
247868
+	echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' >> /etc/ssh/sshd_config
247868
+fi
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh
247868
new file mode 100644
247868
index 0000000000..f73d82e221
247868
--- /dev/null
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh
247868
@@ -0,0 +1,5 @@
247868
+#!/bin/bash
247868
+
247868
+# profiles = xccdf_org.ssgproject.content_profile_stig
247868
+
247868
+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh
247868
new file mode 100644
247868
index 0000000000..46b437944f
247868
--- /dev/null
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh
247868
@@ -0,0 +1,9 @@
247868
+#!/bin/bash
247868
+
247868
+# profiles = xccdf_org.ssgproject.content_profile_stig
247868
+
247868
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
247868
+	sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc/" /etc/ssh/sshd_config
247868
+else
247868
+	echo "Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" >> /etc/ssh/sshd_config
247868
+fi
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh
247868
index 550c55968b..ffd8eda6e8 100644
247868
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh
247868
@@ -5,5 +5,5 @@
247868
 if grep -q "^Ciphers" /etc/ssh/sshd_config; then
247868
 	sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
247868
 else
247868
-	echo "Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
247868
+	echo "# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
247868
 fi
247868
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
247868
index b64be010cd..6a582c9577 100644
247868
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
247868
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
247868
@@ -32,6 +32,7 @@ description: |-
247868
     {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}
247868
     {{% endif %}}
247868
 {{% endif %}}
247868
+    The rule is parametrized to use the following MACs: {{{ sub_var_value("sshd_approved_macs") }}}.
247868
 
247868
 rationale: |-
247868
     DoD Information Systems are required to use FIPS-approved cryptographic hash
247868
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
247868
new file mode 100644
247868
index 0000000000..66d0776949
247868
--- /dev/null
247868
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
247868
@@ -0,0 +1,16 @@
247868
+documentation_complete: true
247868
+
247868
+title: 'SSH Approved ciphers by FIPS'
247868
+
247868
+description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server."
247868
+
247868
+type: string
247868
+
247868
+operator: equals
247868
+
247868
+interactive: false
247868
+
247868
+options:
247868
+    stig: aes128-ctr,aes192-ctr,aes256-ctr
247868
+    default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
247868
+
247868
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
247868
index e148325d3e..9b6ecfa543 100644
247868
--- a/rhel7/profiles/stig.profile
247868
+++ b/rhel7/profiles/stig.profile
247868
@@ -228,6 +228,7 @@ selections:
247868
     - install_antivirus
247868
     - accounts_max_concurrent_login_sessions
247868
     - configure_firewalld_ports
247868
+    - sshd_approved_ciphers=stig
247868
     - sshd_use_approved_ciphers
247868
     - accounts_tmout
247868
     - sshd_enable_warning_banner
247868
diff --git a/shared/macros.jinja b/shared/macros.jinja
247868
index edbaeeb56c..d80eeb69b3 100644
247868
--- a/shared/macros.jinja
247868
+++ b/shared/macros.jinja
247868
@@ -35,6 +35,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is
247868
 {{%- endmacro %}}
247868
 
247868
 
247868
+{{% macro sub_var_value(varname) -%}}
247868
+<sub idref="{{{ varname }}}" />
247868
+{{%- endmacro %}}
247868
+
247868
+
247868
 {{% macro complete_ocil_entry_mount_option(point, option) -%}}
247868
 ocil: |
247868
     {{{ ocil_mount_option(point, option) | indent(4) }}}
247868
247868
From 12eca02a6d16d723c90fb95b21d9992af53befab Mon Sep 17 00:00:00 2001
247868
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matej.tyc@gmail.com>
247868
Date: Thu, 19 Mar 2020 09:56:35 +0100
247868
Subject: [PATCH 2/2] Streamlined description by removing ineffective escape
247868
 sequences.
247868
MIME-Version: 1.0
247868
Content-Type: text/plain; charset=UTF-8
247868
Content-Transfer-Encoding: 8bit
247868
247868
Co-Authored-By: Jan Černý <jcerny@redhat.com>
247868
---
247868
 linux_os/guide/services/ssh/sshd_approved_ciphers.var | 3 +--
247868
 1 file changed, 1 insertion(+), 2 deletions(-)
247868
247868
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
247868
index 66d0776949..30e58336ce 100644
247868
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
247868
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
247868
@@ -2,7 +2,7 @@ documentation_complete: true
247868
 
247868
 title: 'SSH Approved ciphers by FIPS'
247868
 
247868
-description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server."
247868
+description: "Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server."
247868
 
247868
 type: string
247868
 
247868
@@ -13,4 +13,3 @@ interactive: false
247868
 options:
247868
     stig: aes128-ctr,aes192-ctr,aes256-ctr
247868
     default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
247868
-