From 67f0ba457c2dafd9077d80bd17d10857fe31a55d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
Date: Wed, 18 Mar 2020 16:44:49 +0100
Subject: [PATCH 1/2] Parametrized the sshd_use_approved_ciphers rule.
---
 .../ansible/shared.yml | 4 ++-
 .../sshd_use_approved_ciphers/bash/shared.sh | 4 ++-
 .../sshd_use_approved_ciphers/oval/shared.xml | 33 ++++++++++++++++---
 .../sshd_use_approved_ciphers/rule.yml | 3 +-
 .../tests/stig_comment.fail.sh | 9 +++++
 .../tests/stig_correct_reduced_list.pass.sh | 9 +++++
 .../tests/stig_correct_scrambled.pass.sh | 9 +++++
 .../tests/stig_correct_value_full.pass.sh | 9 +++++
 .../tests/stig_line_not_there.fail.sh | 5 +++
 .../tests/stig_wrong_value.fail.sh | 9 +++++
 .../tests/wrong_value.fail.sh | 2 +-
 .../sshd_use_approved_macs/rule.yml | 1 +
 .../services/ssh/sshd_approved_ciphers.var | 16 +++++++++
 rhel7/profiles/stig.profile | 1 +
 shared/macros.jinja | 5 +++
 15 files changed, 111 insertions(+), 8 deletions(-)
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh
 create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh
 create mode 100644 linux_os/guide/services/ssh/sshd_approved_ciphers.var
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
index ea05a8f896..ef331a843e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
@@ -3,4 +3,6 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-{{{ ansible_sshd_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc") }}}
+- (xccdf-var sshd_approved_ciphers)
+
+{{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
index 2475923e6e..a294138272 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
@@ -3,4 +3,6 @@
 # Include source function library.
 . /usr/share/scap-security-guide/remediation_functions
-replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' '@CCENUM@' '%s %s'
+populate sshd_approved_ciphers
+
+replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
index 84c3c8aa48..19b63d404f 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
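Review bot: The `replace_or_append` key `'^Ciphers'` on the new `+replace_or_append` line is case-sensitive and anchored at column 0, whereas the OVAL check in the same patch matches the keyword with `(?i)` and sshd itself treats keywords case-insensitively; on a host whose existing entry is `ciphers ...` or indented, the scan reports a failure, the remediation appends a new line instead of replacing the old one, and because sshd uses the first value it reads for a keyword the appended line has no effect and the rule keeps failing. If `replace_or_append` hands the key to sed/grep unchanged (its implementation is not in view), `'^[Cc]iphers'` at least covers the common spelling; the robust fix is to delete every existing match, whatever its case or indentation, before appending. A comment on the line, e.g. `# sshd honours the first Ciphers line it reads, so an existing entry must be replaced, not appended to`, would record why the key pattern matters.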
@@ -32,14 +32,39 @@ - - - + + + + + var_sshd_config_ciphers + + + + + + + /etc/ssh/sshd_config - ^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc|rijndael-cbc@lysator\.liu\.se),?)+[\s]*(?:|(?:#.*))?$ + ^[\s]*(?i)Ciphers(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 + + + + + + + + + + + + + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml index f85b9016f9..e043b12c93 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml @@ -13,7 +13,7 @@ description: |- The man page sshd_config(5) contains a list of supported ciphers. {{% if product in ["rhel7","ol7"] %}}
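Review bot: The new capture `([\w,-@]+)+` on the added pattern line has two problems: inside the class, `,-@` is a range from `,` to `@`, so it silently admits `.`, `/`, `:`, `;`, `<`, `=`, `>`, `?` and the digits rather than the three intended literals, and the outer `+` nests one unbounded repetition inside another, which on a long `Ciphers` line ending in an unexpected character can make the scanner's regex engine backtrack exponentially. `.` does need to be allowed for `rijndael-cbc@lysator.liu.se` in the variable's default, so the explicit form is `^[\s]*(?i)Ciphers(?-i)[\s]+([\w.,@-]+)[\s]*(?:#.*)?$`, with the hyphen last in the class. The state and object elements that compare the capture with `var_sshd_config_ciphers` were stripped from this page, so that comparison cannot be reviewed here; note that the new `stig_correct_reduced_list` and `stig_correct_scrambled` pass tests require a subset and a permutation of the variable to pass, which a whole-string comparison against a value declared `operator: equals` would not give, so the state should carry a comment saying how the captured list is split and matched.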

- The following ciphers are FIPS 140-2 certified on {{{ full_name }}}: + Only the following ciphers are FIPS 140-2 certified on {{{ full_name }}}:
- aes128-ctr
- aes192-ctr
- aes256-ctr @@ -31,6 +31,7 @@ description: |- {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} {{% endif %}} {{% endif %}} + The rule is parametrized to use the following ciphers: {{{ sub_var_value("sshd_approved_ciphers") }}}. rationale: |- Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh new file mode 100644 index 0000000000..1be6371045 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_comment.fail.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# profiles = xccdf_org.ssgproject.content_profile_stig + +if grep -q "^Ciphers" /etc/ssh/sshd_config; then + sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config +else + echo "# Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config +fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh new file mode 100644 index 0000000000..5393d96617 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_reduced_list.pass.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# profiles = xccdf_org.ssgproject.content_profile_stig + +if grep -q "^Ciphers" /etc/ssh/sshd_config; then + sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr/" /etc/ssh/sshd_config +else + echo "Ciphers aes128-ctr,aes192-ctr" >> /etc/ssh/sshd_config +fi 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh
new file mode 100644
index 0000000000..cd1fbde03b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_scrambled.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr,aes256-ctr/" /etc/ssh/sshd_config
+else
+ echo "Ciphers aes192-ctr,aes128-ctr,aes256-ctr" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh
new file mode 100644
index 0000000000..ad6d9f887c
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_correct_value_full.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
+else
+ echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh
new file mode 100644
index 0000000000..f73d82e221
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_line_not_there.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh
new file mode 100644
index 0000000000..46b437944f
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/stig_wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc/" /etc/ssh/sshd_config
+else
+ echo "Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh
index 550c55968b..ffd8eda6e8 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/tests/wrong_value.fail.sh
@@ -5,5 +5,5 @@
 if grep -q "^Ciphers" /etc/ssh/sshd_config; then
 sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
 else
- echo "Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
+ echo "# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
 fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
index b64be010cd..6a582c9577 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
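Review bot: In stig_wrong_value.fail.sh the `sed` branch writes `# Ciphers ...`, a commented-out line, so on an image that already has an uncommented `Ciphers` entry this test exercises the "directive absent" case that stig_comment.fail.sh already covers rather than an unapproved value; only the `echo` branch actually writes the wrong list. Dropping the `# ` so the branch reads `sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc/" /etc/ssh/sshd_config` makes both branches test the same thing. The `# profiles = ...` header correctly pins this to the stig profile, since the CBC entries are only wrong against the stig value of sshd_approved_ciphers, and that reasoning is worth a one-line comment in the script.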
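Review bot: The change to wrong_value.fail.sh moves the test in the wrong direction: the `sed` branch (unchanged context) already wrote a commented-out `# Ciphers` line, and the new `echo` line now does too, so after this commit the file no longer tests a wrong value at all and nothing in the default-profile tests feeds the scanner a line containing `weak-cipher`. The more likely fix is the opposite one, `sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config`, with the `echo` line left as it was. If the commented form was what was needed to make the test fail, that would suggest the new OVAL check (whose state element is not visible on this page) no longer rejects a list that contains an unapproved name, which is a detection gap worth confirming before merging.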
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml @@ -32,6 +32,7 @@ description: |- {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}} {{% endif %}} {{% endif %}} + The rule is parametrized to use the following MACs: {{{ sub_var_value("sshd_approved_macs") }}}. rationale: |- DoD Information Systems are required to use FIPS-approved cryptographic hash diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var new file mode 100644 index 0000000000..66d0776949 --- /dev/null +++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var @@ -0,0 +1,16 @@ +documentation_complete: true + +title: 'SSH Approved ciphers by FIPS' + +description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server." + +type: string + +operator: equals + +interactive: false + +options: + stig: aes128-ctr,aes192-ctr,aes256-ctr + default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se + diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile index e148325d3e..9b6ecfa543 100644 --- a/rhel7/profiles/stig.profile +++ b/rhel7/profiles/stig.profile @@ -228,6 +228,7 @@ selections: - install_antivirus - accounts_max_concurrent_login_sessions - configure_firewalld_ports + - sshd_approved_ciphers=stig - sshd_use_approved_ciphers - accounts_tmout - sshd_enable_warning_banner diff --git a/shared/macros.jinja b/shared/macros.jinja index edbaeeb56c..d80eeb69b3 100644 --- a/shared/macros.jinja +++ b/shared/macros.jinja @@ -35,6 +35,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is {{%- endmacro %}} +{{% macro sub_var_value(varname) -%}} + +{{%- endmacro %}} + + {{% macro complete_ocil_entry_mount_option(point, option) -%}} ocil: | {{{ ocil_mount_option(point, option) | indent(4) }}} 
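Review bot: The `default` option of the new sshd_approved_ciphers variable keeps `aes128-cbc`, `aes192-cbc`, `aes256-cbc`, `3des-cbc` and `rijndael-cbc@lysator.liu.se`, so every profile other than stig will now enforce, and through the bash and ansible remediations actively write, CBC-mode and 3DES ciphers that OpenSSH itself dropped from its defaults because of the CBC plaintext-recovery attack and 3DES's 64-bit block; that reproduces the pre-change behaviour, but now that the list lives in one data file it should say so. Either trim `default` to the CTR set or add a comment above `options:` such as `# default reproduces the list the rule hard-coded before parametrisation; CBC and 3DES are kept only for compatibility with older clients`. The `operator: equals` declaration also deserves a comment, because the new pass tests accept a reduced and a reordered list, so whatever the OVAL state does with this value it is not a plain string equality. `rijndael-cbc@lysator.liu.se` is furthermore not among the ciphers the rule description labels FIPS 140-2 certified on RHEL 7 (that list is partly outside the visible hunk), which sits oddly under a title of "SSH Approved ciphers by FIPS".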
From 12eca02a6d16d723c90fb95b21d9992af53befab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
Date: Thu, 19 Mar 2020 09:56:35 +0100
Subject: [PATCH 2/2] Streamlined description by removing ineffective escape sequences.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Jan Černý
---
 linux_os/guide/services/ssh/sshd_approved_ciphers.var | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
index 66d0776949..30e58336ce 100644
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
@@ -2,7 +2,7 @@ documentation_complete: true
 title: 'SSH Approved ciphers by FIPS'
-description: "Specify the FIPS approved ciphers \n\tthat are used for data integrity protection by the SSH server."
+description: "Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server."
 type: string
@@ -13,4 +13,3 @@ interactive: false
 options:
 stig: aes128-ctr,aes192-ctr,aes256-ctr
 default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
-
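Review bot: After this rewrite the `+description` line still says the ciphers are "used for data integrity protection by the SSH server", which describes the MAC, not the cipher (the wording appears carried over from sshd_approved_macs, whose rule.yml is touched in the first patch); the `Ciphers` directive selects the symmetric encryption algorithms, while integrity comes from `MACs` or from an AEAD cipher, none of which appears in these option lists. Suggested line: `description: "Specify the FIPS approved ciphers that are used by the SSH server to encrypt session traffic."`. Since this text becomes the XCCDF Value description shown to auditors tailoring the profile, the mislabelling is worth fixing before the parametrisation ships.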