|
 |
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/group.yml b/linux_os/guide/services/ssh/ssh_client/group.yml
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..62ead28ee1
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/group.yml
|
|
|
f8899d |
@@ -0,0 +1,11 @@
|
|
|
f8899d |
+documentation_complete: true
|
|
|
f8899d |
+
|
|
|
f8899d |
+title: 'Configure OpenSSH Client if Necessary'
|
|
|
f8899d |
+
|
|
|
f8899d |
+description: |-
|
|
|
f8899d |
+ The following configuration changes apply to the SSH client. They can
|
|
|
f8899d |
+ improve security parameters relwevant to the client user, e.g. increasing
|
|
|
f8899d |
+ entropy while generating initialization vectors. Note that these changes
|
|
|
f8899d |
+ influence only the default SSH client configuration. Changes in this group
|
|
|
f8899d |
+ can be overridden by the client user by modifying files within the
|
|
|
f8899d |
+ ~/.ssh directory or by supplying parameters on the command line.
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..a9f579ae04
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/ansible/shared.yml
|
|
|
f8899d |
@@ -0,0 +1,19 @@
|
|
|
f8899d |
+# platform = Red Hat Enterprise Linux 8
|
|
|
f8899d |
+# reboot = false
|
|
|
f8899d |
+# strategy = configure
|
|
|
f8899d |
+# complexity = low
|
|
|
f8899d |
+# disruption = low
|
|
|
f8899d |
+
|
|
|
f8899d |
+- name: "Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh"
|
|
|
f8899d |
+ lineinfile:
|
|
|
f8899d |
+ path: /etc/profile.d/cc-ssh-strong-rng.csh
|
|
|
f8899d |
+ regexp: '^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$'
|
|
|
f8899d |
+ line: 'setenv SSH_USE_STRONG_RNG 32'
|
|
|
f8899d |
+ state: present
|
|
|
f8899d |
+ create: yes
|
|
|
f8899d |
+
|
|
|
f8899d |
+- name: "Ensure that the configuration is not overridden in /etc/profile"
|
|
|
f8899d |
+ lineinfile:
|
|
|
f8899d |
+ path: /etc/profile
|
|
|
f8899d |
+ regexp: '^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$'
|
|
|
f8899d |
+ state: absent
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..a3b0b3a9c6
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/bash/shared.sh
|
|
|
f8899d |
@@ -0,0 +1,8 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+# platform = Red Hat Enterprise Linux 8
|
|
|
f8899d |
+
|
|
|
f8899d |
+# put line into the file
|
|
|
f8899d |
+echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
|
|
|
f8899d |
+
|
|
|
f8899d |
+# remove eventual override in /etc/profile
|
|
|
f8899d |
+sed -i '/^[[:space:]]*setenv[[:space:]]\+SSH_USE_STRONG_RNG.*$/d' /etc/profile
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..fe6d3a5f25
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/oval/shared.xml
|
|
|
f8899d |
@@ -0,0 +1,36 @@
|
|
|
f8899d |
+<def-group>
|
|
|
f8899d |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
f8899d |
+ {{{ oval_metadata("Ensure the SSH_USE_STRONG_RNG environment variable is exported in /etc/profile.d/cc-ssh-strong-rng.csh and is not overridden in /etc/profile") }}}
|
|
|
f8899d |
+ <criteria comment="ssh client is configured to use strong entropy" operator="AND">
|
|
|
f8899d |
+ <criterion comment="check configuration in /etc/profile.d/cc-ssh-strong-rng.csh" test_ref="test_ssh_client_strong_rng_csh" />
|
|
|
f8899d |
+ <criterion comment="check that the configuration is not overridden in /etc/profile" test_ref="test_ssh_client_strong_rng_csh_not_overridden" />
|
|
|
f8899d |
+ </criteria>
|
|
|
f8899d |
+ </definition>
|
|
|
f8899d |
+
|
|
|
f8899d |
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check correct entropy configuration in /etc/profile.d/cc-ssh-strong-rng.csh" id="test_ssh_client_strong_rng_csh" version="1">
|
|
|
f8899d |
+ <ind:object object_ref="obj_ssh_client_strong_rng_csh"/>
|
|
|
f8899d |
+ <ind:state state_ref="state_ssh_client_strong_rng_csh" />
|
|
|
f8899d |
+ </ind:textfilecontent54_test>
|
|
|
f8899d |
+
|
|
|
f8899d |
+ <ind:textfilecontent54_object id="obj_ssh_client_strong_rng_csh" version="1">
|
|
|
f8899d |
+ <ind:filepath>/etc/profile.d/cc-ssh-strong-rng.csh</ind:filepath>
|
|
|
f8899d |
+ <ind:pattern operation="pattern match">^[\s]*setenv[\s]+SSH_USE_STRONG_RNG[\s]+([\d]+)$</ind:pattern>
|
|
|
f8899d |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
f8899d |
+ </ind:textfilecontent54_object>
|
|
|
f8899d |
+
|
|
|
f8899d |
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check that the configuration is not overridden in /etc/profile" id="test_ssh_client_strong_rng_csh_not_overridden" version="1">
|
|
|
f8899d |
+ <ind:object object_ref="obj_ssh_client_strong_rng_csh_not_overridden"/>
|
|
|
f8899d |
+ </ind:textfilecontent54_test>
|
|
|
f8899d |
+
|
|
|
f8899d |
+ <ind:textfilecontent54_object id="obj_ssh_client_strong_rng_csh_not_overridden" version="1">
|
|
|
f8899d |
+ <ind:filepath>/etc/profile</ind:filepath>
|
|
|
f8899d |
+ <ind:pattern operation="pattern match">^[\s]*setenv[\s]+SSH_USE_STRONG_RNG.*$</ind:pattern>
|
|
|
f8899d |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
f8899d |
+ </ind:textfilecontent54_object>
|
|
|
f8899d |
+
|
|
|
f8899d |
+
|
|
|
f8899d |
+ version="1">
|
|
|
f8899d |
+ <ind:subexpression datatype="int" operation="greater than or equal">32</ind:subexpression>
|
|
|
f8899d |
+ </ind:textfilecontent54_state>
|
|
|
f8899d |
+
|
|
|
f8899d |
+</def-group>
|
|
|
f8899d |
\ No newline at end of file
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..a2b9bfa37d
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml
|
|
|
f8899d |
@@ -0,0 +1,36 @@
|
|
|
f8899d |
+documentation_complete: true
|
|
|
f8899d |
+
|
|
|
f8899d |
+prodtype: rhel8
|
|
|
f8899d |
+
|
|
|
f8899d |
+title: 'SSH client uses strong entropy to seed (for CSH like shells)'
|
|
|
f8899d |
+
|
|
|
f8899d |
+description: |-
|
|
|
f8899d |
+ To set up SSH client to use entropy from a high-quality source, make sure
|
|
|
f8899d |
+ that the appropriate shell environment variable is configured. The
|
|
|
f8899d |
+ <tt>SSH_USE_STRONG_RNG</tt> environment variable determines how many bytes
|
|
|
f8899d |
+ of entropy to use. Make sure that the file
|
|
|
f8899d |
+ <tt>/etc/profile.d/cc-ssh-strong-rng.csh</tt> contains line
|
|
|
f8899d |
+ setenv SSH_USE_STRONG_RNG 32 .
|
|
|
f8899d |
+
|
|
|
f8899d |
+rationale: |-
|
|
|
f8899d |
+ Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources.
|
|
|
f8899d |
+ Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors
|
|
|
f8899d |
+ in encryption algorithms, and high-quality entropy eliminates the possibility that the output of
|
|
|
f8899d |
+ the random number generator used by SSH would be known to potential attackers.
|
|
|
f8899d |
+
|
|
|
f8899d |
+severity: medium
|
|
|
f8899d |
+
|
|
|
f8899d |
+identifiers:
|
|
|
f8899d |
+ cce@rhel8: CCE-83349-1
|
|
|
f8899d |
+
|
|
|
f8899d |
+references:
|
|
|
f8899d |
+ ospp: FCS_CKM.1.1
|
|
|
f8899d |
+ srg: SRG-OS-000480-GPOS-00227
|
|
|
f8899d |
+
|
|
|
f8899d |
+ocil_clause: 'SSH client is not configured to use 32 bytes of entropy or more'
|
|
|
f8899d |
+
|
|
|
f8899d |
+ocil: |-
|
|
|
f8899d |
+ Run the following command to verify that SSH client is configured to use 32 bytes of entropy:
|
|
|
f8899d |
+ grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.csh
|
|
|
f8899d |
+ It should return the following output:
|
|
|
f8899d |
+ setenv SSH_USE_STRONG_RNG 32 .
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..4cfafa9f96
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/correct.pass.sh
|
|
|
f8899d |
@@ -0,0 +1,3 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..c2fead5697
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/file_missing.fail.sh
|
|
|
f8899d |
@@ -0,0 +1,3 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+rm -f /etc/profile.d/cc-ssh-strong-rng.csh
|
|
|
f8899d |
\ No newline at end of file
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..4a0d26165b
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_commented.fail.sh
|
|
|
f8899d |
@@ -0,0 +1,3 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+echo "#setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..5fbccb5f29
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_followed_by_wrong_line.fail.sh
|
|
|
f8899d |
@@ -0,0 +1,4 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+echo "setenv SSH_USE_STRONG_RNG 32" > /etc/profile.d/cc-ssh-strong-rng.csh
|
|
|
f8899d |
+echo "setenv SSH_USE_STRONG_RNG 8" >> /etc/profile.d/cc-ssh-strong-rng.csh
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..d93d1151f8
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/line_overridden_in_etc_profile.fail.sh
|
|
|
f8899d |
@@ -0,0 +1,4 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+echo "setenv SSH_USE_STRONG_RNG 32" >> /etc/profile.d/cc-ssh-strong-rng.csh
|
|
|
f8899d |
+echo "setenv SSH_USE_STRONG_RNG 8" >> /etc/profile
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..d73f22ce5d
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/tests/use_more_entropy.pass.sh
|
|
|
f8899d |
@@ -0,0 +1,3 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+echo "setenv SSH_USE_STRONG_RNG 64" > /etc/profile.d/cc-ssh-strong-rng.csh
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..d19ee819c0
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/ansible/shared.yml
|
|
|
f8899d |
@@ -0,0 +1,19 @@
|
|
|
f8899d |
+# platform = Red Hat Enterprise Linux 8
|
|
|
f8899d |
+# reboot = false
|
|
|
f8899d |
+# strategy = configure
|
|
|
f8899d |
+# complexity = low
|
|
|
f8899d |
+# disruption = low
|
|
|
f8899d |
+
|
|
|
f8899d |
+- name: "Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh"
|
|
|
f8899d |
+ lineinfile:
|
|
|
f8899d |
+ path: /etc/profile.d/cc-ssh-strong-rng.sh
|
|
|
f8899d |
+ regexp: '^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$'
|
|
|
f8899d |
+ line: 'export SSH_USE_STRONG_RNG=32'
|
|
|
f8899d |
+ state: present
|
|
|
f8899d |
+ create: yes
|
|
|
f8899d |
+
|
|
|
f8899d |
+- name: "Ensure that the configuration is not overridden in /etc/profile"
|
|
|
f8899d |
+ lineinfile:
|
|
|
f8899d |
+ path: /etc/profile
|
|
|
f8899d |
+ regexp: '^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$'
|
|
|
f8899d |
+ state: absent
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..07e45f1dfa
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/bash/shared.sh
|
|
|
f8899d |
@@ -0,0 +1,8 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+# platform = Red Hat Enterprise Linux 8
|
|
|
f8899d |
+
|
|
|
f8899d |
+# put line into the file
|
|
|
f8899d |
+echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
|
|
|
f8899d |
+
|
|
|
f8899d |
+# remove eventual override in /etc/profile
|
|
|
f8899d |
+sed -i '/^[[:space:]]*export[[:space:]]\+SSH_USE_STRONG_RNG=.*$/d' /etc/profile
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..23bda9bf83
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/oval/shared.xml
|
|
|
f8899d |
@@ -0,0 +1,36 @@
|
|
|
f8899d |
+<def-group>
|
|
|
f8899d |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
f8899d |
+ {{{ oval_metadata("Ensure the SSH_USE_STRONG_RNG environment variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh and is not overridden in /etc/profile") }}}
|
|
|
f8899d |
+ <criteria comment="ssh client is configured to use strong entropy" operator="AND">
|
|
|
f8899d |
+ <criterion comment="check configuration in /etc/profile.d/cc-ssh-strong-rng.sh" test_ref="test_ssh_client_strong_rng_sh" />
|
|
|
f8899d |
+ <criterion comment="check that the configuration is not overridden in /etc/profile" test_ref="test_ssh_client_strong_rng_sh_not_overridden" />
|
|
|
f8899d |
+ </criteria>
|
|
|
f8899d |
+ </definition>
|
|
|
f8899d |
+
|
|
|
f8899d |
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check correct entropy configuration in /etc/profile.d/cc-ssh-strong-rng.sh" id="test_ssh_client_strong_rng_sh" version="1">
|
|
|
f8899d |
+ <ind:object object_ref="obj_ssh_client_strong_rng_sh"/>
|
|
|
f8899d |
+ <ind:state state_ref="state_ssh_client_strong_rng_sh" />
|
|
|
f8899d |
+ </ind:textfilecontent54_test>
|
|
|
f8899d |
+
|
|
|
f8899d |
+ <ind:textfilecontent54_object id="obj_ssh_client_strong_rng_sh" version="1">
|
|
|
f8899d |
+ <ind:filepath>/etc/profile.d/cc-ssh-strong-rng.sh</ind:filepath>
|
|
|
f8899d |
+ <ind:pattern operation="pattern match">^[\s]*export[\s]+SSH_USE_STRONG_RNG=([\d]+)$</ind:pattern>
|
|
|
f8899d |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
f8899d |
+ </ind:textfilecontent54_object>
|
|
|
f8899d |
+
|
|
|
f8899d |
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check that the configuration is not overridden in /etc/profile" id="test_ssh_client_strong_rng_sh_not_overridden" version="1">
|
|
|
f8899d |
+ <ind:object object_ref="obj_ssh_client_strong_rng_sh_not_overridden"/>
|
|
|
f8899d |
+ </ind:textfilecontent54_test>
|
|
|
f8899d |
+
|
|
|
f8899d |
+ <ind:textfilecontent54_object id="obj_ssh_client_strong_rng_sh_not_overridden" version="1">
|
|
|
f8899d |
+ <ind:filepath>/etc/profile</ind:filepath>
|
|
|
f8899d |
+ <ind:pattern operation="pattern match">^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$</ind:pattern>
|
|
|
f8899d |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
f8899d |
+ </ind:textfilecontent54_object>
|
|
|
f8899d |
+
|
|
|
f8899d |
+
|
|
|
f8899d |
+ version="1">
|
|
|
f8899d |
+ <ind:subexpression datatype="int" operation="greater than or equal">32</ind:subexpression>
|
|
|
f8899d |
+ </ind:textfilecontent54_state>
|
|
|
f8899d |
+
|
|
|
f8899d |
+</def-group>
|
|
|
f8899d |
\ No newline at end of file
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..3de4df0a2e
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/rule.yml
|
|
|
f8899d |
@@ -0,0 +1,36 @@
|
|
|
f8899d |
+documentation_complete: true
|
|
|
f8899d |
+
|
|
|
f8899d |
+prodtype: rhel8
|
|
|
f8899d |
+
|
|
|
f8899d |
+title: 'SSH client uses strong entropy to seed (Bash-like shells)'
|
|
|
f8899d |
+
|
|
|
f8899d |
+description: |-
|
|
|
f8899d |
+ To set up SSH client to use entropy from a high-quality source, make sure
|
|
|
f8899d |
+ that the appropriate shell environment variable is configured. The
|
|
|
f8899d |
+ <tt>SSH_USE_STRONG_RNG</tt> environment variable determines how many bytes
|
|
|
f8899d |
+ of entropy to use. Make sure that the file
|
|
|
f8899d |
+ <tt>/etc/profile.d/cc-ssh-strong-rng.sh</tt> contains line
|
|
|
f8899d |
+ export SSH_USE_STRONG_RNG=32 .
|
|
|
f8899d |
+
|
|
|
f8899d |
+rationale: |-
|
|
|
f8899d |
+ Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources.
|
|
|
f8899d |
+ Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors
|
|
|
f8899d |
+ in encryption algorithms, and high-quality entropy eliminates the possibility that the output of
|
|
|
f8899d |
+ the random number generator used by SSH would be known to potential attackers.
|
|
|
f8899d |
+
|
|
|
f8899d |
+severity: medium
|
|
|
f8899d |
+
|
|
|
f8899d |
+identifiers:
|
|
|
f8899d |
+ cce@rhel8: CCE-83346-7
|
|
|
f8899d |
+
|
|
|
f8899d |
+references:
|
|
|
f8899d |
+ ospp: FCS_CKM.1.1
|
|
|
f8899d |
+ srg: SRG-OS-000480-GPOS-00227
|
|
|
f8899d |
+
|
|
|
f8899d |
+ocil_clause: 'SSH client is not configured to use 32 bytes of entropy or more'
|
|
|
f8899d |
+
|
|
|
f8899d |
+ocil: |-
|
|
|
f8899d |
+ Run the following command to verify that SSH client is configured to use 32 bytes of entropy:
|
|
|
f8899d |
+ grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.sh
|
|
|
f8899d |
+ The output should be:
|
|
|
f8899d |
+ export SSH_USE_STRONG_RNG=32
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..8dc01bb3b5
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/correct.pass.sh
|
|
|
f8899d |
@@ -0,0 +1,3 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..feab751995
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/file_missing.fail.sh
|
|
|
f8899d |
@@ -0,0 +1,3 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+rm -f /etc/profile.d/cc-ssh-strong-rng.sh
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..f77cfabfe4
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_commented.fail.sh
|
|
|
f8899d |
@@ -0,0 +1,3 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+echo "#export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..acbe72da2c
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_followed_by_wrong_line.fail.sh
|
|
|
f8899d |
@@ -0,0 +1,4 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
|
|
|
f8899d |
+echo "export SSH_USE_STRONG_RNG=8" >> /etc/profile.d/cc-ssh-strong-rng.sh
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..38ce27729d
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/line_overridden_in_etc_profile.fail.sh
|
|
|
f8899d |
@@ -0,0 +1,4 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
|
|
|
f8899d |
+echo "export SSH_USE_STRONG_RNG=8" >> /etc/profile
|
|
|
f8899d |
diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..2b3b0fbeca
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_sh/tests/use_more_entropy.pass.sh
|
|
|
f8899d |
@@ -0,0 +1,3 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+echo "export SSH_USE_STRONG_RNG=64" > /etc/profile.d/cc-ssh-strong-rng.sh
|
|
|
f8899d |
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
|
|
f8899d |
index 687b948b34..755573a6f9 100644
|
|
|
f8899d |
--- a/rhel8/profiles/ospp.profile
|
|
|
f8899d |
+++ b/rhel8/profiles/ospp.profile
|
|
|
f8899d |
@@ -427,6 +427,10 @@ selections:
|
|
|
f8899d |
- var_ssh_client_rekey_limit_size=1G
|
|
|
f8899d |
- var_ssh_client_rekey_limit_time=1hour
|
|
|
f8899d |
|
|
|
f8899d |
+# configure ssh client to use strong entropy
|
|
|
f8899d |
+ - ssh_client_use_strong_rng_sh
|
|
|
f8899d |
+ - ssh_client_use_strong_rng_csh
|
|
|
f8899d |
+
|
|
|
f8899d |
# zIPl specific rules
|
|
|
f8899d |
- zipl_bls_entries_only
|
|
|
f8899d |
- zipl_bootmap_is_up_to_date
|
|
|
f8899d |
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
f8899d |
index 8bbc01f0d5..4bfb91de9d 100644
|
|
|
f8899d |
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
f8899d |
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
f8899d |
@@ -175,6 +175,8 @@ selections:
|
|
|
f8899d |
- service_systemd-coredump_disabled
|
|
|
f8899d |
- service_usbguard_enabled
|
|
|
f8899d |
- ssh_client_rekey_limit
|
|
|
f8899d |
+- ssh_client_use_strong_rng_csh
|
|
|
f8899d |
+- ssh_client_use_strong_rng_sh
|
|
|
f8899d |
- sshd_disable_empty_passwords
|
|
|
f8899d |
- sshd_disable_gssapi_auth
|
|
|
f8899d |
- sshd_disable_kerb_auth
|
|
|
f8899d |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
f8899d |
index e1915d648b..adace8fd54 100644
|
|
|
f8899d |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
f8899d |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
f8899d |
@@ -199,6 +199,8 @@ selections:
|
|
|
f8899d |
- service_usbguard_enabled
|
|
|
f8899d |
- smartcard_configure_cert_checking
|
|
|
f8899d |
- ssh_client_rekey_limit
|
|
|
f8899d |
+- ssh_client_use_strong_rng_csh
|
|
|
f8899d |
+- ssh_client_use_strong_rng_sh
|
|
|
f8899d |
- sshd_disable_empty_passwords
|
|
|
f8899d |
- sshd_disable_gssapi_auth
|
|
|
f8899d |
- sshd_disable_kerb_auth
|