|
|
76240a |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
|
|
76240a |
index 194d7dfe2dc..b6c5e7f4b0d 100644
|
|
|
76240a |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
|
|
76240a |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
|
|
76240a |
@@ -37,7 +37,7 @@ ocil: |-
|
|
|
76240a |
MACs are in use, run the following command:
|
|
|
76240a |
$ sudo grep -i macs /etc/ssh/sshd_config
|
|
|
76240a |
The output should contain only following MACs (or a subset) in the exact order:
|
|
|
76240a |
- hmac-sha2-512,hmac-sha2-256
|
|
|
76240a |
+ MACs {{{ xccdf_value("sshd_approved_macs") }}}
|
|
|
76240a |
|
|
|
76240a |
warnings:
|
|
|
76240a |
- general: |-
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..1c9dde77ee2
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml
|
|
|
76240a |
@@ -0,0 +1,16 @@
|
|
|
76240a |
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
+# reboot = true
|
|
|
76240a |
+# strategy = restrict
|
|
|
76240a |
+# complexity = low
|
|
|
76240a |
+# disruption = low
|
|
|
76240a |
+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
|
|
|
76240a |
+
|
|
|
76240a |
+{{{ ansible_set_config_file(
|
|
|
76240a |
+ msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
|
|
|
76240a |
+ file='/etc/crypto-policies/back-ends/openssh.config',
|
|
|
76240a |
+ parameter='MACs',
|
|
|
76240a |
+ value="{{ sshd_approved_macs }}",
|
|
|
76240a |
+ create='yes',
|
|
|
76240a |
+ prefix_regex='^.*'
|
|
|
76240a |
+ )
|
|
|
76240a |
+}}}
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..b26992ce183
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/bash/shared.sh
|
|
|
76240a |
@@ -0,0 +1,13 @@
|
|
|
76240a |
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
+. /usr/share/scap-security-guide/remediation_functions
|
|
|
76240a |
+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
|
|
|
76240a |
+
|
|
|
76240a |
+{{{ set_config_file(
|
|
|
76240a |
+ path="/etc/crypto-policies/back-ends/openssh.config",
|
|
|
76240a |
+ parameter="MACs",
|
|
|
76240a |
+ value="${sshd_approved_macs}",
|
|
|
76240a |
+ create=true,
|
|
|
76240a |
+ insensitive=false,
|
|
|
76240a |
+ prefix_regex="^.*"
|
|
|
76240a |
+ )
|
|
|
76240a |
+}}}
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..5239af10612
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/oval/shared.xml
|
|
|
76240a |
@@ -0,0 +1,35 @@
|
|
|
76240a |
+{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
|
|
|
76240a |
+<def-group>
|
|
|
76240a |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
76240a |
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
|
|
|
76240a |
+ <criteria operator="AND" comment="Test conditions - presence of the file plus.">
|
|
|
76240a |
+ <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD MACs" test_ref="test_{{{ rule_id }}}" />
|
|
|
76240a |
+ </criteria>
|
|
|
76240a |
+ </definition>
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+ comment="test the value of MACs setting in the {{{ PATH }}} file"
|
|
|
76240a |
+ id="test_{{{ rule_id }}}" version="1">
|
|
|
76240a |
+ <ind:object object_ref="obj_{{{ rule_id }}}" />
|
|
|
76240a |
+ <ind:state state_ref="ste_{{{ rule_id }}}" />
|
|
|
76240a |
+ </ind:textfilecontent54_test>
|
|
|
76240a |
+
|
|
|
76240a |
+ <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
|
|
|
76240a |
+ <ind:filepath>{{{ PATH }}}</ind:filepath>
|
|
|
76240a |
+ <ind:pattern operation="pattern match">^MACs.*$</ind:pattern>
|
|
|
76240a |
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
|
76240a |
+ </ind:textfilecontent54_object>
|
|
|
76240a |
+
|
|
|
76240a |
+ <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
|
|
|
76240a |
+ <ind:text var_ref="sshd_macs_crypto" operation="equals"></ind:text>
|
|
|
76240a |
+ </ind:textfilecontent54_state>
|
|
|
76240a |
+
|
|
|
76240a |
+ <local_variable id="sshd_macs_crypto" datatype="string" comment="The regex of the directive" version="1">
|
|
|
76240a |
+ <concat>
|
|
|
76240a |
+ <literal_component>MACs </literal_component>
|
|
|
76240a |
+ <variable_component var_ref="sshd_approved_macs"/>
|
|
|
76240a |
+ </concat>
|
|
|
76240a |
+ </local_variable>
|
|
|
76240a |
+
|
|
|
76240a |
+ <external_variable comment="SSH Approved MACs by FIPS" datatype="string" id="sshd_approved_macs" version="1" />
|
|
|
76240a |
+</def-group>
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..1aeb987db2d
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/rule.yml
|
|
|
76240a |
@@ -0,0 +1,60 @@
|
|
|
76240a |
+documentation_complete: true
|
|
|
76240a |
+
|
|
|
76240a |
+prodtype: fedora,rhel8
|
|
|
76240a |
+
|
|
|
76240a |
+title: 'Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config'
|
|
|
76240a |
+
|
|
|
76240a |
+description: |-
|
|
|
76240a |
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
|
|
76240a |
+ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
|
|
|
76240a |
+ set up incorrectly.
|
|
|
76240a |
+
|
|
|
76240a |
+ To check that Crypto Policies settings are configured correctly, ensure that
|
|
|
76240a |
+ <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
|
|
|
76240a |
+ line and is not commented out:
|
|
|
76240a |
+ <tt>MACs hmac-sha2-512,hmac-sha2-256</tt>
|
|
|
76240a |
+
|
|
|
76240a |
+rationale: |-
|
|
|
76240a |
+ Overriding the system crypto policy makes the behavior of the OpenSSH
|
|
|
76240a |
+ client violate expectations, and makes system configuration more
|
|
|
76240a |
+ fragmented.
|
|
|
76240a |
+
|
|
|
76240a |
+severity: medium
|
|
|
76240a |
+
|
|
|
76240a |
+identifiers:
|
|
|
76240a |
+ cce@rhel8: CCE-85870-4
|
|
|
76240a |
+
|
|
|
76240a |
+references:
|
|
|
76240a |
+ disa: CCI-001453
|
|
|
76240a |
+ nist: AC-17(2)
|
|
|
76240a |
+ srg: SRG-OS-000250-GPOS-00093
|
|
|
76240a |
+ stigid@rhel8: RHEL-08-010290
|
|
|
76240a |
+
|
|
|
76240a |
+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
|
|
|
76240a |
+
|
|
|
76240a |
+ocil: |-
|
|
|
76240a |
+ To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
|
|
|
76240a |
+ $ grep -i macs /etc/crypto-policies/back-ends/openssh.config
|
|
|
76240a |
+ and verify that the line matches:
|
|
|
76240a |
+ MACs hmac-sha2-512,hmac-sha2-256
|
|
|
76240a |
+
|
|
|
76240a |
+warnings:
|
|
|
76240a |
+ - general: |-
|
|
|
76240a |
+ The system needs to be rebooted for these changes to take effect.
|
|
|
76240a |
+ - regulatory: |-
|
|
|
76240a |
+ System Crypto Modules must be provided by a vendor that undergoes
|
|
|
76240a |
+ FIPS-140 certifications.
|
|
|
76240a |
+ FIPS-140 is applicable to all Federal agencies that use
|
|
|
76240a |
+ cryptographic-based security systems to protect sensitive information
|
|
|
76240a |
+ in computer and telecommunication systems (including voice systems) as
|
|
|
76240a |
+ defined in Section 5131 of the Information Technology Management Reform
|
|
|
76240a |
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
|
|
76240a |
+ designing and implementing cryptographic modules that Federal
|
|
|
76240a |
+ departments and agencies operate or are operated for them under
|
|
|
76240a |
+ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}
|
|
|
76240a |
+ To meet this, the system has to have cryptographic software provided by
|
|
|
76240a |
+ a vendor that has undergone this certification. This means providing
|
|
|
76240a |
+ documentation, test results, design information, and independent third
|
|
|
76240a |
+ party review by an accredited lab. While open source software is
|
|
|
76240a |
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
|
|
76240a |
+ submits to this process.
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..5a4b6887cba
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
|
|
|
76240a |
@@ -0,0 +1,15 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+if [[ -f $configfile ]]; then
|
|
|
76240a |
+ sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile
|
|
|
76240a |
+else
|
|
|
76240a |
+ echo "MACs ${sshd_approved_macs}" > "$configfile"
|
|
|
76240a |
+fi
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..e713d254f9c
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
|
|
|
76240a |
@@ -0,0 +1,15 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+if [[ -f $configfile ]]; then
|
|
|
76240a |
+ sed -i "s/^.*MACs.*$/#MACs ${sshd_approved_macs}/" $configfile
|
|
|
76240a |
+else
|
|
|
76240a |
+ echo "#MACs ${sshd_approved_macs}" > "$configfile"
|
|
|
76240a |
+fi
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..b8a63bec194
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
|
|
|
76240a |
@@ -0,0 +1,18 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+if [[ -f $configfile ]]; then
|
|
|
76240a |
+ sed -i "s/^.*MACs.*$/MACs ${sshd_approved_macs}/" $configfile
|
|
|
76240a |
+else
|
|
|
76240a |
+ echo "MACs ${sshd_approved_macs}" > "$configfile"
|
|
|
76240a |
+fi
|
|
|
76240a |
+
|
|
|
76240a |
+# follow up with incorrect
|
|
|
76240a |
+echo "#MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" >> $configfile
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..55ef3f58422
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
|
|
|
76240a |
@@ -0,0 +1,10 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+echo "" > $configfile
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..9980a45681c
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
|
|
|
76240a |
@@ -0,0 +1,14 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+if [[ -f $configfile ]]; then
|
|
|
76240a |
+ sed -i "s/^.*MACs.*$/MACs /" $configfile
|
|
|
76240a |
+else
|
|
|
76240a |
+ echo "MACs " > "$configfile"
|
|
|
76240a |
+fi
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..d1303d60746
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
|
|
76240a |
@@ -0,0 +1,19 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
|
|
|
76240a |
+incorrect_sshd_approved_macs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+if [[ -f $configfile ]]; then
|
|
|
76240a |
+ sed -i "s/^.*MACs.*$/MACs ${incorrect_sshd_approved_macs}/" $configfile
|
|
|
76240a |
+else
|
|
|
76240a |
+ echo "MACs ${incorrect_sshd_approved_macs}" > "$configfile"
|
|
|
76240a |
+fi
|
|
|
76240a |
+
|
|
|
76240a |
+# follow up with correct value
|
|
|
76240a |
+echo "MACs ${sshd_approved_macs}" >> $configfile
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..8b21af46896
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
|
|
|
76240a |
@@ -0,0 +1,14 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+if [[ -f $configfile ]]; then
|
|
|
76240a |
+ sed -i "s/^.*MACs.*$/MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512/" $configfile
|
|
|
76240a |
+else
|
|
|
76240a |
+ echo "MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512" > "$configfile"
|
|
|
76240a |
+fi
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..2138caad319
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
|
|
|
76240a |
@@ -0,0 +1,11 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+# If file exists, remove it
|
|
|
76240a |
+test -f $configfile && rm -f $configfile
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..5ed618586ae
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/ansible/shared.yml
|
|
|
76240a |
@@ -0,0 +1,45 @@
|
|
|
76240a |
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
+# reboot = true
|
|
|
76240a |
+# strategy = restrict
|
|
|
76240a |
+# complexity = low
|
|
|
76240a |
+# disruption = low
|
|
|
76240a |
+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
|
|
|
76240a |
+
|
|
|
76240a |
+- name: "{{{ rule_title }}}: Set facts"
|
|
|
76240a |
+ set_fact:
|
|
|
76240a |
+ path: /etc/crypto-policies/back-ends/opensshserver.config
|
|
|
76240a |
+ correct_value: "-oMACs={{ sshd_approved_macs }}"
|
|
|
76240a |
+
|
|
|
76240a |
+- name: "{{{ rule_title }}}: Stat"
|
|
|
76240a |
+ stat:
|
|
|
76240a |
+ path: "{{ path }}"
|
|
|
76240a |
+ follow: yes
|
|
|
76240a |
+ register: opensshserver_file
|
|
|
76240a |
+
|
|
|
76240a |
+- name: "{{{ rule_title }}}: Create"
|
|
|
76240a |
+ lineinfile:
|
|
|
76240a |
+ path: "{{ path }}"
|
|
|
76240a |
+ line: "CRYPTO_POLICY='{{ correct_value }}'"
|
|
|
76240a |
+ create: yes
|
|
|
76240a |
+ when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
|
|
|
76240a |
+
|
|
|
76240a |
+- name: "{{{ rule_title }}}"
|
|
|
76240a |
+ block:
|
|
|
76240a |
+ - name: "Existing value check"
|
|
|
76240a |
+ lineinfile:
|
|
|
76240a |
+ path: "{{ path }}"
|
|
|
76240a |
+ create: false
|
|
|
76240a |
+ regexp: "{{ correct_value }}"
|
|
|
76240a |
+ state: absent
|
|
|
76240a |
+ check_mode: true
|
|
|
76240a |
+ changed_when: false
|
|
|
76240a |
+ register: opensshserver
|
|
|
76240a |
+
|
|
|
76240a |
+ - name: "Update/Correct value"
|
|
|
76240a |
+ replace:
|
|
|
76240a |
+ path: "{{ path }}"
|
|
|
76240a |
+ regexp: (-oMACs=\S+)
|
|
|
76240a |
+ replace: "{{ correct_value }}"
|
|
|
76240a |
+ when: opensshserver.found is defined and opensshserver.found != 1
|
|
|
76240a |
+
|
|
|
76240a |
+ when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..790a2951bab
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/bash/shared.sh
|
|
|
76240a |
@@ -0,0 +1,31 @@
|
|
|
76240a |
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
+. /usr/share/scap-security-guide/remediation_functions
|
|
|
76240a |
+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
|
|
|
76240a |
+
|
|
|
76240a |
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
76240a |
+correct_value="-oMACs=${sshd_approved_macs}"
|
|
|
76240a |
+
|
|
|
76240a |
+# Test if file exists
|
|
|
76240a |
+test -f ${CONF_FILE} || touch ${CONF_FILE}
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure CRYPTO_POLICY is not commented out
|
|
|
76240a |
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
|
|
|
76240a |
+
|
|
|
76240a |
+grep -q "'${correct_value}'" ${CONF_FILE}
|
|
|
76240a |
+
|
|
|
76240a |
+if [[ $? -ne 0 ]]; then
|
|
|
76240a |
+ # We need to get the existing value, using PCRE to maintain same regex
|
|
|
76240a |
+ existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
|
|
|
76240a |
+
|
|
|
76240a |
+ if [[ ! -z ${existing_value} ]]; then
|
|
|
76240a |
+ # replace existing_value with correct_value
|
|
|
76240a |
+ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
|
|
|
76240a |
+ else
|
|
|
76240a |
+ # ***NOTE*** #
|
|
|
76240a |
+ # This probably means this file is not here or it's been modified
|
|
|
76240a |
+ # unintentionally.
|
|
|
76240a |
+ # ********** #
|
|
|
76240a |
+ # echo correct_value to end
|
|
|
76240a |
+ echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
|
|
|
76240a |
+ fi
|
|
|
76240a |
+fi
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..18028157032
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/oval/shared.xml
|
|
|
76240a |
@@ -0,0 +1,35 @@
|
|
|
76240a |
+{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
|
|
|
76240a |
+<def-group>
|
|
|
76240a |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
76240a |
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
|
|
|
76240a |
+ <criteria operator="AND" comment="Test conditions - presence of the file plus.">
|
|
|
76240a |
+ <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD MACs" test_ref="test_{{{ rule_id }}}" />
|
|
|
76240a |
+ </criteria>
|
|
|
76240a |
+ </definition>
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+ comment="test the value of MACs setting in the {{{ PATH }}} file"
|
|
|
76240a |
+ id="test_{{{ rule_id }}}" version="1">
|
|
|
76240a |
+ <ind:object object_ref="obj_{{{ rule_id }}}" />
|
|
|
76240a |
+ <ind:state state_ref="ste_{{{ rule_id }}}" />
|
|
|
76240a |
+ </ind:textfilecontent54_test>
|
|
|
76240a |
+
|
|
|
76240a |
+ <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
|
|
|
76240a |
+ <ind:filepath>{{{ PATH }}}</ind:filepath>
|
|
|
76240a |
+ <ind:pattern operation="pattern match">^(?!#).*(-oMACs=\S+).+$</ind:pattern>
|
|
|
76240a |
+ <ind:instance operation="equals" datatype="int">1</ind:instance>
|
|
|
76240a |
+ </ind:textfilecontent54_object>
|
|
|
76240a |
+
|
|
|
76240a |
+ <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
|
|
|
76240a |
+ <ind:subexpression var_ref="sshd_macs_crypto_opensshserver" operation="equals" />
|
|
|
76240a |
+ </ind:textfilecontent54_state>
|
|
|
76240a |
+
|
|
|
76240a |
+ <local_variable id="sshd_macs_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">
|
|
|
76240a |
+ <concat>
|
|
|
76240a |
+ <literal_component>-oMACs=</literal_component>
|
|
|
76240a |
+ <variable_component var_ref="sshd_approved_macs"/>
|
|
|
76240a |
+ </concat>
|
|
|
76240a |
+ </local_variable>
|
|
|
76240a |
+
|
|
|
76240a |
+ <external_variable comment="SSH Approved MACs by FIPS" datatype="string" id="sshd_approved_macs" version="1" />
|
|
|
76240a |
+</def-group>
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..0fd107a1bbe
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml
|
|
|
76240a |
@@ -0,0 +1,60 @@
|
|
|
76240a |
+documentation_complete: true
|
|
|
76240a |
+
|
|
|
76240a |
+prodtype: rhel8
|
|
|
76240a |
+
|
|
|
76240a |
+title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
|
|
|
76240a |
+
|
|
|
76240a |
+description: |-
|
|
|
76240a |
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
|
|
76240a |
+ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
|
|
|
76240a |
+ set up incorrectly.
|
|
|
76240a |
+
|
|
|
76240a |
+ To check that Crypto Policies settings are configured correctly, ensure that
|
|
|
76240a |
+ <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
|
|
|
76240a |
+ text and is not commented out:
|
|
|
76240a |
+ <tt>-oMACS=hmac-sha2-512,hmac-sha2-256</tt>
|
|
|
76240a |
+
|
|
|
76240a |
+rationale: |-
|
|
|
76240a |
+ Overriding the system crypto policy makes the behavior of the OpenSSH
|
|
|
76240a |
+ server violate expectations, and makes system configuration more
|
|
|
76240a |
+ fragmented.
|
|
|
76240a |
+
|
|
|
76240a |
+severity: medium
|
|
|
76240a |
+
|
|
|
76240a |
+identifiers:
|
|
|
76240a |
+ cce@rhel8: CCE-85899-3
|
|
|
76240a |
+
|
|
|
76240a |
+references:
|
|
|
76240a |
+ disa: CCI-001453
|
|
|
76240a |
+ nist: AC-17(2)
|
|
|
76240a |
+ srg: SRG-OS-000250-GPOS-00093
|
|
|
76240a |
+ stigid@rhel8: RHEL-08-010290
|
|
|
76240a |
+
|
|
|
76240a |
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
|
|
76240a |
+
|
|
|
76240a |
+ocil: |-
|
|
|
76240a |
+ To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
|
|
|
76240a |
+ $ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
|
|
|
76240a |
+ and verify that the line matches:
|
|
|
76240a |
+ -oMACS=hmac-sha2-512,hmac-sha2-256
|
|
|
76240a |
+
|
|
|
76240a |
+warnings:
|
|
|
76240a |
+ - general: |-
|
|
|
76240a |
+ The system needs to be rebooted for these changes to take effect.
|
|
|
76240a |
+ - regulatory: |-
|
|
|
76240a |
+ System Crypto Modules must be provided by a vendor that undergoes
|
|
|
76240a |
+ FIPS-140 certifications.
|
|
|
76240a |
+ FIPS-140 is applicable to all Federal agencies that use
|
|
|
76240a |
+ cryptographic-based security systems to protect sensitive information
|
|
|
76240a |
+ in computer and telecommunication systems (including voice systems) as
|
|
|
76240a |
+ defined in Section 5131 of the Information Technology Management Reform
|
|
|
76240a |
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
|
|
76240a |
+ designing and implementing cryptographic modules that Federal
|
|
|
76240a |
+ departments and agencies operate or are operated for them under
|
|
|
76240a |
+ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}
|
|
|
76240a |
+ To meet this, the system has to have cryptographic software provided by
|
|
|
76240a |
+ a vendor that has undergone this certification. This means providing
|
|
|
76240a |
+ documentation, test results, design information, and independent third
|
|
|
76240a |
+ party review by an accredited lab. While open source software is
|
|
|
76240a |
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
|
|
76240a |
+ submits to this process.
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..14da92218dc
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
|
|
|
76240a |
@@ -0,0 +1,17 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+sshd_approved_macs=hmac-sha2-512,hmac-sha2-256
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
76240a |
+correct_value="-oMACs=${sshd_approved_macs}"
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+# Proceed when file exists
|
|
|
76240a |
+if [[ -f $configfile ]]; then
|
|
|
76240a |
+ sed -i -r "s/-oMACs=\S+/${correct_value}/" $configfile
|
|
|
76240a |
+else
|
|
|
76240a |
+ echo "${correct_value}" > "$configfile"
|
|
|
76240a |
+fi
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..3dde1479296
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
|
|
|
76240a |
@@ -0,0 +1,7 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
76240a |
+
|
|
|
76240a |
+echo "" > "$configfile"
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..a50a0fc02bf
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
|
|
|
76240a |
@@ -0,0 +1,14 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+if [[ -f $configfile ]]; then
|
|
|
76240a |
+ sed -i -r "s/-oMACs=\S+/-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com/" $configfile
|
|
|
76240a |
+else
|
|
|
76240a |
+ echo "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com" > "$configfile"
|
|
|
76240a |
+fi
|
|
|
76240a |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..11e596ced87
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
|
|
|
76240a |
@@ -0,0 +1,11 @@
|
|
|
76240a |
+#!/bin/bash
|
|
|
76240a |
+# platform = Red Hat Enterprise Linux 8
|
|
|
76240a |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
76240a |
+
|
|
|
76240a |
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
76240a |
+
|
|
|
76240a |
+# Ensure directory + file is there
|
|
|
76240a |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
76240a |
+
|
|
|
76240a |
+# If file exists, remove it
|
|
|
76240a |
+test -f $configfile && rm -f $configfile
|
|
|
76240a |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
index 6372d13cfc9..28b47cca487 100644
|
|
|
76240a |
--- a/products/rhel8/profiles/stig.profile
|
|
|
76240a |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
@@ -50,6 +50,7 @@ selections:
|
|
|
76240a |
- var_password_pam_retry=3
|
|
|
76240a |
- var_password_pam_minlen=15
|
|
|
76240a |
- var_sshd_set_keepalive=0
|
|
|
76240a |
+ - sshd_approved_macs=stig
|
|
|
76240a |
- sshd_idle_timeout_value=10_minutes
|
|
|
76240a |
- var_accounts_passwords_pam_faillock_deny=3
|
|
|
76240a |
- var_accounts_passwords_pam_faillock_fail_interval=900
|
|
|
76240a |
@@ -174,11 +175,17 @@ selections:
|
|
|
76240a |
# RHEL-08-010260
|
|
|
76240a |
- file_groupowner_var_log
|
|
|
76240a |
|
|
|
76240a |
+ # *** SHARED *** #
|
|
|
76240a |
# RHEL-08-010290 && RHEL-08-010291
|
|
|
76240a |
- ### NOTE: This will get split out in future STIG releases, as well as we will break
|
|
|
76240a |
- ### these rules up to be more flexible in meeting the requirements.
|
|
|
76240a |
+ # *** SHARED *** #
|
|
|
76240a |
- configure_ssh_crypto_policy
|
|
|
76240a |
|
|
|
76240a |
+ # RHEL-08-010290
|
|
|
76240a |
+ - harden_sshd_macs_openssh_conf_crypto_policy
|
|
|
76240a |
+ - harden_sshd_macs_opensshserver_conf_crypto_policy
|
|
|
76240a |
+
|
|
|
76240a |
+ # RHEL-08-010291
|
|
|
76240a |
+
|
|
|
76240a |
# RHEL-08-010292
|
|
|
76240a |
- sshd_use_strong_rng
|
|
|
76240a |
|
|
|
76240a |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
index 24e81491683..036d34cea1d 100644
|
|
|
76240a |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
@@ -10,7 +10,6 @@ CCE-85866-2
|
|
|
76240a |
CCE-85867-0
|
|
|
76240a |
CCE-85868-8
|
|
|
76240a |
CCE-85869-6
|
|
|
76240a |
-CCE-85870-4
|
|
|
76240a |
CCE-85872-0
|
|
|
76240a |
CCE-85873-8
|
|
|
76240a |
CCE-85874-6
|
|
|
76240a |
@@ -36,7 +35,6 @@ CCE-85895-1
|
|
|
76240a |
CCE-85896-9
|
|
|
76240a |
CCE-85897-7
|
|
|
76240a |
CCE-85898-5
|
|
|
76240a |
-CCE-85899-3
|
|
|
76240a |
CCE-85900-9
|
|
|
76240a |
CCE-85901-7
|
|
|
76240a |
CCE-85902-5
|
|
|
76240a |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
index 32f1a24a7a4..393051a34ea 100644
|
|
|
76240a |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
@@ -145,6 +145,8 @@ selections:
|
|
|
76240a |
- grub2_uefi_admin_username
|
|
|
76240a |
- grub2_uefi_password
|
|
|
76240a |
- grub2_vsyscall_argument
|
|
|
76240a |
+- harden_sshd_macs_openssh_conf_crypto_policy
|
|
|
76240a |
+- harden_sshd_macs_opensshserver_conf_crypto_policy
|
|
|
76240a |
- install_smartcard_packages
|
|
|
76240a |
- installed_OS_is_vendor_supported
|
|
|
76240a |
- kerberos_disable_no_keytab
|
|
|
76240a |
@@ -325,6 +327,7 @@ selections:
|
|
|
76240a |
- var_password_pam_lcredit=1
|
|
|
76240a |
- var_password_pam_retry=3
|
|
|
76240a |
- var_sshd_set_keepalive=0
|
|
|
76240a |
+- sshd_approved_macs=stig
|
|
|
76240a |
- sshd_idle_timeout_value=10_minutes
|
|
|
76240a |
- var_accounts_passwords_pam_faillock_deny=3
|
|
|
76240a |
- var_accounts_passwords_pam_faillock_fail_interval=900
|
|
|
76240a |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
index d6a27c67dc0..de82fb34518 100644
|
|
|
76240a |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
@@ -156,6 +156,8 @@ selections:
|
|
|
76240a |
- grub2_uefi_admin_username
|
|
|
76240a |
- grub2_uefi_password
|
|
|
76240a |
- grub2_vsyscall_argument
|
|
|
76240a |
+- harden_sshd_macs_openssh_conf_crypto_policy
|
|
|
76240a |
+- harden_sshd_macs_opensshserver_conf_crypto_policy
|
|
|
76240a |
- install_smartcard_packages
|
|
|
76240a |
- installed_OS_is_vendor_supported
|
|
|
76240a |
- kerberos_disable_no_keytab
|
|
|
76240a |
@@ -335,6 +337,7 @@ selections:
|
|
|
76240a |
- var_password_pam_lcredit=1
|
|
|
76240a |
- var_password_pam_retry=3
|
|
|
76240a |
- var_sshd_set_keepalive=0
|
|
|
76240a |
+- sshd_approved_macs=stig
|
|
|
76240a |
- sshd_idle_timeout_value=10_minutes
|
|
|
76240a |
- var_accounts_passwords_pam_faillock_deny=3
|
|
|
76240a |
- var_accounts_passwords_pam_faillock_fail_interval=900
|