From 7da420a853591a6e994439a9ada2b88d6793e3e7 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Tue, 29 Jun 2021 14:00:14 -0400
Subject: [PATCH 1/5] New rules for RHEL-08-010291
---
.../services/ssh/sshd_approved_ciphers.var | 2 +-
.../ansible/shared.yml | 16 +++++
.../bash/shared.sh | 13 ++++
.../oval/shared.xml | 35 +++++++++++
.../rule.yml | 62 +++++++++++++++++++
.../tests/stig_correct.pass.sh | 15 +++++
.../tests/stig_correct_commented.fail.sh | 15 +++++
...ct_followed_by_incorrect_commented.pass.sh | 18 ++++++
.../tests/stig_empty_file.fail.sh | 10 +++
.../tests/stig_empty_policy.fail.sh | 14 +++++
...rect_followed_by_correct_commented.fail.sh | 19 ++++++
.../tests/stig_incorrect_policy.fail.sh | 15 +++++
.../tests/stig_missing_file.fail.sh | 11 ++++
.../ansible/shared.yml | 45 ++++++++++++++
.../bash/shared.sh | 25 ++++++++
.../oval/shared.xml | 35 +++++++++++
.../rule.yml | 62 +++++++++++++++++++
.../tests/rhel8_stig_correct.pass.sh | 17 +++++
.../tests/rhel8_stig_empty_policy.fail.sh | 7 +++
.../tests/rhel8_stig_incorrect_policy.fail.sh | 14 +++++
.../tests/rhel8_stig_missing_file.fail.sh | 11 ++++
products/rhel8/profiles/stig.profile | 6 ++
.../data/profile_stability/rhel8/stig.profile | 3 +
.../profile_stability/rhel8/stig_gui.profile | 3 +
24 files changed, 472 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
|
|
362bfa |
index 46891daa619..a240bbbfaef 100644
|
|
|
362bfa |
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
|
|
362bfa |
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
|
|
|
362bfa |
@@ -11,6 +11,6 @@ operator: equals
|
|
|
362bfa |
interactive: false
|
|
|
362bfa |
|
|
|
362bfa |
options:
|
|
|
362bfa |
- stig: aes128-ctr,aes192-ctr,aes256-ctr
|
|
|
362bfa |
+ stig: aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
362bfa |
default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
|
|
|
362bfa |
cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
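Review bot: The `stig` option now reads `aes256-ctr,aes192-ctr,aes128-ctr`, but `sshd_approved_ciphers` is an existing variable that is presumably consumed by other rules' OVAL checks comparing the cipher list as an exact string; reordering the value silently changes what those checks accept, so a system that was compliant with the old `aes128-ctr,aes192-ctr,aes256-ctr` order fails after this change. The commit message does not say which rules share the variable or whether that is intended. A comment above the `stig:` line, `# strongest-first order is what RHEL-08-010291 expects; every consumer of this variable inherits it`, would make the behaviour change visible to reviewers and downstream users.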
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..badb5896cf2
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
|
|
362bfa |
@@ -0,0 +1,16 @@
|
|
|
362bfa |
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
362bfa |
+# reboot = true
|
|
|
362bfa |
+# strategy = restrict
|
|
|
362bfa |
+# complexity = low
|
|
|
362bfa |
+# disruption = low
|
|
|
362bfa |
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
|
|
|
362bfa |
+
|
|
|
362bfa |
+{{{ ansible_set_config_file(
|
|
|
362bfa |
+ msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
|
|
|
362bfa |
+ file='/etc/crypto-policies/back-ends/openssh.config',
|
|
|
362bfa |
+ parameter='Ciphers',
|
|
|
362bfa |
+ value="{{ sshd_approved_ciphers }}",
|
|
|
362bfa |
+ create='yes',
|
|
|
362bfa |
+ prefix_regex='^.*'
|
|
|
362bfa |
+ )
|
|
|
362bfa |
+}}}
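Review bot: The `msg` argument on the line `msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',` names MACs, but this remediation sets the `Ciphers` parameter and the matching rule.yml title in this commit says "Validated Ciphers"; the task name operators see should agree: `msg='Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config',`. The permissive `prefix_regex='^.*'` is presumably deliberate so that a commented-out `#Ciphers` line is rewritten rather than left beside a freshly added one (the `stig_correct_commented.fail.sh` scenario suggests that), and a one-line comment above it saying so would spare the next reader a trip to the macro definition.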
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..cdc66a8aac6
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
|
|
|
362bfa |
@@ -0,0 +1,13 @@
|
|
|
362bfa |
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
362bfa |
+. /usr/share/scap-security-guide/remediation_functions
|
|
|
362bfa |
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
|
|
|
362bfa |
+
|
|
|
362bfa |
+{{{ set_config_file(
|
|
|
362bfa |
+ path="/etc/crypto-policies/back-ends/openssh.config",
|
|
|
362bfa |
+ parameter="Ciphers",
|
|
|
362bfa |
+ value="${sshd_approved_ciphers}",
|
|
|
362bfa |
+ create=true,
|
|
|
362bfa |
+ insensitive=false,
|
|
|
362bfa |
+ prefix_regex="^.*"
|
|
|
362bfa |
+ )
|
|
|
362bfa |
+}}}
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..1879e77398b
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
@@ -0,0 +1,35 @@
|
|
|
362bfa |
+{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
|
|
|
362bfa |
+<def-group>
|
|
|
362bfa |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
362bfa |
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
|
|
|
362bfa |
+ <criteria operator="AND" comment="Test conditions - presence of the file plus.">
|
|
|
362bfa |
+ <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
|
|
|
362bfa |
+ </criteria>
|
|
|
362bfa |
+ </definition>
|
|
|
362bfa |
+
|
|
|
362bfa |
+
|
|
|
362bfa |
+ comment="test the value of Ciphers setting in the {{{ PATH }}} file"
|
|
|
362bfa |
+ id="test_{{{ rule_id }}}" version="1">
|
|
|
362bfa |
+ <ind:object object_ref="obj_{{{ rule_id }}}" />
|
|
|
362bfa |
+ <ind:state state_ref="ste_{{{ rule_id }}}" />
|
|
|
362bfa |
+ </ind:textfilecontent54_test>
|
|
|
362bfa |
+
|
|
|
362bfa |
+ <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
|
|
|
362bfa |
+ <ind:filepath>{{{ PATH }}}</ind:filepath>
|
|
|
362bfa |
+ <ind:pattern operation="pattern match">^Ciphers.*$</ind:pattern>
|
|
|
362bfa |
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
|
362bfa |
+ </ind:textfilecontent54_object>
|
|
|
362bfa |
+
|
|
|
362bfa |
+ <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
|
|
|
362bfa |
+ <ind:text var_ref="sshd_ciphers_crypto" operation="equals"></ind:text>
|
|
|
362bfa |
+ </ind:textfilecontent54_state>
|
|
|
362bfa |
+
|
|
|
362bfa |
+ <local_variable id="sshd_ciphers_crypto" datatype="string" comment="The regex of the directive" version="1">
|
|
|
362bfa |
+ <concat>
|
|
|
362bfa |
+ <literal_component>Ciphers </literal_component>
|
|
|
362bfa |
+ <variable_component var_ref="sshd_approved_ciphers"/>
|
|
|
362bfa |
+ </concat>
|
|
|
362bfa |
+ </local_variable>
|
|
|
362bfa |
+
|
|
|
362bfa |
+ <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
|
|
|
362bfa |
+</def-group>
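Review bot: The `oval_metadata` description in this hunk reads "Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.", which is the MACs rule's text, while the object and state here test `Ciphers`; it should read `Limit the ciphers to those which are FIPS-approved.`. The state compares the whole matched line (`^Ciphers.*$`) as `text` against the concatenated `Ciphers <value>` with `equals`, so a line that separates the keyword and the list with a tab, two spaces, or carries trailing whitespace fails even though OpenSSH's configuration parser accepts it; the sibling opensshserver OVAL in this commit captures the value with a group and a `subexpression` state, and the same shape here (`^Ciphers[ \t]+(\S+)[ \t]*$` with `<ind:subexpression var_ref="sshd_approved_ciphers" operation="equals" />`) would make the two rules consistent and let the `sshd_ciphers_crypto` local_variable go. The opening `<ind:textfilecontent54_test ...>` line is not visible in this hunk (the line before `comment=` is empty); that may be a rendering artefact, but if it is really absent from the file the XML is malformed, so worth confirming.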
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..cd1553dbdb3
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
|
|
362bfa |
@@ -0,0 +1,62 @@
|
|
|
362bfa |
+documentation_complete: true
|
|
|
362bfa |
+
|
|
|
362bfa |
+prodtype: fedora,rhel8
|
|
|
362bfa |
+
|
|
|
362bfa |
+title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'
|
|
|
362bfa |
+
|
|
|
362bfa |
+description: |-
|
|
|
362bfa |
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
|
|
362bfa |
+ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
|
|
|
362bfa |
+ set up incorrectly.
|
|
|
362bfa |
+
|
|
|
362bfa |
+ To check that Crypto Policies settings for ciphers are configured correctly, ensure that
|
|
|
362bfa |
+ <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
|
|
|
362bfa |
+ line and is not commented out:
|
|
|
362bfa |
+ Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
|
|
|
362bfa |
+
|
|
|
362bfa |
+rationale: |-
|
|
|
362bfa |
+ Overriding the system crypto policy makes the behavior of the OpenSSH daemon
|
|
|
362bfa |
+ violate expectations, and makes system configuration more fragmented. By
|
|
|
362bfa |
+ specifying a cipher list with the order of ciphers being in a “strongest to
|
|
|
362bfa |
+ weakest” orientation, the system will automatically attempt to use the
|
|
|
362bfa |
+ strongest cipher for securing SSH connections.
|
|
|
362bfa |
+
|
|
|
362bfa |
+severity: medium
|
|
|
362bfa |
+
|
|
|
362bfa |
+identifiers:
|
|
|
362bfa |
+ cce@rhel8: CCE-85870-4
|
|
|
362bfa |
+
|
|
|
362bfa |
+references:
|
|
|
362bfa |
+ nist: AC-17(2)
|
|
|
362bfa |
+ srg: SRG-OS-000250-GPOS-00093
|
|
|
362bfa |
+ disa: CCI-001453
|
|
|
362bfa |
+ stigid@rhel8: RHEL-08-010291
|
|
|
362bfa |
+
|
|
|
362bfa |
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
|
|
362bfa |
+
|
|
|
362bfa |
+ocil: |-
|
|
|
362bfa |
+ To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run:
|
|
|
362bfa |
+ $ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
|
|
|
362bfa |
+ and verify that the line matches:
|
|
|
362bfa |
+ Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
|
|
|
362bfa |
+
|
|
|
362bfa |
+warnings:
|
|
|
362bfa |
+ - general: |-
|
|
|
362bfa |
+ The system needs to be rebooted for these changes to take effect.
|
|
|
362bfa |
+ - regulatory: |-
|
|
|
362bfa |
+ System Crypto Modules must be provided by a vendor that undergoes
|
|
|
362bfa |
+ FIPS-140 certifications.
|
|
|
362bfa |
+ FIPS-140 is applicable to all Federal agencies that use
|
|
|
362bfa |
+ cryptographic-based security systems to protect sensitive information
|
|
|
362bfa |
+ in computer and telecommunication systems (including voice systems) as
|
|
|
362bfa |
+ defined in Section 5131 of the Information Technology Management Reform
|
|
|
362bfa |
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
|
|
362bfa |
+ designing and implementing cryptographic modules that Federal
|
|
|
362bfa |
+ departments and agencies operate or are operated for them under
|
|
|
362bfa |
+ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}
|
|
|
362bfa |
+ To meet this, the system has to have cryptographic software provided by
|
|
|
362bfa |
+ a vendor that has undergone this certification. This means providing
|
|
|
362bfa |
+ documentation, test results, design information, and independent third
|
|
|
362bfa |
+ party review by an accredited lab. While open source software is
|
|
|
362bfa |
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
|
|
362bfa |
+ submits to this process.
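Review bot: The `ocil` procedure runs `grep -i ciphers /etc/crypto-policies/back-ends/openssh.config`, which also prints commented-out `#Ciphers` lines and any other line containing the word, while the OVAL check for this rule in the same commit is anchored on `^Ciphers` and case-sensitive; a manual assessor following the OCIL could accept a commented line that the scanner rejects. Align the manual step with the automated one: `$ grep '^Ciphers' /etc/crypto-policies/back-ends/openssh.config`. Since the OVAL state uses an exact `equals` on the whole line, the `description` would also benefit from one sentence noting that the keyword and the cipher list are expected to be separated by a single space with nothing trailing.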
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..0a27a7e0984
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
|
|
|
362bfa |
@@ -0,0 +1,15 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+if [[ -f $configfile ]]; then
|
|
|
362bfa |
+ sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile
|
|
|
362bfa |
+else
|
|
|
362bfa |
+ echo "Ciphers ${sshd_approved_ciphers}" > "$configfile"
|
|
|
362bfa |
+fi
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..5cadd95ba38
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
|
|
|
362bfa |
@@ -0,0 +1,15 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+if [[ -f $configfile ]]; then
|
|
|
362bfa |
+ sed -i "s/^.*Ciphers.*$/#Ciphers ${sshd_approved_ciphers}/" $configfile
|
|
|
362bfa |
+else
|
|
|
362bfa |
+ echo "#Ciphers ${sshd_approved_ciphers}" > "$configfile"
|
|
|
362bfa |
+fi
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..26220063757
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
|
|
|
362bfa |
@@ -0,0 +1,18 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+if [[ -f $configfile ]]; then
|
|
|
362bfa |
+ sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile
|
|
|
362bfa |
+else
|
|
|
362bfa |
+ echo "Ciphers ${sshd_approved_ciphers}" > "$configfile"
|
|
|
362bfa |
+fi
|
|
|
362bfa |
+
|
|
|
362bfa |
+# follow up with incorrect
|
|
|
362bfa |
+echo "#Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr" >> $configfile
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..55ef3f58422
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
|
|
|
362bfa |
@@ -0,0 +1,10 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+echo "" > $configfile
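Review bot: `echo "" > $configfile` writes a single newline, so the scenario named "empty file" actually produces a one-line file; the OVAL's `^Ciphers.*$` pattern fails either way, but the fixture does not exercise what its name says. Truncate instead: `: > "$configfile"`. Quoting `$configfile` here, and in the sibling scenarios' `sed -i ... $configfile`, `>> $configfile` and `rm -f $configfile` lines, would also match the `> "$configfile"` form those scripts already use in their `else` branches.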
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..7105441ad80
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
|
|
|
362bfa |
@@ -0,0 +1,14 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+if [[ -f $configfile ]]; then
|
|
|
362bfa |
+ sed -i "s/^.*Ciphers.*$/Ciphers /" $configfile
|
|
|
362bfa |
+else
|
|
|
362bfa |
+ echo "Ciphers " > "$configfile"
|
|
|
362bfa |
+fi
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..195f5e8d8ed
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
|
|
362bfa |
@@ -0,0 +1,19 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
362bfa |
+incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+if [[ -f $configfile ]]; then
|
|
|
362bfa |
+ sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile
|
|
|
362bfa |
+else
|
|
|
362bfa |
+ echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile"
|
|
|
362bfa |
+fi
|
|
|
362bfa |
+
|
|
|
362bfa |
+# follow up with correct value
|
|
|
362bfa |
+echo "Ciphers ${sshd_approved_ciphers}" >> $configfile
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..92bd4ed9c5a
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
|
|
|
362bfa |
@@ -0,0 +1,15 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+if [[ -f $configfile ]]; then
|
|
|
362bfa |
+ sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile
|
|
|
362bfa |
+else
|
|
|
362bfa |
+ echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile"
|
|
|
362bfa |
+fi
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..2138caad319
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
|
|
|
362bfa |
@@ -0,0 +1,11 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/openssh.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+# If file exists, remove it
|
|
|
362bfa |
+test -f $configfile && rm -f $configfile
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..7532ba51639
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
|
|
362bfa |
@@ -0,0 +1,45 @@
|
|
|
362bfa |
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
362bfa |
+# reboot = true
|
|
|
362bfa |
+# strategy = restrict
|
|
|
362bfa |
+# complexity = low
|
|
|
362bfa |
+# disruption = low
|
|
|
362bfa |
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
|
|
|
362bfa |
+
|
|
|
362bfa |
+- name: "{{{ rule_title }}}: Set facts"
|
|
|
362bfa |
+ set_fact:
|
|
|
362bfa |
+ path: /etc/crypto-policies/back-ends/opensshserver.config
|
|
|
362bfa |
+ correct_value: "-oCiphers={{ sshd_approved_ciphers }}"
|
|
|
362bfa |
+
|
|
|
362bfa |
+- name: "{{{ rule_title }}}: Stat"
|
|
|
362bfa |
+ stat:
|
|
|
362bfa |
+ path: "{{ path }}"
|
|
|
362bfa |
+ follow: yes
|
|
|
362bfa |
+ register: opensshserver_file
|
|
|
362bfa |
+
|
|
|
362bfa |
+- name: "{{{ rule_title }}}: Create"
|
|
|
362bfa |
+ lineinfile:
|
|
|
362bfa |
+ path: "{{ path }}"
|
|
|
362bfa |
+ line: "{{ correct_value }}"
|
|
|
362bfa |
+ create: yes
|
|
|
362bfa |
+ when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
|
|
|
362bfa |
+
|
|
|
362bfa |
+- name: "{{{ rule_title }}}"
|
|
|
362bfa |
+ block:
|
|
|
362bfa |
+ - name: "Existing value check"
|
|
|
362bfa |
+ lineinfile:
|
|
|
362bfa |
+ path: "{{ path }}"
|
|
|
362bfa |
+ create: false
|
|
|
362bfa |
+ regexp: "{{ correct_value }}"
|
|
|
362bfa |
+ state: absent
|
|
|
362bfa |
+ check_mode: true
|
|
|
362bfa |
+ changed_when: false
|
|
|
362bfa |
+ register: opensshserver
|
|
|
362bfa |
+
|
|
|
362bfa |
+ - name: "Update/Correct value"
|
|
|
362bfa |
+ replace:
|
|
|
362bfa |
+ path: "{{ path }}"
|
|
|
362bfa |
+ regexp: (-oCiphers=\S+)
|
|
|
362bfa |
+ replace: "{{ correct_value }}"
|
|
|
362bfa |
+ when: opensshserver.found is defined and opensshserver.found != 1
|
|
|
362bfa |
+
|
|
|
362bfa |
+ when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
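Review bot: The `when` on the "Create" task and the `when` on the block both use the file's byte size against `correct_value|length` to decide whether a cipher option is already present, and that heuristic misroutes two real cases: a short file that holds a wrong `-oCiphers=` value satisfies the Create condition, so the correct line is appended while the wrong one stays (and the sibling OVAL compares only instance 1), and a larger file with no `-oCiphers=` entry at all satisfies the block condition, where `replace` has nothing to match and nothing is added. The decision should be driven by whether `-oCiphers=\S+` is found, not by size. The "Existing value check" also passes `regexp: "{{ correct_value }}"`, so the cipher list is interpreted as a regular expression (`.` in names such as `@openssh.com` matches any character); a literal check is safer. I would restructure the create/update tasks as below.
```yaml
# … unchanged: set_fact and stat tasks …

- name: "{{{ rule_title }}}: Check for an existing -oCiphers option"
  lineinfile:
    path: "{{ path }}"
    create: false
    regexp: '-oCiphers=\S+'
    state: absent
  check_mode: true
  changed_when: false
  register: opensshserver_ciphers
  when: opensshserver_file.stat.exists

- name: "{{{ rule_title }}}: Replace existing -oCiphers value"
  replace:
    path: "{{ path }}"
    regexp: (-oCiphers=\S+)
    replace: "{{ correct_value }}"
  when: opensshserver_file.stat.exists and (opensshserver_ciphers.found | default(0)) > 0

- name: "{{{ rule_title }}}: Add -oCiphers option when absent"
  lineinfile:
    path: "{{ path }}"
    line: "{{ correct_value }}"
    create: yes
  when: not opensshserver_file.stat.exists or (opensshserver_ciphers.found | default(0)) == 0
```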
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..1bc022f93b6
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
|
|
362bfa |
@@ -0,0 +1,25 @@
|
|
|
362bfa |
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
362bfa |
+. /usr/share/scap-security-guide/remediation_functions
|
|
|
362bfa |
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
|
|
|
362bfa |
+
|
|
|
362bfa |
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
362bfa |
+correct_value="-oCiphers=${sshd_approved_ciphers}"
|
|
|
362bfa |
+
|
|
|
362bfa |
+grep -q ${correct_value} ${CONF_FILE}
|
|
|
362bfa |
+
|
|
|
362bfa |
+if [[ $? -ne 0 ]]; then
|
|
|
362bfa |
+ # We need to get the existing value, using PCRE to maintain same regex
|
|
|
362bfa |
+ existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
|
|
|
362bfa |
+
|
|
|
362bfa |
+ if [[ ! -z ${existing_value} ]]; then
|
|
|
362bfa |
+ # replace existing_value with correct_value
|
|
|
362bfa |
+ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
|
|
|
362bfa |
+ else
|
|
|
362bfa |
+ # ***NOTE*** #
|
|
|
362bfa |
+ # This probably means this file is not here or it's been modified
|
|
|
362bfa |
+ # unintentionally.
|
|
|
362bfa |
+ # ********** #
|
|
|
362bfa |
+ # echo correct_value to end
|
|
|
362bfa |
+ echo ${correct_value} >> ${CONF_FILE}
|
|
|
362bfa |
+ fi
|
|
|
362bfa |
+fi
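Review bot: `grep -q ${correct_value} ${CONF_FILE}` passes a word that begins with `-o`, so grep parses `-oCiphers=...` as options rather than as the pattern and exits non-zero regardless of what the file contains; the `$?` test on the following line therefore cannot tell "value not present" from that usage error and every run falls into the replacement branch. End option parsing and match literally in one step: `if ! grep -qF -- "${correct_value}" "${CONF_FILE}" 2>/dev/null; then`, dropping the separate `grep`/`$?` pair. The later `sed -i "s/${existing_value}/${correct_value}/g"` reuses the captured text as a regular expression and breaks if `grep -Po` returns more than one match; rewriting it as `sed -i "s|-oCiphers=[^[:space:]]*|${correct_value}|g" "${CONF_FILE}"` mirrors the pattern already used for the lookup and avoids both problems.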
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..92ad7ce3d3f
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
@@ -0,0 +1,35 @@
|
|
|
362bfa |
+{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
|
|
|
362bfa |
+<def-group>
|
|
|
362bfa |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
362bfa |
+ {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}}
|
|
|
362bfa |
+ <criteria operator="AND" comment="Test conditions - presence of the file plus.">
|
|
|
362bfa |
+ <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
|
|
|
362bfa |
+ </criteria>
|
|
|
362bfa |
+ </definition>
|
|
|
362bfa |
+
|
|
|
362bfa |
+
|
|
|
362bfa |
+ comment="test the value of Ciphers setting in the {{{ PATH }}} file"
|
|
|
362bfa |
+ id="test_{{{ rule_id }}}" version="1">
|
|
|
362bfa |
+ <ind:object object_ref="obj_{{{ rule_id }}}" />
|
|
|
362bfa |
+ <ind:state state_ref="ste_{{{ rule_id }}}" />
|
|
|
362bfa |
+ </ind:textfilecontent54_test>
|
|
|
362bfa |
+
|
|
|
362bfa |
+ <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
|
|
|
362bfa |
+ <ind:filepath>{{{ PATH }}}</ind:filepath>
|
|
|
362bfa |
+ <ind:pattern operation="pattern match">^.*(-oCiphers=\S+).*$</ind:pattern>
|
|
|
362bfa |
+ <ind:instance operation="equals" datatype="int">1</ind:instance>
|
|
|
362bfa |
+ </ind:textfilecontent54_object>
|
|
|
362bfa |
+
|
|
|
362bfa |
+ <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
|
|
|
362bfa |
+ <ind:subexpression var_ref="sshd_ciphers_crypto_opensshserver" operation="equals" />
|
|
|
362bfa |
+ </ind:textfilecontent54_state>
|
|
|
362bfa |
+
|
|
|
362bfa |
+ <local_variable id="sshd_ciphers_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">
|
|
|
362bfa |
+ <concat>
|
|
|
362bfa |
+ <literal_component>-oCiphers=</literal_component>
|
|
|
362bfa |
+ <variable_component var_ref="sshd_approved_ciphers"/>
|
|
|
362bfa |
+ </concat>
|
|
|
362bfa |
+ </local_variable>
|
|
|
362bfa |
+
|
|
|
362bfa |
+ <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
|
|
|
362bfa |
+</def-group>
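Review bot: The `oval_metadata` description reads "Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.", which splices the MACs rule's wording onto this rule's subject; it should read `Limit the ciphers to those which are FIPS-approved.`. The object pairs `^.*(-oCiphers=\S+).*$` with `instance equals 1`, so only the first `-oCiphers=` occurrence is compared and a later, differing occurrence is never examined; if that is intended, a short comment on the object saying so would help, otherwise an instance operation of `greater than or equal` combined with the test's `check` attribute (not visible in this hunk) covering all items would evaluate every occurrence. As in the openssh.config OVAL, the opening `<ind:textfilecontent54_test ...>` line is not visible before `comment=`; worth confirming it is present in the committed file.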
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..877c6f38db0
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
@@ -0,0 +1,62 @@
|
|
|
362bfa |
+documentation_complete: true
|
|
|
362bfa |
+
|
|
|
362bfa |
+prodtype: rhel8
|
|
|
362bfa |
+
|
|
|
362bfa |
+title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config'
|
|
|
362bfa |
+
|
|
|
362bfa |
+description: |-
|
|
|
362bfa |
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
|
|
362bfa |
+ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
|
|
|
362bfa |
+ set up incorrectly.
|
|
|
362bfa |
+
|
|
|
362bfa |
+ To check that Crypto Policies settings for ciphers are configured correctly, ensure that
|
|
|
362bfa |
+ <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
|
|
|
362bfa |
+ text and is not commented out:
|
|
|
362bfa |
+ -oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
|
|
|
362bfa |
+
|
|
|
362bfa |
+rationale: |-
|
|
|
362bfa |
+ Overriding the system crypto policy makes the behavior of the OpenSSH daemon
|
|
|
362bfa |
+ violate expectations, and makes system configuration more fragmented. By
|
|
|
362bfa |
+ specifying a cipher list with the order of ciphers being in a “strongest to
|
|
|
362bfa |
+ weakest” orientation, the system will automatically attempt to use the
|
|
|
362bfa |
+ strongest cipher for securing SSH connections.
|
|
|
362bfa |
+
|
|
|
362bfa |
+severity: medium
|
|
|
362bfa |
+
|
|
|
362bfa |
+identifiers:
|
|
|
362bfa |
+ cce@rhel8: CCE-85871-2
|
|
|
362bfa |
+
|
|
|
362bfa |
+references:
|
|
|
362bfa |
+ nist: AC-17(2)
|
|
|
362bfa |
+ srg: SRG-OS-000250-GPOS-00093
|
|
|
362bfa |
+ disa: CCI-001453
|
|
|
362bfa |
+ stigid@rhel8: RHEL-08-010290
|
|
|
362bfa |
+
|
|
|
362bfa |
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
|
|
362bfa |
+
|
|
|
362bfa |
+ocil: |-
|
|
|
362bfa |
+ To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run:
|
|
|
362bfa |
+ $ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
|
|
|
362bfa |
+ and verify that the line matches:
|
|
|
362bfa |
+ -oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
|
|
|
362bfa |
+
|
|
|
362bfa |
+warnings:
|
|
|
362bfa |
+ - general: |-
|
|
|
362bfa |
+ The system needs to be rebooted for these changes to take effect.
|
|
|
362bfa |
+ - regulatory: |-
|
|
|
362bfa |
+ System Crypto Modules must be provided by a vendor that undergoes
|
|
|
362bfa |
+ FIPS-140 certifications.
|
|
|
362bfa |
+ FIPS-140 is applicable to all Federal agencies that use
|
|
|
362bfa |
+ cryptographic-based security systems to protect sensitive information
|
|
|
362bfa |
+ in computer and telecommunication systems (including voice systems) as
|
|
|
362bfa |
+ defined in Section 5131 of the Information Technology Management Reform
|
|
|
362bfa |
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
|
|
362bfa |
+ designing and implementing cryptographic modules that Federal
|
|
|
362bfa |
+ departments and agencies operate or are operated for them under
|
|
|
362bfa |
+ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}
|
|
|
362bfa |
+ To meet this, the system has to have cryptographic software provided by
|
|
|
362bfa |
+ a vendor that has undergone this certification. This means providing
|
|
|
362bfa |
+ documentation, test results, design information, and independent third
|
|
|
362bfa |
+ party review by an accredited lab. While open source software is
|
|
|
362bfa |
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
|
|
362bfa |
+ submits to this process.
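Review bot: `stigid@rhel8: RHEL-08-010290` looks inconsistent with the rest of this series: the commit title, the `# RHEL-08-010291` heading this rule is listed under in stig.profile, and the sibling openssh.config rule all say 010291, and the value is still 010290 in the rule.yml hunk of patch 5/5, so please confirm which STIG ID this rule maps to (the MACs rule listed just above it in the profile presumably already carries 010290). Separately, the ocil command `$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config` also matches a commented-out line, which contradicts the description's "is not commented out" requirement; `$ grep -Po '^(?!#).*(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config` keeps the manual check aligned with what the OVAL enforces. The same ocil text is carried forward unchanged in the rule.yml hunks of patches 3/5 and 4/5.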
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..1a8911d523c
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
|
|
|
362bfa |
@@ -0,0 +1,17 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
362bfa |
+correct_value="-oCiphers=${sshd_approved_ciphers}"
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Proceed when file exists
|
|
|
362bfa |
+if [[ -f $configfile ]]; then
|
|
|
362bfa |
+ sed -i -r "s/-oCiphers=\S+/${correct_value}/" $configfile
|
|
|
362bfa |
+else
|
|
|
362bfa |
+ echo "${correct_value}" > "$configfile"
|
|
|
362bfa |
+fi
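Review bot: The sed branch `sed -i -r "s/-oCiphers=\S+/${correct_value}/" $configfile` silently leaves a pre-existing file that has no `-oCiphers=` line untouched, so this pass scenario does not guarantee the expected line is present. Add a fallback after the sed, `grep -qF -- "${correct_value}" "$configfile" || echo "${correct_value}" >> "$configfile"`, or write the file unconditionally. Note also that the scenario writes a bare `-oCiphers=...` line whereas the bash remediation in patch 3/5 writes `CRYPTO_POLICY='-oCiphers=...'`, so the test never exercises the file format the remediation actually produces.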
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..3dde1479296
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
|
|
|
362bfa |
@@ -0,0 +1,7 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+echo "" > "$configfile"
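Review bot: `echo "" > "$configfile"` fails when /etc/crypto-policies/back-ends does not exist on the test machine, so the scenario would error out instead of producing an empty policy file. The sibling scenarios guard this with `test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends`; add the same line before the echo for consistency. `: > "$configfile"` would also create a truly empty file rather than one holding a single newline, if that is what "empty policy" is meant to cover.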
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..f97f54db502
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
|
|
|
362bfa |
@@ -0,0 +1,14 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+if [[ -f $configfile ]]; then
|
|
|
362bfa |
+ sed -i -r "s/-oCiphers=\S+/-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc/" $configfile
|
|
|
362bfa |
+else
|
|
|
362bfa |
+ echo "-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc" > "$configfile"
|
|
|
362bfa |
+fi
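Review bot: The incorrect cipher string is written out twice, once in the sed replacement and once in the echo, so the two branches of the if can drift apart. Following the pass scenario's pattern, hoist it into `incorrect_value="-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc"` and use `${incorrect_value}` in both places. Quoting `"$configfile"` in the sed line would match the echo branch as well.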
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
|
|
|
362bfa |
new file mode 100644
|
|
|
362bfa |
index 00000000000..11e596ced87
|
|
|
362bfa |
--- /dev/null
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
|
|
|
362bfa |
@@ -0,0 +1,11 @@
|
|
|
362bfa |
+#!/bin/bash
|
|
|
362bfa |
+# platform = Red Hat Enterprise Linux 8
|
|
|
362bfa |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
362bfa |
+
|
|
|
362bfa |
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure directory + file is there
|
|
|
362bfa |
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
|
|
|
362bfa |
+
|
|
|
362bfa |
+# If file exists, remove it
|
|
|
362bfa |
+test -f $configfile && rm -f $configfile
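Review bot: `test -f $configfile && rm -f $configfile` is the last command, so when the file is already absent the script's exit status is 1, which the test harness may report as a setup failure rather than the intended "missing file" state. `rm -f "$configfile"` alone is idempotent and exits 0 either way, which is the behaviour this scenario wants.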
|
|
|
362bfa |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
362bfa |
index 28b47cca487..a3783efafd6 100644
|
|
|
362bfa |
--- a/products/rhel8/profiles/stig.profile
|
|
|
362bfa |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
362bfa |
@@ -50,7 +50,11 @@ selections:
|
|
|
362bfa |
- var_password_pam_retry=3
|
|
|
362bfa |
- var_password_pam_minlen=15
|
|
|
362bfa |
- var_sshd_set_keepalive=0
|
|
|
362bfa |
+<<<<<<< HEAD
|
|
|
362bfa |
- sshd_approved_macs=stig
|
|
|
362bfa |
+=======
|
|
|
362bfa |
+ - sshd_approved_ciphers=stig
|
|
|
362bfa |
+>>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)
|
|
|
362bfa |
- sshd_idle_timeout_value=10_minutes
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_deny=3
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_fail_interval=900
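Review bot: Merge-conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)` are committed into stig.profile by this hunk, leaving the profile unparsable at this point in the series; patch 5/5 removes them again. Please rebase so the markers never land (squash that fix into this patch), since an intermediate commit with a broken profile breaks bisecting and any per-commit CI build.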
|
|
|
362bfa |
@@ -185,6 +189,8 @@ selections:
|
|
|
362bfa |
- harden_sshd_macs_opensshserver_conf_crypto_policy
|
|
|
362bfa |
|
|
|
362bfa |
# RHEL-08-010291
|
|
|
362bfa |
+ - harden_sshd_ciphers_openssh_conf_crypto_policy
|
|
|
362bfa |
+ - harden_sshd_ciphers_opensshserver_conf_crypto_policy
|
|
|
362bfa |
|
|
|
362bfa |
# RHEL-08-010292
|
|
|
362bfa |
- sshd_use_strong_rng
|
|
|
362bfa |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
362bfa |
index 393051a34ea..05335cc38fb 100644
|
|
|
362bfa |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
362bfa |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
362bfa |
@@ -147,6 +147,8 @@ selections:
|
|
|
362bfa |
- grub2_vsyscall_argument
|
|
|
362bfa |
- harden_sshd_macs_openssh_conf_crypto_policy
|
|
|
362bfa |
- harden_sshd_macs_opensshserver_conf_crypto_policy
|
|
|
362bfa |
+- harden_sshd_ciphers_openssh_conf_crypto_policy
|
|
|
362bfa |
+- harden_sshd_ciphers_opensshserver_conf_crypto_policy
|
|
|
362bfa |
- install_smartcard_packages
|
|
|
362bfa |
- installed_OS_is_vendor_supported
|
|
|
362bfa |
- kerberos_disable_no_keytab
|
|
|
362bfa |
@@ -328,6 +330,7 @@ selections:
|
|
|
362bfa |
- var_password_pam_retry=3
|
|
|
362bfa |
- var_sshd_set_keepalive=0
|
|
|
362bfa |
- sshd_approved_macs=stig
|
|
|
362bfa |
+- sshd_approved_ciphers=stig
|
|
|
362bfa |
- sshd_idle_timeout_value=10_minutes
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_deny=3
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_fail_interval=900
|
|
|
362bfa |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
362bfa |
index de82fb34518..a0adc835a0d 100644
|
|
|
362bfa |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
362bfa |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
362bfa |
@@ -158,6 +158,8 @@ selections:
|
|
|
362bfa |
- grub2_vsyscall_argument
|
|
|
362bfa |
- harden_sshd_macs_openssh_conf_crypto_policy
|
|
|
362bfa |
- harden_sshd_macs_opensshserver_conf_crypto_policy
|
|
|
362bfa |
+- harden_sshd_ciphers_openssh_conf_crypto_policy
|
|
|
362bfa |
+- harden_sshd_ciphers_opensshserver_conf_crypto_policy
|
|
|
362bfa |
- install_smartcard_packages
|
|
|
362bfa |
- installed_OS_is_vendor_supported
|
|
|
362bfa |
- kerberos_disable_no_keytab
|
|
|
362bfa |
@@ -338,6 +340,7 @@ selections:
|
|
|
362bfa |
- var_password_pam_retry=3
|
|
|
362bfa |
- var_sshd_set_keepalive=0
|
|
|
362bfa |
- sshd_approved_macs=stig
|
|
|
362bfa |
+- sshd_approved_ciphers=stig
|
|
|
362bfa |
- sshd_idle_timeout_value=10_minutes
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_deny=3
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_fail_interval=900
|
|
|
362bfa |
|
|
|
362bfa |
From c943e715615de1aa957d62d239e532f86ef0959e Mon Sep 17 00:00:00 2001
|
|
|
362bfa |
From: Carlos Matos <cmatos@redhat.com>
|
|
|
362bfa |
Date: Tue, 29 Jun 2021 14:04:49 -0400
|
|
|
362bfa |
Subject: [PATCH 2/5] replaced MACs with Ciphers
|
|
|
362bfa |
|
|
|
362bfa |
---
|
|
|
362bfa |
.../ansible/shared.yml | 2 +-
|
|
|
362bfa |
.../oval/shared.xml | 2 +-
|
|
|
362bfa |
.../oval/shared.xml | 2 +-
|
|
|
362bfa |
3 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
362bfa |
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
|
|
362bfa |
index badb5896cf2..956a19f3025 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
|
|
|
362bfa |
@@ -6,7 +6,7 @@
|
|
|
362bfa |
{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
|
|
|
362bfa |
|
|
|
362bfa |
{{{ ansible_set_config_file(
|
|
|
362bfa |
- msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
|
|
|
362bfa |
+ msg='Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config',
|
|
|
362bfa |
file='/etc/crypto-policies/back-ends/openssh.config',
|
|
|
362bfa |
parameter='Ciphers',
|
|
|
362bfa |
value="{{ sshd_approved_ciphers }}",
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
index 1879e77398b..9b3b4f1995d 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
@@ -1,7 +1,7 @@
|
|
|
362bfa |
{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
|
|
|
362bfa |
<def-group>
|
|
|
362bfa |
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
362bfa |
- {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
|
|
|
362bfa |
+ {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}}
|
|
|
362bfa |
<criteria operator="AND" comment="Test conditions - presence of the file plus.">
|
|
|
362bfa |
<criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
|
|
|
362bfa |
</criteria>
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
index 92ad7ce3d3f..3afbc1619a4 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
@@ -1,7 +1,7 @@
|
|
|
362bfa |
{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
|
|
|
362bfa |
<def-group>
|
|
|
362bfa |
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
362bfa |
- {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}}
|
|
|
362bfa |
+ {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}}
|
|
|
362bfa |
<criteria operator="AND" comment="Test conditions - presence of the file plus.">
|
|
|
362bfa |
<criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
|
|
|
362bfa |
</criteria>
|
|
|
362bfa |
|
|
|
362bfa |
From 26383895dfffc5e643295301c052ccd3d77cb906 Mon Sep 17 00:00:00 2001
|
|
|
362bfa |
From: Carlos Matos <cmatos@redhat.com>
|
|
|
362bfa |
Date: Mon, 19 Jul 2021 09:33:38 -0400
|
|
|
362bfa |
Subject: [PATCH 3/5] Fixed issue with oval not checking for commented out
|
|
|
362bfa |
line, and updated remediations
|
|
|
362bfa |
|
|
|
362bfa |
---
|
|
|
362bfa |
.../rule.yml | 8 ++++----
|
|
|
362bfa |
.../ansible/shared.yml | 2 +-
|
|
|
362bfa |
.../bash/shared.sh | 10 ++++++++--
|
|
|
362bfa |
.../oval/shared.xml | 2 +-
|
|
|
362bfa |
.../rule.yml | 6 +++---
|
|
|
362bfa |
5 files changed, 17 insertions(+), 11 deletions(-)
|
|
|
362bfa |
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
|
|
362bfa |
index cd1553dbdb3..d626ec6e260 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
|
|
362bfa |
@@ -2,7 +2,7 @@ documentation_complete: true
|
|
|
362bfa |
|
|
|
362bfa |
prodtype: fedora,rhel8
|
|
|
362bfa |
|
|
|
362bfa |
-title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'
|
|
|
362bfa |
+title: 'Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config'
|
|
|
362bfa |
|
|
|
362bfa |
description: |-
|
|
|
362bfa |
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
|
|
362bfa |
@@ -15,7 +15,7 @@ description: |-
|
|
|
362bfa |
Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
|
|
|
362bfa |
|
|
|
362bfa |
rationale: |-
|
|
|
362bfa |
- Overriding the system crypto policy makes the behavior of the OpenSSH daemon
|
|
|
362bfa |
+ Overriding the system crypto policy makes the behavior of the OpenSSH client
|
|
|
362bfa |
violate expectations, and makes system configuration more fragmented. By
|
|
|
362bfa |
specifying a cipher list with the order of ciphers being in a “strongest to
|
|
|
362bfa |
weakest” orientation, the system will automatically attempt to use the
|
|
|
362bfa |
@@ -32,10 +32,10 @@ references:
|
|
|
362bfa |
disa: CCI-001453
|
|
|
362bfa |
stigid@rhel8: RHEL-08-010291
|
|
|
362bfa |
|
|
|
362bfa |
-ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
|
|
362bfa |
+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
|
|
|
362bfa |
|
|
|
362bfa |
ocil: |-
|
|
|
362bfa |
- To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run:
|
|
|
362bfa |
+ To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run:
|
|
|
362bfa |
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config
|
|
|
362bfa |
and verify that the line matches:
|
|
|
362bfa |
Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}
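Review bot: The ocil command `$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config` matches a commented-out `#Ciphers` line as well as the active one, so a reader following it could pass a file that this series' own `stig_incorrect_followed_by_correct_commented.fail.sh` scenario treats as failing. `$ grep -iE '^\s*Ciphers\b' /etc/crypto-policies/back-ends/openssh.config` matches only an uncommented directive and keeps the manual check consistent with the automated one.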
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
|
|
362bfa |
index 7532ba51639..3e637f37e69 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
|
|
|
362bfa |
@@ -19,7 +19,7 @@
|
|
|
362bfa |
- name: "{{{ rule_title }}}: Create"
|
|
|
362bfa |
lineinfile:
|
|
|
362bfa |
path: "{{ path }}"
|
|
|
362bfa |
- line: "{{ correct_value }}"
|
|
|
362bfa |
+ line: "CRYPTO_POLICY='{{ correct_value }}'"
|
|
|
362bfa |
create: yes
|
|
|
362bfa |
when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
|
|
|
362bfa |
|
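Review bot: The `when:` guard still compares the file size against the unwrapped `correct_value|length`, even though the line written is now longer by the `CRYPTO_POLICY=''` wrapper, so the heuristic no longer describes the line this task produces. A file holding a short, e.g. commented, `CRYPTO_POLICY=` line passes the guard, and because the lineinfile task has no `regexp:` it appends a second assignment rather than replacing it. Adding `regexp: '^\s*#?\s*CRYPTO_POLICY='` makes the task replace (and uncomment) the existing assignment in place, matching what the bash remediation's sed does. The task list this belongs to starts outside the hunk.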
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
|
|
362bfa |
index 1bc022f93b6..eaa4463caad 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
|
|
|
362bfa |
@@ -5,7 +5,13 @@
|
|
|
362bfa |
CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
|
|
|
362bfa |
correct_value="-oCiphers=${sshd_approved_ciphers}"
|
|
|
362bfa |
|
|
|
362bfa |
-grep -q ${correct_value} ${CONF_FILE}
|
|
|
362bfa |
+# Test if file exists
|
|
|
362bfa |
+test -f ${CONF_FILE} || touch ${CONF_FILE}
|
|
|
362bfa |
+
|
|
|
362bfa |
+# Ensure CRYPTO_POLICY is not commented out
|
|
|
362bfa |
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
|
|
|
362bfa |
+
|
|
|
362bfa |
+grep -q "'${correct_value}'" ${CONF_FILE}
|
|
|
362bfa |
|
|
|
362bfa |
if [[ $? -ne 0 ]]; then
|
|
|
362bfa |
# We need to get the existing value, using PCRE to maintain same regex
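Review bot: `grep -q "'${correct_value}'" ${CONF_FILE}` only matches when the quoted CRYPTO_POLICY value consists of nothing but the Ciphers option; if the file carries further `-o` options after `-oCiphers=...` inside the same quotes, as a crypto-policies generated opensshserver.config typically does, the check reports a mismatch on every run and the rewrite branch below executes each time the remediation is applied. The pattern is also interpreted as a regex, so the `.` in names like `aes256-gcm@openssh.com` matches any character. `grep -qF -- "${correct_value} " "${CONF_FILE}" || grep -qF -- "${correct_value}'" "${CONF_FILE}"` accepts the option followed by either another option or the closing quote while still rejecting a longer cipher list that merely starts with the approved one. The rewrite branch continues past the end of this hunk.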
|
|
|
362bfa |
@@ -20,6 +26,6 @@ if [[ $? -ne 0 ]]; then
|
|
|
362bfa |
# unintentionally.
|
|
|
362bfa |
# ********** #
|
|
|
362bfa |
# echo correct_value to end
|
|
|
362bfa |
- echo ${correct_value} >> ${CONF_FILE}
|
|
|
362bfa |
+ echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
|
|
|
362bfa |
fi
|
|
|
362bfa |
fi
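Review bot: `echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}` appends a second `CRYPTO_POLICY=` assignment whenever the file already has one that did not match, and the appended value carries only the Ciphers option, so whichever line the service reads last determines the policy and any other options in the original assignment are presumably dropped. Consider replacing the existing assignment in place and documenting on the comment line above that the appended line intentionally carries only `-oCiphers`, if that is the intent. The enclosing if block starts outside this hunk.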
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
index 3afbc1619a4..53919eaae7f 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
|
|
|
362bfa |
@@ -16,7 +16,7 @@
|
|
|
362bfa |
|
|
|
362bfa |
<ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
|
|
|
362bfa |
<ind:filepath>{{{ PATH }}}</ind:filepath>
|
|
|
362bfa |
- <ind:pattern operation="pattern match">^.*(-oCiphers=\S+).*$</ind:pattern>
|
|
|
362bfa |
+ <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=\S+).*$</ind:pattern>
|
|
|
362bfa |
<ind:instance operation="equals" datatype="int">1</ind:instance>
|
|
|
362bfa |
</ind:textfilecontent54_object>
|
|
|
362bfa |
|
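Review bot: `(-oCiphers=\S+)` captures the closing quote when the Ciphers option is the last thing inside `CRYPTO_POLICY='...'`, which is exactly the line the bash remediation in this commit writes, so the captured subexpression would be `-oCiphers=...'` and would not equal the `sshd_ciphers_crypto_opensshserver` variable, leaving the remediated file failing the check. `^(?!\s*#).*(-oCiphers=[^\s']+).*$` stops the capture at the quote and also treats an indented `#` line as a comment, which the `^(?!#)` lookahead does not. The `rhel8_stig_correct.pass.sh` scenario writes an unquoted line, so it does not catch this; if the openssh.config rule's OVAL uses the same `^.*` prefix it needs the same comment handling, but only this file is touched here.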
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
index 877c6f38db0..0aac8e2038d 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
@@ -2,7 +2,7 @@ documentation_complete: true
|
|
|
362bfa |
|
|
|
362bfa |
prodtype: rhel8
|
|
|
362bfa |
|
|
|
362bfa |
-title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config'
|
|
|
362bfa |
+title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
|
|
|
362bfa |
|
|
|
362bfa |
description: |-
|
|
|
362bfa |
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
|
|
362bfa |
@@ -15,7 +15,7 @@ description: |-
|
|
|
362bfa |
-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
|
|
|
362bfa |
|
|
|
362bfa |
rationale: |-
|
|
|
362bfa |
- Overriding the system crypto policy makes the behavior of the OpenSSH daemon
|
|
|
362bfa |
+ Overriding the system crypto policy makes the behavior of the OpenSSH server
|
|
|
362bfa |
violate expectations, and makes system configuration more fragmented. By
|
|
|
362bfa |
specifying a cipher list with the order of ciphers being in a “strongest to
|
|
|
362bfa |
weakest” orientation, the system will automatically attempt to use the
|
|
|
362bfa |
@@ -35,7 +35,7 @@ references:
|
|
|
362bfa |
ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
|
|
362bfa |
|
|
|
362bfa |
ocil: |-
|
|
|
362bfa |
- To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run:
|
|
|
362bfa |
+ To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
|
|
|
362bfa |
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
|
|
|
362bfa |
and verify that the line matches:
|
|
|
362bfa |
-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
|
|
|
362bfa |
|
|
|
362bfa |
From 7967125f58de7e6843002d674fab90c4429452f3 Mon Sep 17 00:00:00 2001
|
|
|
362bfa |
From: Carlos Matos <cmatos@redhat.com>
|
|
|
362bfa |
Date: Mon, 19 Jul 2021 09:53:28 -0400
|
|
|
362bfa |
Subject: [PATCH 4/5] Replace MACs verbiage with ciphers
|
|
|
362bfa |
|
|
|
362bfa |
---
|
|
|
362bfa |
.../rule.yml | 4 ++--
|
|
|
362bfa |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
362bfa |
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
index 0aac8e2038d..81ee763831d 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
@@ -2,7 +2,7 @@ documentation_complete: true
|
|
|
362bfa |
|
|
|
362bfa |
prodtype: rhel8
|
|
|
362bfa |
|
|
|
362bfa |
-title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
|
|
|
362bfa |
+title: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
|
|
|
362bfa |
|
|
|
362bfa |
description: |-
|
|
|
362bfa |
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
|
|
|
362bfa |
@@ -35,7 +35,7 @@ references:
|
|
|
362bfa |
ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
|
|
362bfa |
|
|
|
362bfa |
ocil: |-
|
|
|
362bfa |
- To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
|
|
|
362bfa |
+ To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run:
|
|
|
362bfa |
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
|
|
|
362bfa |
and verify that the line matches:
|
|
|
362bfa |
-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}
|
|
|
362bfa |
|
|
|
362bfa |
From ab21f2d59db725f07b70e3e748ebc96c34e23b79 Mon Sep 17 00:00:00 2001
|
|
|
362bfa |
From: Carlos Matos <cmatos@redhat.com>
|
|
|
362bfa |
Date: Tue, 20 Jul 2021 09:01:50 -0400
|
|
|
362bfa |
Subject: [PATCH 5/5] Sorted refs, updated test scenario, fixed duplicate CCE
|
|
|
362bfa |
|
|
|
362bfa |
---
|
|
|
362bfa |
.../harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml | 4 ++--
|
|
|
362bfa |
.../stig_incorrect_followed_by_correct_commented.fail.sh | 2 +-
|
|
|
362bfa |
.../rule.yml | 4 ++--
|
|
|
362bfa |
products/rhel8/profiles/stig.profile | 3 ---
|
|
|
362bfa |
shared/references/cce-redhat-avail.txt | 2 --
|
|
|
362bfa |
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
|
|
|
362bfa |
tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++--
|
|
|
362bfa |
7 files changed, 9 insertions(+), 14 deletions(-)
|
|
|
362bfa |
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
|
|
362bfa |
index d626ec6e260..0aa310d9245 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
|
|
|
362bfa |
@@ -24,12 +24,12 @@ rationale: |-
|
|
|
362bfa |
severity: medium
|
|
|
362bfa |
|
|
|
362bfa |
identifiers:
|
|
|
362bfa |
- cce@rhel8: CCE-85870-4
|
|
|
362bfa |
+ cce@rhel8: CCE-85902-5
|
|
|
362bfa |
|
|
|
362bfa |
references:
|
|
|
362bfa |
+ disa: CCI-001453
|
|
|
362bfa |
nist: AC-17(2)
|
|
|
362bfa |
srg: SRG-OS-000250-GPOS-00093
|
|
|
362bfa |
- disa: CCI-001453
|
|
|
362bfa |
stigid@rhel8: RHEL-08-010291
|
|
|
362bfa |
|
|
|
362bfa |
ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
|
|
362bfa |
index 195f5e8d8ed..6ad1f4fd0f3 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
|
|
|
362bfa |
@@ -16,4 +16,4 @@ else
|
|
|
362bfa |
fi
|
|
|
362bfa |
|
|
|
362bfa |
# follow up with correct value
|
|
|
362bfa |
-echo "Ciphers ${sshd_approved_ciphers}" >> $configfile
|
|
|
362bfa |
+echo "#Ciphers ${sshd_approved_ciphers}" >> $configfile
|
|
|
362bfa |
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
index 81ee763831d..b56f2421f22 100644
|
|
|
362bfa |
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
|
|
|
362bfa |
@@ -24,12 +24,12 @@ rationale: |-
|
|
|
362bfa |
severity: medium
|
|
|
362bfa |
|
|
|
362bfa |
identifiers:
|
|
|
362bfa |
- cce@rhel8: CCE-85871-2
|
|
|
362bfa |
+ cce@rhel8: CCE-85897-7
|
|
|
362bfa |
|
|
|
362bfa |
references:
|
|
|
362bfa |
+ disa: CCI-001453
|
|
|
362bfa |
nist: AC-17(2)
|
|
|
362bfa |
srg: SRG-OS-000250-GPOS-00093
|
|
|
362bfa |
- disa: CCI-001453
|
|
|
362bfa |
stigid@rhel8: RHEL-08-010290
|
|
|
362bfa |
|
|
|
362bfa |
ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
|
|
|
362bfa |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
362bfa |
index a3783efafd6..7270a8f91f2 100644
|
|
|
362bfa |
--- a/products/rhel8/profiles/stig.profile
|
|
|
362bfa |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
362bfa |
@@ -50,11 +50,8 @@ selections:
|
|
|
362bfa |
- var_password_pam_retry=3
|
|
|
362bfa |
- var_password_pam_minlen=15
|
|
|
362bfa |
- var_sshd_set_keepalive=0
|
|
|
362bfa |
-<<<<<<< HEAD
|
|
|
362bfa |
- sshd_approved_macs=stig
|
|
|
362bfa |
-=======
|
|
|
362bfa |
- sshd_approved_ciphers=stig
|
|
|
362bfa |
->>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)
|
|
|
362bfa |
- sshd_idle_timeout_value=10_minutes
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_deny=3
|
|
|
362bfa |
- var_accounts_passwords_pam_faillock_fail_interval=900
|
|
|
362bfa |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
362bfa |
index 036d34cea1d..665f903ead4 100644
|
|
|
362bfa |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
362bfa |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
362bfa |
@@ -33,11 +33,9 @@ CCE-85892-8
|
|
|
362bfa |
CCE-85893-6
|
|
|
362bfa |
CCE-85895-1
|
|
|
362bfa |
CCE-85896-9
|
|
|
362bfa |
-CCE-85897-7
|
|
|
362bfa |
CCE-85898-5
|
|
|
362bfa |
CCE-85900-9
|
|
|
362bfa |
CCE-85901-7
|
|
|
362bfa |
-CCE-85902-5
|
|
|
362bfa |
CCE-85903-3
|
|
|
362bfa |
CCE-85904-1
|
|
|
362bfa |
CCE-85905-8
|
|
|
362bfa |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
362bfa |
index 05335cc38fb..7d59cfff625 100644
|
|
|
362bfa |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
362bfa |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
362bfa |
@@ -145,10 +145,10 @@ selections:
|
|
|
362bfa |
- grub2_uefi_admin_username
|
|
|
362bfa |
- grub2_uefi_password
|
|
|
362bfa |
- grub2_vsyscall_argument
|
|
|
362bfa |
-- harden_sshd_macs_openssh_conf_crypto_policy
|
|
|
362bfa |
-- harden_sshd_macs_opensshserver_conf_crypto_policy
|
|
|
362bfa |
- harden_sshd_ciphers_openssh_conf_crypto_policy
|
|
|
362bfa |
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
|
|
|
362bfa |
+- harden_sshd_macs_openssh_conf_crypto_policy
|
|
|
362bfa |
+- harden_sshd_macs_opensshserver_conf_crypto_policy
|
|
|
362bfa |
- install_smartcard_packages
|
|
|
362bfa |
- installed_OS_is_vendor_supported
|
|
|
362bfa |
- kerberos_disable_no_keytab
|
|
|
362bfa |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
362bfa |
index a0adc835a0d..2c2daad6f6d 100644
|
|
|
362bfa |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
362bfa |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
362bfa |
@@ -156,10 +156,10 @@ selections:
|
|
|
362bfa |
- grub2_uefi_admin_username
|
|
|
362bfa |
- grub2_uefi_password
|
|
|
362bfa |
- grub2_vsyscall_argument
|
|
|
362bfa |
-- harden_sshd_macs_openssh_conf_crypto_policy
|
|
|
362bfa |
-- harden_sshd_macs_opensshserver_conf_crypto_policy
|
|
|
362bfa |
- harden_sshd_ciphers_openssh_conf_crypto_policy
|
|
|
362bfa |
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
|
|
|
362bfa |
+- harden_sshd_macs_openssh_conf_crypto_policy
|
|
|
362bfa |
+- harden_sshd_macs_opensshserver_conf_crypto_policy
|
|
|
362bfa |
- install_smartcard_packages
|
|
|
362bfa |
- installed_OS_is_vendor_supported
|
|
|
362bfa |
- kerberos_disable_no_keytab
|