From 7da420a853591a6e994439a9ada2b88d6793e3e7 Mon Sep 17 00:00:00 2001

From: Carlos Matos <cmatos@redhat.com>

Date: Tue, 29 Jun 2021 14:00:14 -0400

Subject: [PATCH 1/5] New rules for RHEL-08-010291

---

 .../services/ssh/sshd_approved_ciphers.var    |  2 +-

 .../ansible/shared.yml                        | 16 +++++

 .../bash/shared.sh                            | 13 ++++

 .../oval/shared.xml                           | 35 +++++++++++

 .../rule.yml                                  | 62 +++++++++++++++++++

 .../tests/stig_correct.pass.sh                | 15 +++++

 .../tests/stig_correct_commented.fail.sh      | 15 +++++

 ...ct_followed_by_incorrect_commented.pass.sh | 18 ++++++

 .../tests/stig_empty_file.fail.sh             | 10 +++

 .../tests/stig_empty_policy.fail.sh           | 14 +++++

 ...rect_followed_by_correct_commented.fail.sh | 19 ++++++

 .../tests/stig_incorrect_policy.fail.sh       | 15 +++++

 .../tests/stig_missing_file.fail.sh           | 11 ++++

 .../ansible/shared.yml                        | 45 ++++++++++++++

 .../bash/shared.sh                            | 25 ++++++++

 .../oval/shared.xml                           | 35 +++++++++++

 .../rule.yml                                  | 62 +++++++++++++++++++

 .../tests/rhel8_stig_correct.pass.sh          | 17 +++++

 .../tests/rhel8_stig_empty_policy.fail.sh     |  7 +++

 .../tests/rhel8_stig_incorrect_policy.fail.sh | 14 +++++

 .../tests/rhel8_stig_missing_file.fail.sh     | 11 ++++

 products/rhel8/profiles/stig.profile          |  6 ++

 .../data/profile_stability/rhel8/stig.profile |  3 +

 .../profile_stability/rhel8/stig_gui.profile  |  3 +

 24 files changed, 472 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh

diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var

index 46891daa619..a240bbbfaef 100644

--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var

+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var

@@ -11,6 +11,6 @@ operator: equals

 interactive: false

 options:

-    stig: aes128-ctr,aes192-ctr,aes256-ctr

+    stig: aes256-ctr,aes192-ctr,aes128-ctr

     default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se

     cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml

new file mode 100644

index 00000000000..badb5896cf2

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml

@@ -0,0 +1,16 @@

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+# reboot = true

+# strategy = restrict

+# complexity = low

+# disruption = low

+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}

+

+{{{ ansible_set_config_file(

+        msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',

+        file='/etc/crypto-policies/back-ends/openssh.config',

+        parameter='Ciphers',

+        value="{{ sshd_approved_ciphers }}",

+        create='yes',

+        prefix_regex='^.*'

+    )

+}}}

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh

new file mode 100644

index 00000000000..cdc66a8aac6

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh

@@ -0,0 +1,13 @@

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+. /usr/share/scap-security-guide/remediation_functions

+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}

+

+{{{ set_config_file(

+        path="/etc/crypto-policies/back-ends/openssh.config",

+        parameter="Ciphers",

+        value="${sshd_approved_ciphers}",

+        create=true,

+        insensitive=false,

+        prefix_regex="^.*"

+	)

+}}}

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml

new file mode 100644

index 00000000000..1879e77398b

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml

@@ -0,0 +1,35 @@

+{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}

+    <criteria operator="AND" comment="Test conditions - presence of the file plus.">

+      <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />

+    </criteria>

+  </definition>

+

+  

+  comment="test the value of Ciphers setting in the {{{ PATH }}} file"

+  id="test_{{{ rule_id }}}" version="1">

+    <ind:object object_ref="obj_{{{ rule_id }}}" />

+    <ind:state state_ref="ste_{{{ rule_id }}}" />

+  </ind:textfilecontent54_test>

+

+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">

+    <ind:filepath>{{{ PATH }}}</ind:filepath>

+    <ind:pattern operation="pattern match">^Ciphers.*$</ind:pattern>

+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">

+    <ind:text var_ref="sshd_ciphers_crypto" operation="equals"></ind:text>

+  </ind:textfilecontent54_state>

+

+  <local_variable id="sshd_ciphers_crypto" datatype="string" comment="The regex of the directive" version="1">

+    <concat>

+      <literal_component>Ciphers </literal_component>

+      <variable_component var_ref="sshd_approved_ciphers"/>

+    </concat>

+  </local_variable>

+

+  <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />

+</def-group>

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml

new file mode 100644

index 00000000000..cd1553dbdb3

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml

@@ -0,0 +1,62 @@

+documentation_complete: true

+

+prodtype: fedora,rhel8

+

+title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'

+

+description: |-

+    Crypto Policies provide a centralized control over crypto algorithms usage of many packages.

+    OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be

+    set up incorrectly.

+

+    To check that Crypto Policies settings for ciphers are configured correctly, ensure that

+    <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following

+    line and is not commented out:

+    
Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}

+

+rationale: |-

+    Overriding the system crypto policy makes the behavior of the OpenSSH daemon

+    violate expectations, and makes system configuration more fragmented. By

+    specifying a cipher list with the order of ciphers being in a “strongest to

+    weakest” orientation, the system will automatically attempt to use the

+    strongest cipher for securing SSH connections.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: CCE-85870-4

+

+references:

+    nist: AC-17(2)

+    srg: SRG-OS-000250-GPOS-00093

+    disa: CCI-001453

+    stigid@rhel8: RHEL-08-010291

+

+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'

+

+ocil: |-

+    To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run:

+    
$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config

+    and verify that the line matches:

+    
Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}

+

+warnings:

+    - general: |-

+        The system needs to be rebooted for these changes to take effect.

+    - regulatory: |-

+        System Crypto Modules must be provided by a vendor that undergoes

+        FIPS-140 certifications.

+        FIPS-140 is applicable to all Federal agencies that use

+        cryptographic-based security systems to protect sensitive information

+        in computer and telecommunication systems (including voice systems) as

+        defined in Section 5131 of the Information Technology Management Reform

+        Act of 1996, Public Law 104-106. This standard shall be used in

+        designing and implementing cryptographic modules that Federal

+        departments and agencies operate or are operated for them under

+        contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}

+        To meet this, the system has to have cryptographic software provided by

+        a vendor that has undergone this certification. This means providing

+        documentation, test results, design information, and independent third

+        party review by an accredited lab. While open source software is

+        capable of meeting this, it does not meet FIPS-140 unless the vendor

+        submits to this process.

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh

new file mode 100644

index 00000000000..0a27a7e0984

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh

@@ -0,0 +1,15 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile

+else

+    echo "Ciphers ${sshd_approved_ciphers}" > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh

new file mode 100644

index 00000000000..5cadd95ba38

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh

@@ -0,0 +1,15 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*Ciphers.*$/#Ciphers ${sshd_approved_ciphers}/" $configfile

+else

+    echo "#Ciphers ${sshd_approved_ciphers}" > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh

new file mode 100644

index 00000000000..26220063757

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh

@@ -0,0 +1,18 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile

+else

+    echo "Ciphers ${sshd_approved_ciphers}" > "$configfile"

+fi

+

+# follow up with incorrect

+echo "#Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr" >> $configfile

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh

new file mode 100644

index 00000000000..55ef3f58422

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+echo "" > $configfile

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh

new file mode 100644

index 00000000000..7105441ad80

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*Ciphers.*$/Ciphers /" $configfile

+else

+    echo "Ciphers " > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh

new file mode 100644

index 00000000000..195f5e8d8ed

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh

@@ -0,0 +1,19 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr

+incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile

+else

+    echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile"

+fi

+

+# follow up with correct value

+echo "Ciphers ${sshd_approved_ciphers}" >> $configfile

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh

new file mode 100644

index 00000000000..92bd4ed9c5a

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh

@@ -0,0 +1,15 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile

+else

+    echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh

new file mode 100644

index 00000000000..2138caad319

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh

@@ -0,0 +1,11 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/openssh.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+# If file exists, remove it

+test -f $configfile && rm -f $configfile

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml

new file mode 100644

index 00000000000..7532ba51639

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml

@@ -0,0 +1,45 @@

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+# reboot = true

+# strategy = restrict

+# complexity = low

+# disruption = low

+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}

+

+- name: "{{{ rule_title }}}: Set facts"

+  set_fact:

+    path: /etc/crypto-policies/back-ends/opensshserver.config

+    correct_value: "-oCiphers={{ sshd_approved_ciphers }}"

+

+- name: "{{{ rule_title }}}: Stat"

+  stat:

+    path: "{{ path }}"

+    follow: yes

+  register: opensshserver_file

+

+- name: "{{{ rule_title }}}: Create"

+  lineinfile:

+    path: "{{ path }}"

+    line: "{{ correct_value }}"

+    create: yes

+  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length

+

+- name: "{{{ rule_title }}}"

+  block:

+    - name: "Existing value check"

+      lineinfile:

+        path: "{{ path }}"

+        create: false

+        regexp: "{{ correct_value }}"

+        state: absent

+      check_mode: true

+      changed_when: false

+      register: opensshserver

+

+    - name: "Update/Correct value"

+      replace:

+        path: "{{ path }}"

+        regexp: (-oCiphers=\S+)

+        replace: "{{ correct_value }}"

+      when: opensshserver.found is defined and opensshserver.found != 1

+

+  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh

new file mode 100644

index 00000000000..1bc022f93b6

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh

@@ -0,0 +1,25 @@

+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora

+. /usr/share/scap-security-guide/remediation_functions

+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}

+

+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config

+correct_value="-oCiphers=${sshd_approved_ciphers}"

+

+grep -q ${correct_value} ${CONF_FILE}

+

+if [[ $? -ne 0 ]]; then

+    # We need to get the existing value, using PCRE to maintain same regex

+    existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})

+

+    if [[ ! -z ${existing_value} ]]; then

+        # replace existing_value with correct_value

+        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}

+    else

+        # ***NOTE*** #

+        # This probably means this file is not here or it's been modified

+        # unintentionally.

+        # ********** #

+        # echo correct_value to end

+        echo ${correct_value} >> ${CONF_FILE}

+    fi

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml

new file mode 100644

index 00000000000..92ad7ce3d3f

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml

@@ -0,0 +1,35 @@

+{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+    {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}}

+    <criteria operator="AND" comment="Test conditions - presence of the file plus.">

+      <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />

+    </criteria>

+  </definition>

+

+  

+  comment="test the value of Ciphers setting in the {{{ PATH }}} file"

+  id="test_{{{ rule_id }}}" version="1">

+    <ind:object object_ref="obj_{{{ rule_id }}}" />

+    <ind:state state_ref="ste_{{{ rule_id }}}" />

+  </ind:textfilecontent54_test>

+

+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">

+    <ind:filepath>{{{ PATH }}}</ind:filepath>

+    <ind:pattern operation="pattern match">^.*(-oCiphers=\S+).*$</ind:pattern>

+    <ind:instance operation="equals" datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">

+    <ind:subexpression var_ref="sshd_ciphers_crypto_opensshserver" operation="equals" />

+  </ind:textfilecontent54_state>

+

+  <local_variable id="sshd_ciphers_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">

+    <concat>

+      <literal_component>-oCiphers=</literal_component>

+      <variable_component var_ref="sshd_approved_ciphers"/>

+    </concat>

+  </local_variable>

+

+  <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />

+</def-group>

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml

new file mode 100644

index 00000000000..877c6f38db0

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml

@@ -0,0 +1,62 @@

+documentation_complete: true

+

+prodtype: rhel8

+

+title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config'

+

+description: |-

+    Crypto Policies provide a centralized control over crypto algorithms usage of many packages.

+    OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be

+    set up incorrectly.

+

+    To check that Crypto Policies settings for ciphers are configured correctly, ensure that

+    <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following

+    text and is not commented out:

+    
-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}

+

+rationale: |-

+    Overriding the system crypto policy makes the behavior of the OpenSSH daemon

+    violate expectations, and makes system configuration more fragmented. By

+    specifying a cipher list with the order of ciphers being in a “strongest to

+    weakest” orientation, the system will automatically attempt to use the

+    strongest cipher for securing SSH connections.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: CCE-85871-2

+

+references:

+    nist: AC-17(2)

+    srg: SRG-OS-000250-GPOS-00093

+    disa: CCI-001453

+    stigid@rhel8: RHEL-08-010290

+

+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'

+

+ocil: |-

+    To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run:

+    
$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config

+    and verify that the line matches:

+    
-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}

+

+warnings:

+    - general: |-

+        The system needs to be rebooted for these changes to take effect.

+    - regulatory: |-

+        System Crypto Modules must be provided by a vendor that undergoes

+        FIPS-140 certifications.

+        FIPS-140 is applicable to all Federal agencies that use

+        cryptographic-based security systems to protect sensitive information

+        in computer and telecommunication systems (including voice systems) as

+        defined in Section 5131 of the Information Technology Management Reform

+        Act of 1996, Public Law 104-106. This standard shall be used in

+        designing and implementing cryptographic modules that Federal

+        departments and agencies operate or are operated for them under

+        contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}

+        To meet this, the system has to have cryptographic software provided by

+        a vendor that has undergone this certification. This means providing

+        documentation, test results, design information, and independent third

+        party review by an accredited lab. While open source software is

+        capable of meeting this, it does not meet FIPS-140 unless the vendor

+        submits to this process.

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh

new file mode 100644

index 00000000000..1a8911d523c

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh

@@ -0,0 +1,17 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr

+configfile=/etc/crypto-policies/back-ends/opensshserver.config

+correct_value="-oCiphers=${sshd_approved_ciphers}"

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+# Proceed when file exists

+if [[ -f $configfile ]]; then

+    sed -i -r "s/-oCiphers=\S+/${correct_value}/" $configfile

+else

+    echo "${correct_value}" > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh

new file mode 100644

index 00000000000..3dde1479296

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/opensshserver.config

+

+echo "" > "$configfile"

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh

new file mode 100644

index 00000000000..f97f54db502

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/opensshserver.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+if [[ -f $configfile ]]; then

+    sed -i -r "s/-oCiphers=\S+/-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc/" $configfile

+else

+    echo "-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc" > "$configfile"

+fi

diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh

new file mode 100644

index 00000000000..11e596ced87

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh

@@ -0,0 +1,11 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+configfile=/etc/crypto-policies/back-ends/opensshserver.config

+

+# Ensure directory + file is there

+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends

+

+# If file exists, remove it

+test -f $configfile && rm -f $configfile

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 28b47cca487..a3783efafd6 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -50,7 +50,11 @@ selections:

     - var_password_pam_retry=3

     - var_password_pam_minlen=15

     - var_sshd_set_keepalive=0

+<<<<<<< HEAD

     - sshd_approved_macs=stig

+=======

+    - sshd_approved_ciphers=stig

+>>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)

     - sshd_idle_timeout_value=10_minutes

     - var_accounts_passwords_pam_faillock_deny=3

     - var_accounts_passwords_pam_faillock_fail_interval=900

@@ -185,6 +189,8 @@ selections:

     - harden_sshd_macs_opensshserver_conf_crypto_policy

     # RHEL-08-010291

+    - harden_sshd_ciphers_openssh_conf_crypto_policy

+    - harden_sshd_ciphers_opensshserver_conf_crypto_policy

     # RHEL-08-010292

     - sshd_use_strong_rng

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 393051a34ea..05335cc38fb 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -147,6 +147,8 @@ selections:

 - grub2_vsyscall_argument

 - harden_sshd_macs_openssh_conf_crypto_policy

 - harden_sshd_macs_opensshserver_conf_crypto_policy

+- harden_sshd_ciphers_openssh_conf_crypto_policy

+- harden_sshd_ciphers_opensshserver_conf_crypto_policy

 - install_smartcard_packages

 - installed_OS_is_vendor_supported

 - kerberos_disable_no_keytab

@@ -328,6 +330,7 @@ selections:

 - var_password_pam_retry=3

 - var_sshd_set_keepalive=0

 - sshd_approved_macs=stig

+- sshd_approved_ciphers=stig

 - sshd_idle_timeout_value=10_minutes

 - var_accounts_passwords_pam_faillock_deny=3

 - var_accounts_passwords_pam_faillock_fail_interval=900

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index de82fb34518..a0adc835a0d 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -158,6 +158,8 @@ selections:

 - grub2_vsyscall_argument

 - harden_sshd_macs_openssh_conf_crypto_policy

 - harden_sshd_macs_opensshserver_conf_crypto_policy

+- harden_sshd_ciphers_openssh_conf_crypto_policy

+- harden_sshd_ciphers_opensshserver_conf_crypto_policy

 - install_smartcard_packages

 - installed_OS_is_vendor_supported

 - kerberos_disable_no_keytab

@@ -338,6 +340,7 @@ selections:

 - var_password_pam_retry=3

 - var_sshd_set_keepalive=0

 - sshd_approved_macs=stig

+- sshd_approved_ciphers=stig

 - sshd_idle_timeout_value=10_minutes

 - var_accounts_passwords_pam_faillock_deny=3

 - var_accounts_passwords_pam_faillock_fail_interval=900

From c943e715615de1aa957d62d239e532f86ef0959e Mon Sep 17 00:00:00 2001

From: Carlos Matos <cmatos@redhat.com>

Date: Tue, 29 Jun 2021 14:04:49 -0400

Subject: [PATCH 2/5] replaced MACs with Ciphers

---

 .../ansible/shared.yml                                          | 2 +-

 .../oval/shared.xml                                             | 2 +-