From 7da420a853591a6e994439a9ada2b88d6793e3e7 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Tue, 29 Jun 2021 14:00:14 -0400
Subject: [PATCH 1/5] New rules for RHEL-08-010291
---
.../services/ssh/sshd_approved_ciphers.var | 2 +-
.../ansible/shared.yml | 16 +++++
.../bash/shared.sh | 13 ++++
.../oval/shared.xml | 35 +++++++++++
.../rule.yml | 62 +++++++++++++++++++
.../tests/stig_correct.pass.sh | 15 +++++
.../tests/stig_correct_commented.fail.sh | 15 +++++
...ct_followed_by_incorrect_commented.pass.sh | 18 ++++++
.../tests/stig_empty_file.fail.sh | 10 +++
.../tests/stig_empty_policy.fail.sh | 14 +++++
...rect_followed_by_correct_commented.fail.sh | 19 ++++++
.../tests/stig_incorrect_policy.fail.sh | 15 +++++
.../tests/stig_missing_file.fail.sh | 11 ++++
.../ansible/shared.yml | 45 ++++++++++++++
.../bash/shared.sh | 25 ++++++++
.../oval/shared.xml | 35 +++++++++++
.../rule.yml | 62 +++++++++++++++++++
.../tests/rhel8_stig_correct.pass.sh | 17 +++++
.../tests/rhel8_stig_empty_policy.fail.sh | 7 +++
.../tests/rhel8_stig_incorrect_policy.fail.sh | 14 +++++
.../tests/rhel8_stig_missing_file.fail.sh | 11 ++++
products/rhel8/profiles/stig.profile | 6 ++
.../data/profile_stability/rhel8/stig.profile | 3 +
.../profile_stability/rhel8/stig_gui.profile | 3 +
24 files changed, 472 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
diff --git a/linux_os/guide/services/ssh/sshd_approved_ciphers.var b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
index 46891daa619..a240bbbfaef 100644
--- a/linux_os/guide/services/ssh/sshd_approved_ciphers.var
+++ b/linux_os/guide/services/ssh/sshd_approved_ciphers.var
@@ -11,6 +11,6 @@ operator: equals
interactive: false
options:
- stig: aes128-ctr,aes192-ctr,aes256-ctr
+ stig: aes256-ctr,aes192-ctr,aes128-ctr
default: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
cis_rhel7: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
new file mode 100644
index 00000000000..badb5896cf2
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
@@ -0,0 +1,16 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
+
+{{{ ansible_set_config_file(
+ msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
+ file='/etc/crypto-policies/back-ends/openssh.config',
+ parameter='Ciphers',
+ value="{{ sshd_approved_ciphers }}",
+ create='yes',
+ prefix_regex='^.*'
+ )
+}}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
new file mode 100644
index 00000000000..cdc66a8aac6
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+. /usr/share/scap-security-guide/remediation_functions
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
+
+{{{ set_config_file(
+ path="/etc/crypto-policies/back-ends/openssh.config",
+ parameter="Ciphers",
+ value="${sshd_approved_ciphers}",
+ create=true,
+ insensitive=false,
+ prefix_regex="^.*"
+ )
+}}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
new file mode 100644
index 00000000000..1879e77398b
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
@@ -0,0 +1,35 @@
+{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+ <criteria operator="AND" comment="Test conditions - presence of the file plus.">
+ <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
+ comment="test the value of Ciphers setting in the {{{ PATH }}} file"
+ id="test_{{{ rule_id }}}" version="1">
+ <ind:object object_ref="obj_{{{ rule_id }}}" />
+ <ind:state state_ref="ste_{{{ rule_id }}}" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+ <ind:filepath>{{{ PATH }}}</ind:filepath>
+ <ind:pattern operation="pattern match">^Ciphers.*$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
+ <ind:text var_ref="sshd_ciphers_crypto" operation="equals"></ind:text>
+ </ind:textfilecontent54_state>
+
+ <local_variable id="sshd_ciphers_crypto" datatype="string" comment="The regex of the directive" version="1">
+ <concat>
+ <literal_component>Ciphers </literal_component>
+ <variable_component var_ref="sshd_approved_ciphers"/>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
+</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
new file mode 100644
index 00000000000..cd1553dbdb3
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
@@ -0,0 +1,62 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'
+
+description: |-
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
+ set up incorrectly.
+
+ To check that Crypto Policies settings for ciphers are configured correctly, ensure that
+ <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
+ line and is not commented out:
+ <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
+
+rationale: |-
+ Overriding the system crypto policy makes the behavior of the OpenSSH daemon
+ violate expectations, and makes system configuration more fragmented. By
+ specifying a cipher list with the order of ciphers being in a “strongest to
+ weakest” orientation, the system will automatically attempt to use the
+ strongest cipher for securing SSH connections.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-85870-4
+
+references:
+ nist: AC-17(2)
+ srg: SRG-OS-000250-GPOS-00093
+ disa: CCI-001453
+ stigid@rhel8: RHEL-08-010291
+
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
+
+ocil: |-
+ To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run:
+ <pre>$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config</pre>
+ and verify that the line matches:
+ <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
+
+warnings:
+ - general: |-
+ The system needs to be rebooted for these changes to take effect.
+ - regulatory: |-
+ System Crypto Modules must be provided by a vendor that undergoes
+ FIPS-140 certifications.
+ FIPS-140 is applicable to all Federal agencies that use
+ cryptographic-based security systems to protect sensitive information
+ in computer and telecommunication systems (including voice systems) as
+ defined in Section 5131 of the Information Technology Management Reform
+ Act of 1996, Public Law 104-106. This standard shall be used in
+ designing and implementing cryptographic modules that Federal
+ departments and agencies operate or are operated for them under
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+ To meet this, the system has to have cryptographic software provided by
+ a vendor that has undergone this certification. This means providing
+ documentation, test results, design information, and independent third
+ party review by an accredited lab. While open source software is
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
+ submits to this process.
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
new file mode 100644
index 00000000000..0a27a7e0984
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile
+else
+ echo "Ciphers ${sshd_approved_ciphers}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
new file mode 100644
index 00000000000..5cadd95ba38
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_commented.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*Ciphers.*$/#Ciphers ${sshd_approved_ciphers}/" $configfile
+else
+ echo "#Ciphers ${sshd_approved_ciphers}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
new file mode 100644
index 00000000000..26220063757
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_correct_followed_by_incorrect_commented.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*Ciphers.*$/Ciphers ${sshd_approved_ciphers}/" $configfile
+else
+ echo "Ciphers ${sshd_approved_ciphers}" > "$configfile"
+fi
+
+# follow up with incorrect
+echo "#Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr" >> $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
new file mode 100644
index 00000000000..55ef3f58422
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_file.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+echo "" > $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
new file mode 100644
index 00000000000..7105441ad80
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_empty_policy.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*Ciphers.*$/Ciphers /" $configfile
+else
+ echo "Ciphers " > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
new file mode 100644
index 00000000000..195f5e8d8ed
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
+incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile
+else
+ echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile"
+fi
+
+# follow up with correct value
+echo "Ciphers ${sshd_approved_ciphers}" >> $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
new file mode 100644
index 00000000000..92bd4ed9c5a
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_policy.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+incorrect_sshd_approved_ciphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i "s/^.*Ciphers.*$/Ciphers ${incorrect_sshd_approved_ciphers}/" $configfile
+else
+ echo "Ciphers ${incorrect_sshd_approved_ciphers}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
new file mode 100644
index 00000000000..2138caad319
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_missing_file.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/openssh.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# If file exists, remove it
+test -f $configfile && rm -f $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
new file mode 100644
index 00000000000..7532ba51639
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
@@ -0,0 +1,45 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
+
+- name: "{{{ rule_title }}}: Set facts"
+ set_fact:
+ path: /etc/crypto-policies/back-ends/opensshserver.config
+ correct_value: "-oCiphers={{ sshd_approved_ciphers }}"
+
+- name: "{{{ rule_title }}}: Stat"
+ stat:
+ path: "{{ path }}"
+ follow: yes
+ register: opensshserver_file
+
+- name: "{{{ rule_title }}}: Create"
+ lineinfile:
+ path: "{{ path }}"
+ line: "{{ correct_value }}"
+ create: yes
+ when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
+
+- name: "{{{ rule_title }}}"
+ block:
+ - name: "Existing value check"
+ lineinfile:
+ path: "{{ path }}"
+ create: false
+ regexp: "{{ correct_value }}"
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: opensshserver
+
+ - name: "Update/Correct value"
+ replace:
+ path: "{{ path }}"
+ regexp: (-oCiphers=\S+)
+ replace: "{{ correct_value }}"
+ when: opensshserver.found is defined and opensshserver.found != 1
+
+ when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
new file mode 100644
index 00000000000..1bc022f93b6
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
@@ -0,0 +1,25 @@
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora
+. /usr/share/scap-security-guide/remediation_functions
+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
+
+CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oCiphers=${sshd_approved_ciphers}"
+
+grep -q ${correct_value} ${CONF_FILE}
+
+if [[ $? -ne 0 ]]; then
+ # We need to get the existing value, using PCRE to maintain same regex
+ existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
+
+ if [[ ! -z ${existing_value} ]]; then
+ # replace existing_value with correct_value
+ sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
+ else
+ # ***NOTE*** #
+ # This probably means this file is not here or it's been modified
+ # unintentionally.
+ # ********** #
+ # echo correct_value to end
+ echo ${correct_value} >> ${CONF_FILE}
+ fi
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
new file mode 100644
index 00000000000..92ad7ce3d3f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
@@ -0,0 +1,35 @@
+{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}}
+ <criteria operator="AND" comment="Test conditions - presence of the file plus.">
+ <criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all"
+ comment="test the value of Ciphers setting in the {{{ PATH }}} file"
+ id="test_{{{ rule_id }}}" version="1">
+ <ind:object object_ref="obj_{{{ rule_id }}}" />
+ <ind:state state_ref="ste_{{{ rule_id }}}" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
+ <ind:filepath>{{{ PATH }}}</ind:filepath>
+ <ind:pattern operation="pattern match">^.*(-oCiphers=\S+).*$</ind:pattern>
+ <ind:instance operation="equals" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
+ <ind:subexpression var_ref="sshd_ciphers_crypto_opensshserver" operation="equals" />
+ </ind:textfilecontent54_state>
+
+ <local_variable id="sshd_ciphers_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">
+ <concat>
+ <literal_component>-oCiphers=</literal_component>
+ <variable_component var_ref="sshd_approved_ciphers"/>
+ </concat>
+ </local_variable>
+
+ <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
+</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
new file mode 100644
index 00000000000..877c6f38db0
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
@@ -0,0 +1,62 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config'
+
+description: |-
+ Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+ OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
+ set up incorrectly.
+
+ To check that Crypto Policies settings for ciphers are configured correctly, ensure that
+ <tt>/etc/crypto-policies/back-ends/opensshserver.config</tt> contains the following
+ text and is not commented out:
+ <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
+
+rationale: |-
+ Overriding the system crypto policy makes the behavior of the OpenSSH daemon
+ violate expectations, and makes system configuration more fragmented. By
+ specifying a cipher list with the order of ciphers being in a “strongest to
+ weakest” orientation, the system will automatically attempt to use the
+ strongest cipher for securing SSH connections.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-85871-2
+
+references:
+ nist: AC-17(2)
+ srg: SRG-OS-000250-GPOS-00093
+ disa: CCI-001453
+ stigid@rhel8: RHEL-08-010290
+
+ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
+
+ocil: |-
+ To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run:
+ <pre>$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
+ and verify that the line matches:
+ <pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
+
+warnings:
+ - general: |-
+ The system needs to be rebooted for these changes to take effect.
+ - regulatory: |-
+ System Crypto Modules must be provided by a vendor that undergoes
+ FIPS-140 certifications.
+ FIPS-140 is applicable to all Federal agencies that use
+ cryptographic-based security systems to protect sensitive information
+ in computer and telecommunication systems (including voice systems) as
+ defined in Section 5131 of the Information Technology Management Reform
+ Act of 1996, Public Law 104-106. This standard shall be used in
+ designing and implementing cryptographic modules that Federal
+ departments and agencies operate or are operated for them under
+ contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+ To meet this, the system has to have cryptographic software provided by
+ a vendor that has undergone this certification. This means providing
+ documentation, test results, design information, and independent third
+ party review by an accredited lab. While open source software is
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
+ submits to this process.
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
new file mode 100644
index 00000000000..1a8911d523c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+sshd_approved_ciphers=aes256-ctr,aes192-ctr,aes128-ctr
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="-oCiphers=${sshd_approved_ciphers}"
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# Proceed when file exists
+if [[ -f $configfile ]]; then
+ sed -i -r "s/-oCiphers=\S+/${correct_value}/" $configfile
+else
+ echo "${correct_value}" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
new file mode 100644
index 00000000000..3dde1479296
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+echo "" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
new file mode 100644
index 00000000000..f97f54db502
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i -r "s/-oCiphers=\S+/-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc/" $configfile
+else
+ echo "-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc" > "$configfile"
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
new file mode 100644
index 00000000000..11e596ced87
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# If file exists, remove it
+test -f $configfile && rm -f $configfile
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 28b47cca487..a3783efafd6 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -50,7 +50,11 @@ selections:
- var_password_pam_retry=3
- var_password_pam_minlen=15
- var_sshd_set_keepalive=0
+<<<<<<< HEAD
- sshd_approved_macs=stig
+=======
+ - sshd_approved_ciphers=stig
+>>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)
- sshd_idle_timeout_value=10_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
@@ -185,6 +189,8 @@ selections:
- harden_sshd_macs_opensshserver_conf_crypto_policy
# RHEL-08-010291
+ - harden_sshd_ciphers_openssh_conf_crypto_policy
+ - harden_sshd_ciphers_opensshserver_conf_crypto_policy
# RHEL-08-010292
- sshd_use_strong_rng
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 393051a34ea..05335cc38fb 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -147,6 +147,8 @@ selections:
- grub2_vsyscall_argument
- harden_sshd_macs_openssh_conf_crypto_policy
- harden_sshd_macs_opensshserver_conf_crypto_policy
+- harden_sshd_ciphers_openssh_conf_crypto_policy
+- harden_sshd_ciphers_opensshserver_conf_crypto_policy
- install_smartcard_packages
- installed_OS_is_vendor_supported
- kerberos_disable_no_keytab
@@ -328,6 +330,7 @@ selections:
- var_password_pam_retry=3
- var_sshd_set_keepalive=0
- sshd_approved_macs=stig
+- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index de82fb34518..a0adc835a0d 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -158,6 +158,8 @@ selections:
- grub2_vsyscall_argument
- harden_sshd_macs_openssh_conf_crypto_policy
- harden_sshd_macs_opensshserver_conf_crypto_policy
+- harden_sshd_ciphers_openssh_conf_crypto_policy
+- harden_sshd_ciphers_opensshserver_conf_crypto_policy
- install_smartcard_packages
- installed_OS_is_vendor_supported
- kerberos_disable_no_keytab
@@ -338,6 +340,7 @@ selections:
- var_password_pam_retry=3
- var_sshd_set_keepalive=0
- sshd_approved_macs=stig
+- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
From c943e715615de1aa957d62d239e532f86ef0959e Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Tue, 29 Jun 2021 14:04:49 -0400
Subject: [PATCH 2/5] replaced MACs with Ciphers
---
.../ansible/shared.yml | 2 +-
.../oval/shared.xml | 2 +-
.../oval/shared.xml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
index badb5896cf2..956a19f3025 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml
@@ -6,7 +6,7 @@
{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
{{{ ansible_set_config_file(
- msg='Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config',
+ msg='Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config',
file='/etc/crypto-policies/back-ends/openssh.config',
parameter='Ciphers',
value="{{ sshd_approved_ciphers }}",
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
index 1879e77398b..9b3b4f1995d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml
@@ -1,7 +1,7 @@
{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
- {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+ {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}}
<criteria operator="AND" comment="Test conditions - presence of the file plus.">
<criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
</criteria>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
index 92ad7ce3d3f..3afbc1619a4 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
@@ -1,7 +1,7 @@
{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
- {{{ oval_metadata("Limit the Message Authentication Codes (Ciphers) to those which are FIPS-approved.") }}}
+ {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.") }}}
<criteria operator="AND" comment="Test conditions - presence of the file plus.">
<criterion comment="Check that {{{ PATH }}} contains FIPS-approved SSHD Ciphers" test_ref="test_{{{ rule_id }}}" />
</criteria>
From 26383895dfffc5e643295301c052ccd3d77cb906 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Mon, 19 Jul 2021 09:33:38 -0400
Subject: [PATCH 3/5] Fixed issue with oval not checking for commented out
line, and updated remediations
---
.../rule.yml | 8 ++++----
.../ansible/shared.yml | 2 +-
.../bash/shared.sh | 10 ++++++++--
.../oval/shared.xml | 2 +-
.../rule.yml | 6 +++---
5 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
index cd1553dbdb3..d626ec6e260 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
prodtype: fedora,rhel8
-title: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'
+title: 'Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config'
description: |-
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -15,7 +15,7 @@ description: |-
<pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
rationale: |-
- Overriding the system crypto policy makes the behavior of the OpenSSH daemon
+ Overriding the system crypto policy makes the behavior of the OpenSSH client
violate expectations, and makes system configuration more fragmented. By
specifying a cipher list with the order of ciphers being in a “strongest to
weakest” orientation, the system will automatically attempt to use the
@@ -32,10 +32,10 @@ references:
disa: CCI-001453
stigid@rhel8: RHEL-08-010291
-ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
+ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
ocil: |-
- To verify if the OpenSSH daemon uses defined Cipher suite in the Crypto Policy, run:
+ To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run:
<pre>$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config</pre>
and verify that the line matches:
<pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
index 7532ba51639..3e637f37e69 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml
@@ -19,7 +19,7 @@
- name: "{{{ rule_title }}}: Create"
lineinfile:
path: "{{ path }}"
- line: "{{ correct_value }}"
+ line: "CRYPTO_POLICY='{{ correct_value }}'"
create: yes
when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
index 1bc022f93b6..eaa4463caad 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh
@@ -5,7 +5,13 @@
CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
correct_value="-oCiphers=${sshd_approved_ciphers}"
-grep -q ${correct_value} ${CONF_FILE}
+# Test if file exists
+test -f ${CONF_FILE} || touch ${CONF_FILE}
+
+# Ensure CRYPTO_POLICY is not commented out
+sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+
+grep -q "'${correct_value}'" ${CONF_FILE}
if [[ $? -ne 0 ]]; then
# We need to get the existing value, using PCRE to maintain same regex
@@ -20,6 +26,6 @@ if [[ $? -ne 0 ]]; then
# unintentionally.
# ********** #
# echo correct_value to end
- echo ${correct_value} >> ${CONF_FILE}
+ echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
fi
fi
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
index 3afbc1619a4..53919eaae7f 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml
@@ -16,7 +16,7 @@
<ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
<ind:filepath>{{{ PATH }}}</ind:filepath>
- <ind:pattern operation="pattern match">^.*(-oCiphers=\S+).*$</ind:pattern>
+ <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=\S+).*$</ind:pattern>
<ind:instance operation="equals" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
index 877c6f38db0..0aac8e2038d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
prodtype: rhel8
-title: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: opensshserver.config'
+title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
description: |-
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -15,7 +15,7 @@ description: |-
<pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
rationale: |-
- Overriding the system crypto policy makes the behavior of the OpenSSH daemon
+ Overriding the system crypto policy makes the behavior of the OpenSSH server
violate expectations, and makes system configuration more fragmented. By
specifying a cipher list with the order of ciphers being in a “strongest to
weakest” orientation, the system will automatically attempt to use the
@@ -35,7 +35,7 @@ references:
ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
ocil: |-
- To verify if the OpenSSH daemon uses defined MACs in the Crypto Policy, run:
+ To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
<pre>$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
and verify that the line matches:
<pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
From 7967125f58de7e6843002d674fab90c4429452f3 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Mon, 19 Jul 2021 09:53:28 -0400
Subject: [PATCH 4/5] Replace MACs verbiage with ciphers
---
.../rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
index 0aac8e2038d..81ee763831d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
prodtype: rhel8
-title: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
+title: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
description: |-
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -35,7 +35,7 @@ references:
ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
ocil: |-
- To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
+ To verify if the OpenSSH server uses defined ciphers in the Crypto Policy, run:
<pre>$ grep -Po '(-oCiphers=\S+)' /etc/crypto-policies/back-ends/opensshserver.config</pre>
and verify that the line matches:
<pre>-oCiphers={{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
From ab21f2d59db725f07b70e3e748ebc96c34e23b79 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Tue, 20 Jul 2021 09:01:50 -0400
Subject: [PATCH 5/5] Sorted refs, updated test scenario, fixed duplicate CCE
---
.../harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml | 4 ++--
.../stig_incorrect_followed_by_correct_commented.fail.sh | 2 +-
.../rule.yml | 4 ++--
products/rhel8/profiles/stig.profile | 3 ---
shared/references/cce-redhat-avail.txt | 2 --
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++--
7 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
index d626ec6e260..0aa310d9245 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml
@@ -24,12 +24,12 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel8: CCE-85870-4
+ cce@rhel8: CCE-85902-5
references:
+ disa: CCI-001453
nist: AC-17(2)
srg: SRG-OS-000250-GPOS-00093
- disa: CCI-001453
stigid@rhel8: RHEL-08-010291
ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
index 195f5e8d8ed..6ad1f4fd0f3 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/tests/stig_incorrect_followed_by_correct_commented.fail.sh
@@ -16,4 +16,4 @@ else
fi
# follow up with correct value
-echo "Ciphers ${sshd_approved_ciphers}" >> $configfile
+echo "#Ciphers ${sshd_approved_ciphers}" >> $configfile
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
index 81ee763831d..b56f2421f22 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/rule.yml
@@ -24,12 +24,12 @@ rationale: |-
severity: medium
identifiers:
- cce@rhel8: CCE-85871-2
+ cce@rhel8: CCE-85897-7
references:
+ disa: CCI-001453
nist: AC-17(2)
srg: SRG-OS-000250-GPOS-00093
- disa: CCI-001453
stigid@rhel8: RHEL-08-010290
ocil_clause: 'Crypto Policy for OpenSSH Server is not configured correctly'
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index a3783efafd6..7270a8f91f2 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -50,11 +50,8 @@ selections:
- var_password_pam_retry=3
- var_password_pam_minlen=15
- var_sshd_set_keepalive=0
-<<<<<<< HEAD
- sshd_approved_macs=stig
-=======
- sshd_approved_ciphers=stig
->>>>>>> 4d62df6b2 (New rules for RHEL-08-010291)
- sshd_idle_timeout_value=10_minutes
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 036d34cea1d..665f903ead4 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -33,11 +33,9 @@ CCE-85892-8
CCE-85893-6
CCE-85895-1
CCE-85896-9
-CCE-85897-7
CCE-85898-5
CCE-85900-9
CCE-85901-7
-CCE-85902-5
CCE-85903-3
CCE-85904-1
CCE-85905-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 05335cc38fb..7d59cfff625 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -145,10 +145,10 @@ selections:
- grub2_uefi_admin_username
- grub2_uefi_password
- grub2_vsyscall_argument
-- harden_sshd_macs_openssh_conf_crypto_policy
-- harden_sshd_macs_opensshserver_conf_crypto_policy
- harden_sshd_ciphers_openssh_conf_crypto_policy
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
+- harden_sshd_macs_openssh_conf_crypto_policy
+- harden_sshd_macs_opensshserver_conf_crypto_policy
- install_smartcard_packages
- installed_OS_is_vendor_supported
- kerberos_disable_no_keytab
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index a0adc835a0d..2c2daad6f6d 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -156,10 +156,10 @@ selections:
- grub2_uefi_admin_username
- grub2_uefi_password
- grub2_vsyscall_argument
-- harden_sshd_macs_openssh_conf_crypto_policy
-- harden_sshd_macs_opensshserver_conf_crypto_policy
- harden_sshd_ciphers_openssh_conf_crypto_policy
- harden_sshd_ciphers_opensshserver_conf_crypto_policy
+- harden_sshd_macs_openssh_conf_crypto_policy
+- harden_sshd_macs_opensshserver_conf_crypto_policy
- install_smartcard_packages
- installed_OS_is_vendor_supported
- kerberos_disable_no_keytab