|
|
b5e178 |
From 5f8f98024f8955a0327b67f873923757a51d082c Mon Sep 17 00:00:00 2001
|
|
|
b5e178 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
b5e178 |
Date: Tue, 19 Jan 2021 12:32:07 +0100
|
|
|
b5e178 |
Subject: [PATCH 1/7] add rule and remediations
|
|
|
b5e178 |
|
|
|
b5e178 |
---
|
|
|
b5e178 |
.../ansible/shared.yml | 13 +++++
|
|
|
b5e178 |
.../bash/shared.sh | 7 +++
|
|
|
b5e178 |
.../oval/shared.xml | 38 +++++++++++++
|
|
|
b5e178 |
.../rule.yml | 57 +++++++++++++++++++
|
|
|
b5e178 |
shared/references/cce-redhat-avail.txt | 1 -
|
|
|
b5e178 |
5 files changed, 115 insertions(+), 1 deletion(-)
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..cefba7db05
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
|
|
|
b5e178 |
@@ -0,0 +1,13 @@
|
|
|
b5e178 |
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
|
|
|
b5e178 |
+# reboot = false
|
|
|
b5e178 |
+# strategy = restrict
|
|
|
b5e178 |
+# complexity = low
|
|
|
b5e178 |
+# disruption = low
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+- name: "Configure sshd to use approved MACs"
|
|
|
b5e178 |
+ lineinfile:
|
|
|
b5e178 |
+ path: /etc/ssh/sshd_config
|
|
|
b5e178 |
+ line: 'MACs hmac-sha2-512,hmac-sha2-256'
|
|
|
b5e178 |
+ state: present
|
|
|
b5e178 |
+ regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
|
|
|
b5e178 |
+ create: True
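Review bot: The `regexp` on the lineinfile task only matches a MACs line that is already compliant (or one with an empty value), so a non-compliant line listing some other MAC is left untouched and the compliant `line` is appended at the end of the file; sshd uses the first value obtained for a keyword, so the file stays non-compliant after remediation. Matching the keyword rather than the value, e.g. `regexp: '(?i)^\s*MACs\s'`, rewrites whatever line is present and also covers the case-insensitive keyword that the OVAL pattern in this series already allows; the bash remediation in the same series matches on the keyword only. The `[\w,-@]` class in the current regexp reads `,-@` as a character range spanning digits and punctuation, which is presumably not intended. The `# platform` header here names fewer platforms than the bash remediation's, which is worth reconciling.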
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..c76190fb96
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
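Review bot: The `grep -P '^[[:space:]]*MACs[[:space:]]+'` guard and the `sed` substitution are case-sensitive, whereas sshd_config keywords are case-insensitive and the OVAL check in this series matches `(?i)MACs`; a line written as `macs …` with a non-approved value therefore fails the check, is not rewritten, and the compliant line is appended below it, where sshd ignores it in favour of the first occurrence. Using `if grep -qiP '^\s*MACs\s+' /etc/ssh/sshd_config; then` and `sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/I' /etc/ssh/sshd_config` (GNU sed's `I` flag) keeps the remediation aligned with the check; the same applies to the rewritten grep in patch 6/7. The `# platform` line names multi_platform_wrlinux while the rule's `prodtype` is rhel7 only, so presumably one of the two should be adjusted.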
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..d7fbd9f0ed
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
@@ -0,0 +1,38 @@
|
|
|
b5e178 |
+<def-group>
|
|
|
b5e178 |
+ <definition class="compliance" id="sshd_use_approved_macs_ordered_stig" version="1">
|
|
|
b5e178 |
+ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
|
|
|
b5e178 |
+ <criteria operator="AND">
|
|
|
b5e178 |
+ <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ operator="OR">
|
|
|
b5e178 |
+ <criteria comment="sshd is not installed" operator="AND">
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ definition_ref="sshd_not_required_or_unset" />
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ definition_ref="package_openssh-server_removed" />
|
|
|
b5e178 |
+ </criteria>
|
|
|
b5e178 |
+ <criteria comment="sshd is installed and configured" operator="AND">
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ definition_ref="sshd_required_or_unset" />
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ definition_ref="package_openssh-server_installed" />
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ test_ref="test_sshd_use_approved_macs_ordered_stig" />
|
|
|
b5e178 |
+ </criteria>
|
|
|
b5e178 |
+ </criteria>
|
|
|
b5e178 |
+ </criteria>
|
|
|
b5e178 |
+ </definition>
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
|
|
|
b5e178 |
+ id="test_sshd_use_approved_macs_ordered_stig" version="1">
|
|
|
b5e178 |
+ <ind:object object_ref="obj_sshd_use_approved_macs_ordered_stig" />
|
|
|
b5e178 |
+ </ind:textfilecontent54_test>
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
|
|
b5e178 |
+ <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
|
|
b5e178 |
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
|
|
|
b5e178 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
b5e178 |
+ </ind:textfilecontent54_object>
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+</def-group>
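Review bot: The `<ind:pattern>` accepts malformed values because the separator between the two MAC names is optional and detached from the second name: `(hmac-sha2-512(?=…),?)?(hmac-sha2-256…)?` reports `hmac-sha2-512hmac-sha2-256`, which sshd rejects as a bad MAC spec, and a dangling `hmac-sha2-512,` as compliant, while the lookahead after the first name fails a valid line that merely carries trailing whitespace. Expressing the permitted ordered subsets as an alternation removes all three cases, e.g. `^[\s]*(?i)MACs(?-i)[\s]+(hmac-sha2-512(,hmac-sha2-256)?|hmac-sha2-256)[\s]*(?:#.*)?$`; this still fails the scrambled, extra-algorithm, empty-value and commented test scenarios added in patch 2/7. The simplifications in patches 5/7 and 7/7 keep the same optional-comma structure, so the same point applies to those hunks. Several lines of this hunk appear truncated in this rendering (e.g. the line holding only `operator="OR">`), so the criteria structure is taken on trust.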
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..dc9f7dca7c
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
|
|
|
b5e178 |
@@ -0,0 +1,57 @@
|
|
|
b5e178 |
+documentation_complete: true
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+prodtype: rhel7
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+title: 'Use Only FIPS 140-2 Validated MACs'
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+description: |-
|
|
|
b5e178 |
+ Limit the MACs to those hash algorithms which are FIPS-approved.
|
|
|
b5e178 |
+ The following line in <tt>/etc/ssh/sshd_config</tt>
|
|
|
b5e178 |
+ demonstrates use of FIPS-approved MACs:
|
|
|
b5e178 |
+ MACs hmac-sha2-512,hmac-sha2-256
|
|
|
b5e178 |
+ This rule ensures that there are configured MACs mentioned
|
|
|
b5e178 |
+ above (or their subset), keeping the given order of algorithms.
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+rationale: |-
|
|
|
b5e178 |
+ DoD Information Systems are required to use FIPS-approved cryptographic hash
|
|
|
b5e178 |
+ functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+severity: medium
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+identifiers:
|
|
|
b5e178 |
+ cce@rhel7: CCE-83398-8
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+references:
|
|
|
b5e178 |
+ disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
|
|
|
b5e178 |
+ srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
|
|
b5e178 |
+ stigid@rhel7: RHEL-07-040400
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+ocil: |-
|
|
|
b5e178 |
+ Only FIPS-approved MACs should be used. To verify that only FIPS-approved
|
|
|
b5e178 |
+ MACs are in use, run the following command:
|
|
|
b5e178 |
+ $ sudo grep -i macs /etc/ssh/sshd_config
|
|
|
b5e178 |
+ The output should contain only following MACs (or a subset) in the exact order:
|
|
|
b5e178 |
+ hmac-sha2-512,hmac-sha2-256
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+warnings:
|
|
|
b5e178 |
+ - general: |-
|
|
|
b5e178 |
+ The system needs to be rebooted for these changes to take effect.
|
|
|
b5e178 |
+ - regulatory: |-
|
|
|
b5e178 |
+ System Crypto Modules must be provided by a vendor that undergoes
|
|
|
b5e178 |
+ FIPS-140 certifications.
|
|
|
b5e178 |
+ FIPS-140 is applicable to all Federal agencies that use
|
|
|
b5e178 |
+ cryptographic-based security systems to protect sensitive information
|
|
|
b5e178 |
+ in computer and telecommunication systems (including voice systems) as
|
|
|
b5e178 |
+ defined in Section 5131 of the Information Technology Management Reform
|
|
|
b5e178 |
+ Act of 1996, Public Law 104-106. This standard shall be used in
|
|
|
b5e178 |
+ designing and implementing cryptographic modules that Federal
|
|
|
b5e178 |
+ departments and agencies operate or are operated for them under
|
|
|
b5e178 |
+ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}
|
|
|
b5e178 |
+ To meet this, the system has to have cryptographic software provided by
|
|
|
b5e178 |
+ a vendor that has undergone this certification. This means providing
|
|
|
b5e178 |
+ documentation, test results, design information, and independent third
|
|
|
b5e178 |
+ party review by an accredited lab. While open source software is
|
|
|
b5e178 |
+ capable of meeting this, it does not meet FIPS-140 unless the vendor
|
|
|
b5e178 |
+ submits to this process.
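Review bot: The `general` warning says the system needs to be rebooted, while the Ansible remediation in this series is tagged `# reboot = false` and both remediations only edit `/etc/ssh/sshd_config`; the accurate statement is that the sshd service must be restarted for the new MAC list to take effect, e.g. `The sshd service needs to be restarted for these changes to take effect.`. If the reboot is meant for the FIPS-mode prerequisite that the OVAL extends via `installed_OS_is_FIPS_certified`, the warning should say so explicitly. In the rationale, `The only SSHv2 hash algorithms meeting this requirement is SHA2.` has a number disagreement; `The only SSHv2 hash algorithm meeting this requirement is SHA2.` reads correctly.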
|
|
|
b5e178 |
From 18ea3b8671e15c06a5c1c864d9d1d67f4262189e Mon Sep 17 00:00:00 2001
|
|
|
b5e178 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
b5e178 |
Date: Tue, 19 Jan 2021 12:32:25 +0100
|
|
|
b5e178 |
Subject: [PATCH 2/7] add tests
|
|
|
b5e178 |
|
|
|
b5e178 |
---
|
|
|
b5e178 |
.../tests/comment.fail.sh | 7 +++++++
|
|
|
b5e178 |
.../tests/correct_reduced_list.pass.sh | 7 +++++++
|
|
|
b5e178 |
.../tests/correct_scrambled.fail.sh | 7 +++++++
|
|
|
b5e178 |
.../tests/correct_value.pass.sh | 7 +++++++
|
|
|
b5e178 |
.../tests/line_not_there.fail.sh | 3 +++
|
|
|
b5e178 |
.../tests/no_parameters.fail.sh | 7 +++++++
|
|
|
b5e178 |
.../tests/wrong_value.fail.sh | 7 +++++++
|
|
|
b5e178 |
7 files changed, 45 insertions(+)
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
|
|
b5e178 |
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..26bf18234c
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^MACs.*/# MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo "# ciphers MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
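Review bot: None of the seven scenarios writes the keyword in a different case, although the OVAL pattern explicitly enables `(?i)` for `MACs` and sshd_config keywords are case-insensitive; a fail scenario that writes e.g. `macs hmac-sha2-512,hmac-sha2-256,blahblah` (constructed, mirroring wrong_value) would verify the check and, presumably, the remediation path as well, since the bash remediation's grep is case-sensitive and would not rewrite such a line. The `echo` fallback in this file writes `# ciphers MACs hmac-sha2-512,hmac-sha2-256`; the word `ciphers` looks carried over from a Ciphers test and should read `# MACs hmac-sha2-512,hmac-sha2-256` so the file documents the intended scenario. The `grep -q "^MACs"` guard used across these scripts also misses an indented pre-existing line, harmless for a stock config but worth knowing if the scenarios are reused.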
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..0d922cdee9
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^MACs.*/MACs hmac-sha2-512/" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..ce3f459352
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..19da7102a7
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo 'MACs hmac-sha2-512,hmac-sha2-256' >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..fd1f19347a
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
|
|
|
b5e178 |
@@ -0,0 +1,3 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+sed -i "/^MACs.*/d" /etc/ssh/sshd_config
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..44c07c6de0
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^MACs.*/MACs /" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo 'MACs ' >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
|
|
b5e178 |
new file mode 100644
|
|
|
b5e178 |
index 0000000000..cf56cd228f
|
|
|
b5e178 |
--- /dev/null
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
|
|
|
b5e178 |
@@ -0,0 +1,7 @@
|
|
|
b5e178 |
+#!/bin/bash
|
|
|
b5e178 |
+
|
|
|
b5e178 |
+if grep -q "^MACs" /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256,blahblah/" /etc/ssh/sshd_config
|
|
|
b5e178 |
+else
|
|
|
b5e178 |
+ echo "MACs hmac-sha2-512,hmac-sha2-256,blahblah" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
+fi
|
|
|
b5e178 |
|
|
|
b5e178 |
From a334b4b434adf92c94b8bd6bb888751782e70ad3 Mon Sep 17 00:00:00 2001
|
|
|
b5e178 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
b5e178 |
Date: Tue, 19 Jan 2021 12:32:58 +0100
|
|
|
b5e178 |
Subject: [PATCH 3/7] modify rhel7 stig profile
|
|
|
b5e178 |
|
|
|
b5e178 |
---
|
|
|
b5e178 |
rhel7/profiles/stig.profile | 3 +--
|
|
|
b5e178 |
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
|
|
|
b5e178 |
index 6c06a8ede6..17c781d3eb 100644
|
|
|
b5e178 |
--- a/rhel7/profiles/stig.profile
|
|
|
b5e178 |
+++ b/rhel7/profiles/stig.profile
|
|
|
b5e178 |
@@ -28,7 +28,6 @@ selections:
|
|
|
b5e178 |
- inactivity_timeout_value=15_minutes
|
|
|
b5e178 |
- var_screensaver_lock_delay=5_seconds
|
|
|
b5e178 |
- sshd_idle_timeout_value=10_minutes
|
|
|
b5e178 |
- - sshd_approved_macs=stig
|
|
|
b5e178 |
- var_accounts_fail_delay=4
|
|
|
b5e178 |
- var_selinux_state=enforcing
|
|
|
b5e178 |
- var_selinux_policy_name=targeted
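Review bot: Dropping the `sshd_approved_macs=stig` selection is consistent with replacing `sshd_use_approved_macs` by the ordered rule in the second hunk of this file, but any other rule in this profile that still reads `sshd_approved_macs` would silently fall back to the variable's default; I cannot see from this patch whether one exists, so the remaining selections are worth checking before merging. A short comment next to the new selection, e.g. `# RHEL-07-040400 requires the MAC list in STIG order, hence the ordered rule`, would record why the generic rule was replaced.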
|
|
|
b5e178 |
@@ -259,7 +258,7 @@ selections:
|
|
|
b5e178 |
- sshd_print_last_log
|
|
|
b5e178 |
- sshd_disable_root_login
|
|
|
b5e178 |
- sshd_allow_only_protocol2
|
|
|
b5e178 |
- - sshd_use_approved_macs
|
|
|
b5e178 |
+ - sshd_use_approved_macs_ordered_stig
|
|
|
b5e178 |
- file_permissions_sshd_pub_key
|
|
|
b5e178 |
- file_permissions_sshd_private_key
|
|
|
b5e178 |
- sshd_disable_gssapi_auth
|
|
|
b5e178 |
|
|
|
b5e178 |
From df71fc735efa8754a73fab5d355d422c6e0ffa53 Mon Sep 17 00:00:00 2001
|
|
|
b5e178 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
b5e178 |
Date: Tue, 19 Jan 2021 12:33:10 +0100
|
|
|
b5e178 |
Subject: [PATCH 4/7] remove rhel7 stigid from sshd_use_approved_macs
|
|
|
b5e178 |
|
|
|
b5e178 |
---
|
|
|
b5e178 |
.../services/ssh/ssh_server/sshd_use_approved_macs/rule.yml | 1 -
|
|
|
b5e178 |
1 file changed, 1 deletion(-)
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
|
|
b5e178 |
index 394c733f51..d47eb443f5 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
|
|
b5e178 |
@@ -54,7 +54,6 @@ references:
|
|
|
b5e178 |
nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4
|
|
|
b5e178 |
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
|
|
|
b5e178 |
vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000480-VMM-002000,SRG-OS-000396-VMM-001590
|
|
|
b5e178 |
- stigid@rhel7: RHEL-07-040400
|
|
|
b5e178 |
stigid@sle12: SLES-12-030180
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.6,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.3.3.5.1,4.3.3.6.6
|
|
|
b5e178 |
|
|
|
b5e178 |
From 9c24aaaba67f0123a82335672fd25aacd913caa4 Mon Sep 17 00:00:00 2001
|
|
|
b5e178 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
b5e178 |
Date: Thu, 21 Jan 2021 11:43:16 +0100
|
|
|
b5e178 |
Subject: [PATCH 5/7] simplify regex
|
|
|
b5e178 |
|
|
|
b5e178 |
---
|
|
|
b5e178 |
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
|
|
|
b5e178 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
index d7fbd9f0ed..5973488661 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
@@ -31,7 +31,7 @@
|
|
|
b5e178 |
|
|
|
b5e178 |
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
|
|
b5e178 |
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
|
|
b5e178 |
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
|
|
|
b5e178 |
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
|
|
b5e178 |
<ind:instance datatype="int">1</ind:instance>
|
|
|
b5e178 |
</ind:textfilecontent54_object>
|
|
|
b5e178 |
|
|
|
b5e178 |
|
|
|
b5e178 |
From e3973f4c2988308a2d1a18e67a730a059f791336 Mon Sep 17 00:00:00 2001
|
|
|
b5e178 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
b5e178 |
Date: Thu, 21 Jan 2021 11:55:19 +0100
|
|
|
b5e178 |
Subject: [PATCH 6/7] make bash remediation more readable
|
|
|
b5e178 |
|
|
|
b5e178 |
---
|
|
|
b5e178 |
.../sshd_use_approved_macs_ordered_stig/bash/shared.sh | 2 +-
|
|
|
b5e178 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
|
|
b5e178 |
index c76190fb96..f8f6f39bee 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
|
|
|
b5e178 |
|
|
|
b5e178 |
-if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
|
|
|
b5e178 |
+if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then
|
|
|
b5e178 |
sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
|
|
|
b5e178 |
else
|
|
|
b5e178 |
echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
|
|
|
b5e178 |
|
|
|
b5e178 |
From e5c379ac8cbd7bd42b116d3a5473a78406a662fd Mon Sep 17 00:00:00 2001
|
|
|
b5e178 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
b5e178 |
Date: Thu, 21 Jan 2021 13:05:18 +0100
|
|
|
b5e178 |
Subject: [PATCH 7/7] one more small fix to oval regex
|
|
|
b5e178 |
|
|
|
b5e178 |
---
|
|
|
b5e178 |
.../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +-
|
|
|
b5e178 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
index 5973488661..b5443b07c4 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
|
|
|
b5e178 |
@@ -31,7 +31,7 @@
|
|
|
b5e178 |
|
|
|
b5e178 |
<ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
|
|
|
b5e178 |
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
|
|
|
b5e178 |
- <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
|
|
b5e178 |
+ <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
|
|
|
b5e178 |
<ind:instance datatype="int">1</ind:instance>
|
|
|
b5e178 |
</ind:textfilecontent54_object>
|
|
|
b5e178 |
|