From fd95afe448b8fee2ed35baad929eed3470aad51e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 18 Jan 2021 14:33:45 +0100 Subject: [PATCH 01/11] add rule --- .../ansible/shared.yml | 13 ++++ .../bash/shared.sh | 7 +++ .../oval/shared.xml | 38 +++++++++++ .../rule.yml | 63 +++++++++++++++++++ 4 files changed, 121 insertions(+) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/ansible/shared.yml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/bash/shared.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/oval/shared.xml create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/ansible/shared.yml new file mode 100644 index 000000000000..4796a2eab1ca --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/ansible/shared.yml @@ -0,0 +1,13 @@ +# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: "Configure sshd to use approved ciphers" + lineinfile: + path: /etc/ssh/sshd_config + line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' + state: present + regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$' + create: True diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/bash/shared.sh new file mode 100644 index 000000000000..6a7ea28df737 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/bash/shared.sh @@ -0,0 +1,7 @@ +# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7 + +if grep -q -P '^[[:space:]]*[Cc]iphers[[:space:]]+' /etc/ssh/sshd_config; then + sed -i 's/^[\s]*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config +else + echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config +fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/oval/shared.xml new file mode 100644 index 000000000000..cb37672ed463 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/oval/shared.xml @@ -0,0 +1,38 @@ + + + {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}} + + + + + + + + + + + + + + + + + + + + + + /etc/ssh/sshd_config + ^[\s]*(?i)Ciphers(?-i)[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$ + 1 + + + diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml new file mode 100644 index 000000000000..425e0c7dcfe3 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml @@ -0,0 +1,63 @@ +documentation_complete: true + +prodtype: rhel7 + +title: 'Use Only FIPS 140-2 Validated Ciphers' + +description: |- + Limit the ciphers to those algorithms which are FIPS-approved. + The following line in /etc/ssh/sshd_config + demonstrates use of FIPS-approved ciphers: + 
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+ This rule ensures that there are configured ciphers mentioned above (or dheir subset), keeping the given order of algorithms. + +rationale: |- + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore + cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. +
+ Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to + cryptographic modules. +
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules + utilize authentication that meets industry and government requirements. For government systems, this allows + Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}. + +severity: medium + +identifiers: + cce@rhel7: CCE-83392-1 + +references: + disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123 + srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 + stigid@rhel7: RHEL-07-040110 + +ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved' + +ocil: |- + Only FIPS ciphers should be used. To verify that only FIPS-approved + ciphers are in use, run the following command: + 
$ sudo grep Ciphers /etc/ssh/sshd_config
+ The output should contain only following ciphers (or a subset) in the exact order: + 
aes256-ctr,aes192-ctr,aes128-ctr
+ +warnings: + - general: |- + The system needs to be rebooted for these changes to take effect. + - regulatory: |- + System Crypto Modules must be provided by a vendor that undergoes + FIPS-140 certifications. + FIPS-140 is applicable to all Federal agencies that use + cryptographic-based security systems to protect sensitive information + in computer and telecommunication systems (including voice systems) as + defined in Section 5131 of the Information Technology Management Reform + Act of 1996, Public Law 104-106. This standard shall be used in + designing and implementing cryptographic modules that Federal + departments and agencies operate or are operated for them under + contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} + To meet this, the system has to have cryptographic software provided by + a vendor that has undergone this certification. This means providing + documentation, test results, design information, and independent third + party review by an accredited lab. While open source software is + capable of meeting this, it does not meet FIPS-140 unless the vendor + submits to this process. From 374f8559b09b4085d69bf29107415859a82554da Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 18 Jan 2021 14:34:01 +0100 Subject: [PATCH 02/11] add tests --- .../tests/comment.fail.sh | 7 +++++++ .../tests/correct_reduced_list.pass.sh | 7 +++++++ .../tests/correct_scrambled.fail.sh | 7 +++++++ .../tests/correct_value.pass.sh | 7 +++++++ .../tests/line_not_there.fail.sh | 3 +++ .../tests/wrong_value.fail.sh | 7 +++++++ 6 files changed, 38 insertions(+) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/comment.fail.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_reduced_list.pass.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_scrambled.fail.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_value.pass.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/line_not_there.fail.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/wrong_value.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/comment.fail.sh new file mode 100644 index 000000000000..daff7d7c5383 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/comment.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +if grep -q "^Ciphers" /etc/ssh/sshd_config; then + sed -i "s/^Ciphers.*/# ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config +else + echo "# ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config +fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_reduced_list.pass.sh new file mode 100644 index 000000000000..b9d22262afec --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_reduced_list.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +if grep -q "^Ciphers" /etc/ssh/sshd_config; then + sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config +else + echo "Ciphers aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config +fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_scrambled.fail.sh new file mode 100644 index 000000000000..b99d3832cd71 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_scrambled.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +if grep -q "^Ciphers" /etc/ssh/sshd_config; then + sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config +else + echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config +fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_value.pass.sh new file mode 100644 index 000000000000..6dfd54631c5f --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_value.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +if grep -q "^Ciphers" /etc/ssh/sshd_config; then + sed -i "s/^Ciphers.*/ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config +else + echo 'ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config +fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/line_not_there.fail.sh new file mode 100644 index 000000000000..7b38914a1a6e --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/line_not_there.fail.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/wrong_value.fail.sh new file mode 100644 index 000000000000..a88f334b3fa2 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/wrong_value.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +if grep -q "^Ciphers" /etc/ssh/sshd_config; then + sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config +else + echo "# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config +fi From 8adc2633daacdbfbd92ccebeaf7b66a11e936904 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 18 Jan 2021 14:35:23 +0100 Subject: [PATCH 03/11] change rule in rhel7 stig profile --- rhel7/profiles/stig.profile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile index 6c06a8ede60d..b6c215f87046 100644 --- a/rhel7/profiles/stig.profile +++ b/rhel7/profiles/stig.profile @@ -239,8 +239,7 @@ selections: - install_antivirus - accounts_max_concurrent_login_sessions - configure_firewalld_ports - - sshd_approved_ciphers=stig - - sshd_use_approved_ciphers + - sshd_use_approved_ciphers_ordered - accounts_tmout - sshd_enable_warning_banner - sssd_ldap_start_tls From 9bfb8ade9e178accaedb5db0e07a4efac619a0af Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 18 Jan 2021 14:47:55 +0100 Subject: [PATCH 04/11] fix cce --- .../ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml | 2 +- shared/references/cce-redhat-avail.txt | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml index 425e0c7dcfe3..8459c5008f78 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml @@ -25,7 +25,7 @@ rationale: |- severity: medium identifiers: - cce@rhel7: CCE-83392-1 + cce@rhel7: CCE-83398-8 references: disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 2d36e8681efc..66196f1fa7bf 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1,4 +1,3 @@ -CCE-83398-8 CCE-83399-6 CCE-83405-1 CCE-83406-9 From 7416341897274b0d6324f83822dccedcefcca134 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 18 Jan 2021 14:52:38 +0100 Subject: [PATCH 05/11] remove stigid from old rule --- .../services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml index abcebf60c746..50c7d689af94 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml @@ -61,7 +61,6 @@ references: nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590 - stigid@rhel7: RHEL-07-040110 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6' isa-62443-2009: 4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO11.04,APO13.01,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10,MEA02.01 From 1b3f46f0315ecc8a587c9bf9b7e59272d048ab80 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 18 Jan 2021 15:43:06 +0100 Subject: [PATCH 06/11] change rule id --- .../ansible/shared.yml | 0 .../bash/shared.sh | 0 .../oval/shared.xml | 10 +++++----- .../rule.yml | 0 .../tests/comment.fail.sh | 0 .../tests/correct_reduced_list.pass.sh | 0 .../tests/correct_scrambled.fail.sh | 0 .../tests/correct_value.pass.sh | 0 .../tests/line_not_there.fail.sh | 0 .../tests/wrong_value.fail.sh | 0 rhel7/profiles/stig.profile | 2 +- 11 files changed, 6 insertions(+), 6 deletions(-) rename linux_os/guide/services/ssh/ssh_server/{sshd_use_approved_ciphers_ordered => sshd_use_approved_ciphers_ordered_stig}/ansible/shared.yml (100%) rename linux_os/guide/services/ssh/ssh_server/{sshd_use_approved_ciphers_ordered => sshd_use_approved_ciphers_ordered_stig}/bash/shared.sh (100%) rename linux_os/guide/services/ssh/ssh_server/{sshd_use_approved_ciphers_ordered => sshd_use_approved_ciphers_ordered_stig}/oval/shared.xml (90%) rename linux_os/guide/services/ssh/ssh_server/{sshd_use_approved_ciphers_ordered => sshd_use_approved_ciphers_ordered_stig}/rule.yml (100%) rename linux_os/guide/services/ssh/ssh_server/{sshd_use_approved_ciphers_ordered => sshd_use_approved_ciphers_ordered_stig}/tests/comment.fail.sh (100%) rename linux_os/guide/services/ssh/ssh_server/{sshd_use_approved_ciphers_ordered => sshd_use_approved_ciphers_ordered_stig}/tests/correct_reduced_list.pass.sh (100%) rename linux_os/guide/services/ssh/ssh_server/{sshd_use_approved_ciphers_ordered => sshd_use_approved_ciphers_ordered_stig}/tests/correct_scrambled.fail.sh (100%) rename linux_os/guide/services/ssh/ssh_server/{sshd_use_approved_ciphers_ordered => sshd_use_approved_ciphers_ordered_stig}/tests/correct_value.pass.sh (100%) rename linux_os/guide/services/ssh/ssh_server/{sshd_use_approved_ciphers_ordered => sshd_use_approved_ciphers_ordered_stig}/tests/line_not_there.fail.sh (100%) rename linux_os/guide/services/ssh/ssh_server/{sshd_use_approved_ciphers_ordered => sshd_use_approved_ciphers_ordered_stig}/tests/wrong_value.fail.sh (100%) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml similarity index 100% rename from linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/ansible/shared.yml rename to linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh similarity index 100% rename from linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/bash/shared.sh rename to linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml similarity index 90% rename from linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/oval/shared.xml rename to linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml index cb37672ed463..f69938f4c401 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml @@ -1,5 +1,5 @@ - + {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}} @@ -17,7 +17,7 @@ + test_ref="test_sshd_use_approved_ciphers_ordered_stig" /> @@ -25,11 +25,11 @@ - + id="test_sshd_use_approved_ciphers_ordered_stig" version="1"> + - + /etc/ssh/sshd_config ^[\s]*(?i)Ciphers(?-i)[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml similarity index 100% rename from linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/rule.yml rename to linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh similarity index 100% rename from linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/comment.fail.sh rename to linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh similarity index 100% rename from linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_reduced_list.pass.sh rename to linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh similarity index 100% rename from linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_scrambled.fail.sh rename to linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh similarity index 100% rename from linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/correct_value.pass.sh rename to linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh similarity index 100% rename from linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/line_not_there.fail.sh rename to linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh similarity index 100% rename from linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered/tests/wrong_value.fail.sh rename to linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile index b6c215f87046..adf86894e14d 100644 --- a/rhel7/profiles/stig.profile +++ b/rhel7/profiles/stig.profile @@ -239,7 +239,7 @@ selections: - install_antivirus - accounts_max_concurrent_login_sessions - configure_firewalld_ports - - sshd_use_approved_ciphers_ordered + - sshd_use_approved_ciphers_ordered_stig - accounts_tmout - sshd_enable_warning_banner - sssd_ldap_start_tls From 76f6549ab343ae87e79a85e2ba9230ef8e5e5b4a Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Tue, 19 Jan 2021 08:54:22 +0100 Subject: [PATCH 07/11] Update linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml Co-authored-by: Gabriel Becker --- .../ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml index 8459c5008f78..07510641795a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml @@ -9,7 +9,8 @@ description: |- The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers: 
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
- This rule ensures that there are configured ciphers mentioned above (or dheir subset), keeping the given order of algorithms. + This rule ensures that there are configured ciphers mentioned + above (or their subset), keeping the given order of algorithms. rationale: |- Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore From ab4604dbc2f18b095bded7256e2fe6fe19a5d607 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 19 Jan 2021 11:04:37 +0100 Subject: [PATCH 08/11] fix oval it was accepting empty list of ciphers --- .../sshd_use_approved_ciphers_ordered_stig/oval/shared.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml index f69938f4c401..7c38eabc1217 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml @@ -31,7 +31,7 @@ /etc/ssh/sshd_config - ^[\s]*(?i)Ciphers(?-i)[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$ + ^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w,-@]+)(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$ 1 From 081cb87ed1225a25641104008b92e2aef3844b04 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 19 Jan 2021 11:04:59 +0100 Subject: [PATCH 09/11] fix remediation --- .../sshd_use_approved_ciphers_ordered_stig/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh index 6a7ea28df737..dcae6a3da8d0 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh @@ -1,7 +1,7 @@ # platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7 if grep -q -P '^[[:space:]]*[Cc]iphers[[:space:]]+' /etc/ssh/sshd_config; then - sed -i 's/^[\s]*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config + sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config else echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config fi From d748577d9e0961504e3223ae04c1ed8f799c73bf Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 19 Jan 2021 11:05:21 +0100 Subject: [PATCH 10/11] fix and add tests --- .../tests/no_parameters.fail.sh | 7 +++++++ .../tests/wrong_value.fail.sh | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh new file mode 100644 index 000000000000..6fdb47093d25 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +if grep -q "^Ciphers" /etc/ssh/sshd_config; then + sed -i "s/^Ciphers.*/Ciphers /" /etc/ssh/sshd_config +else + echo 'Ciphers ' >> /etc/ssh/sshd_config +fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh index a88f334b3fa2..24fdf0f30dfc 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash if grep -q "^Ciphers" /etc/ssh/sshd_config; then - sed -i "s/^Ciphers.*/# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config + sed -i "s/^Ciphers.*/ Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config else - echo "# Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config + echo " Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config fi From b40f5b69e1141c418510ae9cd0cec7b45c83b4e5 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 21 Jan 2021 12:34:56 +0100 Subject: [PATCH 11/11] simplify oval and bash remediation --- .../sshd_use_approved_ciphers_ordered_stig/bash/shared.sh | 2 +- .../sshd_use_approved_ciphers_ordered_stig/oval/shared.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh index dcae6a3da8d0..8f751ed51652 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh @@ -1,6 +1,6 @@ # platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7 -if grep -q -P '^[[:space:]]*[Cc]iphers[[:space:]]+' /etc/ssh/sshd_config; then +if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config else echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml index 7c38eabc1217..53ff0a2a9e41 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml @@ -31,7 +31,7 @@ /etc/ssh/sshd_config - ^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w,-@]+)(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$ + ^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$ 1