add rhel7 stig specific rule for sshd approved macs

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml

@@ -54,7 +54,6 @@ references:
     nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4
     srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
     vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000480-VMM-002000,SRG-OS-000396-VMM-001590
-    stigid@rhel7: RHEL-07-040400
     stigid@sle12: SLES-12-030180
     isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.6,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
     isa-62443-2009: 4.3.3.5.1,4.3.3.6.6

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml

@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Configure sshd to use approved MACs"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: 'MACs hmac-sha2-512,hmac-sha2-256'
+    state: present
+    regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
+    create: True

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh

@@ -0,0 +1,7 @@
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
+
+if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then
+  sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
+else
+  echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+fi

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml

@@ -0,0 +1,38 @@
+<def-group>
+  <definition class="compliance" id="sshd_use_approved_macs_ordered_stig" version="1">
+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+    <criteria operator="AND">
+      <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
+      <criteria comment="SSH is configured correctly or is not installed"
+      operator="OR">
+        <criteria comment="sshd is not installed" operator="AND">
+          <extend_definition comment="sshd is not required or requirement is unset"
+          definition_ref="sshd_not_required_or_unset" />
+          <extend_definition comment="rpm package openssh-server removed"
+          definition_ref="package_openssh-server_removed" />
+        </criteria>
+        <criteria comment="sshd is installed and configured" operator="AND">
+          <extend_definition comment="sshd is required or requirement is unset"
+          definition_ref="sshd_required_or_unset" />
+          <extend_definition comment="rpm package openssh-server installed"
+          definition_ref="package_openssh-server_installed" />
+          <criterion comment="Check MACs in /etc/ssh/sshd_config"
+          test_ref="test_sshd_use_approved_macs_ordered_stig" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
+  id="test_sshd_use_approved_macs_ordered_stig" version="1">
+    <ind:object object_ref="obj_sshd_use_approved_macs_ordered_stig" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml

@@ -0,0 +1,57 @@
+documentation_complete: true
+
+prodtype: rhel7
+
+title: 'Use Only FIPS 140-2 Validated MACs'
+
+description: |-
+    Limit the MACs to those hash algorithms which are FIPS-approved.
+    The following line in <tt>/etc/ssh/sshd_config</tt>
+    demonstrates use of FIPS-approved MACs:
+    <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
+    This rule ensures that there are configured MACs mentioned
+    above (or their subset), keeping the given order of algorithms.
+
+rationale: |-
+    DoD Information Systems are required to use FIPS-approved cryptographic hash
+    functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-83398-8
+
+references:
+    disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
+    srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
+    stigid@rhel7: RHEL-07-040400
+
+ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
+
+ocil: |-
+    Only FIPS-approved MACs should be used. To verify that only FIPS-approved
+    MACs are in use, run the following command:
+    <pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre>
+    The output should contain only following MACs (or a subset) in the exact order:
+    <pre>hmac-sha2-512,hmac-sha2-256</pre>
+
+warnings:
+    - general: |-
+        The system needs to be rebooted for these changes to take effect.
+    - regulatory: |-
+        System Crypto Modules must be provided by a vendor that undergoes
+        FIPS-140 certifications.
+        FIPS-140 is applicable to all Federal agencies that use
+        cryptographic-based security systems to protect sensitive information
+        in computer and telecommunication systems (including voice systems) as
+        defined in Section 5131 of the Information Technology Management Reform
+        Act of 1996, Public Law 104-106. This standard shall be used in
+        designing and implementing cryptographic modules that Federal
+        departments and agencies operate or are operated for them under
+        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
+        To meet this, the system has to have cryptographic software provided by
+        a vendor that has undergone this certification. This means providing
+        documentation, test results, design information, and independent third
+        party review by an accredited lab. While open source software is
+        capable of meeting this, it does not meet FIPS-140 unless the vendor
+        submits to this process.

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+	sed -i "s/^MACs.*/# MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
+else
+	echo "# ciphers MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+fi

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+	sed -i "s/^MACs.*/MACs hmac-sha2-512/" /etc/ssh/sshd_config
+else
+	echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config
+fi

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+	sed -i "s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/" /etc/ssh/sshd_config
+else
+	echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
+fi

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+	sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
+else
+	echo 'MACs hmac-sha2-512,hmac-sha2-256' >> /etc/ssh/sshd_config
+fi

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i "/^MACs.*/d" /etc/ssh/sshd_config

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+	sed -i "s/^MACs.*/MACs /" /etc/ssh/sshd_config
+else
+	echo 'MACs ' >> /etc/ssh/sshd_config
+fi

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q "^MACs" /etc/ssh/sshd_config; then
+	sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256,blahblah/" /etc/ssh/sshd_config
+else
+	echo "MACs hmac-sha2-512,hmac-sha2-256,blahblah" >> /etc/ssh/sshd_config
+fi

rhel7/profiles/stig.profile

@@ -28,7 +28,6 @@ selections:
     - inactivity_timeout_value=15_minutes
     - var_screensaver_lock_delay=5_seconds
     - sshd_idle_timeout_value=10_minutes
-    - sshd_approved_macs=stig
     - var_accounts_fail_delay=4
     - var_selinux_state=enforcing
     - var_selinux_policy_name=targeted
@@ -259,7 +258,7 @@ selections:
     - sshd_print_last_log
     - sshd_disable_root_login
     - sshd_allow_only_protocol2
-    - sshd_use_approved_macs
+    - sshd_use_approved_macs_ordered_stig
     - file_permissions_sshd_pub_key
     - file_permissions_sshd_private_key
     - sshd_disable_gssapi_auth

shared/references/cce-redhat-avail.txt

@@ -1,4 +1,3 @@
-CCE-83398-8
 CCE-83399-6
 CCE-83405-1
 CCE-83406-9