
V-204578 change order of SSH cipher suites for stig #6668

Closed
amdonov wants to merge 1 commit into ComplianceAsCode:master from amdonov:V-204578

Conversation


@amdonov amdonov commented Mar 8, 2021

Latest stig requires specific order for SSH ciphers.

Description:

Change the order of SSH cipher suites.

Rationale:

https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-12-08/finding/V-204578

Inspect the "Ciphers" configuration with the following command:

# grep -i ciphers /etc/ssh/sshd_config
Ciphers aes256-ctr,aes192-ctr,aes128-ctr

If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.

Latest stig requires specific order for SSH ciphers.
@openscap-ci
Collaborator

Can one of the admins verify this patch?


@openshift-ci-robot
Collaborator

Hi @amdonov. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.


@openshift-ci-robot openshift-ci-robot added the needs-ok-to-test Used by openshift-ci bot. label Mar 8, 2021
Member

ggbecker commented Mar 8, 2021

We have already fixed this issue by creating a new rule that considers ordering and a subset of ciphers. Please use it instead: sshd_use_approved_ciphers_ordered_stig

Only changing the order in the variable does not solve all the issues, which includes allowing a subset of ciphers in this case.

For more details please check the pull request: #6541

This new rule should be part of the next release v0.1.55.

Feel free to reopen this or start a discussion at https://github.com/ComplianceAsCode/content/discussions

@ggbecker ggbecker closed this Mar 8, 2021
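The V-204578 check quoted in the PR description and the "ordering and a subset of ciphers" semantic the maintainer describes for the replacement rule, as an added worked example that is neither the project's content nor code from this PR. The script audits the active `Ciphers` keyword in an sshd_config against the STIG list treated as an ordered allow-list (every configured cipher must come from the list and keep its relative order, so `aes256-ctr,aes128-ctr` passes while a reordering, a duplicate, or an extra cipher is a finding) and offers a remediation that comments out existing `Ciphers` lines and appends the approved one. The subset semantic is an assumption taken from ggbecker's comment rather than from the STIG text, which reads as an exact match; the function names, the constructed sample configs, and the temp-file layout are this example's own.

```shell
#!/bin/sh
# Added example; not code from the ComplianceAsCode project or from this PR.
# Audits and remediates the sshd "Ciphers" keyword for V-204578. The approved
# list is treated as an ordered allow-list (an assumption taken from the
# maintainer's description of sshd_use_approved_ciphers_ordered_stig): the
# configured ciphers must all come from it and keep its relative order.

APPROVED_CIPHERS="aes256-ctr,aes192-ctr,aes128-ctr"

# Print the value of the first active (uncommented) Ciphers keyword; sshd uses
# the first occurrence of a keyword. Accepts "Ciphers x" and "Ciphers=x".
# Unlike the bare "grep -i ciphers" in the STIG text, a "#Ciphers" line is
# not matched here, so a commented-out keyword yields an empty result.
configured_ciphers() {
    grep -i '^[[:space:]]*ciphers[[:space:]=]' "$1" 2>/dev/null \
        | head -n 1 | tr '=' ' ' | awk '{print $2}'
}

# check_sshd_ciphers FILE [APPROVED]: exit 0 if compliant, 1 if a finding.
check_sshd_ciphers() {
    cfg="$1"
    approved="${2:-$APPROVED_CIPHERS}"
    configured=$(configured_ciphers "$cfg")
    [ -n "$configured" ] || return 1        # keyword missing or commented out
    # Walk the configured list left to right, consuming the approved list as
    # we go. A name absent from the unconsumed remainder is either not
    # approved, a duplicate, or out of order. Modifier prefixes (+, -, ^) that
    # sshd accepts are rejected too, which matches the STIG wording.
    rest=",$approved,"
    for c in $(printf '%s\n' "$configured" | tr ',' ' '); do
        case "$rest" in
            *",$c,"*) rest=",${rest#*",$c,"}" ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# set_sshd_ciphers FILE [LIST]: comment out every existing Ciphers line and
# append the approved list. Writes back with "cat >" rather than mv so the
# original file's mode and ownership (0600 root on a real host) survive.
set_sshd_ciphers() {
    cfg="$1"
    list="${2:-$APPROVED_CIPHERS}"
    tmp="$cfg.stig.$$"
    sed 's/^\([[:space:]]*[Cc][Ii][Pp][Hh][Ee][Rr][Ss][[:space:]=]\)/#\1/' "$cfg" > "$tmp" \
        && printf 'Ciphers %s\n' "$list" >> "$tmp" \
        && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on constructed sample configs (not real host files).
demo_dir=$(mktemp -d)
printf 'Port 22\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n' > "$demo_dir/reordered"
printf 'Port 22\n#Ciphers aes256-ctr,aes192-ctr,aes128-ctr\n' > "$demo_dir/commented"
printf 'Port 22\nCiphers aes256-ctr,aes128-ctr\n' > "$demo_dir/subset"
for f in reordered commented subset; do
    if check_sshd_ciphers "$demo_dir/$f"; then
        echo "$f: compliant"
    else
        echo "$f: finding"
    fi
done
set_sshd_ciphers "$demo_dir/reordered"
if check_sshd_ciphers "$demo_dir/reordered"; then
    echo "reordered after remediation: compliant"
fi
rm -rf "$demo_dir"
```

Run it as-is to see the three constructed cases; on a host, `check_sshd_ciphers /etc/ssh/sshd_config` gives the audit result and `set_sshd_ciphers /etc/ssh/sshd_config` the remediation, which should be followed by `sshd -t` and a service reload. Dropping the second argument to either function applies the STIG list; passing a different comma-separated list reuses the same ordered-subset logic for another baseline.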
