Merge pull request #10739 from teacup-on-rockingchair/fix_strong_mac_…

…drop_hmac-ripemd160

Drop hmac-ripemd160 sshd mac from strong MACs list

controls/cis_sle12.yml

@@ -1669,6 +1669,7 @@ controls:
     rules:
       - sshd_approved_macs=cis_sle12
       - sshd_use_approved_macs
+      - sshd_strong_macs=cis_sle12
       - sshd_use_strong_macs
 
   - id: 5.2.15

controls/cis_sle15.yml

@@ -1863,6 +1863,7 @@ controls:
     rules:
       - sshd_approved_macs=cis_sle15
       - sshd_use_approved_macs
+      - sshd_strong_macs=cis_sle15
       - sshd_use_strong_macs
 
   - id: 5.2.15

linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/ansible/shared.yml

@@ -0,0 +1,8 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("sshd_strong_macs") }}}
+
+{{{ ansible_sshd_set(parameter="MACs", value="{{ sshd_strong_macs }}") }}}

linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh

@@ -1,4 +1,6 @@
 # platform = multi_platform_all
 
-{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}
+{{{ bash_instantiate_variables("sshd_strong_macs") }}}
+
+{{{ bash_replace_or_append('/etc/ssh/sshd_config', '^MACs', "$sshd_strong_macs", '%s %s') }}}
 

linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml

@@ -1 +1,70 @@
-{{{ oval_sshd_config(parameter="MACs", value="((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|hmac-ripemd160),?)+") }}}
+<def-group>
+  <definition class="compliance" id="sshd_use_strong_macs" version="1">
+    {{{ oval_metadata("Ensure only strong MAC algorithms are used") }}}
+    <criteria operator="AND">
+      <criteria comment="SSH is configured correctly or is not installed"
+      operator="OR">
+        <criteria comment="sshd is not installed" operator="AND">
+          <extend_definition comment="sshd is not required or requirement is unset"
+          definition_ref="sshd_not_required_or_unset" />
+          {{% if product in ['opensuse', 'sle12', 'sle15'] %}}
+          <extend_definition comment="package openssh removed"
+          definition_ref="package_openssh_removed" />
+          {{% else %}}
+          <extend_definition comment="package openssh-server removed"
+          definition_ref="package_openssh-server_removed" />
+          {{% endif %}}
+        </criteria>
+        <criteria comment="sshd is installed and configured" operator="AND">
+          <extend_definition comment="sshd is required or requirement is unset"
+          definition_ref="sshd_required_or_unset" />
+          {{% if product in ['opensuse', 'sle12', 'sle15'] %}}
+          <extend_definition comment="package openssh installed"
+          definition_ref="package_openssh_installed" />
+          {{% else %}}
+          <extend_definition comment="package openssh-server installed"
+          definition_ref="package_openssh-server_installed" />
+          {{% endif %}}
+          <criterion comment="Check MACs in /etc/ssh/sshd_config"
+          test_ref="test_sshd_use_strong_macs" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:variable_test check="at least one"
+  comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
+  id="test_sshd_use_strong_macs" version="1">
+    <ind:object object_ref="obj_sshd_use_strong_macs" />
+    <ind:state state_ref="ste_sshd_use_strong_macs" />
+  </ind:variable_test>
+
+  <ind:variable_object id="obj_sshd_use_strong_macs" version="1">
+    <ind:var_ref>var_sshd_config_strong_macs</ind:var_ref>
+  </ind:variable_object>
+
+  <ind:variable_state comment="strong macs" id="ste_sshd_use_strong_macs" version="1">
+    <ind:value operation="equals" datatype="string" var_ref="var_sshd_strong_macs" var_check="at least one" />
+  </ind:variable_state>
+
+  <ind:textfilecontent54_object id="obj_sshd_config_strong_macs" version="1">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <local_variable id="var_sshd_config_strong_macs" datatype="string" version="1" comment="MACs values splitted on comma">
+    <split delimiter=",">
+      <object_component item_field="subexpression" object_ref="obj_sshd_config_strong_macs" />
+    </split>
+  </local_variable>
+
+  <local_variable id="var_sshd_strong_macs" datatype="string" version="1" comment="strong MACs values splitted on comma">
+    <split delimiter=",">
+      <variable_component var_ref="sshd_strong_macs" />
+    </split>
+  </local_variable>
+  <external_variable comment="SSH MAC algorithms considered strong" datatype="string" id="sshd_strong_macs" version="1" />
+</def-group>
+
+

linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml

@@ -8,7 +8,7 @@ description: |-
     Limit the MACs to strong hash algorithms.
     The following line in <tt>/etc/ssh/sshd_config</tt> demonstrates use
     of those MACs:
-    <pre>MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160</pre>
+    <pre>MACs {{{ xccdf_value("sshd_strong_macs") }}}</pre>
 
 rationale: |-
     MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase
@@ -36,4 +36,4 @@ ocil: |-
     MACs are in use, run the following command:
     <pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre>
     The output should contain only those MACs which are strong, namely,
-    hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 hash functions.
+    {{{ xccdf_value("sshd_strong_macs") }}} hash functions.

linux_os/guide/services/ssh/sshd_strong_macs.var

@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: 'SSH Strong KEX by FIPS'
+
+description: "Specify the FIPS approved MACs (Message Authentication Code) algorithms\n\tthat are used for data integrity protection by the SSH server."
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+    default: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+    cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+    cis_sle15: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+    cis_ubuntu2204: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

products/ol7/profiles/e8.profile

@@ -130,6 +130,7 @@ selections:
   - sshd_disable_empty_passwords
   - sshd_disable_user_known_hosts
   - sshd_enable_strictmodes
+  - sshd_strong_macs=default
   - sshd_use_strong_macs
 
   ### Backup

products/rhel7/profiles/e8.profile

@@ -136,6 +136,7 @@ selections:
   - sshd_disable_empty_passwords
   - sshd_disable_user_known_hosts
   - sshd_enable_strictmodes
+  - sshd_strong_macs=default
   - sshd_use_strong_macs
 
   ### Backup

products/ubuntu2204/profiles/cis_level1_server.profile

@@ -779,6 +779,7 @@ selections:
     - sshd_use_strong_ciphers
 
     ### 5.2.14 Ensure only strong MAC algorithms are used (Automated)
+    - sshd_strong_macs=cis_ubuntu2204
     - sshd_use_strong_macs
 
     ### 5.2.15 Ensure only strong Key Exchange algorithms are used (Automated)

tests/data/profile_stability/rhel7/e8.profile

@@ -109,4 +109,5 @@ selections:
 - var_selinux_state=enforcing
 - var_selinux_policy_name=targeted
 - var_auditd_flush=incremental_async
+- sshd_strong_macs=default
 title: Australian Cyber Security Centre (ACSC) Essential Eight