Merge pull request #5010 from matejak/fix_sshd_ciphers_macs

Fix RHEL7 rules sshd_use_strong_macs and sshd_use_strong_ciphers.
ComplianceAsCode · Nov 15, 2019 · f254745 · f254745
2 parents 8656925 + 32c5bdb
commit f254745
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 3 deletions.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/oval/shared.xml
@@ -1 +1 @@
-{{{ oval_sshd_config(parameter="Ciphers", value="((chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}}
+{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com),?)+") }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/rule.yml
@@ -9,8 +9,7 @@ description: |-
     Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
     The following line in <tt>/etc/ssh/sshd_config</tt>
     demonstrates use of those ciphers:
-    <pre>Ciphers aes128-ctr,aes192-ctr,aes256-ctr</pre>
-    <pre>chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr</pre>
+    <pre>Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr</pre>
     The man page <tt>sshd_config(5)</tt> contains a list of supported ciphers.
 
 rationale: |-

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/good_cipher.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/good_cipher.pass.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# profiles = e8
+
+sed -i 's/^\s*Ciphers\s.*//i' /etc/ssh/sshd_config
+echo "Ciphers aes256-ctr" >> /etc/ssh/sshd_config
+
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/no_ciphers.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_ciphers/tests/no_ciphers.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# profiles = e8
+
+sed -i 's/^\s*Ciphers\s/# &/i' /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}
+
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/good_mac.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/good_mac.pass.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# profiles = e8
+
+sed -i 's/^\s*MACs\s.*//i' /etc/ssh/sshd_config
+echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config
+
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/no_macs.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/tests/no_macs.fail.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# profiles = e8
+
+sed -i 's/^\s*MACs\s/# &/i' /etc/ssh/sshd_config