Align sshd_use_approved_macs_ordered_stig with Ubuntu STIG #11853
Conversation
|
Hi @mpurg. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel7 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
dodys
added
Ubuntu
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} | ||
| <criteria comment="sshd is configured correctly or is not installed" operator="OR"> |
There was a problem hiding this comment.
the "approved" rules should have a requirement on FIPS. See the shared OVAL.
There was a problem hiding this comment.
Nice catch, thanks. I added the requirement and rebased to master.
The tests currently fail on Ubuntu 22.04 since the OS is not yet listed in installed_OS_is_FIPS_certified.
If added to the list, all tests pass.
mpurg
force-pushed
the
ubuntu_2204_stig_255055
branch
from
3f6d10d
to
da349e1
Compare
mpurg
force-pushed
the
ubuntu_2204_stig_255055
branch
from
da349e1
to
67e8ac2
Compare
|
@marcusburghardt @Mab879 @teacup-on-rockingchair do you think it would be worth to make the ubuntu.xml oval the default instead of the current shared.xml, as it seems this is allowing partial matches, and iirc disa is pretty strict on having all the approved algorithms in a specific order, that way a partial match shouldn't be allowed. |
@marcusburghardt @Mab879 @teacup-on-rockingchair tagging you again to bring attention to this |
mpurg
force-pushed
the
ubuntu_2204_stig_255055
branch
2 times, most recently
from
80b90d6
to
63f543d
Compare
openshift-ci
bot
added
the
do-not-merge/work-in-progress
Text was aligned with STIG rules UBTU-20-010043 and UBTU-22-255055.
mpurg
force-pushed
the
ubuntu_2204_stig_255055
branch
from
63f543d
to
a5116bb
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
The OVAL now also allows distributed configs and uses the variable `sshd_approved_macs` instead of hardcoded values. The implementation is based on the template `sshd_lineinfile`, modified to allow external variables as values and checking for FIPS compliant OS.
The remediation now uses the bash_sshd_remediation macro and the sshd_approved_macs variable.
…stig The remediation now uses the ansible_sshd_set macro and the sshd_approved_macs variable.
mpurg
force-pushed
the
ubuntu_2204_stig_255055
branch
from
a5116bb
to
9f849e5
Compare
|
Code Climate has analyzed commit 9f849e5 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
|
because of the lack of reply, I will merge this as is, and my comment could be done in a separate PR if other vendors are interested. |
Description:
sshd_use_approved_macs_ordered_stigrule to better align with Ubuntu STIG (UBTU-20-010043, UBTU-22-255055)sshd_approved_macsvariableRationale: