Fix RHEL7 rules sshd_use_strong_macs and sshd_use_strong_ciphers. #5010
Conversation
matejak
commented
Nov 14, 2019
- Implemented Bash remediations according to rule description.
- Synced sshd_use_strong_ciphers OVAL according with the rule description.
@matejak Thanks!
What about adding test scenarios?
@@ -0,0 +1,3 @@ | |||
# platform = multi_platform_all | |||
|
|||
{{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr") }}} |
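Review bot: the Ciphers value passed to bash_sshd_config_set in this hunk lists aes256-ctr and aes128-ctr twice (once near the start of the list and again at the end); drop the trailing duplicates so the remediation writes each cipher once and stays in step with the OVAL check and the example line in rule.yml.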
aes128-ctr and aes256-ctr appear twice in the list.
@@ -1 +1 @@ | |||
{{{ oval_sshd_config(parameter="Ciphers", value="((chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}} | |||
{{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}} |
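Review bot: the new value regex still has the shape `((...),?)` with no quantifier after the outer group, so it can only consume a single cipher token and a multi-cipher Ciphers line will not match as a whole; it should end in `((...),?)+`, or use the stricter `(cipher)(,(cipher))*` form that does not accept two ciphers run together without a comma. The alternation also repeats aes256-ctr and aes128-ctr, which is harmless to the regex but should be cleaned up together with the remediation value.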
aes128-ctr and aes256-ctr appear twice in the list.
The rule.yml also has it twice, and the OCIL there is missing aes192-ctr; could you please fix rule.yml as well?
And the OVAL has been missing + as well. I will indeed add some scenarios :-)
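An added illustration, not part of this PR or of the ComplianceAsCode macros, of why the missing `+` matters and of the duplicate check a reviewer does by hand above. It assumes that `oval_sshd_config` anchors the value regex as the whole `Ciphers` line; the exact wrapping the macro generates is not shown here, so `line_pattern` is a stand-in for it.

```python
import re

# Allowed ciphers as listed in the rule description (order as on the page).
ALLOWED = [
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "chacha20-poly1305@openssh.com",
    "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
]
_ALT = "|".join(re.escape(c) for c in ALLOWED)

# Shape of the OVAL value regex before the fix: the outer group is not
# repeated, so it can consume only one cipher token.
BROKEN_VALUE = rf"(({_ALT}),?)"
# Shape after adding '+': the group repeats, so a whole comma list matches.
FIXED_VALUE = rf"(({_ALT}),?)+"
# Stricter alternative: requires a comma between tokens.
STRICT_VALUE = rf"({_ALT})(,({_ALT}))*"

# Constructed sample lines: a clean line, and the value from this PR's
# Bash remediation, which repeats aes256-ctr and aes128-ctr.
GOOD_LINE = "Ciphers " + ",".join(ALLOWED)
PR_REMEDIATION_LINE = ("Ciphers aes128-ctr,aes192-ctr,aes256-ctr,"
                       "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
                       "aes128-gcm@openssh.com,aes256-ctr,aes128-ctr")


def line_pattern(value_regex: str) -> re.Pattern:
    # Assumption: the macro anchors the value as the full sshd_config line.
    return re.compile(rf"^\s*Ciphers\s+{value_regex}\s*$", re.IGNORECASE)


def line_matches(value_regex: str, line: str) -> bool:
    return line_pattern(value_regex).match(line) is not None


def check_ciphers_line(line: str) -> dict:
    """Report ciphers outside the allowed set and duplicate entries."""
    m = re.match(r"^\s*Ciphers\s+(\S+)\s*$", line, re.IGNORECASE)
    if not m:
        return {"valid": False, "disallowed": [], "duplicates": []}
    ciphers = m.group(1).split(",")
    seen, duplicates = set(), []
    for c in ciphers:
        if c in seen and c not in duplicates:
            duplicates.append(c)
        seen.add(c)
    disallowed = [c for c in ciphers if c not in ALLOWED]
    return {"valid": not disallowed and not duplicates,
            "disallowed": disallowed, "duplicates": duplicates}
```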
@@ -9,8 +9,7 @@ description: |- | |||
Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. | |||
The following line in <tt>/etc/ssh/sshd_config</tt> | |||
demonstrates use of those ciphers: | |||
<pre>Ciphers aes128-ctr,aes192-ctr,aes256-ctr</pre> | |||
<pre>chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr</pre> | |||
<pre>Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr</pre> |
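Review bot: the new example line in the description omits aes192-ctr, while the Bash remediation and the OVAL regex in this PR include it; since the text says the line "demonstrates use of those ciphers", the description should list the same set as the remediation and check (each cipher once) so the three stay consistent.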
What about aes192-ctr?
Oh, right. Fixed by rebase.
- Fixed ciphers rule description metadata and bash remediation - removed duplicate ciphers.
- Fixed ciphers rule OVAL.
- Added test cases.
bebf97e to 32c5bdb