Fix RHEL7 rules sshd_use_strong_macs and sshd_use_strong_ciphers. #5010
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
matejak
commented
Nov 14, 2019
matejak
commented
- Implemented Bash remediations according to rule description.
- Synced sshd_use_strong_ciphers OVAL according with the rule description.
- Implemented Bash remediations according to rule description. - Synced sshd_use_strong_ciphers OVAL according with the rule description.
jan-cerny
requested changes
Nov 15, 2019
| @@ -0,0 +1,3 @@ | |||
| # platform = multi_platform_all | |||
|
|
|||
| {{{ bash_sshd_config_set(parameter="Ciphers", value="aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr") }}} | |||
There was a problem hiding this comment.
aes128-ctr and aes256-ctr is twice in the list
| @@ -1 +1 @@ | |||
| {{{ oval_sshd_config(parameter="Ciphers", value="((chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}} | |||
| {{{ oval_sshd_config(parameter="Ciphers", value="((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)") }}} | |||
There was a problem hiding this comment.
aes128-ctr and aes256-ctr is twice in the list
There was a problem hiding this comment.
the rule.yml also has it twice and the OCIL there is missing aes192-ctr, could you please fix rule.yml as well?
There was a problem hiding this comment.
And the OVAL has been missing + as well. I will indeed add some scenarios :-)
jan-cerny
reviewed
Nov 15, 2019
| @@ -9,8 +9,7 @@ description: |- | |||
| Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. | |||
| The following line in <tt>/etc/ssh/sshd_config</tt> | |||
| demonstrates use of those ciphers: | |||
| <pre>Ciphers aes128-ctr,aes192-ctr,aes256-ctr</pre> | |||
| <pre>chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr</pre> | |||
| <pre>Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr</pre> | |||
There was a problem hiding this comment.
Oh, right. Fixed by rebase.
- Fixed ciphers rule description metadata and bash remediation - removed duplicate ciphers. - Fixed ciphers rule OVAL. - Added test cases.
matejak
force-pushed
the
fix_sshd_ciphers_macs
branch
from
bebf97e
to
32c5bdb
Compare
jan-cerny
approved these changes
Nov 15, 2019
This pull request was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.