Introduce new rule sshd_use_approved_kex_ordered_stig #10103
Conversation
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
There was a problem hiding this comment.
Please double-check the CCEs.
cce CCE-83280-8 is included in files:
- linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml
- linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
cce CCE-83636-1 is included in files:
- linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml
- linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
freddieRv
force-pushed
the
sshd_kex_fips
branch
from
81c824b
to
7636129
Compare
I took the first one from shared/references/cce-redhat-avail.txt and assigned it to this new rule. |
freddieRv
force-pushed
the
sshd_kex_fips
branch
2 times, most recently
from
d537f5d
to
6e792b1
Compare
linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml
Show resolved
Hide resolved
linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh
Show resolved
Hide resolved
There was a problem hiding this comment.
The reason of Automatus fail on CS9 is that this rule is only for RHEL7 and 8.
When I run tests on RHEL 7 locally, they pass:
[jcerny@thinkpad scap-security-guide{pr/10103}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 sshd_use_approved_kex_ordered_stig
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-01-25-1352/test_suite.log
WARNING - Script default_fips.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_reduced_list.pass.sh using profile (all) OK
INFO - Script correct_scrambled.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script no_parameters.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/10103}]$ python3 tests/automatus.py rule --remediate-using ansible --libvirt qemu:///system ssgts_rhel7 sshd_use_approved_kex_ordered_stig
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-01-25-1402/test_suite.log
WARNING - Script default_fips.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_reduced_list.pass.sh using profile (all) OK
INFO - Script correct_scrambled.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script no_parameters.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
The fail on CentOS 7 testing_farm job is in the test Sanity/machine-hardening/stig and the reason is that this new rule depends on "installed OS is FIPS certified" therefore it will never pass on CentOS 7 which isn't FIPS certified. I think we need to update the blocklist in https://src.fedoraproject.org/tests/scap-security-guide/blob/main/f/Sanity/machine-hardening/runtest.sh#_27. I have created a PR for it: https://src.fedoraproject.org/tests/scap-security-guide/pull-request/29
|
@ComplianceAsCode/oracle-maintainers PTAL |
jan-cerny
added
RHEL7
|
@jan-cerny @freddieRv is the only member of oracle-maintainers and I think he cannot approve his own PR. |
This rule implements the new DISA STIG requirements OL07-00-040712, OL08-00-040342, RHEL-07-040712, and RHEL-08-040342 Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com> Signed-off-by: Federico Ramírez <federico.r.ramirez@oracle.com>
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com> Signed-off-by: Federico Ramírez <federico.r.ramirez@oracle.com>
Add a warning about the missing remediations for rule sshd_use_approved_kex_ordered_stig for OL8 and RHEL8. The remediation would require modifying the crypto-policies files, which might be too disruptive. Signed-off-by: Federico Ramirez <federico.r.ramirez@oracle.com>
freddieRv
force-pushed
the
sshd_kex_fips
branch
from
6e792b1
to
9eec8f4
Compare
|
Code Climate has analyzed commit 9eec8f4 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 49.5% (0.0% change). View more on Code Climate. |
|
Overriding and merging, since Freddie is the only member of Oracle maintainers |
Description:
Rationale: