Introduce new rule sshd_use_approved_kex_ordered_stig #10103
Conversation
Please double-check the CCEs.
cce CCE-83280-8 is included in files:
- linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml
- linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
cce CCE-83636-1 is included in files:
- linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml
- linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
I took the first one from shared/references/cce-redhat-avail.txt and assigned it to this new rule.
linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml
linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh
The reason for the Automatus failure on CS9 is that this rule is only for RHEL 7 and 8.
When I run the tests on RHEL 7 locally, they pass:
[jcerny@thinkpad scap-security-guide{pr/10103}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 sshd_use_approved_kex_ordered_stig
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-01-25-1352/test_suite.log
WARNING - Script default_fips.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_reduced_list.pass.sh using profile (all) OK
INFO - Script correct_scrambled.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script no_parameters.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/10103}]$ python3 tests/automatus.py rule --remediate-using ansible --libvirt qemu:///system ssgts_rhel7 sshd_use_approved_kex_ordered_stig
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-01-25-1402/test_suite.log
WARNING - Script default_fips.pass.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig
INFO - Script comment.fail.sh using profile (all) OK
INFO - Script correct_reduced_list.pass.sh using profile (all) OK
INFO - Script correct_scrambled.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script no_parameters.fail.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
The failure in the CentOS 7 testing_farm job is in the test Sanity/machine-hardening/stig,
and the reason is that this new rule depends on "installed OS is FIPS certified"; therefore it will never pass on CentOS 7, which isn't FIPS certified. I think we need to update the blocklist in https://src.fedoraproject.org/tests/scap-security-guide/blob/main/f/Sanity/machine-hardening/runtest.sh#_27. I have created a PR for it: https://src.fedoraproject.org/tests/scap-security-guide/pull-request/29
@ComplianceAsCode/oracle-maintainers PTAL
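The pass/fail scenarios in the Automatus run above (a reduced but correctly ordered list passes; a scrambled, wrong, empty, commented-out or missing directive fails) amount to an "in-order subset of an approved list" check. The following is an added example of that check, not the project's own bash/shared.sh; the approved list it uses is a constructed placeholder, not the STIG's actual list, and the sample configs are constructed too.

```shell
#!/bin/sh
# Added example (not the project's bash/shared.sh): verify that the KexAlgorithms
# directive in an sshd_config-style file is an in-order subset of an approved,
# ordered list. APPROVED is a constructed placeholder, not the STIG's real list.
APPROVED="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256"

# check_kex_ordered FILE: returns 0 when compliant, 1 otherwise.
# sshd honours the first occurrence of a keyword, so only that line is examined.
# OpenSSH's +/-/^ list prefixes are not handled here.
check_kex_ordered() {
    line=$(grep -iE '^[[:space:]]*KexAlgorithms([[:space:]]|$)' "$1" | head -n 1)
    [ -n "$line" ] || return 1                      # line_not_there, comment
    value=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$value" ] || return 1                     # no_parameters
    rest=",$APPROVED,"                              # approved entries not yet consumed
    oldifs=$IFS; IFS=','
    for alg in $value; do
        case "$rest" in
            *",$alg,"*) rest=",${rest#*,"$alg",}" ;;  # consume up to and including alg
            *) IFS=$oldifs; return 1 ;;             # unknown (wrong_value) or out of order (correct_scrambled)
        esac
    done
    IFS=$oldifs
    return 0
}

# Constructed sample configs, one per scenario name from the Automatus run.
SAMPLES=$(mktemp -d)
printf 'KexAlgorithms %s\n' "$APPROVED"                          > "$SAMPLES/correct_value"
printf 'KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp521\n' > "$SAMPLES/correct_reduced_list"
printf 'KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256\n' > "$SAMPLES/correct_scrambled"
printf 'KexAlgorithms diffie-hellman-group14-sha1\n'           > "$SAMPLES/wrong_value"
printf 'KexAlgorithms\n'                                       > "$SAMPLES/no_parameters"
printf '# KexAlgorithms %s\n' "$APPROVED"                       > "$SAMPLES/comment"
printf 'Port 22\n'                                             > "$SAMPLES/line_not_there"

for f in "$SAMPLES"/*; do
    if check_kex_ordered "$f"; then echo "$(basename "$f"): pass"; else echo "$(basename "$f"): fail"; fi
done
```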
@jan-cerny @freddieRv is the only member of oracle-maintainers and I think he cannot approve his own PR.
This LGTM.
This rule implements the new DISA STIG requirements OL07-00-040712, OL08-00-040342, RHEL-07-040712, and RHEL-08-040342
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Signed-off-by: Federico Ramírez <federico.r.ramirez@oracle.com>
Add a warning about the missing remediations for rule sshd_use_approved_kex_ordered_stig for OL8 and RHEL8. The remediation would require modifying the crypto-policies files, which might be too disruptive.
Signed-off-by: Federico Ramirez <federico.r.ramirez@oracle.com>
Code Climate has analyzed commit 9eec8f4 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 49.5% (0.0% change).
Overriding and merging, since Freddie is the only member of Oracle maintainers