
Update ssh stig HMACS and Ciphers allowed in OL8 STIG #10920

Merged

Conversation

Xeicker
Contributor

@Xeicker Xeicker commented Jul 27, 2023

Description:

  • Update HMAC algorithms selection for OL8 STIG
  • Add new cipher selection in sshd_approved_ciphers, using a similar approach to the one taken for HMACs
  • Apply this new selection in OL8 STIG

Rationale:

  • This is to keep the OL8 STIG up to date with DISA's V1R7

Note: The Cipher update also applies to RHEL8, let me know if you want me to apply it there also
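As an added example (my code, not part of this PR or the ComplianceAsCode project), a checker for the two crypto-policy back-end files these rules describe: it pulls the MACs (or Ciphers) list out of `MACs ...` lines in the client-style openssh.config and out of the `-oMACs=...` option in the server-style opensshserver.config, skips commented-out lines, and compares the result with an approved set. The file contents and the approved set are constructed samples; the MAC list is the one quoted in the existing rule text, not the new DISA V1R7 selection this PR reads from a variable.

```python
import re

# Constructed sample approved set: the MAC list quoted in the existing rule
# text (not the new DISA V1R7 selection, which this PR reads from a variable).
APPROVED_MACS = {
    "hmac-sha2-512", "hmac-sha2-256",
    "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
}

# Constructed sample of /etc/crypto-policies/back-ends/openssh.config (client).
OPENSSH_CONF = """\
# Client policy (constructed sample)
Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""

# Constructed sample of /etc/crypto-policies/back-ends/opensshserver.config:
# the server file packs -oKey=value options into one CRYPTO_POLICY line.
OPENSSHSERVER_CONF = """\
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr -oMACs=hmac-sha2-512,hmac-sha2-256,hmac-md5 -oKexAlgorithms=curve25519-sha256'
"""


def configured_algorithms(text, key, server_style):
    """Return the comma-separated list configured for `key` (e.g. "MACs").
    Keys match case-insensitively (like the OCIL's `grep -i`); commented-out
    lines are ignored, since the rule requires the line not be commented out."""
    if server_style:
        pattern = re.compile(r"-o" + re.escape(key) + r"=([^\s']+)", re.I)
    else:
        pattern = re.compile(r"^\s*" + re.escape(key) + r"\s+(\S+)", re.I)
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = pattern.search(line)
        if m:
            found.extend(m.group(1).split(","))
    return found


def check_algorithms(text, key, server_style, approved):
    """Return (ok, unapproved): ok only if `key` is set and every configured
    algorithm is in the approved set; a missing or commented-out line fails."""
    configured = configured_algorithms(text, key, server_style)
    unapproved = sorted(set(configured) - set(approved))
    return (bool(configured) and not unapproved, unapproved)
```

The same two functions cover the Ciphers check the PR adds: pass `"Ciphers"` as the key with the approved cipher set.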

@Xeicker Xeicker requested review from a team as code owners July 27, 2023 23:51
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 27, 2023

openshift-ci bot commented Jul 27, 2023

Hi @Xeicker. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Jul 27, 2023
@Xeicker Xeicker marked this pull request as draft July 27, 2023 23:51

github-actions bot commented Jul 27, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -10,7 +10,7 @@
 To check that Crypto Policies settings are configured correctly, ensure that
 /etc/crypto-policies/back-ends/openssh.config contains the following
 line and is not commented out:
-MACs hmac-sha2-512,hmac-sha2-256
+MACs 'xccdf_org.ssgproject.content_value_sshd_approved_macs'
 
 [warning]:
 The system needs to be rebooted for these changes to take effect.
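Review bot: the rule description now shows the variable id 'xccdf_org.ssgproject.content_value_sshd_approved_macs' in place of the literal MAC list, so the rendered guide depends on that variable being substituted at build time and this diff no longer shows which algorithms the OL8 STIG actually selects; please confirm the built guide renders the resolved list and state the new OL8 STIG value of sshd_approved_macs in the PR description so reviewers can compare it with DISA V1R7.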

OCIL for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' differs.
--- ocil:ssg-harden_sshd_macs_openssh_conf_crypto_policy_ocil:questionnaire:1
+++ ocil:ssg-harden_sshd_macs_openssh_conf_crypto_policy_ocil:questionnaire:1
@@ -1,6 +1,6 @@
 To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
 $ grep -i macs /etc/crypto-policies/back-ends/openssh.config
 and verify that the line matches:
-MACs hmac-sha2-512,hmac-sha2-256
+MACs 
       Is it the case that Crypto Policy for OpenSSH client is not configured correctly?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
@@ -10,7 +10,7 @@
 To check that Crypto Policies settings are configured correctly, ensure that
 /etc/crypto-policies/back-ends/opensshserver.config contains the following
 text and is not commented out:
--oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+-oMACS='xccdf_org.ssgproject.content_value_sshd_approved_macs'
 
 [warning]:
 The system needs to be rebooted for these changes to take effect.
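Review bot: the description keeps `-oMACS=` (capital S) while the OCIL for this rule greps for `-oMACs=` with a case-sensitive `grep -Po`; the two should agree on the spelling that appears in opensshserver.config, or the OCIL pattern should match case-insensitively, otherwise an auditor following the description literally may fail the grep. The variable substitution itself mirrors the client rule and looks right.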

OCIL for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' differs.
--- ocil:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy_ocil:questionnaire:1
+++ ocil:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy_ocil:questionnaire:1
@@ -1,6 +1,6 @@
 To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
 $ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
 and verify that the line matches:
--oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+-oMACS=
       Is it the case that Crypto Policy for OpenSSH Server is not configured correctly?
       

@mildas
Contributor

mildas commented Jul 28, 2023

/packit retest-failed


@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Aug 5, 2023
@marcusburghardt marcusburghardt added Oracle Linux Oracle Linux product related. STIG STIG Benchmark related. labels Aug 7, 2023
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Update tests in harden_sshd_macs_openssh_conf_crypto_policy

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Update harden_sshd_ciphers_opensshserver_conf_crypto_policy tests

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Aug 7, 2023
@Xeicker Xeicker marked this pull request as ready for review August 7, 2023 16:58
@Xeicker Xeicker changed the title WIP: Update ssh stig HMACS and Ciphers allowed in OL8 STIG Update ssh stig HMACS and Ciphers allowed in OL8 STIG Aug 7, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 7, 2023

codeclimate bot commented Aug 7, 2023

Code Climate has analyzed commit f873f68 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).

View more on Code Climate.

Contributor

@freddieRv freddieRv left a comment


Changes LGTM. Thanks for the efforts @Xeicker

@marcusburghardt marcusburghardt self-assigned this Aug 9, 2023
Member

@marcusburghardt marcusburghardt left a comment


Thank you @Xeicker. I will take a look at the RHEL8 STIG and likely update it there too in another PR. Thanks again for this.

@marcusburghardt marcusburghardt merged commit 443156b into ComplianceAsCode:master Aug 9, 2023
32 of 33 checks passed
@Mab879 Mab879 added this to the 0.1.70 milestone Sep 14, 2023
@Mab879 Mab879 added the Update Profile Issues or pull requests related to Profiles updates. label Oct 12, 2023
@jan-cerny jan-cerny added the RHEL9 Red Hat Enterprise Linux 9 product related. label Dec 6, 2023