Update ssh stig HMACS and Ciphers allowed in OL8 STIG #10920
Hi @Xeicker. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -10,7 +10,7 @@
To check that Crypto Policies settings are configured correctly, ensure that
/etc/crypto-policies/back-ends/openssh.config contains the following
line and is not commented out:
-MACs hmac-sha2-512,hmac-sha2-256
+MACs 'xccdf_org.ssgproject.content_value_sshd_approved_macs'
[warning]:
The system needs to be rebooted for these changes to take effect.
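Review bot: the client rule text now substitutes the same variable, xccdf_org.ssgproject.content_value_sshd_approved_macs, that the server rule uses, while the removed line listed only hmac-sha2-512,hmac-sha2-256 for openssh.config and the server text lists a longer set including the -etm@openssh.com variants. Please confirm that the OL8 value of sshd_approved_macs is intended for both openssh.config and opensshserver.config, since the client file previously did not carry the -etm MACs.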
OCIL for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' differs.
--- ocil:ssg-harden_sshd_macs_openssh_conf_crypto_policy_ocil:questionnaire:1
+++ ocil:ssg-harden_sshd_macs_openssh_conf_crypto_policy_ocil:questionnaire:1
@@ -1,6 +1,6 @@
To verify if the OpenSSH client uses defined MACs in the Crypto Policy, run:
$ grep -i macs /etc/crypto-policies/back-ends/openssh.config
and verify that the line matches:
-MACs hmac-sha2-512,hmac-sha2-256
+MACs
Is it the case that Crypto Policy for OpenSSH client is not configured correctly?
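Review bot: the questionnaire line now reads just "MACs" with nothing after it, so a reader is told to verify that the grep output matches an empty list. The variable that is rendered in the rule description does not appear in this OCIL text; check whether the OCIL template can carry the same variable substitution (or a literal list), otherwise the manual check is unusable.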
New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
@@ -10,7 +10,7 @@
To check that Crypto Policies settings are configured correctly, ensure that
/etc/crypto-policies/back-ends/opensshserver.config contains the following
text and is not commented out:
--oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+-oMACS='xccdf_org.ssgproject.content_value_sshd_approved_macs'
[warning]:
The system needs to be rebooted for these changes to take effect.
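Review bot: the rendered text is -oMACS='xccdf_org.ssgproject.content_value_sshd_approved_macs' with single quotes around the substituted value, whereas the removed line had the MAC list without quotes. If those quotes come from the rule template rather than from the diff renderer, the description will tell readers to look for a quoted value that the removed, literal text never had; worth checking in the built datastream before merging.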
OCIL for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' differs.
--- ocil:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy_ocil:questionnaire:1
+++ ocil:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy_ocil:questionnaire:1
@@ -1,6 +1,6 @@
To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
and verify that the line matches:
--oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+-oMACS=
Is it the case that Crypto Policy for OpenSSH Server is not configured correctly?
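Review bot: the expected-output line now ends with "-oMACS=" followed by nothing, so the verification step has no value to compare against; the variable rendered in the rule description is missing here as well. While this text is being touched, note that the grep pattern is case-sensitive for "-oMACs=" but the line the reader is asked to match says "-oMACS=" (capital S); aligning the two spellings would avoid a literal comparison that can never match.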
/packit retest-failed
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Update tests in harden_sshd_macs_openssh_conf_crypto_policy
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Update harden_sshd_ciphers_opensshserver_conf_crypto_policy tests
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Force-pushed from ba8bb3a to f873f68.
Code Climate has analyzed commit f873f68 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.2% (0.0% change). View more on Code Climate.
Changes LGTM. Thanks for the efforts @Xeicker
Thank you @Xeicker. I will take a look at the RHEL8 STIG and likely update there too in another PR. Thanks again for this.
Merged 443156b into ComplianceAsCode:master.
Description:
sshd_approved_ciphers in a similar approach as taken in HMACs
Rationale:
Note: The Cipher update also applies to RHEL8, let me know if you want me to apply it there also.
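As an added example, not code from this PR or from the ComplianceAsCode project, the following POSIX shell check does by script what the rule texts in the datastream diff ask an assessor to do by hand: it reads the active MAC list from either back-end file format (the `MACs ...` line of openssh.config and the `-oMACs=...` option of opensshserver.config), ignores commented-out lines, and reports any MAC that is not on an approved list such as the value of sshd_approved_macs. The sample files, the approved list and the function names are constructed for the stand-alone run and are not taken from the project.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code: verify that every MAC enabled in a
# crypto-policies back-end file is on an approved list (for example the value
# of the sshd_approved_macs variable). Function names are illustrative.

# Print the configured MAC list from a back-end file, or nothing if there is no
# active setting. Handles both formats the rule texts describe:
#   openssh.config:        MACs hmac-sha2-512,hmac-sha2-256
#   opensshserver.config:  ... -oMACs=hmac-sha2-512,hmac-sha2-256 ...
# Commented-out lines are skipped, and the option name is matched
# case-insensitively because the rule text spells it -oMACS= while the file
# spells it -oMACs=.
extract_macs() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n \
            -e "s/.*-o[Mm][Aa][Cc][Ss]=\([^[:space:]']*\).*/\1/p" \
            -e "s/^[[:space:]]*[Mm][Aa][Cc][Ss][[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" |
        head -n 1
}

# Return 0 when every configured MAC is in the approved list, 1 otherwise
# (also 1 when the file has no active MAC setting at all).
#   $1: path to the back-end file
#   $2: comma-separated approved MAC list
check_macs() {
    configured=$(extract_macs "$1")
    if [ -z "$configured" ]; then
        echo "$1: no active MACs setting found" >&2
        return 1
    fi
    rc=0
    for mac in $(printf '%s' "$configured" | tr ',' ' '); do
        case ",$2," in
            *",$mac,"*) ;;
            *) echo "$1: MAC not on approved list: $mac" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# --- Constructed sample input so the script runs stand-alone -------------
# Approved list constructed for this example (matches the server-side list in
# the rule text, not necessarily the project's current variable value).
APPROVED='hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'

SAMPLE_SERVER_OK=$(mktemp)
SAMPLE_SERVER_BAD=$(mktemp)
SAMPLE_CLIENT_OK=$(mktemp)
SAMPLE_COMMENTED=$(mktemp)
trap 'rm -f "$SAMPLE_SERVER_OK" "$SAMPLE_SERVER_BAD" "$SAMPLE_CLIENT_OK" "$SAMPLE_COMMENTED"' EXIT

# A commented-out old line followed by an active, compliant setting.
cat > "$SAMPLE_SERVER_OK" <<'EOF'
# CRYPTO_POLICY='-oCiphers=aes128-cbc -oMACs=hmac-sha1'
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com -oMACs=hmac-sha2-512,hmac-sha2-256'
EOF

# hmac-sha1 is not on the approved list, so this one must fail.
cat > "$SAMPLE_SERVER_BAD" <<'EOF'
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com -oMACs=hmac-sha2-512,hmac-sha1'
EOF

# Client-side format as in openssh.config.
cat > "$SAMPLE_CLIENT_OK" <<'EOF'
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512,hmac-sha2-256
EOF

# Only a commented-out setting: must be reported as not configured.
cat > "$SAMPLE_COMMENTED" <<'EOF'
#MACs hmac-sha2-512,hmac-sha2-256
EOF

for f in "$SAMPLE_SERVER_OK" "$SAMPLE_SERVER_BAD" "$SAMPLE_CLIENT_OK" "$SAMPLE_COMMENTED"; do
    if check_macs "$f" "$APPROVED"; then
        echo "$f: PASS"
    else
        echo "$f: FAIL"
    fi
done
```

Pointing `check_macs` at the real `/etc/crypto-policies/back-ends/openssh.config` or `opensshserver.config` with the approved list taken from the tailoring value gives a quick local confirmation of what the OCIL questionnaire asks, including the "not commented out" condition that a plain `grep -i macs` does not enforce.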