
Improve sshd_use_approved_kex_ordered_stig #11053

Merged
merged 5 commits into from
Sep 18, 2023

Conversation

dodys
Contributor

@dodys dodys commented Sep 6, 2023

Description:

  • While reviewing PR Ubuntu2004 stig profile v1r9 update #10738 , I came across an issue in sshd_use_approved_kex_ordered_stig. Its OVAL wasn't checking the value against anything and tests were passing for cases that should be failing.
  • As @Xeicker suggested, I've reverted the OVAL changes as this issue was introduced in Add rules SLES-15-040450 SLES-12-030270 #10639 and fixed issues in the correct_scrambled.fail.sh test.
  • Added multi_platform_ubuntu to tests
  • Small fix on sshd_use_strong_kex variable state comment

Rationale:

  • This rule is needed for DISA STIG in different vendors.
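The defect described above, an OVAL check that confirmed a KexAlgorithms directive exists but never compared its value, is easy to see with a plain-Python model of the two checks. This is an added illustration, not ComplianceAsCode's OVAL or its test scripts; the approved algorithm list is a constructed placeholder, and the sshd_config samples are constructed as well. The strict check demonstrates why the rule is named "ordered": the same algorithms in a scrambled order must fail.

```python
"""Model of a weak vs. a strict KexAlgorithms check for sshd_config.

Added example for illustration; it is not the project's OVAL. The approved
list below is a placeholder, not the benchmark's real list.
"""
import re

# Constructed placeholder for a vendor's approved, ordered KEX list.
# The real STIG-approved algorithms and their order come from the benchmark.
APPROVED_KEX_ORDERED = [
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
]


def kex_algorithms(config_text):
    """Return the value of the first active KexAlgorithms directive as a list.

    sshd applies the first occurrence of a keyword and ignores later ones,
    so the first uncommented directive is the effective one. Returns None
    when no active directive is present.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"(?i)^kexalgorithms\s+(\S+)", line)
        if match:
            # A value starting with '+', '-' or '^' edits the default set
            # rather than replacing it; it will never equal the approved list,
            # so the strict check below rejects it, which is the safe outcome.
            return match.group(1).split(",")
    return None


def check_unordered(config_text):
    """Weak check, like the regressed OVAL: passes if a directive exists at all."""
    return kex_algorithms(config_text) is not None


def check_ordered(config_text, approved=APPROVED_KEX_ORDERED):
    """Strict check: the directive must be present and equal the approved list, in order."""
    return kex_algorithms(config_text) == list(approved)


# Constructed sshd_config fragments covering the cases the tests should exercise.
CORRECT = (
    "Port 22\n"
    "KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521\n"
)
SCRAMBLED = (
    "KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp256,ecdh-sha2-nistp384\n"
)
EXTRA = (
    "KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group14-sha1\n"
)
MISSING = "Port 22\n# KexAlgorithms ecdh-sha2-nistp256\n"


if __name__ == "__main__":
    for name, cfg in [("correct", CORRECT), ("scrambled", SCRAMBLED),
                      ("extra", EXTRA), ("missing", MISSING)]:
        print(f"{name:10s} weak={check_unordered(cfg)!s:5s} strict={check_ordered(cfg)}")
```

The scrambled sample is the interesting row: the weak check reports it as compliant, which is exactly the state the PR description reports for the `correct_scrambled.fail.sh` test before the OVAL was reverted. Only the strict, order-sensitive comparison distinguishes it from the correct configuration.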

@dodys dodys requested review from a team as code owners September 6, 2023 18:27
@dodys dodys added STIG STIG Benchmark related. enhancement General enhancements to the project. labels Sep 6, 2023
@codeclimate

codeclimate bot commented Sep 7, 2023

Code Climate has analyzed commit 12df498 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.8% (0.0% change).


Contributor

@freddieRv freddieRv left a comment

Changes LGTM.

Thanks for the efforts!

Member

@marcusburghardt marcusburghardt left a comment

I noticed the remediations are not enabled for RHEL 8 while the assessment is. I believe this is intentional but I will take a look to confirm. In any case this doesn't block the PR.

@dodys
Contributor Author

dodys commented Sep 15, 2023

> I noticed the remediations are not enabled for RHEL 8 while the assessment is. I believe this is intentional but I will take a look to confirm. In any case this doesn't block the PR.

In rule.yml you have this entry:

     {{% if product in ['ol8', 'rhel8']  %}}
     - general: |-
         This rule doesn't come with a remediation, automatically changing the crypto-policies may be too disruptive

@marcusburghardt
Member

marcusburghardt commented

> > I noticed the remediations are not enabled for RHEL 8 while the assessment is. I believe this is intentional but I will take a look to confirm. In any case this doesn't block the PR.
>
> In rule.yml you have this entry:
>
>      {{% if product in ['ol8', 'rhel8']  %}}
>      - general: |-
>          This rule doesn't come with a remediation, automatically changing the crypto-policies may be too disruptive

Perfect. I overlooked this warning. Thanks

@marcusburghardt marcusburghardt merged commit fe26446 into ComplianceAsCode:master Sep 18, 2023
36 of 38 checks passed
@marcusburghardt marcusburghardt self-assigned this Sep 18, 2023
@marcusburghardt marcusburghardt added this to the 0.1.70 milestone Sep 18, 2023
@Mab879 Mab879 added the OVAL OVAL update. Related to the systems assessments. label Sep 18, 2023
@dodys dodys deleted the sshd_strong_kex branch October 10, 2023 09:27