Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update sshd crypto policy for CC #5742

Merged
merged 3 commits into from May 13, 2020
Merged

Update sshd crypto policy for CC #5742

merged 3 commits into from May 13, 2020

Conversation

vojtapolasek
Copy link
Collaborator

Description:

Add supported public key algorithms to sshd crypto-policy - rsa-sha2-256,rsa-sha2-512

Rationale:

Update supported algorithms for common criteria

@vojtapolasek vojtapolasek added this to the 0.1.50 milestone May 6, 2020
yuumasato
yuumasato reviewed May 6, 2020
View reviewed changes
linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh Outdated
@@ -1,7 +1,7 @@
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora


cp="CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384 -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'"
cp="CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384 -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-256,rsa-sha2-512'"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but..
@jjaburek @stevegrubb Can the new algorithms just be appended? Should they be in inserted in a specific position?

@stevegrubb
Copy link
Contributor

In a lot of cases, sshd/ssh uses the order given as the preferred order. So, generally you want things ordered from strongest to weakest. I don't think this particular setting matters on the server side. But it might on the client side. The safest thing to do is just go from strong to weak.

@vojtapolasek
Copy link
Collaborator Author

In a lot of cases, sshd/ssh uses the order given as the preferred order. So, generally you want things ordered from strongest to weakest. I don't think this particular setting matters on the server side. But it might on the client side. The safest thing to do is just go from strong to weak.

So dou want me to also sort ciphers etc? Cause now they are afaik not sorted from strongest to weakest. How about this?
-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ssh-rsa -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa

@mildas
Copy link
Contributor

mildas commented May 13, 2020

Changes identified:
Rule harden_sshd_crypto_policy:
 Template usage changed in OVAL check.
 Found change in bash remediation.

Recommended tests to execute:
 build_product ocp4
 test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate bash --datastream build/ssg-ocp4-ds.xml harden_sshd_crypto_policy

yuumasato
yuumasato reviewed May 13, 2020
View reviewed changes
linux_os/guide/system/software/integrity/crypto/harden_sshd_crypto_policy/bash/shared.sh
@@ -1,7 +1,6 @@
# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora


cp="CRYPTO_POLICY='-oCiphers=aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc -oMACs=hmac-sha2-256,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384 -oPubkeyAcceptedKeyTypes=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384'"
cp="CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@t8m Hi, does the order of the algorithms for opensshserver matter?

If so, can you help review order of the algorithms?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it does. I think the new order is OK.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thank you for the review.

@yuumasato yuumasato merged commit 669a9b7 into ComplianceAsCode:master May 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@t8m t8m t8m left review comments

@yuumasato yuumasato yuumasato left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.1.50
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@vojtapolasek @stevegrubb @mildas @t8m @yuumasato