
Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression #6453

Merged
merged 2 commits into from Mar 31, 2021

Conversation

ggbecker
Member

@ggbecker ggbecker commented Dec 3, 2020

Description:

  • Add extended definition to check for OpenSSH 7.4 or higher in sshd_disable_compression

Rationale:

  • The pre-authentication vulnerability was fixed in OpenSSH 7.4, so the SSH configuration represented by this rule doesn't make sense if the version is equal to or higher than that.

  • Changelog reference:

 * sshd(8): Remove support for pre-authentication compression.
   Doing compression early in the protocol probably seemed reasonable
   in the 1990s, but today it's clearly a bad idea in terms of both
   cryptography (cf. multiple compression oracle attacks in TLS) and
   attack surface. Pre-auth compression support has been disabled by
   default for >10 years. Support remains in the client.

Additional Information
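To make the rationale concrete, here is an added example (written for this page; it is not the PR's OVAL nor any ComplianceAsCode code) that models the rule's decision in Python: on OpenSSH 7.4 or newer the rule passes regardless of the Compression directive, and on older versions it inspects sshd_config. It assumes the rule accepts `Compression no` or `Compression delayed`, sshd_config first-match semantics for the directive, and the pre-7.4 documented default of `delayed` when the directive is absent; the sample inputs are constructed.

```python
"""Model of sshd_disable_compression with the OpenSSH >= 7.4 short-circuit (added example)."""
import re
from typing import Optional, Tuple

ACCEPTED = {"no", "delayed"}   # assumption: values the rule treats as compliant
FIX_VERSION = (7, 4)           # pre-auth compression removed from sshd in 7.4


def parse_openssh_version(banner: str) -> Tuple[int, int]:
    """Extract (major, minor) from strings such as 'OpenSSH_6.6.1p1' or 'OpenSSH_7.4p1'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"not an OpenSSH version string: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def effective_compression(sshd_config: str) -> Optional[str]:
    """Return the effective Compression value (lower-cased) or None if unset.

    sshd takes the first value it reads for a keyword, so the first match wins.
    Compression is not a Match-block keyword, so parsing stops at the first 'Match'.
    Comments are stripped; keywords are case-insensitive; 'Key = value' is accepted.
    """
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "compression":
            return value.lower()
    return None


def rule_applies(version: Tuple[int, int]) -> bool:
    """The extended definition from this PR: OpenSSH >= 7.4 makes the rule not applicable."""
    return version < FIX_VERSION


def evaluate(banner: str, sshd_config: str) -> Tuple[bool, str]:
    """Return (passes, reason) for the sshd_disable_compression rule."""
    version = parse_openssh_version(banner)
    if not rule_applies(version):
        return True, f"OpenSSH {version[0]}.{version[1]} >= 7.4: pre-auth compression removed upstream"
    value = effective_compression(sshd_config)
    if value is None:
        value = "delayed"   # assumption: documented default for sshd before 7.4
    if value in ACCEPTED:
        return True, f"Compression {value} does not allow pre-authentication compression"
    return False, f"Compression {value} allows pre-authentication compression"


if __name__ == "__main__":
    # Constructed sample: the same sshd_config evaluated under two OpenSSH versions
    for banner in ("OpenSSH_6.6.1p1", "OpenSSH_7.4p1"):
        print(banner, evaluate(banner, "Protocol 2\nCompression yes\n"))
```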

@ggbecker ggbecker added the OVAL OVAL update. Related to the systems assessments. label Dec 3, 2020
@ggbecker ggbecker added this to the 0.1.54 milestone Dec 3, 2020
@openshift-ci-robot
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Dec 3, 2020
@openscap-ci
Collaborator

openscap-ci commented Dec 3, 2020

Changes identified:
Rules:
 sshd_disable_compression


Rule sshd_disable_compression:
 New node inserted to OVAL check.

Recommended tests to execute:
 build_product rhel8
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-rhel8-ds.xml sshd_disable_compression

@vojtapolasek vojtapolasek modified the milestones: 0.1.54, 0.1.55 Jan 11, 2021
@matejak
Member

matejak commented Jan 15, 2021

This looks really great, especially the test coverage. Is there any reason for keeping it as a draft PR?

@ggbecker
Member Author

ggbecker commented Jan 15, 2021

This looks really great, especially the test coverage. Is there any reason for keeping it as a draft PR?

On my tests, the package downgrade commands were not working. I tested on RHEL7.9 and I'm not sure if it's not possible to downgrade them anymore or if I was doing something wrong.

Update1:

On a RHEL7.9 machine, the command:

yum downgrade -y openssh-6.6.1p1 openssh-clients-6.6.1p1 openssh-server-6.6.1p1

returns:

No package openssh-6.6.1p1 available.
No package openssh-clients-6.6.1p1 available.
No package openssh-server-6.6.1p1 available.

So, the downgrade test scenario should probably go away.

OpenSSH version higher than 7.4 contains the vulnerability fix for the
Compression setting and there is no option that can trigger the issue.
So any option should pass if version is higher than 7.4. Packages cannot
be downgraded and the test scenario is not reproducible anymore.
@ggbecker ggbecker marked this pull request as ready for review January 18, 2021 14:58
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jan 18, 2021
@ggbecker
Member Author

I've flipped to ready to review. The solution proposed is to remove all the fail test scenarios as we cannot reproduce them anymore because the package downgrade doesn't work anymore for recent versions of RHEL (e.g. 7.9).

@vojtapolasek vojtapolasek modified the milestones: 0.1.55, 0.1.56 Mar 8, 2021
@carlosmmatos
Contributor

/retest

@carlosmmatos carlosmmatos merged commit 09aef79 into ComplianceAsCode:master Mar 31, 2021
Successfully merging this pull request may close these issues.

sshd_disable_compression fails when set to yes on RHEL7.4+ systems
6 participants