Drop hmac-ripemd160 sshd mac from strong MACs list #10739
Changes from all commits
c970633
65d2bc4
61190c3
40cf036
1df74f1
7db8bb6
eb140b8
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # platform = multi_platform_all | ||
| # reboot = false | ||
| # strategy = restrict | ||
| # complexity = low | ||
| # disruption = low | ||
| {{{ ansible_instantiate_variables("sshd_strong_macs") }}} | ||
|
|
||
| {{{ ansible_sshd_set(parameter="MACs", value="{{ sshd_strong_macs }}") }}} |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,6 @@ | ||
| # platform = multi_platform_all | ||
|
|
||
| {{{ bash_sshd_config_set(parameter="MACs", value="[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}} | ||
| {{{ bash_instantiate_variables("sshd_strong_macs") }}} | ||
|
Collaborator
When you start using a variable, you should also change the corresponding rule.yml file, otherwise, depending on the variable setting, the remediations will be misaligned with the rule description and rationale.
Contributor
Author
Should be covered in 40cf036
||
|
|
||
| {{{ bash_replace_or_append('/etc/ssh/sshd_config', '^MACs', "$sshd_strong_macs", '%s %s') }}} | ||
|
|
||
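Review bot: the last added line replaces bash_sshd_config_set with bash_replace_or_append keyed on '^MACs', which only matches an unindented, exact-case `MACs` at the start of a line; the OVAL pattern in this same PR matches the keyword case-insensitively and allows leading whitespace, so an existing `macs ...` line is picked up by the check but not rewritten here, leaving it in place with a second `MACs` line appended. Keeping bash_sshd_config_set with `$sshd_strong_macs` as the value, mirroring what the Ansible remediation does with ansible_sshd_set, would keep the two remediations consistent.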
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,70 @@ | ||
| {{{ oval_sshd_config(parameter="MACs", value="((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|hmac-ripemd160),?)+") }}} | ||
| <def-group> | ||
| <definition class="compliance" id="sshd_use_strong_macs" version="1"> | ||
|
Collaborator
In Bash and Ansible you use the macros but in OVAL you change away from macros. What is the reason for this change?
Contributor
Author
Couldn't find a nice way to transform the comma-separated list into a pipe-separated list so I could directly use the macro, and it didn't feel right to transform the macro that is used in other places.
Contributor
I think with jinja you can just call
Contributor
nvm, I think it won't work: https://jinja.palletsprojects.com/en/3.1.x/templates/#jinja-filters.replace
Contributor
maybe with join:
Contributor
Did you take a look at the above?
Contributor
Author
Yes, I did, but just getting a bar-separated list doesn't get me much further, since there is a need for many more changes, which I am afraid would cause much more noise in the macros, so I decided it isn't worth it at this stage.
||
| {{{ oval_metadata("Ensure only strong MAC algorithms are used") }}} | ||
| <criteria operator="AND"> | ||
| <criteria comment="SSH is configured correctly or is not installed" | ||
| operator="OR"> | ||
| <criteria comment="sshd is not installed" operator="AND"> | ||
| <extend_definition comment="sshd is not required or requirement is unset" | ||
| definition_ref="sshd_not_required_or_unset" /> | ||
| {{% if product in ['opensuse', 'sle12', 'sle15'] %}} | ||
| <extend_definition comment="package openssh removed" | ||
| definition_ref="package_openssh_removed" /> | ||
| {{% else %}} | ||
| <extend_definition comment="package openssh-server removed" | ||
| definition_ref="package_openssh-server_removed" /> | ||
| {{% endif %}} | ||
| </criteria> | ||
| <criteria comment="sshd is installed and configured" operator="AND"> | ||
| <extend_definition comment="sshd is required or requirement is unset" | ||
| definition_ref="sshd_required_or_unset" /> | ||
| {{% if product in ['opensuse', 'sle12', 'sle15'] %}} | ||
| <extend_definition comment="package openssh installed" | ||
| definition_ref="package_openssh_installed" /> | ||
| {{% else %}} | ||
| <extend_definition comment="package openssh-server installed" | ||
| definition_ref="package_openssh-server_installed" /> | ||
| {{% endif %}} | ||
| <criterion comment="Check MACs in /etc/ssh/sshd_config" | ||
| test_ref="test_sshd_use_strong_macs" /> | ||
| </criteria> | ||
| </criteria> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <ind:variable_test check="at least one" | ||
| comment="tests the value of MACs setting in the /etc/ssh/sshd_config file" | ||
| id="test_sshd_use_strong_macs" version="1"> | ||
| <ind:object object_ref="obj_sshd_use_strong_macs" /> | ||
| <ind:state state_ref="ste_sshd_use_strong_macs" /> | ||
| </ind:variable_test> | ||
|
|
||
| <ind:variable_object id="obj_sshd_use_strong_macs" version="1"> | ||
| <ind:var_ref>var_sshd_config_strong_macs</ind:var_ref> | ||
| </ind:variable_object> | ||
|
|
||
| <ind:variable_state comment="strong macs" id="ste_sshd_use_strong_macs" version="1"> | ||
| <ind:value operation="equals" datatype="string" var_ref="var_sshd_strong_macs" var_check="at least one" /> | ||
| </ind:variable_state> | ||
|
|
||
| <ind:textfilecontent54_object id="obj_sshd_config_strong_macs" version="1"> | ||
| <ind:filepath>/etc/ssh/sshd_config</ind:filepath> | ||
| <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$</ind:pattern> | ||
| <ind:instance datatype="int">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| <local_variable id="var_sshd_config_strong_macs" datatype="string" version="1" comment="MACs values splitted on comma"> | ||
| <split delimiter=","> | ||
| <object_component item_field="subexpression" object_ref="obj_sshd_config_strong_macs" /> | ||
| </split> | ||
| </local_variable> | ||
|
|
||
| <local_variable id="var_sshd_strong_macs" datatype="string" version="1" comment="strong MACs values splitted on comma"> | ||
| <split delimiter=","> | ||
| <variable_component var_ref="sshd_strong_macs" /> | ||
| </split> | ||
| </local_variable> | ||
| <external_variable comment="SSH MAC algorithms considered strong" datatype="string" id="sshd_strong_macs" version="1" /> | ||
| </def-group> | ||
|
|
||
|
|
||
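Review bot: the new variable_test is weaker than the oval_sshd_config line it removes. `<ind:variable_test check="at least one"` with the state's `var_check="at least one"` passes as soon as any one entry of the configured MACs list equals any entry of sshd_strong_macs, so `MACs hmac-sha2-256,hmac-md5` satisfies the test even though the ocil text says the output should contain only strong MACs; the removed regex `((...),?)+` anchored the whole value to the allowed names. Setting `check="all"` on the variable_test (every configured MAC must match at least one strong value) restores that meaning. Two smaller points in the same region: the comments on both local_variable elements say "splitted", and `[\w,-@]` in the textfilecontent54 pattern is a character range from ',' to '@' that happens to include '-', '.' and the digits; writing the intended characters explicitly would make that clearer.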
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,7 +8,7 @@ description: |- | |
| Limit the MACs to strong hash algorithms. | ||
| The following line in <tt>/etc/ssh/sshd_config</tt> demonstrates use | ||
| of those MACs: | ||
| <pre>MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160</pre> | ||
| <pre>MACs {{{ xccdf_value("sshd_strong_macs") }}}</pre> | ||
|
|
||
| rationale: |- | ||
| MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase | ||
|
|
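Review bot: the rationale kept as context at the end of this hunk still justifies the rule only in terms of MD5 and 96-bit MACs, while this PR drops hmac-ripemd160 from several variable options; the rationale should also state why that algorithm is no longer considered strong, otherwise the description now rendered from `{{{ xccdf_value("sshd_strong_macs") }}}` and the rationale text will not agree on what makes a MAC weak.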
@@ -36,4 +36,4 @@ ocil: |- | |
| MACs are in use, run the following command: | ||
| <pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre> | ||
| The output should contain only those MACs which are strong, namely, | ||
| [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 hash functions. | ||
| {{{ xccdf_value("sshd_strong_macs") }}} hash functions. | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'SSH Strong KEX by FIPS' | ||
|
|
||
| description: "Specify the FIPS approved MACs (Message Authentication Code) algorithms\n\tthat are used for data integrity protection by the SSH server." | ||
|
|
||
| type: string | ||
|
|
||
| operator: equals | ||
|
|
||
| interactive: false | ||
|
|
||
| options: | ||
| default: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 | ||
| cis_sle12: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 | ||
| cis_sle15: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256 | ||
| cis_ubuntu2204: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256 |
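Review bot: the `title:` line reads 'SSH Strong KEX by FIPS', but the description and every option in this file hold MAC algorithms, not key exchange algorithms; the title looks copied from the KEX variable and should say MACs. In the description, the `\n\t` inside the double-quoted YAML scalar is an escape sequence, so the rendered text will contain a newline followed by a literal tab; a single space is what is wanted there.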
The rule `sshd_use_strong_macs` is used also in multiple other profiles in other products. You should explicitly assign the value of the new `sshd_strong_macs` variable in all the controls and profile files where the rule `sshd_use_strong_macs` is selected.
Did relevant changes in 40cf036, but I guess that will need extra review from @ComplianceAsCode/oracle-maintainers, @ComplianceAsCode/red-hatters and @ComplianceAsCode/ubuntu-maintainers if I made the right assumptions.
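As an added example, not part of this PR or of the ComplianceAsCode project, the Python below models the comparison the new OVAL definition performs: the first uncommented MACs line is located with the PR's textfilecontent54 pattern (rewritten with Python's scoped `(?i:...)` syntax, because `re` does not accept `(?i)...(?-i)`), split on commas like the OVAL `<split>`, and compared against the strong list once with the PR's "at least one" test semantics and once with "all". The strong list is the cis_sle15 option value spelled with the full OpenSSH names from the removed OVAL regex, and the sshd_config snippets are constructed samples.

```python
import re
from typing import List, Optional

# PR pattern:  ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$
# Python cannot switch flags off mid-pattern, so (?i:MACs) is used instead, and
# [ \t] replaces [\s] so that '^' cannot swallow preceding blank lines under
# re.MULTILINE.  The PR's class [\w,-@] is the range ',' .. '@', which happens
# to cover '-', '.' and the digits; the explicit class below matches the same
# algorithm names.
MACS_LINE = re.compile(r"^[ \t]*(?i:MACs)[ \t]+([\w.@,-]+)[ \t]*(?:#.*)?$", re.MULTILINE)

# cis_sle15 option value from the PR, using the openssh.com names from the
# removed oval_sshd_config regex (no hmac-ripemd160).
STRONG_MACS = (
    "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
).split(",")


def configured_macs(sshd_config: str) -> Optional[List[str]]:
    """Instance 1 of the pattern, split on ',' like var_sshd_config_strong_macs.
    Returns None when no MACs line exists (the OVAL object does not exist)."""
    match = MACS_LINE.search(sshd_config)
    if match is None:
        return None
    return match.group(1).split(",")


def passes_at_least_one(sshd_config: str, strong: List[str] = STRONG_MACS) -> bool:
    """Mirrors the PR: variable_test check="at least one" with a state whose
    value must equal at least one strong MAC.  One strong entry is enough."""
    macs = configured_macs(sshd_config)
    return macs is not None and any(m in strong for m in macs)


def passes_all(sshd_config: str, strong: List[str] = STRONG_MACS) -> bool:
    """Stricter variant: variable_test check="all", so every configured MAC
    must be in the strong list, matching the ocil wording 'only strong MACs'."""
    macs = configured_macs(sshd_config)
    return macs is not None and all(m in strong for m in macs)


# Constructed sshd_config snippets (not taken from any real host).
SAMPLE_STRONG = (
    "# constructed sample; a trailing comment is allowed by the pattern\n"
    "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512  # only strong MACs\n"
)
SAMPLE_MIXED = (
    "# constructed sample; lowercase keyword, one strong MAC and one weak one\n"
    "macs hmac-sha2-256,hmac-md5\n"
)
SAMPLE_COMMENTED = "#MACs hmac-md5\nPort 22\n"  # constructed; no active MACs line

if __name__ == "__main__":
    for name, cfg in [("strong", SAMPLE_STRONG), ("mixed", SAMPLE_MIXED),
                      ("commented", SAMPLE_COMMENTED)]:
        print(f"{name:10s} configured={configured_macs(cfg)} "
              f"at_least_one={passes_at_least_one(cfg)} all={passes_all(cfg)}")
```

The mixed sample is the case that matters for the review: it is accepted under the PR's "at least one" semantics and rejected under "all", which is the behaviour the old anchored regex and the ocil text describe.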