
Conversation

@mrkanon
Contributor

@mrkanon mrkanon commented Apr 22, 2025

Description:

Update OVAL file and remediations of harden_sshd_ciphers/macs_opensshserver_conf_crypto_policy

Add new test to check new behavior.

It takes advantage of the fix introduced in textfilecontent54_probe, which enables correct handling of negative numbers in OpenSCAP evaluations. OpenSCAP/openscap#2210

Rationale:

Remediation scripts for the rules harden_sshd_ciphers_opensshserver_conf_crypto_policy and harden_sshd_macs_opensshserver_conf_crypto_policy do not guarantee that the configuration persists after system package updates.

Scenario to reproduce:

generate the remediation script for the STIG profile rule "harden_sshd_ciphers_opensshserver_conf_crypto_policy"
execute the remediation script on an OL8 system
call "update-crypto-policies --no-reload"

Result:

/etc/crypto-policies/back-ends/opensshserver.config is reverted to its default content

Expected result:

/etc/crypto-policies/back-ends/opensshserver.config has the set of ciphers defined in the remediation script
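As an added illustration of the mechanism this PR relies on (example code, not part of the PR or of ComplianceAsCode content): crypto-policies appends the drop-in files from /etc/crypto-policies/local.d to the back-end file it regenerates, and the loader honours the last CRYPTO_POLICY= assignment, so the helpers below (hypothetical names, constructed sample lines) pick that last assignment and merge an -oCiphers=/-oMACs= token into it, including the case where the option is the last token before the closing apostrophe. It assumes OpenSSH option values contain no whitespace, quotes, `|` or `&`.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR or of ComplianceAsCode content.
# update-crypto-policies rewrites /etc/crypto-policies/back-ends/opensshserver.config
# and appends local.d drop-ins verbatim, so two CRYPTO_POLICY= assignments in one
# file are normal and the LAST one wins. These pure string functions implement
# the line handling a persistent remediation needs, so they run offline.

# Print the last CRYPTO_POLICY='...' assignment found in $1 (a file body).
last_crypto_policy_line() {
    printf '%s\n' "$1" | grep -Eo "^[[:space:]]*CRYPTO_POLICY='[^']+'" | tail -n 1
}

# True if line $1 carries token $2 as a whole word. Apostrophes count as
# separators, so a token right before the closing quote is found, while a
# prefix such as -oCiphers=aes256-gcm@openssh.com,<more> does NOT match.
has_token() {
    case " $(printf '%s' "$1" | tr "'" ' ') " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Merge "-o$2=$3" into CRYPTO_POLICY line $1 and print the result:
#  - empty $1: emit a fresh assignment,
#  - token already present as a whole word: emit $1 unchanged,
#  - another -o$2= value present: replace it (the pattern stops at whitespace
#    AND at the apostrophe, so an option that is the last token keeps the
#    closing quote),
#  - otherwise: append the token in front of the closing apostrophe.
# Assumes option values contain no whitespace, quotes, '|' or '&'.
merge_option() {
    line=$1 opt=$2 token="-o$2=$3"
    if [ -z "$line" ]; then
        printf "CRYPTO_POLICY='%s'\n" "$token"
    elif has_token "$line" "$token"; then
        printf '%s\n' "$line"
    elif printf '%s' "$line" | grep -qF -- "-o${opt}="; then
        printf '%s\n' "$line" | sed -E "s|-o${opt}=[^[:space:]']+|${token}|"
    else
        printf '%s\n' "$line" | sed -E "s|'[[:space:]]*\$| ${token}'|"
    fi
}

# Demo on a constructed back-end file: the generated line followed by an
# older drop-in line; the drop-in is the effective one and gets the merge.
BACKEND="CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes128-ctr -oMACs=hmac-sha1 -oKexAlgorithms=curve25519-sha256'

CRYPTO_POLICY='-oKexAlgorithms=curve25519-sha256 -oMACs=hmac-sha1'"
last=$(last_crypto_policy_line "$BACKEND")
merge_option "$last" Ciphers aes256-gcm@openssh.com
```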

@openshift-ci openshift-ci bot added the needs-ok-to-test label Apr 22, 2025
@openshift-ci

openshift-ci bot commented Apr 22, 2025

Hi @mrkanon. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@github-actions

This datastream diff is auto-generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -6,27 +6,33 @@
 
 
 CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+LOCAL_CONF_DIR=/etc/crypto-policies/local.d
+LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
 correct_value="-oCiphers=${sshd_approved_ciphers}"
 
-# Test if file exists
-test -f ${CONF_FILE} || touch ${CONF_FILE}
+# Test if file exists, create default it if not
+if [[ ! -s ${CONF_FILE} ]] || ! grep -q "^\s*CRYPTO_POLICY=" ${CONF_FILE} ; then
+    update-crypto-policies --no-reload # Generate a default configuration
+fi
 
-# Ensure CRYPTO_POLICY is not commented out
-sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+# Get the last occurrence of CRYPTO_POLICY
+last_crypto_policy=$(grep -Eo "^\s*CRYPTO_POLICY='[^']+'" ${CONF_FILE} | tail -n 1)
 
-if ! grep -q "\\$correct_value" "$CONF_FILE"; then
-    # We need to get the existing value, using PCRE to maintain same regex
-    existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
+# Copy the last CRYPTO_POLICY value to the local configuration file
+if [[ -n "$last_crypto_policy" ]]; then
+    if ! grep -qe "$correct_value" <<< "$last_crypto_policy"; then
+        # If an existing -oCiphers= is found, replace it
+        # Else, append correct_value before the closing apostrophe
+        if [[ "$last_crypto_policy" == *"-oCiphers="* ]]; then
+            last_crypto_policy=$(echo "$last_crypto_policy" | sed -E "s/-oCiphers=\S+/${correct_value}/")
+        else
+            last_crypto_policy=$(echo "$last_crypto_policy" | sed -E "s/'[[:space:]]*$/ ${correct_value}'/")
+        fi
+        # Write updated line to LOCAL_CONF_FILE
+        echo -e "\n$last_crypto_policy" > "$LOCAL_CONF_FILE"
+    fi
+else
+    echo -e "\nCRYPTO_POLICY='${correct_value}'" > ${LOCAL_CONF_FILE}
+fi
 
-    if [[ ! -z ${existing_value} ]]; then
-        # replace existing_value with correct_value
-        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
-    else
-        # ***NOTE*** #
-        # This probably means this file is not here or it's been modified
-        # unintentionally.
-        # ********** #
-        # echo correct_value to end
-        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
-    fi
-fi
+update-crypto-policies --no-reload
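Review bot: the `-oCiphers=\S+` pattern in the replace branch (the `sed -E` under `if [[ "$last_crypto_policy" == *"-oCiphers="* ]]`) also consumes the closing apostrophe when the option is the last token, which is exactly the shape the append branch produces (`... ${correct_value}'`); a later run with a changed `sshd_approved_ciphers` then writes a line without its closing quote into `LOCAL_CONF_FILE`. Stop the match at quotes as well, e.g. `sed -E "s/-oCiphers=[^[:space:]']+/${correct_value}/"`. Two related points in the same block: `grep -qe "$correct_value"` treats the value as a regex and matches substrings, so a line carrying the approved list plus extra ciphers passes as correct; `grep -qF -- "$correct_value"` with a whole-token check is safer. And when that check passes nothing is written to `LOCAL_CONF_FILE`, yet the unconditional `update-crypto-policies --no-reload` at the end regenerates `CONF_FILE`; on a host where the previous remediation had edited `CONF_FILE` in place, this remediation itself reverts the setting. Base the "already correct" decision on `LOCAL_CONF_FILE` (or always write it), and mirror the Ansible variant's "Ensure local.d dir exists" task with `mkdir -p "${LOCAL_CONF_DIR}"` before the `echo`.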

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -5,9 +5,10 @@
     - always
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
-    Set facts'
-  set_fact:
-    path: /etc/crypto-policies/back-ends/opensshserver.config
+    Set relevant paths and correct value'
+  ansible.builtin.set_fact:
+    opensshserver_path: /etc/crypto-policies/back-ends/opensshserver.config
+    local_path: /etc/crypto-policies/local.d/opensshserver-ssg.config
     correct_value: -oCiphers={{ sshd_approved_ciphers }}
   tags:
   - CCE-85897-7
@@ -21,9 +22,9 @@
   - restrict_strategy
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
-    Stat'
-  stat:
-    path: '{{ path }}'
+    Ensure crypto config exists'
+  ansible.builtin.stat:
+    path: '{{ opensshserver_path }}'
     follow: true
   register: opensshserver_file
   tags:
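Review bot: the task name "Ensure crypto config exists" promises an action, but `ansible.builtin.stat` only records metadata into `opensshserver_file`; the file is actually generated by the `command` task that follows. Name this task "Stat opensshserver.config" (or similar) so the play output is not misleading.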
@@ -38,12 +39,9 @@
   - restrict_strategy
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
-    Create'
-  lineinfile:
-    path: '{{ path }}'
-    line: CRYPTO_POLICY='{{ correct_value }}'
-    create: true
-  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
+    Generate default config if missing or empty'
+  ansible.builtin.command: update-crypto-policies --no-reload
+  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size == 0
   tags:
   - CCE-85897-7
   - DISA-STIG-RHEL-08-010291
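Review bot: the `when` on `update-crypto-policies --no-reload` only covers a missing or empty file, while the Bash variant also regenerates when the file has no `CRYPTO_POLICY=` line (`! grep -q "^\s*CRYPTO_POLICY="`). Here such a file falls through to the slurp, `last_crypto_policy` becomes `''`, and the Build task then emits `CRYPTO_POLICY='{{ correct_value }}'` alone; since the last assignment wins, the effective sshd policy would carry only `-oCiphers` and lose the MACs and key-exchange settings the system policy provides. Aligning the condition with the Bash variant (regenerate whenever no `CRYPTO_POLICY=` line is present) avoids that.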
@@ -55,26 +53,11 @@
   - reboot_required
   - restrict_strategy
 
-- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
-  block:
-
-  - name: Existing value check
-    lineinfile:
-      path: '{{ path }}'
-      create: false
-      regexp: '{{ correct_value }}'
-      state: absent
-    check_mode: true
-    changed_when: false
-    register: opensshserver
-
-  - name: Update/Correct value
-    replace:
-      path: '{{ path }}'
-      regexp: (-oCiphers=\S+)
-      replace: '{{ correct_value }}'
-    when: opensshserver.found is defined and opensshserver.found != 1
-  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Read opensshserver.config content'
+  ansible.builtin.slurp:
+    src: '{{ opensshserver_path }}'
+  register: ssh_config_raw
   tags:
   - CCE-85897-7
   - DISA-STIG-RHEL-08-010291
@@ -85,3 +68,120 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Extract last CRYPTO_POLICY line'
+  ansible.builtin.set_fact:
+    last_crypto_policy: '{{ (ssh_config_raw.content | b64decode).splitlines() | select(''match'',
+      "^\s*CRYPTO_POLICY=''[^'']+''") | list | last | default('''') }}'
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Check if correct_value is present'
+  ansible.builtin.set_fact:
+    cipher_is_correct: '{{ correct_value in last_crypto_policy }}'
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Extract current Ciphers if needed'
+  ansible.builtin.set_fact:
+    existing_cipher: '{{ (last_crypto_policy | regex_findall(''(-oCiphers=\S+)'',
+      ''\1'')) | last | default('''') }}'
+  when: not cipher_is_correct and last_crypto_policy != ''
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Build full updated CRYPTO_POLICY line'
+  set_fact:
+    updated_crypto_policy: '{% if last_crypto_policy == '''' %} CRYPTO_POLICY=''{{
+      correct_value }}'' {% elif existing_cipher != '''' %} {{ last_crypto_policy
+      | regex_replace(existing_cipher, correct_value) }} {% else %} {{ last_crypto_policy[:-1]
+      ~ " " ~ correct_value ~ "''" }} {% endif %}'
+  when: not cipher_is_correct
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Ensure local.d dir exists'
+  ansible.builtin.file:
+    path: '{{ local_path | dirname }}'
+    state: directory
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Write CRYPTO_POLICY to local config'
+  ansible.builtin.lineinfile:
+    path: '{{ local_path }}'
+    line: |-
+      {{ '
+      ' ~ updated_crypto_policy }}
+    create: true
+    insertafter: EOF
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Apply updated crypto policies'
+  ansible.builtin.command: update-crypto-policies --no-reload
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
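Review bot: `updated_crypto_policy` is only set under `when: not cipher_is_correct` (task "Build full updated CRYPTO_POLICY line"), but the "Write CRYPTO_POLICY to local config" task has no `when`, so on a host whose last `CRYPTO_POLICY` line already contains `correct_value` the `lineinfile` task fails on an undefined variable. Give the write task the same condition, and reconsider what "already correct" means: `correct_value in last_crypto_policy` is a substring test (an existing value that merely starts with the approved list also counts), and if the value is present in the back-end file only because an earlier remediation edited it in place, the final `update-crypto-policies --no-reload` regenerates the file and the setting is lost, so `local_path` is the more reliable thing to check. Further points: (1) `lineinfile` receives a `line` that starts with a newline (`'\n' ~ updated_crypto_policy`), which can never equal an existing line of the file, so every run appends another copy; `ansible.builtin.copy` with `content:` mirrors the Bash variant's overwrite and is idempotent. (2) In `regex_findall('(-oCiphers=\S+)', '\1')` the filter's second positional argument is `multiline`, not a replacement group, and `\S+` also swallows the closing apostrophe when the option is the last token (the shape the append branch produces), after which `regex_replace(existing_cipher, correct_value)` drops the quote; use `-oCiphers=[^\s']+`, drop the `'\1'`, and pass `existing_cipher | regex_escape` to `regex_replace`. (3) The Build task uses bare `set_fact` while the rest of the file uses `ansible.builtin.set_fact`, and its Jinja branches leave a leading and trailing space in the rendered line; `{%-`/`-%}` or `| trim` avoids that.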

bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
@@ -6,27 +6,33 @@
 
 
 CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+LOCAL_CONF_DIR=/etc/crypto-policies/local.d
+LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
 correct_value="-oMACs=${sshd_approved_macs}"
 
-# Test if file exists
-test -f ${CONF_FILE} || touch ${CONF_FILE}
+# Test if file exists, create default it if not
+if [[ ! -s ${CONF_FILE} ]] || ! grep -q "^\s*CRYPTO_POLICY=" ${CONF_FILE} ; then
+    update-crypto-policies --no-reload # Generate a default configuration
+fi
 
-# Ensure CRYPTO_POLICY is not commented out
-sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+# Get the last occurrence of CRYPTO_POLICY
+last_crypto_policy=$(grep -Eo "^\s*CRYPTO_POLICY='[^']+'" ${CONF_FILE} | tail -n 1)
 
-if ! grep -q "\\$correct_value" "$CONF_FILE"; then
-    # We need to get the existing value, using PCRE to maintain same regex
-    existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
+# Copy the last CRYPTO_POLICY value to the local configuration file
+if [[ -n "$last_crypto_policy" ]]; then
+    if ! grep -qe "$correct_value" <<< "$last_crypto_policy"; then
+        # If an existing -oMACs= is found, replace it
+        # Else, append correct_value before the closing apostrophe
+        if [[ "$last_crypto_policy" == *"-oMACs="* ]]; then
+            last_crypto_policy=$(echo "$last_crypto_policy" | sed -E "s/-oMACs=\S+/${correct_value}/")
+        else
+            last_crypto_policy=$(echo "$last_crypto_policy" | sed -E "s/'[[:space:]]*$/ ${correct_value}'/")
+        fi
+        # Write updated line to LOCAL_CONF_FILE
+        echo -e "\n$last_crypto_policy" > "$LOCAL_CONF_FILE"
+    fi
+else
+    echo -e "\nCRYPTO_POLICY='${correct_value}'" > ${LOCAL_CONF_FILE}
+fi
 
-    if [[ ! -z ${existing_value} ]]; then
-        # replace existing_value with correct_value
-        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
-    else
-        # ***NOTE*** #
-        # This probably means this file is not here or it's been modified
-        # unintentionally.
-        # ********** #
-        # echo correct_value to end
-        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
-    fi
-fi
+update-crypto-policies --no-reload
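Review bot: the `-oMACs=\S+` pattern in the replace branch (the `sed -E` under `if [[ "$last_crypto_policy" == *"-oMACs="* ]]`) also consumes the closing apostrophe when the option is the last token, which is the shape the append branch writes (`... ${correct_value}'`); a later run with a changed `sshd_approved_macs` then produces a line without its closing quote in `LOCAL_CONF_FILE`. Use `sed -E "s/-oMACs=[^[:space:]']+/${correct_value}/"` so the match stops at the quote. Also, `grep -qe "$correct_value"` is a regex substring test, so a value that merely starts with the approved MAC list passes as correct, and in that case nothing is written to `LOCAL_CONF_FILE` while the unconditional `update-crypto-policies --no-reload` at the end regenerates `CONF_FILE`; a host whose `CONF_FILE` was edited in place by the previous remediation loses the setting during remediation. Decide "already correct" from `LOCAL_CONF_FILE` (or always write it), use `grep -qF --` with a whole-token check, and add `mkdir -p "${LOCAL_CONF_DIR}"` as the Ansible variant does.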

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
@@ -5,9 +5,10 @@
     - always
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
-    Set facts'
-  set_fact:
-    path: /etc/crypto-policies/back-ends/opensshserver.config
+    Set relevant paths and correct value'
+  ansible.builtin.set_fact:
+    opensshserver_path: /etc/crypto-policies/back-ends/opensshserver.config
+    local_path: /etc/crypto-policies/local.d/opensshserver-ssg.config
     correct_value: -oMACs={{ sshd_approved_macs }}
   tags:
   - CCE-85899-3
@@ -21,9 +22,9 @@
   - restrict_strategy
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
-    Stat'
-  stat:
-    path: '{{ path }}'
+    Ensure crypto config exists'
+  ansible.builtin.stat:
+    path: '{{ opensshserver_path }}'
     follow: true
   register: opensshserver_file
   tags:
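Review bot: "Ensure crypto config exists" does not describe this task; `ansible.builtin.stat` only records metadata into `opensshserver_file`, and the generation is done by the following `command` task. Rename it to "Stat opensshserver.config" (or similar) so the play output matches what happens.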
@@ -38,12 +39,9 @@
   - restrict_strategy
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
-    Create'
-  lineinfile:
-    path: '{{ path }}'
-    line: CRYPTO_POLICY='{{ correct_value }}'
-    create: true
-  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
+    Generate default config if missing or empty'
+  ansible.builtin.command: update-crypto-policies --no-reload
+  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size == 0
   tags:
   - CCE-85899-3
   - DISA-STIG-RHEL-08-010290
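Review bot: the `when` on `update-crypto-policies --no-reload` only covers a missing or empty file, whereas the Bash variant also regenerates when no `CRYPTO_POLICY=` line is present (`! grep -q "^\s*CRYPTO_POLICY="`). Here such a file reaches the slurp with `last_crypto_policy` ending up `''`, and the Build task emits `CRYPTO_POLICY='{{ correct_value }}'` alone; because the last assignment wins, the effective sshd policy would then contain only `-oMACs` and lose the ciphers and key-exchange settings of the system policy. Align the condition with the Bash variant.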
@@ -55,26 +53,11 @@
   - reboot_required
   - restrict_strategy
 
-- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
-  block:
-
-  - name: Existing value check
-    lineinfile:
-      path: '{{ path }}'
-      create: false
-      regexp: '{{ correct_value }}'
-      state: absent
-    check_mode: true
-    changed_when: false
-    register: opensshserver
-
-  - name: Update/Correct value
-    replace:
-      path: '{{ path }}'
-      regexp: (-oMACs=\S+)
-      replace: '{{ correct_value }}'
-    when: opensshserver.found is defined and opensshserver.found != 1
-  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Read opensshserver.config content'
+  ansible.builtin.slurp:
+    src: '{{ opensshserver_path }}'
+  register: ssh_config_raw
   tags:
   - CCE-85899-3
   - DISA-STIG-RHEL-08-010290
@@ -85,3 +68,120 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Extract last CRYPTO_POLICY line'
+  ansible.builtin.set_fact:
+    last_crypto_policy: '{{ (ssh_config_raw.content | b64decode).splitlines() | select(''match'',
+      "^\s*CRYPTO_POLICY=''[^'']+''") | list | last | default('''') }}'
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Check if correct_value is present'
+  ansible.builtin.set_fact:
+    mac_is_correct: '{{ correct_value in last_crypto_policy }}'
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Extract current Ciphers if needed'
+  ansible.builtin.set_fact:
+    existing_mac: '{{ (last_crypto_policy | regex_findall(''(-oMACs=\S+)'', ''\1''))
+      | last | default('''') }}'
+  when: not mac_is_correct and last_crypto_policy != ''
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Build full updated CRYPTO_POLICY line'
+  set_fact:
+    updated_crypto_policy: '{% if last_crypto_policy == '''' %} CRYPTO_POLICY=''{{
+      correct_value }}'' {% elif existing_mac != '''' %} {{ last_crypto_policy | regex_replace(existing_mac,
+      correct_value) }} {% else %} {{ last_crypto_policy[:-1] ~ " " ~ correct_value
+      ~ "''" }} {% endif %}'
+  when: not mac_is_correct
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Ensure local.d dir exists'
+  ansible.builtin.file:
+    path: '{{ local_path | dirname }}'
+    state: directory
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Write CRYPTO_POLICY to local config'
+  ansible.builtin.lineinfile:
+    path: '{{ local_path }}'
+    line: |-
+      {{ '
+      ' ~ updated_crypto_policy }}
+    create: true
+    insertafter: EOF
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Apply updated crypto policies'
+  ansible.builtin.command: update-crypto-policies --no-reload
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy

@github-actions

Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

@qlty-cloud-legacy

Code Climate has analyzed commit 69b91c7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).


@Xeicker Xeicker added the Ansible, OVAL, Bash and Update Rule labels Apr 23, 2025
@Xeicker Xeicker added this to the 0.1.77 milestone Apr 23, 2025
@jan-cerny jan-cerny self-assigned this Apr 24, 2025
@jan-cerny
Collaborator

/packit build

@jan-cerny
Collaborator

/packit build

jan-cerny added a commit to jan-cerny/contest that referenced this pull request Apr 29, 2025
These waivers are added to be able to merge the pull request
ComplianceAsCode/content#13374
This PR adds changes that work only with new OpenSCAP, but the
new OpenSCAP hasn't been shipped in CentOS/RHEL yet, which means the
Testing farm tests fail in CI gating. At the same time, we don't want
to delay the PR. Therefore, we introduce this waiver, which can be
removed once the new OpenSCAP is released.

Specifically, these rules require OpenSCAP 1.3.12 or 1.4.2 to pass
because they depend on processing negative numbers by
textfilecontent54_probe which is fixed by
OpenSCAP/openscap#2210
matusmarhefka pushed a commit to RHSecurityCompliance/contest that referenced this pull request Apr 29, 2025
@jan-cerny
Collaborator

/packit build

@jan-cerny jan-cerny merged commit c649ca4 into ComplianceAsCode:master Apr 29, 2025
91 of 100 checks passed
@mrkanon mrkanon mentioned this pull request May 22, 2025