From 3eb7c9e7b8e0c2608eb09f71d3e7f1a756b91c33 Mon Sep 17 00:00:00 2001
From: rchikov
Date: Mon, 8 May 2023 16:54:20 +0200
Subject: [PATCH] Fix in SLE 12/15 rule sshd_use_approved_macs

---
 linux_os/guide/services/ssh/sshd_approved_macs.var | 4 ++--
 products/sle12/profiles/pci-dss-4.profile | 1 +
 products/sle12/profiles/pci-dss.profile | 1 +
 products/sle15/profiles/pci-dss-4.profile | 8 ++++----
 products/sle15/profiles/pci-dss.profile | 1 +
 5 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/linux_os/guide/services/ssh/sshd_approved_macs.var b/linux_os/guide/services/ssh/sshd_approved_macs.var
index 0a0c972ca3e..dab7237fcb7 100644
--- a/linux_os/guide/services/ssh/sshd_approved_macs.var
+++ b/linux_os/guide/services/ssh/sshd_approved_macs.var
@@ -14,7 +14,7 @@ options:
 stig: hmac-sha2-512,hmac-sha2-256
 default: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
 cis_rhel7: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com
- cis_sle12: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com
- cis_sle15: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com
+ cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+ cis_sle15: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_alinux2: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 cis_ubuntu: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
diff --git a/products/sle12/profiles/pci-dss-4.profile b/products/sle12/profiles/pci-dss-4.profile
index f0e3c50b13d..45f293621b6 100644
--- a/products/sle12/profiles/pci-dss-4.profile
+++ b/products/sle12/profiles/pci-dss-4.profile
@@ -76,4 +76,5 @@ selections:
 - sshd_set_maxstartups
 - sshd_use_approved_ciphers
 - sshd_use_approved_macs
+ - sshd_approved_macs=cis_sle12
 - sysctl_fs_suid_dumpable
diff --git a/products/sle12/profiles/pci-dss.profile b/products/sle12/profiles/pci-dss.profile
index 3439dd3157f..db8f9491f80 100644
--- a/products/sle12/profiles/pci-dss.profile
+++ b/products/sle12/profiles/pci-dss.profile
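Review bot: The new cis_sle12 and cis_sle15 values are byte-identical to the cis_alinux2 and cis_ubuntu entries two lines below, and nothing in the file records which benchmark recommendation each list is derived from, so a later maintainer cannot tell whether the SLE lists are meant to track the Ubuntu list or to diverge from it. A one-line comment above the two SLE entries would settle that, e.g. `# cis_sle12/cis_sle15: SHA-2 family only, -etm variants first; currently identical to cis_ubuntu by design`. Separately, the `default` context line in this hunk still lists hmac-sha1 and hmac-sha1-etm@openssh.com, so a profile that selects sshd_use_approved_macs without pinning this variable keeps accepting SHA-1 MACs; that is pre-existing and not part of this change, but it is why the four profile pins in this patch matter and is worth a follow-up. The `options:` mapping starts before this hunk.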
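Review bot: The added `- sshd_approved_macs=cis_sle12` sits between sshd_use_approved_macs and sysctl_fs_suid_dumpable, which breaks the alphabetical order the four surrounding selections appear to follow, and nothing marks the placement as deliberate. Either sort the entry into place or keep it next to the rule that consumes it with a comment such as `# pins the MAC list used by sshd_use_approved_macs above`. The selections list begins before this hunk.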
@@ -13,3 +13,4 @@ description: |-
 
 selections:
 - pcidss_3:all:base
+ - sshd_approved_macs=cis_sle12
diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
index 087c88f4197..270b78b71de 100644
--- a/products/sle15/profiles/pci-dss-4.profile
+++ b/products/sle15/profiles/pci-dss-4.profile
@@ -13,7 +13,7 @@ description: |-
 
 selections:
 - pcidss_4:all:base
- # remove some rules from profile
- - '!service_ntp_enabled'
- - '!service_ntpd_enabled'
- - '!service_timesyncd_enabled'
+ - sshd_approved_macs=cis_sle15
+ - '!service_ntp_enabled'
+ - '!service_ntpd_enabled'
+ - '!service_timesyncd_enabled'
diff --git a/products/sle15/profiles/pci-dss.profile b/products/sle15/profiles/pci-dss.profile
index 9832e0b5368..1f79f6f4ab2 100644
--- a/products/sle15/profiles/pci-dss.profile
+++ b/products/sle15/profiles/pci-dss.profile
@@ -13,3 +13,4 @@ description: |-
 
 selections:
 - pcidss_3:all:base
+ - sshd_approved_macs=cis_sle15
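Review bot: `sshd_approved_macs=cis_sle12` is appended to a profile whose only other selection is the `pcidss_3:all:base` control, so the pin takes effect only if that control selects sshd_use_approved_macs; the hunk cannot show whether it does, and the profile does not record the dependency. A comment would make the intent checkable, e.g. `# assumes the pcidss_3 control selects sshd_use_approved_macs; pin its MAC list to the SLE 12 option`. The same applies to the sle15 pci-dss.profile hunk at the end of this patch, which pins cis_sle15 next to the same control line.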
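Review bot: In the sle15 pci-dss-4.profile hunk the `# remove some rules from profile` comment is dropped while the three `'!service_*_enabled'` negations it introduced are re-added unchanged below the new pin, so the profile loses its only explanation of why the time-synchronisation service rules are excluded. Keep the comment directly above the negations: `- sshd_approved_macs=cis_sle15`, then `# remove some rules from profile`, then the three negation lines as written.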