Drop hmac-ripemd160 sshd mac from strong MACs list #10739
Conversation
- Add variable file sshd_strong_macs.var and rework oval to use it when checking ssh configuration - Add variable definitions default and cis_sle12, which keeps legacy list and cis sle15, which drops hmac-ripemd160 algorithm, which is no longer supported
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
Start a new ephemeral environment with changes proposed in this pull request: rhel7 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs'.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
@@ -6,7 +6,7 @@
Limit the MACs to strong hash algorithms.
The following line in /etc/ssh/sshd_config demonstrates use
of those MACs:
-MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+MACs 'xccdf_org.ssgproject.content_value_sshd_strong_macs'
[rationale]:
MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- oval:ssg-sshd_use_strong_macs:def:1
+++ oval:ssg-sshd_use_strong_macs:def:1
@@ -1,3 +1,4 @@
+criteria AND
criteria OR
criteria AND
extend_definition oval:ssg-sshd_not_required_or_unset:def:1
@@ -5,5 +6,4 @@
criteria AND
extend_definition oval:ssg-sshd_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_installed:def:1
-criteria OR
criterion oval:ssg-test_sshd_use_strong_macs:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1
+++ ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1
@@ -2,6 +2,6 @@
MACs are in use, run the following command:
$ sudo grep -i macs /etc/ssh/sshd_config
The output should contain only those MACs which are strong, namely,
-[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 hash functions.
+ hash functions.
Is it the case that MACs option is commented out or not using strong hash algorithms?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
@@ -1,29 +1,30 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-if [ -e "/etc/ssh/sshd_config" ] ; then
-
- LC_ALL=C sed -i "/^\s*MACs\s\+/Id" "/etc/ssh/sshd_config"
+sshd_strong_macs=''
+
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^MACs")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s %s" "$stripped_key" "$sshd_strong_macs"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^MACs\\>" "/etc/ssh/sshd_config"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ LC_ALL=C sed -i --follow-symlinks "s/^MACs\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config"
else
- touch "/etc/ssh/sshd_config"
+ if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config"
+ fi
+ cce="CCE-82364-1"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config"
+ printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config"
fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/ssh/sshd_config"
-
-cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
-# Clean up after ourselves.
-rm "/etc/ssh/sshd_config.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
New datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs'. |
Mab879
added
Update Rule
| @@ -1,4 +1,6 @@ | |||
| # platform = multi_platform_all | |||
|
|
|||
| {{{ bash_sshd_config_set(parameter="MACs", value="[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}} | |||
| {{{ bash_instantiate_variables("sshd_strong_macs") }}} | |||
There was a problem hiding this comment.
When you start using a variable, you should also change the corresponding rule.yml file, otherwise, depending on the variable setting, the remediations will be misaligned with the rule description and rationale.
There was a problem hiding this comment.
Should be covered in 40cf036
| @@ -1 +1,71 @@ | |||
| {{{ oval_sshd_config(parameter="MACs", value="((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|hmac-ripemd160),?)+") }}} | |||
| <def-group> | |||
| <definition class="compliance" id="sshd_use_strong_macs" version="1"> | |||
There was a problem hiding this comment.
In Bash and Ansible you use the macros but in OVAL you change away from macros. What is the reason for this change?
There was a problem hiding this comment.
Couldn't find a nice way to transform the comma separated lilst with pipe separated list so can directly use the macro, and didn't felt right to transform the macro that is used in other places.
There was a problem hiding this comment.
I think with jinja you can just call replace(",", "|")
There was a problem hiding this comment.
I think with jinja you can just call
replace(",", "|")
nvm, I think it won't work: https://jinja.palletsprojects.com/en/3.1.x/templates/#jinja-filters.replace
There was a problem hiding this comment.
maybe with join:
https://jinja.palletsprojects.com/en/2.10.x/templates/#join
There was a problem hiding this comment.
did you take a look at the above ?
There was a problem hiding this comment.
Yes I did but just getting a bar separated list doesn't get me much further since there is need to do much more changes, which I am afraid cause much more noise in the macros, so decided it doesn't worth at this stage
| @@ -1663,6 +1663,7 @@ controls: | |||
| rules: | |||
| - sshd_approved_macs=cis_sle12 | |||
| - sshd_use_approved_macs | |||
| - sshd_strong_macs=cis_sle12 | |||
There was a problem hiding this comment.
The rule sshd_use_strong_macs is used also in multiple other profiles in other products. You should explicitly assign the value of the new sshd_strong_macs variable in all the controls and profile files where the rule sshd_use_strong_macs is selected.
There was a problem hiding this comment.
Did relevant changes in 40cf036 but I guess that will need extra review from @ComplianceAsCode/oracle-maintainers, @ComplianceAsCode/red-hatters and @ComplianceAsCode/ubuntu-maintainers if I made the right assumptions
| <definition class="compliance" id="sshd_use_strong_macs" version="1"> | ||
| {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} | ||
| <criteria operator="AND"> | ||
| <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" /> |
There was a problem hiding this comment.
Is this addition expected? The rule didn't previously depend on FIPS certification and the rule.yml doesn't mention anything about FIPS.
There was a problem hiding this comment.
I saw references to the FIPS-140-2 standard in the CIS spec, dropped it in 9829315
- Use default variable value including the hmac-ripemd160 for rhel7 and ol7 - Use value without the hmac-ripemd160 for ubuntu2204 All of the above needs to be reviewed by @ComplianceAsCode/oracle-maintainers, @ComplianceAsCode/red-hatters and @ComplianceAsCode/ubuntu-maintainers
teacup-on-rockingchair
force-pushed
the
fix_strong_mac_drop_hmac-ripemd160
branch
from
9829315 to
dab9787
Compare
teacup-on-rockingchair
force-pushed
the
fix_strong_mac_drop_hmac-ripemd160
branch
from
dab9787 to
1df74f1
Compare
Thanks to @jan-cerny for the tip
|
Code Climate has analyzed commit 7db8bb6 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.5% (0.7% change). View more on Code Climate. |
linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
Outdated
Show resolved
Hide resolved
Drop rpm for package checks, thanks to @dodys for the feedback 👍
|
@marcusburghardt could you take a look at the packit issues? |
We are investigating this @dodys . It is not in the project itself but seems to be in the packit side. When it is fixed, we will probably need to re-trigger the failed tests and it should work. |
|
@dodys and @jan-cerny am I missing something that needs to be done here in order pr to be merged ? |
|
@ComplianceAsCode/oracle-maintainers @ComplianceAsCode/suse-maintainers PTAL |
For now I am the only member of @ComplianceAsCode/suse-maintainers so I have my own approval ;) |
|
@freddieRv ping |
Thanks @jan-cerny and @freddieRv . @jan-cerny can you please overwrite the @ComplianceAsCode/suse-maintainers requirement, since I am the only member for now |
|
Overriding CODEOWNERS as @teacup-on-rockingchair can't approve his own PR. |
Description:
Rationale:
Add variable file sshd_strong_macs.var and rework oval to use it when checking ssh configuration
Add variable definitions default and cis_sle12, which keeps legacy list and cis sle15, which drops hmac-ripemd160 algorithm, which is no longer supported
Add bash and ansible relevant remediations' changes
Fixes hmac-ripemd160 no longer available on openssh 7.6 and newer (2017+) #8212
Review Hints: