Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Drop hmac-ripemd160 sshd mac from strong MACs list #10739

Conversation

teacup-on-rockingchair
Copy link
Contributor

Description:

  • Handle different ssh strong macs list for different platforms

Rationale:

  • Add variable file sshd_strong_macs.var and rework oval to use it when checking ssh configuration

  • Add variable definitions default and cis_sle12, which keeps legacy list and cis sle15, which drops hmac-ripemd160 algorithm, which is no longer supported

  • Add bash and ansible relevant remediations' changes

  • Fixes hmac-ripemd160 no longer available on openssh 7.6 and newer (2017+) #8212

Review Hints:

  • The implementation is borrowed from the approved_macs oval/bash/asible, if considered valuable will extract the command code in a tempmlate, but didn't think it is worthed

- Add variable file sshd_strong_macs.var and rework oval to use it when checking ssh configuration
- Add variable definitions default and cis_sle12, which keeps legacy list and cis sle15, which drops hmac-ripemd160 algorithm,
  which is no longer supported
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jun 21, 2023
@openshift-ci
Copy link

openshift-ci bot commented Jun 21, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@teacup-on-rockingchair teacup-on-rockingchair marked this pull request as ready for review June 21, 2023 09:01
@teacup-on-rockingchair teacup-on-rockingchair requested a review from a team as a code owner June 21, 2023 09:01
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jun 21, 2023
@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel7 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions
Copy link

github-actions bot commented Jun 21, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs'.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
@@ -6,7 +6,7 @@
 Limit the MACs to strong hash algorithms.
 The following line in /etc/ssh/sshd_config demonstrates use
 of those MACs:
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+MACs 'xccdf_org.ssgproject.content_value_sshd_strong_macs'
 
 [rationale]:
 MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase

OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- oval:ssg-sshd_use_strong_macs:def:1
+++ oval:ssg-sshd_use_strong_macs:def:1
@@ -1,3 +1,4 @@
+criteria AND
 criteria OR
 criteria AND
 extend_definition oval:ssg-sshd_not_required_or_unset:def:1
@@ -5,5 +6,4 @@
 criteria AND
 extend_definition oval:ssg-sshd_required_or_unset:def:1
 extend_definition oval:ssg-package_openssh-server_installed:def:1
-criteria OR
 criterion oval:ssg-test_sshd_use_strong_macs:tst:1

OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1
+++ ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1
@@ -2,6 +2,6 @@
 MACs are in use, run the following command:
 $ sudo grep -i macs /etc/ssh/sshd_config
 The output should contain only those MACs which are strong, namely,
-hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 hash functions.
+ hash functions.
       Is it the case that MACs option is commented out or not using strong hash algorithms?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
@@ -1,29 +1,30 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-if [ -e "/etc/ssh/sshd_config" ] ; then
-    
-    LC_ALL=C sed -i "/^\s*MACs\s\+/Id" "/etc/ssh/sshd_config"
+sshd_strong_macs=''
+
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^MACs")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s %s" "$stripped_key" "$sshd_strong_macs"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^MACs\\>" "/etc/ssh/sshd_config"; then
+    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+    LC_ALL=C sed -i --follow-symlinks "s/^MACs\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config"
 else
-    touch "/etc/ssh/sshd_config"
+    if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then
+        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config"
+    fi
+    cce="CCE-82364-1"
+    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config"
+    printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config"
 fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/ssh/sshd_config"
-
-cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
-    # There was no match of '^Match', insert at
-    # the end of the file.
-    printf '%s\n' "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160" >> "/etc/ssh/sshd_config"
-else
-    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
-    printf '%s\n' "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160" >> "/etc/ssh/sshd_config"
-    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
-# Clean up after ourselves.
-rm "/etc/ssh/sshd_config.bak"
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'

New datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs'.

@Mab879 Mab879 added Update Rule Issues or pull requests related to Rules updates. SLES SUSE Linux Enterprise Server product related. labels Jun 21, 2023
@@ -1,4 +1,6 @@
# platform = multi_platform_all

{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}
{{{ bash_instantiate_variables("sshd_strong_macs") }}}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When you start using a variable, you should also change the corresponding rule.yml file, otherwise, depending on the variable setting, the remediations will be misaligned with the rule description and rationale.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be covered in 40cf036

@@ -1 +1,71 @@
{{{ oval_sshd_config(parameter="MACs", value="((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|hmac-ripemd160),?)+") }}}
<def-group>
<definition class="compliance" id="sshd_use_strong_macs" version="1">
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In Bash and Ansible you use the macros but in OVAL you change away from macros. What is the reason for this change?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't find a nice way to transform the comma separated lilst with pipe separated list so can directly use the macro, and didn't felt right to transform the macro that is used in other places.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think with jinja you can just call replace(",", "|")

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think with jinja you can just call replace(",", "|")

nvm, I think it won't work: https://jinja.palletsprojects.com/en/3.1.x/templates/#jinja-filters.replace

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did you take a look at the above ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I did but just getting a bar separated list doesn't get me much further since there is need to do much more changes, which I am afraid cause much more noise in the macros, so decided it doesn't worth at this stage

linux_os/guide/services/ssh/sshd_strong_macs.var Outdated Show resolved Hide resolved
@@ -1663,6 +1663,7 @@ controls:
rules:
- sshd_approved_macs=cis_sle12
- sshd_use_approved_macs
- sshd_strong_macs=cis_sle12
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rule sshd_use_strong_macs is used also in multiple other profiles in other products. You should explicitly assign the value of the new sshd_strong_macs variable in all the controls and profile files where the rule sshd_use_strong_macs is selected.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did relevant changes in 40cf036 but I guess that will need extra review from @ComplianceAsCode/oracle-maintainers, @ComplianceAsCode/red-hatters and @ComplianceAsCode/ubuntu-maintainers if I made the right assumptions

<definition class="compliance" id="sshd_use_strong_macs" version="1">
{{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
<criteria operator="AND">
<extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this addition expected? The rule didn't previously depend on FIPS certification and the rule.yml doesn't mention anything about FIPS.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I saw references to the FIPS-140-2 standard in the CIS spec, dropped it in 9829315

- Use default variable value including the hmac-ripemd160 for rhel7 and ol7
- Use value without the hmac-ripemd160 for ubuntu2204

All of the above needs to be reviewed by @ComplianceAsCode/oracle-maintainers,
@ComplianceAsCode/red-hatters and @ComplianceAsCode/ubuntu-maintainers
@teacup-on-rockingchair teacup-on-rockingchair requested review from a team as code owners June 25, 2023 20:29
@teacup-on-rockingchair teacup-on-rockingchair force-pushed the fix_strong_mac_drop_hmac-ripemd160 branch from 9829315 to dab9787 Compare June 26, 2023 13:50
@teacup-on-rockingchair teacup-on-rockingchair force-pushed the fix_strong_mac_drop_hmac-ripemd160 branch from dab9787 to 1df74f1 Compare June 26, 2023 13:52
@codeclimate
Copy link

codeclimate bot commented Jul 4, 2023

Code Climate has analyzed commit 7db8bb6 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.5% (0.7% change).

View more on Code Climate.

Copy link
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor change needed, but overall looks good

Drop rpm for package checks, thanks to @dodys for the feedback 👍
@dodys
Copy link
Contributor

dodys commented Jul 27, 2023

@marcusburghardt could you take a look at the packit issues?
the automatus issues is just because this rule is not in their benchmarks

@marcusburghardt
Copy link
Member

@marcusburghardt could you take a look at the packit issues? the automatus issues is just because this rule is not in their benchmarks

We are investigating this @dodys . It is not in the project itself but seems to be in the packit side. When it is fixed, we will probably need to re-trigger the failed tests and it should work.

@teacup-on-rockingchair
Copy link
Contributor Author

@dodys and @jan-cerny am I missing something that needs to be done here in order pr to be merged ?

Copy link
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@jan-cerny
Copy link
Collaborator

@ComplianceAsCode/oracle-maintainers @ComplianceAsCode/suse-maintainers PTAL

@teacup-on-rockingchair
Copy link
Contributor Author

@ComplianceAsCode/oracle-maintainers @ComplianceAsCode/suse-maintainers PTAL

For now I am the only member of @ComplianceAsCode/suse-maintainers so I have my own approval ;)

@jan-cerny
Copy link
Collaborator

@freddieRv ping

@teacup-on-rockingchair
Copy link
Contributor Author

@freddieRv ping

Thanks @jan-cerny and @freddieRv . @jan-cerny can you please overwrite the @ComplianceAsCode/suse-maintainers requirement, since I am the only member for now

@marcusburghardt marcusburghardt self-assigned this Aug 17, 2023
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@marcusburghardt
Copy link
Member

Overriding CODEOWNERS as @teacup-on-rockingchair can't approve his own PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
SLES SUSE Linux Enterprise Server product related. Update Rule Issues or pull requests related to Rules updates.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

hmac-ripemd160 no longer available on openssh 7.6 and newer (2017+)
6 participants