-
Notifications
You must be signed in to change notification settings - Fork 706
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Drop hmac-ripemd160 sshd mac from strong MACs list #10739
Drop hmac-ripemd160 sshd mac from strong MACs list #10739
Conversation
- Add variable file sshd_strong_macs.var and rework oval to use it when checking ssh configuration - Add variable definitions default and cis_sle12, which keeps legacy list and cis sle15, which drops hmac-ripemd160 algorithm, which is no longer supported
Skipping CI for Draft Pull Request. |
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs'.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
@@ -6,7 +6,7 @@
Limit the MACs to strong hash algorithms.
The following line in /etc/ssh/sshd_config demonstrates use
of those MACs:
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+MACs 'xccdf_org.ssgproject.content_value_sshd_strong_macs'
[rationale]:
MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase
OVAL for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- oval:ssg-sshd_use_strong_macs:def:1
+++ oval:ssg-sshd_use_strong_macs:def:1
@@ -1,3 +1,4 @@
+criteria AND
criteria OR
criteria AND
extend_definition oval:ssg-sshd_not_required_or_unset:def:1
@@ -5,5 +6,4 @@
criteria AND
extend_definition oval:ssg-sshd_required_or_unset:def:1
extend_definition oval:ssg-package_openssh-server_installed:def:1
-criteria OR
criterion oval:ssg-test_sshd_use_strong_macs:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1
+++ ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1
@@ -2,6 +2,6 @@
MACs are in use, run the following command:
$ sudo grep -i macs /etc/ssh/sshd_config
The output should contain only those MACs which are strong, namely,
-hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 hash functions.
+ hash functions.
Is it the case that MACs option is commented out or not using strong hash algorithms?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
@@ -1,29 +1,30 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-if [ -e "/etc/ssh/sshd_config" ] ; then
-
- LC_ALL=C sed -i "/^\s*MACs\s\+/Id" "/etc/ssh/sshd_config"
+sshd_strong_macs=''
+
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^MACs")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s %s" "$stripped_key" "$sshd_strong_macs"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^MACs\\>" "/etc/ssh/sshd_config"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ LC_ALL=C sed -i --follow-symlinks "s/^MACs\\>.*/$escaped_formatted_output/gi" "/etc/ssh/sshd_config"
else
- touch "/etc/ssh/sshd_config"
+ if [[ -s "/etc/ssh/sshd_config" ]] && [[ -n "$(tail -c 1 -- "/etc/ssh/sshd_config" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/ssh/sshd_config"
+ fi
+ cce="CCE-82364-1"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/ssh/sshd_config" >> "/etc/ssh/sshd_config"
+ printf '%s\n' "$formatted_output" >> "/etc/ssh/sshd_config"
fi
-# make sure file has newline at the end
-sed -i -e '$a\' "/etc/ssh/sshd_config"
-
-cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
-# Insert before the line matching the regex '^Match'.
-line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
-if [ -z "$line_number" ]; then
- # There was no match of '^Match', insert at
- # the end of the file.
- printf '%s\n' "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160" >> "/etc/ssh/sshd_config"
-else
- head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
- printf '%s\n' "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160" >> "/etc/ssh/sshd_config"
- tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
-fi
-# Clean up after ourselves.
-rm "/etc/ssh/sshd_config.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
New datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs'. |
@@ -1,4 +1,6 @@ | |||
# platform = multi_platform_all | |||
|
|||
{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}} | |||
{{{ bash_instantiate_variables("sshd_strong_macs") }}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When you start using a variable, you should also change the corresponding rule.yml file, otherwise, depending on the variable setting, the remediations will be misaligned with the rule description and rationale.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be covered in 40cf036
@@ -1 +1,71 @@ | |||
{{{ oval_sshd_config(parameter="MACs", value="((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|hmac-ripemd160),?)+") }}} | |||
<def-group> | |||
<definition class="compliance" id="sshd_use_strong_macs" version="1"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In Bash and Ansible you use the macros but in OVAL you change away from macros. What is the reason for this change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couldn't find a nice way to transform the comma separated lilst with pipe separated list so can directly use the macro, and didn't felt right to transform the macro that is used in other places.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think with jinja you can just call replace(",", "|")
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think with jinja you can just call
replace(",", "|")
nvm, I think it won't work: https://jinja.palletsprojects.com/en/3.1.x/templates/#jinja-filters.replace
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe with join:
https://jinja.palletsprojects.com/en/2.10.x/templates/#join
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
did you take a look at the above ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I did but just getting a bar separated list doesn't get me much further since there is need to do much more changes, which I am afraid cause much more noise in the macros, so decided it doesn't worth at this stage
@@ -1663,6 +1663,7 @@ controls: | |||
rules: | |||
- sshd_approved_macs=cis_sle12 | |||
- sshd_use_approved_macs | |||
- sshd_strong_macs=cis_sle12 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rule sshd_use_strong_macs
is used also in multiple other profiles in other products. You should explicitly assign the value of the new sshd_strong_macs
variable in all the controls and profile files where the rule sshd_use_strong_macs
is selected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did relevant changes in 40cf036 but I guess that will need extra review from @ComplianceAsCode/oracle-maintainers, @ComplianceAsCode/red-hatters and @ComplianceAsCode/ubuntu-maintainers if I made the right assumptions
<definition class="compliance" id="sshd_use_strong_macs" version="1"> | ||
{{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} | ||
<criteria operator="AND"> | ||
<extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this addition expected? The rule didn't previously depend on FIPS certification and the rule.yml doesn't mention anything about FIPS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I saw references to the FIPS-140-2 standard in the CIS spec, dropped it in 9829315
- Use default variable value including the hmac-ripemd160 for rhel7 and ol7 - Use value without the hmac-ripemd160 for ubuntu2204 All of the above needs to be reviewed by @ComplianceAsCode/oracle-maintainers, @ComplianceAsCode/red-hatters and @ComplianceAsCode/ubuntu-maintainers
9829315
to
dab9787
Compare
dab9787
to
1df74f1
Compare
Thanks to @jan-cerny for the tip
Code Climate has analyzed commit 7db8bb6 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.5% (0.7% change). View more on Code Climate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor change needed, but overall looks good
linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
Outdated
Show resolved
Hide resolved
linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
Outdated
Show resolved
Hide resolved
Drop rpm for package checks, thanks to @dodys for the feedback 👍
@marcusburghardt could you take a look at the packit issues? |
We are investigating this @dodys . It is not in the project itself but seems to be in the packit side. When it is fixed, we will probably need to re-trigger the failed tests and it should work. |
@dodys and @jan-cerny am I missing something that needs to be done here in order pr to be merged ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
@ComplianceAsCode/oracle-maintainers @ComplianceAsCode/suse-maintainers PTAL |
For now I am the only member of @ComplianceAsCode/suse-maintainers so I have my own approval ;) |
@freddieRv ping |
Thanks @jan-cerny and @freddieRv . @jan-cerny can you please overwrite the @ComplianceAsCode/suse-maintainers requirement, since I am the only member for now |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks
Overriding CODEOWNERS as @teacup-on-rockingchair can't approve his own PR. |
Description:
Rationale:
Add variable file sshd_strong_macs.var and rework oval to use it when checking ssh configuration
Add variable definitions default and cis_sle12, which keeps legacy list and cis sle15, which drops hmac-ripemd160 algorithm, which is no longer supported
Add bash and ansible relevant remediations' changes
Fixes hmac-ripemd160 no longer available on openssh 7.6 and newer (2017+) #8212
Review Hints: