
Update ansible in sshd_use_approved_kex_ordered_stig #11148

Merged (2 commits) on Oct 17, 2023

Conversation

Xeicker (Contributor) commented Sep 27, 2023

Description:

  • Update regex so it can fix the existing configuration instead of just adding another one

Rationale:

  • This avoids adding new configuration instead of fixing the existing one

Review Hints:

Here is what I got with the existing code:

TASK [Configure sshd to use FIPS 140-2 approved key exchange algorithms] *********************************************************************
--- before: /etc/ssh/sshd_config (content)
+++ after: /etc/ssh/sshd_config (content)
@@ -153,3 +153,4 @@
 UsePrivilegeSeparation sandbox
 X11UseLocalhost yes
 KexAlgorithms none
+KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
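Review bot: this hunk leaves two KexAlgorithms directives in the file, the old `KexAlgorithms none` followed by the appended approved list. sshd uses the first value it reads for a keyword, so the appended line has no effect while the original directive stays above it; the remediation needs to rewrite the existing directive rather than add a second one.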

changed: [root@OL7_experiment]

And with these changes:

TASK [Configure sshd to use FIPS 140-2 approved key exchange algorithms] *********************************************************************
--- before: /etc/ssh/sshd_config (content)
+++ after: /etc/ssh/sshd_config (content)
@@ -149,7 +149,7 @@
 Banner /etc/issue
 PrintLastLog yes
 Ciphers aes256-ctr,aes192-ctr,aes128-ctr
-KexAlgorithms none
+KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
 MACs hmac-sha2-512,hmac-sha2-256
 UsePrivilegeSeparation sandbox
 X11UseLocalhost yes
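Review bot: rewriting `KexAlgorithms none` in place is the right shape for the fix. The output only exercises the exact `KexAlgorithms none` form, so a test scenario should also cover an indented directive, the `KexAlgorithms=value` spelling sshd accepts, and a second conflicting KexAlgorithms line, to confirm the regexp still converges the file to a single directive.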

changed: [root@OL7_experiment]

Update regex so it can fix the existing configuration instead of just
adding another one

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Sep 27, 2023
openshift-ci bot commented Sep 27, 2023

Hi @Xeicker. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jan-cerny (Collaborator) commented:

/packit build

@jan-cerny jan-cerny self-assigned this Oct 2, 2023
@jan-cerny jan-cerny added this to the 0.1.71 milestone Oct 2, 2023
jan-cerny (Collaborator) left a comment

The change looks useful. But, please add a test scenario covering this situation.

@jan-cerny jan-cerny added Ansible Ansible remediation update. STIG STIG Benchmark related. labels Oct 2, 2023
Xeicker (Contributor, Author) commented Oct 5, 2023

The change looks useful. But, please add a test scenario covering this situation.

I'm not sure how to implement a test for this, as OVAL won't check whether there are multiple entries of KexAlgorithms or not.

jan-cerny (Collaborator) commented:

Aha, then I think that the OVAL should be changed as well. I think the rule should fail if there are multiple (different) occurrences of the KexAlgorithm keyword in the config. I assume that multiple occurrences of the same item could make the configuration inconsistent and cause one setting to override the other.
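The two task outputs above (append versus in-place fix) and the OVAL change proposed in the previous comment, as an added Python example that is not part of this PR or of the ComplianceAsCode project: it resolves the effective KexAlgorithms value the way sshd does (first occurrence wins), shows why the appended line never took effect, and checks that exactly one directive with the approved value remains. The sample config is constructed from the task output; the regex, the dropping of later duplicates and the append-when-missing behaviour are assumptions of this example, not the project's code.

```python
import re

# Constructed sample mirroring the PR's "before" state (non-compliant value present).
SAMPLE_BEFORE = """\
Banner /etc/issue
PrintLastLog yes
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms none
MACs hmac-sha2-512,hmac-sha2-256
"""

# The value the rule enforces, copied from the PR's task output.
APPROVED_KEX = ("ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
                "diffie-hellman-group-exchange-sha256")

# Keyword is case-insensitive, may be indented, and accepts ' ' or '=' as separator.
KEX_RE = re.compile(r"^\s*kexalgorithms(?:\s+|\s*=\s*)(?P<value>\S+)\s*$",
                    re.IGNORECASE)

def kex_values(config):
    """Every KexAlgorithms value in file order (commented-out lines never match)."""
    return [m.group("value") for line in config.splitlines()
            if (m := KEX_RE.match(line))]

def effective_kex(config):
    """sshd applies the first value it reads for a keyword; later ones are ignored."""
    values = kex_values(config)
    return values[0] if values else None

def check_kex(config):
    """Updated-OVAL style check: exactly one directive, carrying the approved value."""
    return kex_values(config) == [APPROVED_KEX]

def remediate_append(config):
    """Old remediation behaviour: append a second directive."""
    return config + f"KexAlgorithms {APPROVED_KEX}\n"

def remediate_inplace(config):
    """PR behaviour: rewrite the existing directive where it stands.  Dropping
    later duplicates and appending when none exists are assumptions added here."""
    out, done = [], False
    for line in config.splitlines():
        if KEX_RE.match(line):
            if done:
                continue  # a second, conflicting directive: remove it
            line, done = f"KexAlgorithms {APPROVED_KEX}", True
        out.append(line)
    if not done:
        out.append(f"KexAlgorithms {APPROVED_KEX}")
    return "\n".join(out) + "\n"
```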

This is to take into account conflicting entries in kex configuration

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Xeicker (Contributor, Author) commented Oct 12, 2023

With the update in OVAL, the test wrong_value.fail will fail to be fixed with the previous Ansible content.

codeclimate bot commented Oct 12, 2023

Code Climate has analyzed commit 151c9d8 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 57.0%.


jan-cerny (Collaborator) left a comment

The CI fail of Automatus on CS9 is expected because this rule isn't part of the RHEL 9 product. The CI fail of Automatus on SLE15 is caused by python-rpm not present anymore in the BCI that is used to build the container back end, therefore, it isn't caused by changes in this PR.

@jan-cerny jan-cerny merged commit a81ed53 into ComplianceAsCode:master Oct 17, 2023
35 of 37 checks passed