Merge pull request dev-sec#119 from atomic111/master
Use new ciphers, kex, macs and privilege separation sandbox for RedHat family 7
chris-rock authored Jul 27, 2016
2 parents 2e7a893 + a3f7e40 commit 51f4f12
Showing 7 changed files with 31 additions and 12 deletions.
2 changes: 1 addition & 1 deletion attributes/default.rb
Expand Up @@ -41,7 +41,7 @@
default['sshserver']['service_name'] = 'ssh'
end

default['config_disclaimer'] = '**Note:** This file was automatically created by Hardening Framework (hardening.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
default['config_disclaimer'] = '**Note:** This file was automatically created by Hardening Framework (dev-sec.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
default['network']['ipv6']['enable'] = false # sshd + ssh
default['ssh']['client']['cbc_required'] = false # ssh
default['ssh']['server']['cbc_required'] = false # sshd
4 changes: 4 additions & 0 deletions libraries/get_ssh_ciphers.rb
Expand Up @@ -47,6 +47,10 @@ def self.get_ciphers(node, cbc_required)
elsif node['platform'] == 'debian' && node['platform_version'].to_f >= 8
Chef::Log.info('Detected Debian 8 or newer, use new ciphers')
cipher = ciphers_66

elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7
Chef::Log.info('Detected RedHat Family with version 7 or newer, use new ciphers')
cipher = ciphers_66
end

Chef::Log.info("Choose cipher: #{cipher[weak_ciphers]}")
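Review bot: The new rhel branch only covers `platform_version.to_f >= 7`, so RHEL/CentOS 6 hosts take no branch here and keep whatever `cipher` was initialised to above this hunk (not visible), unlike the kex and macs changes in the same commit, which add an explicit `< 7` branch. If that initial value is the intended set for OpenSSH 5.3, a comment would make the fallthrough deliberate, e.g. `# rhel 6 and older keep the default cipher set chosen above`. Separately, `to_f` on the version string assumes a plain major.minor scheme; a rhel-family member with a year-style version (Amazon Linux reported such versions at the time) would compare as far greater than 7 and be handed ciphers its sshd may reject, which stops sshd from starting — this is inherited from the existing comparisons, so only worth confirming against the platforms in use. `get_ciphers` begins before this hunk.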
12 changes: 9 additions & 3 deletions libraries/get_ssh_kex.rb
Expand Up @@ -24,7 +24,7 @@ class Chef
class Recipe
class SshKex
# rubocop:disable AbcSize
def self.get_kexs(node, weak_kex)
def self.get_kexs(node, weak_kex) # rubocop:disable CyclomaticComplexity, PerceivedComplexity
weak_kex = weak_kex ? 'weak' : 'default'

kex_59 = {}
Expand All @@ -47,8 +47,14 @@ def self.get_kexs(node, weak_kex)
Chef::Log.info('Detected Debian 8 or newer, use new key exchange algorithms')
kex = kex_66

# deactivate kex on redhat
elsif node['platform_family'] == 'rhel'
# use newer kex for redhat version 7 or newer
elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7
Chef::Log.info('Detected Redhat 7 or newer, use new key exchange algorithms')
kex = kex_66

# deactivate kex on redhat version 6
elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f < 7
Chef::Log.info('Detected Redhat 6 or earlier, disable KEX')
kex = {}
kex.default = nil

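Review bot: The two new `elsif` arms both test `node['platform_family'] == 'rhel'` and differ only in the `>= 7` / `< 7` comparison, which is what pushes the method over the CyclomaticComplexity and PerceivedComplexity thresholds now disabled on the `def` line; the same shape is repeated in libraries/get_ssh_macs.rb and libraries/use_privilege_separation.rb in this commit. A single rhel arm with a nested `if`/`else` keeps the two cases mutually exclusive by construction and avoids the family check being evaluated twice. The log text also differs between files for the same platform (`Detected Redhat 7 or newer` here versus `Detected RedHat Family with version 7 or newer` in the ciphers and macs helpers), which is worth aligning for anyone grepping the Chef run log. `get_kexs` starts before this hunk and continues after it.
```ruby
      # use newer kex for redhat version 7 or newer; deactivate kex on redhat version 6
      elsif node['platform_family'] == 'rhel'
        if node['platform_version'].to_f >= 7
          Chef::Log.info('Detected Redhat 7 or newer, use new key exchange algorithms')
          kex = kex_66
        else
          Chef::Log.info('Detected Redhat 6 or earlier, disable KEX')
          kex = {}
          kex.default = nil
        end
      # … unchanged: remaining platform branches …
```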
13 changes: 9 additions & 4 deletions libraries/get_ssh_macs.rb
Expand Up @@ -24,7 +24,7 @@ class Chef
class Recipe
class SshMac
# rubocop:disable AbcSize
def self.get_macs(node, weak_hmac)
def self.get_macs(node, weak_hmac) # rubocop:disable CyclomaticComplexity, PerceivedComplexity
weak_macs = weak_hmac ? 'weak' : 'default'

macs_53 = {}
Expand All @@ -41,7 +41,7 @@ def self.get_macs(node, weak_hmac)
# determine the mac for the operating system
macs = macs_59

# use newer ciphers on ubuntu 14.04
# use newer macs on ubuntu 14.04
if node['platform'] == 'ubuntu' && node['platform_version'].to_f >= 14.04
Chef::Log.info('Detected Ubuntu 14.04 or newer, use new macs')
macs = macs_66
Expand All @@ -50,8 +50,13 @@ def self.get_macs(node, weak_hmac)
Chef::Log.info('Detected Debian 8 or newer, use new macs')
macs = macs_66

# stick to 53 for rhel <= 6, verify for rhel >= 7
elsif node['platform_family'] == 'rhel'
# use newer macs for rhel >= 7
elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7
Chef::Log.info('Detected RedHat Family with version 7 or newer, use new macs')
macs = macs_66

# stick to 53 for rhel <= 6
elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f < 7
Chef::Log.info('Detected RedHat Family, use old macs')
macs = macs_53

6 changes: 5 additions & 1 deletion libraries/use_privilege_separation.rb
Expand Up @@ -30,7 +30,11 @@ def self.get(node)
# ubuntu 12.04 and newer has ssh 5.9+

# redhat/centos/oracle 6.x has ssh 5.3
if node['platform_family'] == 'rhel'
if node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7
ps = ps59

# redhat/centos/oracle 6.x has ssh 5.3
elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f < 7
ps = ps53

# debian 7.x and newer has ssh 5.9+
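Review bot: The context comment `# redhat/centos/oracle 6.x has ssh 5.3` now heads the new `>= 7` branch that assigns `ps59`, while the same sentence was added again above the `< 7` branch, so the first copy is stale and contradicts the code under it. Change the first one to describe its branch, e.g. `# redhat/centos/oracle 7.x and newer has ssh 5.9+` — on the assumption that `ps59` is the 5.9-style privilege separation setting, as the `ubuntu 12.04 and newer has ssh 5.9+` comment just above suggests. `get` starts before this hunk and continues after it.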
2 changes: 1 addition & 1 deletion templates/default/openssh.conf.erb
Expand Up @@ -6,7 +6,7 @@
# This is the ssh client system-wide configuration file.
# See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
#
# Created for OpenSSH v5.9
# Created for OpenSSH v5.9 up to 6.8

# Basic configuration
# ===================
4 changes: 2 additions & 2 deletions templates/default/opensshd.conf.erb
Expand Up @@ -6,7 +6,7 @@
# This is the ssh client system-wide configuration file.
# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
#
# Created for OpenSSH v5.9
# Created for OpenSSH v5.9 up to 6.8

# Basic configuration
# ===================
Expand Down Expand Up @@ -219,4 +219,4 @@ X11Forwarding no
#PasswordAuthentication no
#PermitRootLogin no
#X11Forwarding no
<% end %>
<% end %>
