From 935c569349917a272ff7c0d37f8c511ed814ae59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Wed, 27 Jul 2016 12:23:54 +0200 Subject: [PATCH 1/5] use new ciphers for redhat family 7 or newer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- libraries/get_ssh_ciphers.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libraries/get_ssh_ciphers.rb b/libraries/get_ssh_ciphers.rb index a4429dcb..a4268fcf 100644 --- a/libraries/get_ssh_ciphers.rb +++ b/libraries/get_ssh_ciphers.rb @@ -47,6 +47,10 @@ def self.get_ciphers(node, cbc_required) elsif node['platform'] == 'debian' && node['platform_version'].to_f >= 8 Chef::Log.info('Detected Debian 8 or newer, use new ciphers') cipher = ciphers_66 + + elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7 + Chef::Log.info('Detected RedHat Family with version 7 or newer, use new ciphers') + cipher = ciphers_66 end Chef::Log.info("Choose cipher: #{cipher[weak_ciphers]}") From 2263c51a00b7e2579cb27a72a07564a80820c314 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Wed, 27 Jul 2016 12:24:23 +0200 Subject: [PATCH 2/5] use new kex for redhat family 7 or newer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- libraries/get_ssh_kex.rb | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libraries/get_ssh_kex.rb b/libraries/get_ssh_kex.rb index 71fdf690..c88d932c 100644 --- a/libraries/get_ssh_kex.rb +++ b/libraries/get_ssh_kex.rb 
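Review bot: The new branch's predicate `node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7` is repeated verbatim in the get_ssh_kex.rb, get_ssh_macs.rb and use_privilege_separation.rb hunks of this series, so a shared helper such as `def self.rhel7_or_newer?(node)` returning that expression would keep the four files from drifting when the next release boundary is added. Two properties of the test deserve a comment here: `to_f` turns any version string Ohai cannot express numerically into `0.0`, so such a node silently keeps the older cipher list (conservative, but undocumented), and `platform_family == 'rhel'` spans more than RHEL/CentOS (Oracle, Scientific and, on Chef releases of that era, Amazon Linux, whose year-based version compares as `>= 7`), so the branch presumably selects `ciphers_66` for platforms the commit title does not mention. Unlike the kex and macs hunks this branch has no leading comment; `# use newer ciphers for rhel >= 7` would match their style. get_ciphers starts and ends outside the hunk.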
@@ -47,8 +47,14 @@ def self.get_kexs(node, weak_kex) Chef::Log.info('Detected Debian 8 or newer, use new key exchange algorithms') kex = kex_66 - # deactivate kex on redhat - elsif node['platform_family'] == 'rhel' + # use newer kex for redhat version 7 or newer + elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7 + Chef::Log.info('Detected Redhat 7 or newer, use new key exchange algorithms') + kex = kex_66 + + # deactivate kex on redhat version 6 + elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f < 7 + Chef::Log.info('Detected Redhat 6 or earlier, disable KEX') kex = {} kex.default = nil From f67225c97550767c63cf98e350cb44b15a94337f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Wed, 27 Jul 2016 12:26:35 +0200 Subject: [PATCH 3/5] use new macs for redhat family 7 or newer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- libraries/get_ssh_macs.rb | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libraries/get_ssh_macs.rb b/libraries/get_ssh_macs.rb index d2d42544..4d6bc6fb 100644 --- a/libraries/get_ssh_macs.rb +++ b/libraries/get_ssh_macs.rb @@ -41,7 +41,7 @@ def self.get_macs(node, weak_hmac) # determine the mac for the operating system macs = macs_59 - # use newer ciphers on ubuntu 14.04 + # use newer macs on ubuntu 14.04 if node['platform'] == 'ubuntu' && node['platform_version'].to_f >= 14.04 Chef::Log.info('Detected Ubuntu 14.04 or newer, use new macs') macs = macs_66 
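Review bot: The new `>= 7` branch hands `kex_66` to every RHEL-family 7+ release, and since `kex_66` is defined outside this hunk it is worth confirming that every entry it lists is accepted by the OpenSSH build RHEL 7 ships, because sshd refuses its whole configuration on an unknown `KexAlgorithms` value rather than skipping the entry. The second new branch could be simply `elsif node['platform_family'] == 'rhel'`: every RHEL-family node not caught by the `>= 7` test reaches it, including one whose version string `to_f`s to `0.0`, and dropping the redundant comparison makes it clear that "disable KEX" is the deliberate fallback. The log wording (`'Detected Redhat 7 or newer, ...'`) also differs from the ciphers hunk's `'Detected RedHat Family with version 7 or newer, ...'`; one phrasing across the three libraries makes the chef-client log easier to grep. get_kexs starts and ends outside the hunk.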
@@ -50,8 +50,13 @@ def self.get_macs(node, weak_hmac) Chef::Log.info('Detected Debian 8 or newer, use new macs') macs = macs_66 - # stick to 53 for rhel <= 6, verify for rhel >= 7 - elsif node['platform_family'] == 'rhel' + # use newer macs for rhel >= 7 + elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7 + Chef::Log.info('Detected RedHat Family with version 7 or newer, use new macs') + macs = macs_66 + + # stick to 53 for rhel <= 6 + elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f < 7 Chef::Log.info('Detected RedHat Family, use old macs') macs = macs_53 From bede848ac068a236bd42eab2cea0daf239d99ea8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Wed, 27 Jul 2016 12:27:15 +0200 Subject: [PATCH 4/5] use privilege separation sandbox for redhat family 7 or newer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- libraries/use_privilege_separation.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libraries/use_privilege_separation.rb b/libraries/use_privilege_separation.rb index 43b3184e..e7cd118d 100644 --- a/libraries/use_privilege_separation.rb +++ b/libraries/use_privilege_separation.rb @@ -30,7 +30,11 @@ def self.get(node) # ubuntu 12.04 and newer has ssh 5.9+ # redhat/centos/oracle 6.x has ssh 5.3 - if node['platform_family'] == 'rhel' + if node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7 + ps = ps59 + + # redhat/centos/oracle 6.x has ssh 5.3 + elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f < 7 ps = ps53 # debian 7.x and newer has ssh 5.9+ From a3f7e408b3236d07197b06e316e0efdd3d39f2e2 Mon Sep 17 00:00:00 2001 
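Review bot: The `< 7` branch keeps the old message `'Detected RedHat Family, use old macs'`, which no longer says which releases it covers now that the family is split; `Chef::Log.info('Detected RedHat Family with version 6 or earlier, use old macs')` would mirror the new `>= 7` message. The removed comment `# stick to 53 for rhel <= 6, verify for rhel >= 7` recorded an open question that this hunk resolves, so the replacement comment should state what was verified (which OpenSSH release on RHEL 7 accepts the `macs_66` set), since `macs_66` itself is outside the hunk and an unsupported `MACs` entry would prevent sshd from starting. get_macs starts and ends outside the hunk.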
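Review bot: The comment pair above the `if` (`# ubuntu 12.04 and newer has ssh 5.9+` / `# redhat/centos/oracle 6.x has ssh 5.3`) now heads the branch that assigns `ps59` for RHEL 7 or newer, while the 6.x line is repeated on the new `elsif`, so the first block is stale; replacing its second line with `# redhat/centos/oracle 7.x has ssh 6.6+, sandbox supported` (presumably what `ps59` encodes, given the commit title) keeps the comments aligned with the branches. Because `to_f` maps an unparseable `platform_version` to `0.0`, such a node falls into the `< 7` branch and loses the sandbox setting, which is the safe direction but deserves a note. get starts and ends outside the hunk, so the default for non-RHEL platforms cannot be checked here.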
From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Wed, 27 Jul 2016 12:27:48 +0200 Subject: [PATCH 5/5] change config disclaimer from hardening.io to dev-sec.io MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- attributes/default.rb | 2 +- libraries/get_ssh_kex.rb | 2 +- libraries/get_ssh_macs.rb | 2 +- templates/default/openssh.conf.erb | 2 +- templates/default/opensshd.conf.erb | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/attributes/default.rb b/attributes/default.rb index 43f0ffe9..afa497e3 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -41,7 +41,7 @@ default['sshserver']['service_name'] = 'ssh' end -default['config_disclaimer'] = '**Note:** This file was automatically created by Hardening Framework (hardening.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.' +default['config_disclaimer'] = '**Note:** This file was automatically created by Hardening Framework (dev-sec.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.' default['network']['ipv6']['enable'] = false # sshd + ssh default['ssh']['client']['cbc_required'] = false # ssh default['ssh']['server']['cbc_required'] = false # sshd diff --git a/libraries/get_ssh_kex.rb b/libraries/get_ssh_kex.rb index c88d932c..2df96199 100644 --- a/libraries/get_ssh_kex.rb +++ b/libraries/get_ssh_kex.rb @@ -24,7 +24,7 @@ class Chef class Recipe class SshKex # rubocop:disable AbcSize - def self.get_kexs(node, weak_kex) + def self.get_kexs(node, weak_kex) # rubocop:disable CyclomaticComplexity, PerceivedComplexity weak_kex = weak_kex ? 'weak' : 'default' kex_59 = {} diff --git a/libraries/get_ssh_macs.rb b/libraries/get_ssh_macs.rb index 4d6bc6fb..60464f14 100644 --- a/libraries/get_ssh_macs.rb +++ b/libraries/get_ssh_macs.rb 
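Review bot: Appending `# rubocop:disable CyclomaticComplexity, PerceivedComplexity` to the `def self.get_kexs` line (and likewise to `def self.get_macs` in the get_ssh_macs.rb hunk of this patch) silences the cop rather than addressing why it fired: the platform branch chain grew by two arms in this series and now carries three suppressions per method. A small table mapping each `platform`/`platform_family` and minimum `platform_version` to its algorithm set would let both methods become a lookup, drop the suppressions and remove the version predicate duplicated across the libraries. If the disables are kept, a separate comment line above the `def` explaining that one branch per supported platform release is intentional would tell the next maintainer not to "fix" it. Both method bodies continue outside their hunks.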
@@ -24,7 +24,7 @@ class Chef class Recipe class SshMac # rubocop:disable AbcSize - def self.get_macs(node, weak_hmac) + def self.get_macs(node, weak_hmac) # rubocop:disable CyclomaticComplexity, PerceivedComplexity weak_macs = weak_hmac ? 'weak' : 'default' macs_53 = {} diff --git a/templates/default/openssh.conf.erb b/templates/default/openssh.conf.erb index a0fecf9d..ae9e24bb 100644 --- a/templates/default/openssh.conf.erb +++ b/templates/default/openssh.conf.erb @@ -6,7 +6,7 @@ # This is the ssh client system-wide configuration file. # See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. # -# Created for OpenSSH v5.9 +# Created for OpenSSH v5.9 up to 6.8 # Basic configuration # =================== diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb index 6781acb1..21eacf07 100644 --- a/templates/default/opensshd.conf.erb +++ b/templates/default/opensshd.conf.erb @@ -6,7 +6,7 @@ # This is the ssh client system-wide configuration file. # See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. # -# Created for OpenSSH v5.9 +# Created for OpenSSH v5.9 up to 6.8 # Basic configuration # =================== @@ -219,4 +219,4 @@ X11Forwarding no #PasswordAuthentication no #PermitRootLogin no #X11Forwarding no -<% end %> \ No newline at end of file +<% end %>