1 parent
d0a69f3
commit 5f8f980
Showing
5 changed files
with
115 additions
and
1 deletion.
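--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Configure sshd to use approved MACs"
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    line: 'MACs hmac-sha2-512,hmac-sha2-256'
+    state: present
+    regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
+    create: True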
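Review bot: The `regexp` on the lineinfile task only matches a MACs line that is already compliant (a subset of `hmac-sha2-512,hmac-sha2-256`), so an existing non-compliant directive such as `MACs hmac-md5` is left untouched and a second `MACs` line is appended; sshd honours the first occurrence of a keyword, so the remediation does not take effect on exactly the hosts that need it. The bash remediation in this commit rewrites any `^\s*MACs.*` line and the Ansible task should match the same way, e.g. `regexp: '(?i)^\s*MACs\s+'` (the keyword is case-insensitive in sshd_config, which the OVAL pattern in this commit already accounts for with `(?i)`). Note that lineinfile replaces the last matching line, so with several active `MACs` directives the first one can still win; `firstmatch: true` addresses that where the installed Ansible supports it.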
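--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
+
+if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
+    sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
+else
+    echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+fi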
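Review bot: The `grep -q -P '^[[:space:]]*MACs[[:space:]]+'` test is case-sensitive while sshd_config keywords are not, so an existing `macs hmac-md5` line is missed, the else branch appends a second directive, and sshd keeps using the first one. Make both the test and the substitution case-insensitive: `grep -q -i -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config` and `sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/I' /etc/ssh/sshd_config` (the `I` flag is GNU sed, which the listed platforms ship). The sed also rewrites a `MACs` line that sits inside a `Match` block, silently changing the scope of that directive; a one-line comment stating that limitation would help the next maintainer. The platform list here includes `multi_platform_wrlinux` while the Ansible remediation and `prodtype: rhel7` in this commit do not — worth aligning.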
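--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
@@ -0,0 +1,38 @@
+<def-group>
+  <definition class="compliance" id="sshd_use_approved_macs_ordered_stig" version="1">
+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
+    <criteria operator="AND">
+      <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
+      <criteria comment="SSH is configured correctly or is not installed"
+      operator="OR">
+        <criteria comment="sshd is not installed" operator="AND">
+          <extend_definition comment="sshd is not required or requirement is unset"
+          definition_ref="sshd_not_required_or_unset" />
+          <extend_definition comment="rpm package openssh-server removed"
+          definition_ref="package_openssh-server_removed" />
+        </criteria>
+        <criteria comment="sshd is installed and configured" operator="AND">
+          <extend_definition comment="sshd is required or requirement is unset"
+          definition_ref="sshd_required_or_unset" />
+          <extend_definition comment="rpm package openssh-server installed"
+          definition_ref="package_openssh-server_installed" />
+          <criterion comment="Check MACs in /etc/ssh/sshd_config"
+          test_ref="test_sshd_use_approved_macs_ordered_stig" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
+  id="test_sshd_use_approved_macs_ordered_stig" version="1">
+    <ind:object object_ref="obj_sshd_use_approved_macs_ordered_stig" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>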
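Review bot: The object pattern only matches a compliant `MACs` line, so with `instance` 1 the test locates the first compliant directive and passes even when a non-compliant `MACs hmac-md5` line appears earlier in the file — and sshd uses the first occurrence of a keyword, so that earlier line is the one in effect. Capture the first active `MACs` directive regardless of its value and compare the captured value in a state; that also lets the allowed ordering be written directly instead of through the optional-group/lookahead chain. Separately, `[\w,-@]` is a character range from `,` to `@` (it admits `.`, `/`, `:`, `;`, `<`, `=`, `>`, `?` as well), not the three literal characters, which is presumably unintended. A `MACs` line inside a `Match` block would be picked up by either pattern; that limitation deserves a comment on the object.
```xml
  <ind:textfilecontent54_test check="all" check_existence="all_exist"
  comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
  id="test_sshd_use_approved_macs_ordered_stig" version="1">
    <ind:object object_ref="obj_sshd_use_approved_macs_ordered_stig" />
    <ind:state state_ref="state_sshd_use_approved_macs_ordered_stig" />
  </ind:textfilecontent54_test>

  <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
    <!-- First active MACs directive, whatever its value: sshd honours the first occurrence.
         A directive inside a Match block is not distinguished here. -->
    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(\S+)[\s]*(?:#.*)?$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <!-- Allowed values: the full ordered list or either single algorithm. -->
  <ind:textfilecontent54_state id="state_sshd_use_approved_macs_ordered_stig" version="1">
    <ind:subexpression operation="pattern match">^(hmac-sha2-512(,hmac-sha2-256)?|hmac-sha2-256)$</ind:subexpression>
  </ind:textfilecontent54_state>
```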
57 changes: 57 additions & 0 deletions
57
linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -0,0 +1,57 @@ | ||
documentation_complete: true | ||
|
||
prodtype: rhel7 | ||
|
||
title: 'Use Only FIPS 140-2 Validated MACs' | ||
|
||
description: |- | ||
Limit the MACs to those hash algorithms which are FIPS-approved. | ||
The following line in <tt>/etc/ssh/sshd_config</tt> | ||
demonstrates use of FIPS-approved MACs: | ||
<pre>MACs hmac-sha2-512,hmac-sha2-256</pre> | ||
This rule ensures that there are configured MACs mentioned | ||
above (or their subset), keeping the given order of algorithms. | ||
rationale: |- | ||
DoD Information Systems are required to use FIPS-approved cryptographic hash | ||
functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@rhel7: CCE-83398-8 | ||
|
||
references: | ||
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123 | ||
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174 | ||
stigid@rhel7: RHEL-07-040400 | ||
|
||
ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms' | ||
|
||
ocil: |- | ||
Only FIPS-approved MACs should be used. To verify that only FIPS-approved | ||
MACs are in use, run the following command: | ||
<pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre> | ||
The output should contain only following MACs (or a subset) in the exact order: | ||
<pre>hmac-sha2-512,hmac-sha2-256</pre> | ||
warnings: | ||
- general: |- | ||
The system needs to be rebooted for these changes to take effect. | ||
- regulatory: |- | ||
System Crypto Modules must be provided by a vendor that undergoes | ||
FIPS-140 certifications. | ||
FIPS-140 is applicable to all Federal agencies that use | ||
cryptographic-based security systems to protect sensitive information | ||
in computer and telecommunication systems (including voice systems) as | ||
defined in Section 5131 of the Information Technology Management Reform | ||
Act of 1996, Public Law 104-106. This standard shall be used in | ||
designing and implementing cryptographic modules that Federal | ||
departments and agencies operate or are operated for them under | ||
contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b> | ||
To meet this, the system has to have cryptographic software provided by | ||
a vendor that has undergone this certification. This means providing | ||
documentation, test results, design information, and independent third | ||
party review by an accredited lab. While open source software is | ||
capable of meeting this, it does not meet FIPS-140 unless the vendor | ||
submits to this process. |
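Review bot: The general warning in the `warnings` block says the system must be rebooted, but the Ansible remediation in this commit is tagged `reboot = false` and sshd only picks up `sshd_config` changes when the service is restarted; the warning should say that instead, e.g. `The sshd service must be restarted (systemctl restart sshd) for these changes to take effect.` The `ocil` command `grep -i macs /etc/ssh/sshd_config` also prints commented-out `#MACs` lines and any other line containing "macs", which can mislead a manual check that the `ocil_clause` says must fail on a commented directive; `$ sudo grep -i '^[[:space:]]*MACs[[:space:]]' /etc/ssh/sshd_config` limits the output to active directives. In the rationale, `The only SSHv2 hash algorithms meeting this requirement is SHA2` should read `The only SSHv2 hash algorithms meeting this requirement are the SHA-2 family.`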
@@ -1,4 +1,3 @@ | ||
CCE-83398-8 | ||
CCE-83399-6 | ||
CCE-83405-1 | ||
CCE-83406-9 | ||
|