Update harden_sshd_ciphers/macs_opensshserver_conf_crypto_policy by mrkanon · Pull Request #13374 · ComplianceAsCode/content · GitHub

Update harden_sshd_ciphers/macs_opensshserver_conf_crypto_policy #13374


Merged
merged 5 commits into from
Apr 29, 2025

Conversation

mrkanon
Contributor
@mrkanon mrkanon commented Apr 22, 2025

Description:

Update OVAL file and remediations of harden_sshd_ciphers/macs_opensshserver_conf_crypto_policy

Add new test to check new behavior.

It takes advantage of the fix introduced in textfilecontent54_probe, which enables correct handling of negative numbers in OpenSCAP evaluations. OpenSCAP/openscap#2210

Rationale:

Remediation scripts for the rules harden_sshd_ciphers_opensshserver_conf_crypto_policy and harden_sshd_macs_opensshserver_conf_crypto_policy do not guarantee that the configuration persists after system package updates.

Scenario to reproduce:

generate remediation script for stig profile rule "harden_sshd_ciphers_opensshserver_conf_crypto_policy"
execute remediation script on OL8 system
call "update-crypto-policies --no-reload"

Result:

/etc/crypto-policies/back-ends/opensshserver.config reverted to default content

Expected result:

/etc/crypto-policies/back-ends/opensshserver.config has the set of ciphers defined in the remediation script
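The scenario above hinges on one property of crypto-policies: `update-crypto-policies` regenerates the back-end file, so anything edited in place is lost, while a line placed in `local.d` is re-appended after the policy's own `CRYPTO_POLICY=` line, and the last line is what sshd receives. The shell functions below are an added example, not code from this PR or from the ComplianceAsCode project. They model that "last line wins" merge as functions over strings, so the merge, a simplified regeneration step and a compliance check can be run offline. `SAMPLE_BASE_CONF`, `APPROVED_CIPHERS` and `APPROVED_MACS` are constructed stand-ins (for the generated back-end file and for the `sshd_approved_ciphers`/`sshd_approved_macs` variables), and `regenerate_backend` is an assumption that reduces `update-crypto-policies` to "append the local.d line".

```bash
#!/bin/sh
# Added example, not code from the PR or the ComplianceAsCode project.
# Models the "last CRYPTO_POLICY line wins" merge the updated remediation
# relies on, as functions over strings so it runs offline.

# Constructed stand-in for the generated back-end file
# /etc/crypto-policies/back-ends/opensshserver.config (not real policy output).
SAMPLE_BASE_CONF="# constructed sample, not a real DEFAULT policy output
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com -oMACs=hmac-sha2-256-etm@openssh.com'"

# Constructed stand-ins for the sshd_approved_ciphers / sshd_approved_macs variables.
APPROVED_CIPHERS="aes256-ctr,aes192-ctr,aes128-ctr"
APPROVED_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"

# Print the last CRYPTO_POLICY='...' line read from stdin (empty output if none).
# local.d content is appended after the policy's own line, so the last
# occurrence is the one sshd actually receives.
last_crypto_policy_line() {
    grep -Eo "^[[:space:]]*CRYPTO_POLICY='[^']+'" | tail -n 1
}

# merge_option LINE OPTION VALUE
# Print the CRYPTO_POLICY line local.d should carry so that OPTION=VALUE
# takes effect while every other option already on LINE is preserved.
merge_option() {
    line=$1; option=$2; correct="$2=$3"
    if [ -z "$line" ]; then
        # No policy line at all: start a fresh one.
        printf "CRYPTO_POLICY='%s'\n" "$correct"
    elif printf '%s' "$line" | grep -qF -- "$correct"; then
        # Already compliant: return the line unchanged. -F keeps the '.' in
        # '@openssh.com' literal; '--' because the value starts with '-'.
        printf '%s\n' "$line"
    elif printf '%s' "$line" | grep -qF -- "$option="; then
        # Option present with another value: replace only its value.
        printf '%s\n' "$line" | sed -E "s|$option=[^[:space:]']+|$correct|"
    else
        # Option absent: append it just before the closing apostrophe.
        printf '%s\n' "$line" | sed -E "s|'[[:space:]]*\$| $correct'|"
    fi
}

# regenerate_backend BASE_CONF LOCAL_LINE
# Assumed, simplified model of update-crypto-policies: the local.d line is
# appended after the policy-generated content.
regenerate_backend() {
    printf '%s\n\n%s\n' "$1" "$2"
}

# option_is_compliant CONF_TEXT OPTION VALUE
# Exit 0 when the effective (last) CRYPTO_POLICY line carries OPTION=VALUE
# as a whole token, which is the property a compliance check wants.
option_is_compliant() {
    effective=$(printf '%s\n' "$1" | last_crypto_policy_line)
    escaped=$(printf '%s' "$3" | sed 's/[.]/\\./g')   # '.' must match literally
    printf '%s' "$effective" | grep -qE -e "(^|[[:space:]'])$2=$escaped([[:space:]']|\$)"
}

# Walk through the PR scenario: merge approved ciphers, then approved MACs,
# regenerate, and verify both survive in the effective line.
demo() {
    base_line=$(printf '%s\n' "$SAMPLE_BASE_CONF" | last_crypto_policy_line)
    local_line=$(merge_option "$base_line" -oCiphers "$APPROVED_CIPHERS")
    local_line=$(merge_option "$local_line" -oMACs "$APPROVED_MACS")
    regenerated=$(regenerate_backend "$SAMPLE_BASE_CONF" "$local_line")
    printf 'local.d line: %s\n' "$local_line"
    for opt in "-oCiphers=$APPROVED_CIPHERS" "-oMACs=$APPROVED_MACS"; do
        if option_is_compliant "$regenerated" "${opt%%=*}" "${opt#*=}"; then
            printf 'PASS %s\n' "${opt%%=*}"
        else
            printf 'FAIL %s\n' "${opt%%=*}"
        fi
    done
}
demo
```

The check deliberately demands a whole token (`-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr` followed by a space or the closing apostrophe), so a superset or prefix of the approved list does not pass; and because both the ciphers and the MACs merge rebuild from the same last line, running them in either order leaves both options in place.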

mrkanon added 5 commits April 22, 2025 11:49
Signed-off-by: Armando Acosta <armando.acosta@oracle.com>
@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Apr 22, 2025
openshift-ci bot commented Apr 22, 2025

Hi @mrkanon. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -6,27 +6,33 @@
 
 
 CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+LOCAL_CONF_DIR=/etc/crypto-policies/local.d
+LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
 correct_value="-oCiphers=${sshd_approved_ciphers}"
 
-# Test if file exists
-test -f ${CONF_FILE} || touch ${CONF_FILE}
+# Test if file exists, create default it if not
+if [[ ! -s ${CONF_FILE} ]] || ! grep -q "^\s*CRYPTO_POLICY=" ${CONF_FILE} ; then
+    update-crypto-policies --no-reload # Generate a default configuration
+fi
 
-# Ensure CRYPTO_POLICY is not commented out
-sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+# Get the last occurrence of CRYPTO_POLICY
+last_crypto_policy=$(grep -Eo "^\s*CRYPTO_POLICY='[^']+'" ${CONF_FILE} | tail -n 1)
 
-if ! grep -q "\\$correct_value" "$CONF_FILE"; then
-    # We need to get the existing value, using PCRE to maintain same regex
-    existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})
+# Copy the last CRYPTO_POLICY value to the local configuration file
+if [[ -n "$last_crypto_policy" ]]; then
+    if ! grep -qe "$correct_value" <<< "$last_crypto_policy"; then
+        # If an existing -oCiphers= is found, replace it
+        # Else, append correct_value before the closing apostrophe
+        if [[ "$last_crypto_policy" == *"-oCiphers="* ]]; then
+            last_crypto_policy=$(echo "$last_crypto_policy" | sed -E "s/-oCiphers=\S+/${correct_value}/")
+        else
+            last_crypto_policy=$(echo "$last_crypto_policy" | sed -E "s/'[[:space:]]*$/ ${correct_value}'/")
+        fi
+        # Write updated line to LOCAL_CONF_FILE
+        echo -e "\n$last_crypto_policy" > "$LOCAL_CONF_FILE"
+    fi
+else
+    echo -e "\nCRYPTO_POLICY='${correct_value}'" > ${LOCAL_CONF_FILE}
+fi
 
-    if [[ ! -z ${existing_value} ]]; then
-        # replace existing_value with correct_value
-        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
-    else
-        # ***NOTE*** #
-        # This probably means this file is not here or it's been modified
-        # unintentionally.
-        # ********** #
-        # echo correct_value to end
-        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
-    fi
-fi
+update-crypto-policies --no-reload
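Review bot: `LOCAL_CONF_DIR` is defined but never created, so `echo -e "\n$last_crypto_policy" > "$LOCAL_CONF_FILE"` fails on a host where `/etc/crypto-policies/local.d` is absent, whereas the Ansible remediation has an explicit 'Ensure local.d dir exists' task. Add `mkdir -p "${LOCAL_CONF_DIR}"` before the write so both remediations behave the same. The closing `update-crypto-policies --no-reload` also runs when nothing was written; gating it on the write keeps a compliant run from regenerating every back-end config.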

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -5,9 +5,10 @@
     - always
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
-    Set facts'
-  set_fact:
-    path: /etc/crypto-policies/back-ends/opensshserver.config
+    Set relevant paths and correct value'
+  ansible.builtin.set_fact:
+    opensshserver_path: /etc/crypto-policies/back-ends/opensshserver.config
+    local_path: /etc/crypto-policies/local.d/opensshserver-ssg.config
     correct_value: -oCiphers={{ sshd_approved_ciphers }}
   tags:
   - CCE-85897-7
@@ -21,9 +22,9 @@
   - restrict_strategy
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
-    Stat'
-  stat:
-    path: '{{ path }}'
+    Ensure crypto config exists'
+  ansible.builtin.stat:
+    path: '{{ opensshserver_path }}'
     follow: true
   register: opensshserver_file
   tags:
@@ -38,12 +39,9 @@
   - restrict_strategy
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
-    Create'
-  lineinfile:
-    path: '{{ path }}'
-    line: CRYPTO_POLICY='{{ correct_value }}'
-    create: true
-  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
+    Generate default config if missing or empty'
+  ansible.builtin.command: update-crypto-policies --no-reload
+  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size == 0
   tags:
   - CCE-85897-7
   - DISA-STIG-RHEL-08-010291
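Review bot: the `when` at 'Generate default config if missing or empty' only regenerates when the file is missing or has size 0, while the bash remediation also regenerates when the file has content but no `CRYPTO_POLICY=` line. In that case the later tasks see an empty `last_crypto_policy` and write a line carrying only `correct_value`, dropping whatever else the active policy set. The two conditions should match, or the Ansible flow should regenerate when the slurped content has no `CRYPTO_POLICY=` line.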
@@ -55,26 +53,11 @@
   - reboot_required
   - restrict_strategy
 
-- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
-  block:
-
-  - name: Existing value check
-    lineinfile:
-      path: '{{ path }}'
-      create: false
-      regexp: '{{ correct_value }}'
-      state: absent
-    check_mode: true
-    changed_when: false
-    register: opensshserver
-
-  - name: Update/Correct value
-    replace:
-      path: '{{ path }}'
-      regexp: (-oCiphers=\S+)
-      replace: '{{ correct_value }}'
-    when: opensshserver.found is defined and opensshserver.found != 1
-  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Read opensshserver.config content'
+  ansible.builtin.slurp:
+    src: '{{ opensshserver_path }}'
+  register: ssh_config_raw
   tags:
   - CCE-85897-7
   - DISA-STIG-RHEL-08-010291
@@ -85,3 +68,120 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Extract last CRYPTO_POLICY line'
+  ansible.builtin.set_fact:
+    last_crypto_policy: '{{ (ssh_config_raw.content | b64decode).splitlines() | select(''match'',
+      "^\s*CRYPTO_POLICY=''[^'']+''") | list | last | default('''') }}'
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Check if correct_value is present'
+  ansible.builtin.set_fact:
+    cipher_is_correct: '{{ correct_value in last_crypto_policy }}'
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Extract current Ciphers if needed'
+  ansible.builtin.set_fact:
+    existing_cipher: '{{ (last_crypto_policy | regex_findall(''(-oCiphers=\S+)'',
+      ''\1'')) | last | default('''') }}'
+  when: not cipher_is_correct and last_crypto_policy != ''
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Build full updated CRYPTO_POLICY line'
+  set_fact:
+    updated_crypto_policy: '{% if last_crypto_policy == '''' %} CRYPTO_POLICY=''{{
+      correct_value }}'' {% elif existing_cipher != '''' %} {{ last_crypto_policy
+      | regex_replace(existing_cipher, correct_value) }} {% else %} {{ last_crypto_policy[:-1]
+      ~ " " ~ correct_value ~ "''" }} {% endif %}'
+  when: not cipher_is_correct
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Ensure local.d dir exists'
+  ansible.builtin.file:
+    path: '{{ local_path | dirname }}'
+    state: directory
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Write CRYPTO_POLICY to local config'
+  ansible.builtin.lineinfile:
+    path: '{{ local_path }}'
+    line: |-
+      {{ '
+      ' ~ updated_crypto_policy }}
+    create: true
+    insertafter: EOF
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
+    Apply updated crypto policies'
+  ansible.builtin.command: update-crypto-policies --no-reload
+  tags:
+  - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
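Review bot: 'Write CRYPTO_POLICY to local config' references `updated_crypto_policy` unconditionally, but that fact is only set under `when: not cipher_is_correct`; on a host whose ciphers are already correct the 'Build full updated CRYPTO_POLICY line' task is skipped and the lineinfile task fails on an undefined variable. Add `when: not cipher_is_correct` to the write task (and to the directory and `update-crypto-policies` tasks, which otherwise report changed on every run). Two smaller points in the same hunk: the `{% if %}` branches pad the value with spaces, so the written line starts with a space, and `set_fact` in 'Build full updated CRYPTO_POLICY line' is the only module in the hunk without the `ansible.builtin.` prefix.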

bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
@@ -6,27 +6,33 @@
 
 
 CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+LOCAL_CONF_DIR=/etc/crypto-policies/local.d
+LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
 correct_value="-oMACs=${sshd_approved_macs}"
 
-# Test if file exists
-test -f ${CONF_FILE} || touch ${CONF_FILE}
+# Test if file exists, create default it if not
+if [[ ! -s ${CONF_FILE} ]] || ! grep -q "^\s*CRYPTO_POLICY=" ${CONF_FILE} ; then
+    update-crypto-policies --no-reload # Generate a default configuration
+fi
 
-# Ensure CRYPTO_POLICY is not commented out
-sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}
+# Get the last occurrence of CRYPTO_POLICY
+last_crypto_policy=$(grep -Eo "^\s*CRYPTO_POLICY='[^']+'" ${CONF_FILE} | tail -n 1)
 
-if ! grep -q "\\$correct_value" "$CONF_FILE"; then
-    # We need to get the existing value, using PCRE to maintain same regex
-    existing_value=$(grep -Po '(-oMACs=\S+)' ${CONF_FILE})
+# Copy the last CRYPTO_POLICY value to the local configuration file
+if [[ -n "$last_crypto_policy" ]]; then
+    if ! grep -qe "$correct_value" <<< "$last_crypto_policy"; then
+        # If an existing -oMACs= is found, replace it
+        # Else, append correct_value before the closing apostrophe
+        if [[ "$last_crypto_policy" == *"-oMACs="* ]]; then
+            last_crypto_policy=$(echo "$last_crypto_policy" | sed -E "s/-oMACs=\S+/${correct_value}/")
+        else
+            last_crypto_policy=$(echo "$last_crypto_policy" | sed -E "s/'[[:space:]]*$/ ${correct_value}'/")
+        fi
+        # Write updated line to LOCAL_CONF_FILE
+        echo -e "\n$last_crypto_policy" > "$LOCAL_CONF_FILE"
+    fi
+else
+    echo -e "\nCRYPTO_POLICY='${correct_value}'" > ${LOCAL_CONF_FILE}
+fi
 
-    if [[ ! -z ${existing_value} ]]; then
-        # replace existing_value with correct_value
-        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
-    else
-        # ***NOTE*** #
-        # This probably means this file is not here or it's been modified
-        # unintentionally.
-        # ********** #
-        # echo correct_value to end
-        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
-    fi
-fi
+update-crypto-policies --no-reload
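Review bot: `grep -qe "$correct_value"` treats `correct_value` as a regular expression, so the `.` in `@openssh.com` matches any character and a near match can be reported as already correct; `grep -qF -- "$correct_value"` compares the fixed string. Also, this script and the ciphers script write the same `${LOCAL_CONF_FILE}`, which only works because each rebuilds its line from the last `CRYPTO_POLICY` entry of the regenerated back-end file; a comment stating that ordering assumption would stop a future change from breaking it.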

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
@@ -5,9 +5,10 @@
     - always
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
-    Set facts'
-  set_fact:
-    path: /etc/crypto-policies/back-ends/opensshserver.config
+    Set relevant paths and correct value'
+  ansible.builtin.set_fact:
+    opensshserver_path: /etc/crypto-policies/back-ends/opensshserver.config
+    local_path: /etc/crypto-policies/local.d/opensshserver-ssg.config
     correct_value: -oMACs={{ sshd_approved_macs }}
   tags:
   - CCE-85899-3
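Review bot: `local_path` is the same `opensshserver-ssg.config` the ciphers remediation writes, so the two rules only cooperate because the later lineinfile task carries the full last `CRYPTO_POLICY` line, including the other rule's option. Document the shared file here so a rename in one rule does not silently split them into two files that overwrite each other.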
@@ -21,9 +22,9 @@
   - restrict_strategy
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
-    Stat'
-  stat:
-    path: '{{ path }}'
+    Ensure crypto config exists'
+  ansible.builtin.stat:
+    path: '{{ opensshserver_path }}'
     follow: true
   register: opensshserver_file
   tags:
@@ -38,12 +39,9 @@
   - restrict_strategy
 
 - name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
-    Create'
-  lineinfile:
-    path: '{{ path }}'
-    line: CRYPTO_POLICY='{{ correct_value }}'
-    create: true
-  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
+    Generate default config if missing or empty'
+  ansible.builtin.command: update-crypto-policies --no-reload
+  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size == 0
   tags:
   - CCE-85899-3
   - DISA-STIG-RHEL-08-010290
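Review bot: `ansible.builtin.command: update-crypto-policies --no-reload` declares neither `creates` nor `changed_when`, so whenever its `when` is true the task reports changed and, in check mode, is skipped without a verdict. Adding `creates: '{{ opensshserver_path }}'` states the effect the `when` is guarding and lets the command module make a determination in check mode.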
@@ -55,26 +53,11 @@
   - reboot_required
   - restrict_strategy
 
-- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
-  block:
-
-  - name: Existing value check
-    lineinfile:
-      path: '{{ path }}'
-      create: false
-      regexp: '{{ correct_value }}'
-      state: absent
-    check_mode: true
-    changed_when: false
-    register: opensshserver
-
-  - name: Update/Correct value
-    replace:
-      path: '{{ path }}'
-      regexp: (-oMACs=\S+)
-      replace: '{{ correct_value }}'
-    when: opensshserver.found is defined and opensshserver.found != 1
-  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Read opensshserver.config content'
+  ansible.builtin.slurp:
+    src: '{{ opensshserver_path }}'
+  register: ssh_config_raw
   tags:
   - CCE-85899-3
   - DISA-STIG-RHEL-08-010290
@@ -85,3 +68,120 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Extract last CRYPTO_POLICY line'
+  ansible.builtin.set_fact:
+    last_crypto_policy: '{{ (ssh_config_raw.content | b64decode).splitlines() | select(''match'',
+      "^\s*CRYPTO_POLICY=''[^'']+''") | list | last | default('''') }}'
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Check if correct_value is present'
+  ansible.builtin.set_fact:
+    mac_is_correct: '{{ correct_value in last_crypto_policy }}'
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Extract current Ciphers if needed'
+  ansible.builtin.set_fact:
+    existing_mac: '{{ (last_crypto_policy | regex_findall(''(-oMACs=\S+)'', ''\1''))
+      | last | default('''') }}'
+  when: not mac_is_correct and last_crypto_policy != ''
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Build full updated CRYPTO_POLICY line'
+  set_fact:
+    updated_crypto_policy: '{% if last_crypto_policy == '''' %} CRYPTO_POLICY=''{{
+      correct_value }}'' {% elif existing_mac != '''' %} {{ last_crypto_policy | regex_replace(existing_mac,
+      correct_value) }} {% else %} {{ last_crypto_policy[:-1] ~ " " ~ correct_value
+      ~ "''" }} {% endif %}'
+  when: not mac_is_correct
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Ensure local.d dir exists'
+  ansible.builtin.file:
+    path: '{{ local_path | dirname }}'
+    state: directory
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Write CRYPTO_POLICY to local config'
+  ansible.builtin.lineinfile:
+    path: '{{ local_path }}'
+    line: |-
+      {{ '
+      ' ~ updated_crypto_policy }}
+    create: true
+    insertafter: EOF
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
+
+- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
+    Apply updated crypto policies'
+  ansible.builtin.command: update-crypto-policies --no-reload
+  tags:
+  - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
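Review bot: the task name 'Extract current Ciphers if needed' is a copy-paste leftover in the MACs rule; the task extracts `-oMACs=`, so name it 'Extract current MACs if needed'. The write task has the same gap as the ciphers playbook: `updated_crypto_policy` is only set under `when: not mac_is_correct`, so an already-compliant host fails on an undefined variable in 'Write CRYPTO_POLICY to local config'; add `when: not mac_is_correct` there.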


Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

codeclimate bot commented Apr 22, 2025

Code Climate has analyzed commit 69b91c7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

View more on Code Climate.

@Xeicker Xeicker added Ansible Ansible remediation update. OVAL OVAL update. Related to the systems assessments. Bash Bash remediation update. Update Rule Issues or pull requests related to Rules updates. labels Apr 23, 2025
@Xeicker Xeicker added this to the 0.1.77 milestone Apr 23, 2025
jan-cerny self-assigned this Apr 24, 2025
@jan-cerny
Collaborator

/packit build

1 similar comment
@jan-cerny
Collaborator

/packit build

jan-cerny added a commit to jan-cerny/contest that referenced this pull request Apr 29, 2025
These waivers are added to be able to merge the pull request
ComplianceAsCode/content#13374
This PR adds changes that work only with new OpenSCAP, but the
new OpenSCAP hasn't been shipped in CentOS/RHEL yet, which means the
Testing farm tests fail in CI gating. At the same time, we don't want
to delay the PR. Therefore, we introduce this waiver, that can be
removed once the new OpenSCAP is released.

Specifically, these rules require OpenSCAP 1.3.12 or 1.4.2 to pass
because they depend on processing negative numbers by
textfilecontent54_probe which is fixed by
OpenSCAP/openscap#2210
matusmarhefka pushed a commit to RHSecurityCompliance/contest that referenced this pull request Apr 29, 2025
@jan-cerny
Collaborator

/packit build

@jan-cerny jan-cerny merged commit c649ca4 into ComplianceAsCode:master Apr 29, 2025
91 of 100 checks passed
@mrkanon mrkanon mentioned this pull request May 22, 2025