Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Align sshd_use_approved_ciphers_ordered_stig with Ubuntu STIG #11983

Merged
merged 6 commits into from
May 10, 2024
Merged

Align sshd_use_approved_ciphers_ordered_stig with Ubuntu STIG #11983

merged 6 commits into from
May 10, 2024

Conversation

mpurg
Copy link
Contributor

@mpurg mpurg commented May 9, 2024

Description:

  • Modify sshd_use_approved_ciphers_ordered_stig rule to better align with Ubuntu STIG (UBTU-20-010044, UBTU-22-255050)
  • Switch to using sshd_approved_ciphers variable
  • Switch to checking the whole set of algorithms instead of just a subset
  • Extend OVAL check to allow distributed configs
  • Analogous to Align sshd_use_approved_macs_ordered_stig with Ubuntu STIG #11853

Rationale:

  • Checking just for a subset does not meet the requirement of having the algorithms in the exact same order (as specified in the STIG), because it is possible to specify only the last algorithm, which is effectively the same as specifying them in the wrong order

@mpurg mpurg requested a review from a team as a code owner May 9, 2024 14:32
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented May 9, 2024

Hi @mpurg. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label May 9, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented May 9, 2024

Start a new ephemeral environment with changes proposed in this pull request:

rhel7 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions GitHub Actions
Copy link

github-actions bot commented May 9, 2024
edited
Loading

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11983
This image was built from commit: 0918aac

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11983

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11983 make deploy-local

mpurg added 2 commits May 9, 2024 16:51
@mpurg
Modify Ubuntu OVAL for sshd_use_approved_ciphers_ordered_stig
da09757 
The OVAL now also allows distributed configs and uses
the variable `sshd_approved_ciphers` instead of hardcoded values.

The implementation is based on the template `sshd_lineinfile`,
modified to allow external variables as values and checking for
FIPS compliant OS.
@mpurg
Modify Ubuntu ansible remediation for sshd_use_approved_ciphers_order…
0918aac 
…ed_stig

The remediation now uses the ansible_sshd_set macro and the
sshd_approved_ciphers variable.
@mpurg mpurg force-pushed the ubuntu_2204_stig_255050 branch from b609023 to 0918aac Compare May 9, 2024 14:52
@codeclimate CodeClimate
Copy link

codeclimate bot commented May 9, 2024

Code Climate has analyzed commit 0918aac and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

@dodys dodys self-assigned this May 10, 2024
@dodys dodys added Ubuntu Ubuntu product related. STIG STIG Benchmark related. labels May 10, 2024
dodys
dodys approved these changes May 10, 2024
View reviewed changes
Copy link
Contributor

@dodys dodys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

@dodys dodys merged commit 53635a7 into ComplianceAsCode:master May 10, 2024
106 of 108 checks passed
@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label May 10, 2024
@Mab879 Mab879 added this to the 0.1.74 milestone May 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dodys dodys dodys approved these changes

Assignees

@dodys dodys

Labels
needs-ok-to-test Used by openshift-ci bot. STIG STIG Benchmark related. Ubuntu Ubuntu product related. Update Rule Issues or pull requests related to Rules updates.
Projects
None yet
Milestone
0.1.74
Development

Successfully merging this pull request may close these issues.
3 participants
@mpurg @dodys @Mab879