Merge pull request #474 from ferricoxide/Issue_466
Add Remediation For EL8 STIG Vulnerability-ID V-255924 (RHEL-08-040342)
ferricoxide authored Oct 27, 2023
2 parents 3a2531a + 325c9db commit 51c9fdc
Showing 3 changed files with 86 additions and 0 deletions.
52 changes: 52 additions & 0 deletions ash-linux/el8/STIGbyID/cat2/RHEL-08-040342.sls
@@ -0,0 +1,52 @@
# Ref Doc: STIG - RHEL 8 v1r12
# Finding ID: V-255924
# Rule ID: SV-255924r917888_rule
# STIG ID: RHEL-08-040342
# SRG ID: SRG-OS-000250-GPOS-00093
#
# Finding Level: medium
#
# Rule Summary:
# The SSH server must be configured to use only FIPS-validated key
# exchange algorithms.
#
# References:
# CCI:
# - CCI-001453
# NIST SP 800-53 :: AC-17 (2)
# NIST SP 800-53A :: AC-17.1 (2).1
# NIST SP 800-53 Revision 4 :: AC-17 (2)
#
###########################################################################
{%- set stig_id = 'RHEL-08-040342' %}
{%- set helperLoc = 'ash-linux/el8/STIGbyID/cat2/files' %}
{%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %}
{%- set cfgFile = '/etc/crypto-policies/back-ends/opensshserver.config' %}
{%- set fixOpts = [
'ecdh-sha2-nistp256',
'ecdh-sha2-nistp384',
'ecdh-sha2-nistp521',
'diffie-hellman-group-exchange-sha256',
'diffie-hellman-group14-sha256',
'diffie-hellman-group16-sha512',
'diffie-hellman-group18-sha512'
] %}

script_{{ stig_id }}-describe:
cmd.script:
- source: salt://{{ helperLoc }}/{{ stig_id }}.sh
- cwd: /root

{%- if stig_id in skipIt %}
notify_{{ stig_id }}-skipSet:
cmd.run:
- name: 'printf "\nchanged=no comment=''Handler for {{ stig_id }} has been selected for skip.''\n"'
- stateful: True
- cwd: /root
{%- else %}
Set SSHD Key-Exchange Algorithms:
file.replace:
- name: '{{ cfgFile }}'
- pattern: "^(|#)(CRYPTO_POLICY='.*)(-oKexAlgorithms=[a-z0-9,@.-]*)(.*$)"
- repl: '\g<2>-oKexAlgorithms={{ fixOpts|join(',') }}\g<4>'
{%- endif %}
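Review bot: the `file.replace` in `Set SSHD Key-Exchange Algorithms` only rewrites a `CRYPTO_POLICY=` line that already contains `-oKexAlgorithms=...`; on a host where that option is absent the pattern never matches, the file is left as-is and the state still reports success, so the finding stays open with no signal to the operator. Consider either using `append_if_not_found` with a full `CRYPTO_POLICY=` line, or adding a follow-up state that fails the run when the expected `-oKexAlgorithms=` value is not present afterwards. Two smaller points: group 1 `(|#)` is not carried into `repl`, so a commented-out `#CRYPTO_POLICY=` line is silently uncommented as a side effect (worth a comment if that is intended), and the state ID is not namespaced with `{{ stig_id }}` the way `script_{{ stig_id }}-describe` is, so a duplicate ID elsewhere in the highstate would conflict. Finally, the header should document that `/etc/crypto-policies/back-ends/opensshserver.config` is regenerated whenever `update-crypto-policies --set` runs, so this edit does not survive a later policy change.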
33 changes: 33 additions & 0 deletions ash-linux/el8/STIGbyID/cat2/files/RHEL-08-040342.sh
@@ -0,0 +1,33 @@
#!/bin/bash
#
# Ref Doc: STIG - RHEL 8 v1r12
# Finding ID: V-255924
# Rule ID: SV-255924r917888_rule
# STIG ID: RHEL-08-040342
# SRG ID: SRG-OS-000250-GPOS-00093
#
# Finding Level: medium
#
# Rule Summary:
# The SSH server must be configured to use only FIPS-validated key
# exchange algorithms.
#
# References:
# CCI:
# - CCI-001453
# NIST SP 800-53 :: AC-17 (2)
# NIST SP 800-53A :: AC-17.1 (2).1
# NIST SP 800-53 Revision 4 :: AC-17 (2)
#
###########################################################################
# Standard outputter function
diag_out() {
echo "${1}"
}

diag_out "--------------------------------------"
diag_out "STIG Finding ID: V-248543"
diag_out " The SSH daemon must allow only"
diag_out " FIPS-validated key-exchange"
diag_out " algorithms"
diag_out "--------------------------------------"
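Review bot: the finding ID printed by the describe banner does not match the file header; `diag_out "STIG Finding ID: V-248543"` should read `V-255924`, the ID given in `# Finding ID: V-255924` above and in the file name. Since this script is what the `script_{{ stig_id }}-describe` state shows in run output, the wrong ID would send an operator to the wrong finding when reviewing logs.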
1 change: 1 addition & 0 deletions ash-linux/el8/STIGbyID/cat2/init.sls
Expand Up @@ -23,5 +23,6 @@ include:
- ash-linux.el8.STIGbyID.cat2.RHEL-08-040180
- ash-linux.el8.STIGbyID.cat2.RHEL-08-040282
- ash-linux.el8.STIGbyID.cat2.RHEL-08-040290
- ash-linux.el8.STIGbyID.cat2.RHEL-08-040342
- ash-linux.el8.STIGbyID.cat2.RHEL-08-pam_faillock
- ash-linux.el8.STIGbyID.cat2.RHEL-08-pam_pwhistory
