Force FIPS-compliant Ciphers in SSH
ferricoxide committed Oct 23, 2023
1 parent eea2c46 commit c328834
Showing 2 changed files with 82 additions and 0 deletions.
50 changes: 50 additions & 0 deletions ash-linux/el8/STIGbyID/cat2/RHEL-08-010291.sls
@@ -0,0 +1,50 @@
# Ref Doc: STIG - RHEL 8 v1r11
# Finding ID: V-230252
# Rule ID: SV-230252r917873_rule
# STIG ID: RHEL-08-010291
# SRG ID: SRG-OS-000250-GPOS-00093
#
# Finding Level: medium
#
# Rule Summary:
# The operating system must implement DoD-approved encryption to protect
# the confidentiality of SSH server connections
#
# References:
# CCI:
# - CCI-001453
# NIST SP 800-53 :: AC-17 (2)
# NIST SP 800-53A :: AC-17.1 (2).1
# NIST SP 800-53 Revision 4 :: AC-17 (2)
#
###########################################################################
{%- set stig_id = 'RHEL-08-010291' %}
{%- set helperLoc = 'ash-linux/el8/STIGbyID/cat2/files' %}
{%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %}
{%- set cfgFile = '/etc/crypto-policies/back-ends/opensshserver.config' %}
{%- set fixOpts = [
'aes256-ctr',
'aes192-ctr',
'aes128-ctr',
'[email protected]',
'[email protected]'
] %}

script_{{ stig_id }}-describe:
cmd.script:
- source: salt://{{ helperLoc }}/{{ stig_id }}.sh
- cwd: /root

{%- if stig_id in skipIt %}
notify_{{ stig_id }}-skipSet:
cmd.run:
- name: 'printf "\nchanged=no comment=''Handler for {{ stig_id }} has been selected for skip.''\n"'
- stateful: True
- cwd: /root
{%- else %}
Set SSHD Ciphers:
file.replace:
- name: '{{ cfgFile }}'
- pattern: "(^CRYPTO_POLICY='.*)(-oCiphers=[a-z0-9,@.-]*)(.*'$)"
- repl: '\g<1>-oCiphers={{ fixOpts|join(',') }}\g<3>'
{%- endif %}
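Review bot: the `Set SSHD Ciphers` state is a silent no-op whenever the `CRYPTO_POLICY='...'` line in `/etc/crypto-policies/back-ends/opensshserver.config` carries no `-oCiphers=` option: the pattern on the `- pattern:` line needs group 2 to match, and `file.replace` then reports "no changes" rather than failing, so a host can stay non-compliant while the run looks green. Consider `append_if_not_found: True` with an explicit `not_found_content`, or a preceding guard that fails the run when the option is absent. Two related gaps: nothing restarts `sshd` after the edit, so the new list only takes effect on the next service restart or reboot (a `service.running` state with a `watch` on this one, or a stated reboot requirement, would make that explicit), and this back-end file is regenerated by `update-crypto-policies`, so the edit is reverted the next time the system-wide policy is (re)applied; both deserve a comment in the header block. Finally, the two GCM entries in `fixOpts` appear on this page as `[email protected]`; if the committed file really contains that string rather than `aes256-gcm@openssh.com` and `aes128-gcm@openssh.com`, sshd will refuse to start on a bad cipher spec, and the `[a-z0-9,@.-]*` class in the pattern would accept either form without complaint.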
32 changes: 32 additions & 0 deletions ash-linux/el8/STIGbyID/cat2/files/RHEL-08-010291.sh
@@ -0,0 +1,32 @@
#!/bin/bash
#
# Ref Doc: STIG - RHEL 8 v1r11
# Finding ID: V-230252
# Rule ID: SV-230252r917873_rule
# STIG ID: RHEL-08-010291
# SRG ID: SRG-OS-000250-GPOS-00093
#
# Finding Level: medium
#
# Rule Summary:
# The operating system must implement DoD-approved encryption to protect
# the confidentiality of SSH server connections
#
# References:
# CCI:
# - CCI-001453
# NIST SP 800-53 :: AC-17 (2)
# NIST SP 800-53A :: AC-17.1 (2).1
# NIST SP 800-53 Revision 4 :: AC-17 (2)
#
###########################################################################
# Standard outputter function
diag_out() {
echo "${1}"
}

diag_out "--------------------------------------"
diag_out "STIG Finding ID: V-230252"
diag_out " The OS must allow only DoD-
diag_out " approved SSH encryption-ciphers"
diag_out "--------------------------------------"
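Review bot: the banner printed by the `diag_out` calls ("The OS must allow only DoD-approved SSH encryption-ciphers") restates the rule differently from the `Rule Summary` in the header comment ("implement DoD-approved encryption to protect the confidentiality of SSH server connections"); keep the two in step so operators can grep either text and find this handler. Since this is the only output an operator sees for the handler, it would also be worth printing which file the remediation touches and that a service restart or reboot is needed before the new cipher list is in effect.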

0 comments on commit c328834