From c328834e4200a88b1b5110bdb3f34fcb6d91bd8a Mon Sep 17 00:00:00 2001
From: Thomas H Jones II
Date: Mon, 23 Oct 2023 14:25:03 -0400
Subject: [PATCH] Force FIPS-compliant Ciphers in SSH
---
 .../el8/STIGbyID/cat2/RHEL-08-010291.sls | 50 +++++++++++++++++++
 .../el8/STIGbyID/cat2/files/RHEL-08-010291.sh | 32 ++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 ash-linux/el8/STIGbyID/cat2/RHEL-08-010291.sls
 create mode 100644 ash-linux/el8/STIGbyID/cat2/files/RHEL-08-010291.sh
diff --git a/ash-linux/el8/STIGbyID/cat2/RHEL-08-010291.sls b/ash-linux/el8/STIGbyID/cat2/RHEL-08-010291.sls
new file mode 100644
index 000000000..6b3571174
--- /dev/null
+++ b/ash-linux/el8/STIGbyID/cat2/RHEL-08-010291.sls
@@ -0,0 +1,50 @@
+# Ref Doc: STIG - RHEL 8 v1r11
+# Finding ID: V-230252
+# Rule ID: SV-230252r917873_rule
+# STIG ID: RHEL-08-010291
+# SRG ID: SRG-OS-000250-GPOS-00093
+#
+# Finding Level: medium
+#
+# Rule Summary:
+# The operating system must implement DoD-approved encryption to protect
+# the confidentiality of SSH server connections
+#
+# References:
+# CCI:
+# - CCI-001453
+# NIST SP 800-53 :: AC-17 (2)
+# NIST SP 800-53A :: AC-17.1 (2).1
+# NIST SP 800-53 Revision 4 :: AC-17 (2)
+#
+###########################################################################
+{%- set stig_id = 'RHEL-08-010291' %}
+{%- set helperLoc = 'ash-linux/el8/STIGbyID/cat2/files' %}
+{%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %}
+{%- set cfgFile = '/etc/crypto-policies/back-ends/opensshserver.config' %}
+{%- set fixOpts = [
+ 'aes256-ctr',
+ 'aes192-ctr',
+ 'aes128-ctr',
+ 'aes256-gcm@openssh.com',
+ 'aes128-gcm@openssh.com'
+] %}
+
+script_{{ stig_id }}-describe:
+ cmd.script:
+ - source: salt://{{ helperLoc }}/{{ stig_id }}.sh
+ - cwd: /root
+
+{%- if stig_id in skipIt %}
+notify_{{ stig_id }}-skipSet:
+ cmd.run:
+ - name: 'printf "\nchanged=no comment=''Handler for {{ stig_id }} has been selected for skip.''\n"'
+ - stateful: True
+ - cwd: /root
+{%- else %}
+Set SSHD Ciphers:
+ file.replace:
+ - name: '{{ cfgFile }}'
+ - pattern: "(^CRYPTO_POLICY='.*)(-oCiphers=[a-z0-9,@.-]*)(.*'$)"
+ - repl: '\g<1>-oCiphers={{ fixOpts|join(',') }}\g<3>'
+{%- endif %}
diff --git a/ash-linux/el8/STIGbyID/cat2/files/RHEL-08-010291.sh b/ash-linux/el8/STIGbyID/cat2/files/RHEL-08-010291.sh
new file mode 100644
index 000000000..e3572331c
--- /dev/null
+++ b/ash-linux/el8/STIGbyID/cat2/files/RHEL-08-010291.sh
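Review bot: The `file.replace` under `Set SSHD Ciphers` passes silently when its regex matches nothing — for instance when `opensshserver.config` has no `-oCiphers=` fragment on the `CRYPTO_POLICY=` line, or a locally customized value uses characters outside `[a-z0-9,@.-]` — so the run reports no change and the finding stays open without any signal. The rewritten cipher list also only reaches sshd once the daemon restarts, and nothing in the hunk triggers that. Consider a `service.running` state for `sshd` that watches `Set SSHD Ciphers` (or a `watch_in` on an existing sshd state if the formula already manages one), plus a follow-up check that the file now contains `-oCiphers={{ fixOpts|join(',') }}` so a non-match surfaces as a failure. It is also worth a header comment that `/etc/crypto-policies/back-ends/opensshserver.config` is regenerated by `update-crypto-policies`, so a later policy refresh can undo this edit and the state must stay in the regular run.
```yaml
# … unchanged: Set SSHD Ciphers file.replace state …
Restart SSHD for {{ stig_id }}:
  service.running:
    - name: sshd
    - watch:
      - file: Set SSHD Ciphers
{%- endif %}
```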
@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Ref Doc: STIG - RHEL 8 v1r11
+# Finding ID: V-230252
+# Rule ID: SV-230252r917873_rule
+# STIG ID: RHEL-08-010291
+# SRG ID: SRG-OS-000250-GPOS-00093
+#
+# Finding Level: medium
+#
+# Rule Summary:
+# The operating system must implement DoD-approved encryption to protect
+# the confidentiality of SSH server connections
+#
+# References:
+# CCI:
+# - CCI-001453
+# NIST SP 800-53 :: AC-17 (2)
+# NIST SP 800-53A :: AC-17.1 (2).1
+# NIST SP 800-53 Revision 4 :: AC-17 (2)
+#
+###########################################################################
+# Standard outputter function
+diag_out() {
+ echo "${1}"
+}
+
+diag_out "--------------------------------------"
+diag_out "STIG Finding ID: V-230252"
+diag_out " The OS must allow only DoD-
+diag_out " approved SSH encryption-ciphers"
+diag_out "--------------------------------------"
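Review bot: The line `diag_out " The OS must allow only DoD-` has no closing double quote, so as the hunk shows the string runs into the following line, the quote pairing for the rest of the file is shifted, and bash aborts with an unexpected-EOF syntax error and a non-zero exit after printing only the first two banner lines. Because this helper is run through `cmd.script` in the companion `.sls`, the `script_{{ stig_id }}-describe` state would then fail on every run. The fix is the one-character close, `diag_out "   The OS must allow only DoD-"`; the hunk's `+1,32` line count matches the visible lines, so this looks like a genuine omission rather than a line lost in transit.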