up through 257991

Signed-off-by: wdower <[email protected]>
mitre · Apr 24, 2024 · 60d50de · 60d50de
1 parent c1d9e31
commit 60d50de
Show file tree

Hide file tree

Showing 15 changed files with 148 additions and 51 deletions.
diff --git a/controls/SV-257961.rb b/controls/SV-257961.rb
@@ -100,5 +100,4 @@
       end
     end
   end
-
 end
diff --git a/controls/SV-257967.rb b/controls/SV-257967.rb
@@ -38,7 +38,7 @@
   tag cci: ['CCI-000366']
   tag nist: ['CM-6 b']
   tag 'host'
-  
+
   # Define the kernel parameter to be checked
   parameter = 'net.ipv4.icmp_ignore_bogus_error_response'
   action = 'IPv4 bogus error response logging'

diff --git a/controls/SV-257980.rb b/controls/SV-257980.rb
@@ -25,4 +25,13 @@
   tag 'documentable'
   tag cci: ['CCI-000366']
   tag nist: ['CM-6 b']
+  tag 'host'
+
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  describe package('openssh-clients') do
+    it { should be_installed }
+  end
 end
diff --git a/controls/SV-257982.rb b/controls/SV-257982.rb
@@ -29,4 +29,14 @@
   tag 'documentable'
   tag cci: ['CCI-000067']
   tag nist: ['AC-17 (1)']
+  tag 'host'
+  tag 'container-conditional'
+
+  only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {
+    !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)
+  }
+
+  describe sshd_config do
+    its('LogLevel') { should cmp 'VERBOSE' }
+  end
 end
diff --git a/controls/SV-257983.rb b/controls/SV-257983.rb
@@ -30,4 +30,14 @@
   tag 'documentable'
   tag cci: ['CCI-000765', 'CCI-000766', 'CCI-000767', 'CCI-000768']
   tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']
+  tag 'host'
+  tag 'container-conditional'
+
+  only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {
+    !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)
+  }
+
+  describe sshd_config do
+    its('PubkeyAuthentication') { should cmp 'yes' }
+  end
 end
diff --git a/controls/SV-257984.rb b/controls/SV-257984.rb
@@ -30,4 +30,14 @@
   tag 'documentable'
   tag cci: ['CCI-000366', 'CCI-000766']
   tag nist: ['CM-6 b', 'IA-2 (2)']
+  tag 'host'
+  tag 'container-conditional'
+
+  only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {
+    !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)
+  }
+
+  describe sshd_config do
+    its('PermitEmptyPasswords') { should cmp 'no' }
+  end
 end
diff --git a/controls/SV-257986.rb b/controls/SV-257986.rb
@@ -27,4 +27,14 @@
   tag 'documentable'
   tag cci: ['CCI-000877']
   tag nist: ['MA-4 c']
+  tag 'host'
+  tag 'container-conditional'
+
+  only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {
+    !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)
+  }
+
+  describe sshd_config do
+    its('UsePAM') { should cmp 'yes' }
+  end
 end
diff --git a/controls/SV-257987.rb b/controls/SV-257987.rb
@@ -43,6 +43,9 @@
       end
     end
   else
+    describe file('/etc/ssh/sshd_config.d/50-redhat.conf') do
+      it { should exist }
+    end
     describe 'The system' do
       it 'does not have a CRYPTO_POLICY setting configured' do
         expect(parse_config_file('/etc/sysconfig/sshd').params['CRYPTO_POLICY']).to be_nil, 'The CRYPTO_POLICY setting in the /etc/sysconfig/sshd should not be present. Please ensure it is commented out.'

diff --git a/controls/SV-257988.rb b/controls/SV-257988.rb
@@ -30,4 +30,28 @@
   tag 'documentable'
   tag cci: ['CCI-001453']
   tag nist: ['AC-17 (2)']
+  tag 'host'
+  tag 'container-conditional'
+
+  openssh_present = package('openssh-server').installed?
+
+  only_if('This requirement is Not Applicable in the container without open-ssh installed', impact: 0.0) {
+    !(virtualization.system.eql?('docker') && !openssh_present)
+  }
+
+  describe file('/etc/ssh/sshd_config.d/50-redhat.conf') do
+    it { should exist }
+  end
+
+  sshd_grep = command('grep Include /etc/ssh/sshd_config  /etc/ssh/sshd_config.d/*').stdout.lines.map(&:strip)
+
+  star_dot_conf = sshd_grep.any? { |line| line.match?(%r{Include /etc/ssh/sshd_config.d/\*\.conf$}i) }
+  opensshserver_config = sshd_grep.any? { |line| line.match?(%r{Include /etc/crypto-policies/back-ends/opensshserver\.config$}i) }
+
+  describe 'SSHD config files' do
+    it 'should include system-wide crypto policies' do
+      expect(star_dot_conf).to eq(true), 'SSHD conf files do not include /etc/ssh/sshd_config.d/*.conf'
+      expect(opensshserver_config).to eq(true), 'SSHD conf files do not include /etc/crypto-policies/back-ends/opensshserver.config'
+    end
+  end
 end
diff --git a/controls/SV-257989.rb b/controls/SV-257989.rb
@@ -37,15 +37,16 @@
     !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)
   }
 
-  describe parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config') do
-    its('CRYPTO_POLICY') { should_not be_nil }
-  end
+  approved_ciphers = input('approved_openssh_server_conf')['ciphers']
+
+  options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ }
+  opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
 
-  crypto_policy = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config')['CRYPTO_POLICY']
+  actual_ciphers = opensshserver_conf['ciphers'].join(',')
 
-  unless crypto_policy.nil?
-    describe parse_config(crypto_policy.gsub(/\s|'/, "\n")) do
-      its('-oCiphers') { should cmp 'aes256-ctr,aes192-ctr,aes128-ctr,[email protected],[email protected]' }
+  describe 'OpenSSH server configuration' do
+    it 'implement approved encryption ciphers' do
+      expect(actual_ciphers).to eq(approved_ciphers), "OpenSSH server cipher configuration actual value:\n\t#{actual_ciphers}\ndoes not match the expected value:\n\t#{approved_ciphers}"
     end
   end
 end
diff --git a/controls/SV-257990.rb b/controls/SV-257990.rb
@@ -30,4 +30,23 @@
   tag 'documentable'
   tag cci: ['CCI-001453']
   tag nist: ['AC-17 (2)']
+  tag 'host'
+  tag 'container-conditional'
+
+  only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) {
+    !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)
+  }
+
+  approved_macs = input('approved_openssh_server_conf')['macs']
+
+  options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ }
+  opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
+
+  actual_macs = opensshserver_conf['macs'].join(',')
+
+  describe 'OpenSSH server configuration' do
+    it 'implement approved MACs' do
+      expect(actual_macs).to eq(approved_macs), "OpenSSH server cipher configuration actual value:\n\t#{actual_macs}\ndoes not match the expected value:\n\t#{approved_macs}"
+    end
+  end
 end
diff --git a/controls/SV-257991.rb b/controls/SV-257991.rb
@@ -32,39 +32,23 @@
   tag 'host'
   tag 'container-conditional'
 
-  # Check if SSH is installed within containerized RHEL
-  only_if('SSH is not installed within containerized RHEL. Therefore, this requirement is not applicable.', impact: 0.0) do
-    !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)
-  end
-
-  # Define the required algorithms
-  required_algorithms = input('openssh_server_required_algorithms')
-
-  # TODO: make a simple resource for this based off 'login_defs' or 'yum' as a model
+  # NOTE: At time of writing, the STIG baseline calls for two different values for the MACs option in the openssh.config file.
+  # SV-257990 calls for one set of MACs and SV-257991 calls for a mutually exclusive set.
 
-  # Parse the configuration file to get the value of "CRYPTO_POLICY"
-  crypto_policy = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config')['CRYPTO_POLICY']
-
-  # Parse the CRYPTO_POLICY string into a hash of configuration options
-  config_options = crypto_policy.scan(/-o(\w+)=([\w\-,@]+.)/).to_h
+  only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) {
+    !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)
+  }
 
-  # Split each configuration option's values into an array
-  config_options.transform_values! { |v| v.split(',') }
+  approved_macs = input('approved_openssh_server_conf')['macs']
 
-  # Define the path to the crypto policy file
-  crypto_policy_file = '/etc/crypto-policies/back-ends/opensshserver.config'
+  options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ }
+  opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
 
-  # Test that the crypto policy file is configured with the required algorithms
-  describe "The crypto policy file #{crypto_policy_file}" do
-    it 'is configured with the required algorithms' do
-      expect(crypto_policy).not_to be_nil, "The crypto policy file #{crypto_policy_file} \ndoes not contain the required algorithms\n\n\t#{required_algorithms}."
-    end
-  end
+  actual_macs = opensshserver_conf['macs'].join(',')
 
-  # Test that the MACS option in the crypto policy file contains the required algorithms in the correct order
-  describe 'The MACs option in the crypto policy file' do
-    it 'contains the required algorithms in the correct order' do
-      expect(config_options['MACS']).to eq(required_algorithms), "The MACS option in the crypto policy file does not contain the required algorithms in the *exact order*:\n\n\texpected: #{required_algorithms}\n\tgot:#{config_options['MACS']}"
+  describe 'OpenSSH server configuration' do
+    it 'implement approved MACs' do
+      expect(actual_macs).to eq(approved_macs), "OpenSSH server cipher configuration actual value:\n\t#{actual_macs}\ndoes not match the expected value:\n\t#{approved_macs}"
     end
   end
 end
diff --git a/controls/SV-257992.rb b/controls/SV-257992.rb
@@ -29,4 +29,14 @@
   tag 'documentable'
   tag cci: ['CCI-000366']
   tag nist: ['CM-6 b']
+  tag 'host'
+  tag 'container-conditional'
+
+  only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {
+    !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)
+  }
+
+  describe sshd_config do
+    its('HostBasedAuthentication') { should cmp 'no' }
+  end
 end
diff --git a/inspec.yml b/inspec.yml
@@ -1103,4 +1103,12 @@ inputs:
       ports: []
       protocols: []
       services:
-        - ssh
+        - ssh
+
+  # SV-257989, SV-257990
+  - name: approved_openssh_server_conf
+    description: Config values expected for openssh server (order matters, so these values are comma-delimited strings and not arrays)
+    type: Hash
+    value: 
+      ciphers: [email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
+      macs: [email protected],hmac-sha2-256,[email protected],hmac-sha2-512
diff --git a/rhel9_status.csv b/rhel9_status.csv
@@ -58,19 +58,19 @@ SV-257949,Implemented
 SV-257950,Implemented
 SV-257953,Implemented
 SV-257954,Implemented
-SV-257957,Not Implemented
-SV-257960,Not Implemented
-SV-257961,Not Implemented
-SV-257965,Not Implemented
-SV-257967,Not Implemented
-SV-257980,Not Implemented
-SV-257982,Not Implemented
-SV-257983,Not Implemented
-SV-257984,Not Implemented
-SV-257986,Not Implemented
-SV-257988,Not Implemented
-SV-257990,Not Implemented
-SV-257992,Not Implemented
+SV-257957,Implemented
+SV-257960,Implemented
+SV-257961,Implemented
+SV-257965,Implemented
+SV-257967,Implemented
+SV-257980,Implemented
+SV-257982,Implemented
+SV-257983,Implemented
+SV-257984,Implemented
+SV-257986,Implemented
+SV-257988,Implemented
+SV-257990,Implemented
+SV-257992,Implemented
 SV-257997,Not Implemented
 SV-257998,Not Implemented
 SV-257999,Not Implemented