From 60d50de0d64759eb9bc5233b888a0c869fe5b328 Mon Sep 17 00:00:00 2001
From: wdower <57142072+wdower@users.noreply.github.com>
Date: Wed, 24 Apr 2024 18:55:42 +0000
Subject: [PATCH] up through 257991

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
---
 controls/SV-257961.rb | 1 -
 controls/SV-257967.rb | 2 +-
 controls/SV-257980.rb | 9 +++++++++
 controls/SV-257982.rb | 10 ++++++++++
 controls/SV-257983.rb | 10 ++++++++++
 controls/SV-257984.rb | 10 ++++++++++
 controls/SV-257986.rb | 10 ++++++++++
 controls/SV-257987.rb | 3 +++
 controls/SV-257988.rb | 24 ++++++++++++++++++++++++
 controls/SV-257989.rb | 15 ++++++++-------
 controls/SV-257990.rb | 19 +++++++++++++++++++
 controls/SV-257991.rb | 40 ++++++++++++----------------------------
 controls/SV-257992.rb | 10 ++++++++++
 inspec.yml | 10 +++++++++-
 rhel9_status.csv | 26 +++++++++++++-------------
 15 files changed, 148 insertions(+), 51 deletions(-)

diff --git a/controls/SV-257961.rb b/controls/SV-257961.rb
index 182de91..cf523be 100644
--- a/controls/SV-257961.rb
+++ b/controls/SV-257961.rb
@@ -100,5 +100,4 @@
 end
 end
 end
-
 end
diff --git a/controls/SV-257967.rb b/controls/SV-257967.rb
index d8f43e7..d49eda0 100644
--- a/controls/SV-257967.rb
+++ b/controls/SV-257967.rb
@@ -38,7 +38,7 @@
 tag cci: ['CCI-000366']
 tag nist: ['CM-6 b']
 tag 'host'
-
+
 # Define the kernel parameter to be checked
 parameter = 'net.ipv4.icmp_ignore_bogus_error_response'
 action = 'IPv4 bogus error response logging'
diff --git a/controls/SV-257980.rb b/controls/SV-257980.rb
index 9e17784..4182506 100644
--- a/controls/SV-257980.rb
+++ b/controls/SV-257980.rb
@@ -25,4 +25,13 @@
 tag 'documentable'
 tag cci: ['CCI-000366']
 tag nist: ['CM-6 b']
+ tag 'host'
+
+ only_if('This control is Not Applicable to containers', impact: 0.0) {
+ !virtualization.system.eql?('docker')
+ }
+
+ describe package('openssh-clients') do
+ it { should be_installed }
+ end
 end
diff --git a/controls/SV-257982.rb b/controls/SV-257982.rb
index 6557c30..2ab83be 100644
--- a/controls/SV-257982.rb
+++ b/controls/SV-257982.rb
@@ -29,4 +29,14 @@
 tag 'documentable'
 tag cci: ['CCI-000067']
 tag nist: ['AC-17 (1)']
+ tag 'host'
+ tag 'container-conditional'
+
+ only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {
+ !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)
+ }
+
+ describe sshd_config do
+ its('LogLevel') { should cmp 'VERBOSE' }
+ end
 end
diff --git a/controls/SV-257983.rb b/controls/SV-257983.rb
index 2d7d1d7..184486e 100644
--- a/controls/SV-257983.rb
+++ b/controls/SV-257983.rb
@@ -30,4 +30,14 @@
 tag 'documentable'
 tag cci: ['CCI-000765', 'CCI-000766', 'CCI-000767', 'CCI-000768']
 tag nist: ['IA-2 (1)', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)']
+ tag 'host'
+ tag 'container-conditional'
+
+ only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {
+ !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)
+ }
+
+ describe sshd_config do
+ its('PubkeyAuthentication') { should cmp 'yes' }
+ end
 end
diff --git a/controls/SV-257984.rb b/controls/SV-257984.rb
index 080a46a..e094f5c 100644
--- a/controls/SV-257984.rb
+++ b/controls/SV-257984.rb
@@ -30,4 +30,14 @@
 tag 'documentable'
 tag cci: ['CCI-000366', 'CCI-000766']
 tag nist: ['CM-6 b', 'IA-2 (2)']
+ tag 'host'
+ tag 'container-conditional'
+
+ only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {
+ !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)
+ }
+
+ describe sshd_config do
+ its('PermitEmptyPasswords') { should cmp 'no' }
+ end
 end
diff --git a/controls/SV-257986.rb b/controls/SV-257986.rb
index 1cba698..b032835 100644
--- a/controls/SV-257986.rb
+++ b/controls/SV-257986.rb
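Review bot: The `only_if` guard added in the SV-257982 hunk takes `directory('/etc/ssh').exist?` as proof that sshd is installed, but as far as I know that directory is also present on RHEL when only the client side of OpenSSH is installed, so a container without sshd would run `describe sshd_config` against a missing /etc/ssh/sshd_config and fail rather than be reported Not Applicable. SV-257988 in this same patch already keys the equivalent decision on `package('openssh-server').installed?`; using the same predicate here, `!(virtualization.system.eql?('docker') && !package('openssh-server').installed?)`, keeps the N/A logic consistent across the family. The identical guard appears in the SV-257983, SV-257984, SV-257986 and SV-257992 hunks. Separately, unless the InSpec version in use follows `Include` directives, `sshd_config` reads only /etc/ssh/sshd_config, so a LogLevel set in a drop-in under /etc/ssh/sshd_config.d/ (the RHEL 9 default layout, see the 50-redhat.conf check in SV-257988) would not be seen; a short comment noting that limitation would help the next reader.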
@@ -27,4 +27,14 @@
 tag 'documentable'
 tag cci: ['CCI-000877']
 tag nist: ['MA-4 c']
+ tag 'host'
+ tag 'container-conditional'
+
+ only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {
+ !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)
+ }
+
+ describe sshd_config do
+ its('UsePAM') { should cmp 'yes' }
+ end
 end
diff --git a/controls/SV-257987.rb b/controls/SV-257987.rb
index ab1e9d3..1c53b12 100644
--- a/controls/SV-257987.rb
+++ b/controls/SV-257987.rb
@@ -43,6 +43,9 @@
 end
 end
 else
+ describe file('/etc/ssh/sshd_config.d/50-redhat.conf') do
+ it { should exist }
+ end
 describe 'The system' do
 it 'does not have a CRYPTO_POLICY setting configured' do
 expect(parse_config_file('/etc/sysconfig/sshd').params['CRYPTO_POLICY']).to be_nil, 'The CRYPTO_POLICY setting in the /etc/sysconfig/sshd should not be present. Please ensure it is commented out.'
diff --git a/controls/SV-257988.rb b/controls/SV-257988.rb
index 314db07..9c2d01d 100644
--- a/controls/SV-257988.rb
+++ b/controls/SV-257988.rb
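Review bot: The `describe file('/etc/ssh/sshd_config.d/50-redhat.conf')` block added to the `else` branch of SV-257987 asserts only that the drop-in exists; it says nothing about whether it still carries the `Include /etc/crypto-policies/back-ends/opensshserver.config` line, which is presumably what makes the system crypto policy effective for sshd once CRYPTO_POLICY is unset. A comment above the block stating that intent, e.g. `# With CRYPTO_POLICY unset, sshd only honours the system policy through this drop-in; it must remain in place`, would tell a reader why existence matters, and since SV-257988 in this patch already holds the stronger Include check, a cross-reference to it is cheaper than repeating that check here. The `if`/`else` enclosing this block starts before the hunk. A blank line before the following `describe 'The system'` block would match the spacing used elsewhere in this patch.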
@@ -30,4 +30,28 @@
 tag 'documentable'
 tag cci: ['CCI-001453']
 tag nist: ['AC-17 (2)']
+ tag 'host'
+ tag 'container-conditional'
+
+ openssh_present = package('openssh-server').installed?
+
+ only_if('This requirement is Not Applicable in the container without open-ssh installed', impact: 0.0) {
+ !(virtualization.system.eql?('docker') && !openssh_present)
+ }
+
+ describe file('/etc/ssh/sshd_config.d/50-redhat.conf') do
+ it { should exist }
+ end
+
+ sshd_grep = command('grep Include /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*').stdout.lines.map(&:strip)
+
+ star_dot_conf = sshd_grep.any? { |line| line.match?(%r{Include /etc/ssh/sshd_config.d/\*\.conf$}i) }
+ opensshserver_config = sshd_grep.any? { |line| line.match?(%r{Include /etc/crypto-policies/back-ends/opensshserver\.config$}i) }
+
+ describe 'SSHD config files' do
+ it 'should include system-wide crypto policies' do
+ expect(star_dot_conf).to eq(true), 'SSHD conf files do not include /etc/ssh/sshd_config.d/*.conf'
+ expect(opensshserver_config).to eq(true), 'SSHD conf files do not include /etc/crypto-policies/back-ends/opensshserver.config'
+ end
+ end
 end
diff --git a/controls/SV-257989.rb b/controls/SV-257989.rb
index 558396b..d95e156 100644
--- a/controls/SV-257989.rb
+++ b/controls/SV-257989.rb
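Review bot: The two `match?` patterns in the SV-257988 hunk are not anchored at the start of the line, so a commented-out directive such as `#Include /etc/ssh/sshd_config.d/*.conf` satisfies `star_dot_conf` and the control passes while sshd ignores the line; `grep Include` is also case-sensitive although sshd keywords are not (the regexes carry `i`, the grep does not). Because grep is given several files its output is prefixed with `path:`, so anchoring needs the prefix stripped first: `sshd_grep = command('grep -i Include /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*').stdout.lines.map { |l| l.sub(/\A[^:]*:/, '').strip }`, then `%r{\AInclude\s+/etc/ssh/sshd_config\.d/\*\.conf\z}i` and `%r{\AInclude\s+/etc/crypto-policies/back-ends/opensshserver\.config\z}i` for the two checks. A one-line comment above `sshd_grep` saying that both the main file and the drop-ins are scanned because either may carry the Include would also help, since the reason for the glob is not obvious from the command alone.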
@@ -37,15 +37,16 @@
 !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)
 }
 
- describe parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config') do
- its('CRYPTO_POLICY') { should_not be_nil }
- end
+ approved_ciphers = input('approved_openssh_server_conf')['ciphers']
+
+ options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ }
+ opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
 
- crypto_policy = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config')['CRYPTO_POLICY']
+ actual_ciphers = opensshserver_conf['ciphers'].join(',')
 
- unless crypto_policy.nil?
- describe parse_config(crypto_policy.gsub(/\s|'/, "\n")) do
- its('-oCiphers') { should cmp 'aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com' }
+ describe 'OpenSSH server configuration' do
+ it 'implement approved encryption ciphers' do
+ expect(actual_ciphers).to eq(approved_ciphers), "OpenSSH server cipher configuration actual value:\n\t#{actual_ciphers}\ndoes not match the expected value:\n\t#{approved_ciphers}"
 end
 end
 end
diff --git a/controls/SV-257990.rb b/controls/SV-257990.rb
index 2f5caf8..13ef554 100644
--- a/controls/SV-257990.rb
+++ b/controls/SV-257990.rb
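Review bot: `opensshserver_conf['ciphers'].join(',')` in the SV-257989 hunk raises NoMethodError when the file has no `Ciphers` line (or still uses the older single-line CRYPTO_POLICY format the removed code handled), so the control would error out instead of failing with the message the `expect` was written to produce; `actual_ciphers = Array(opensshserver_conf['ciphers']).join(',')` turns that case into an ordinary failure with an empty actual value. The same expression is repeated for `macs` in the SV-257990 and SV-257991 hunks. The `v.split(',')` in the `map` is immediately undone by `join(',')`, so the split could be dropped or the comparison made on arrays; and `'assignment_regex':` is the quoted-symbol form where the plain `assignment_regex:` key reads better. A short comment above `options` explaining that the back-end file uses `Keyword value` lines rather than `key=value` (which is why a custom assignment regex is needed) would spare the next reader a trip to the file.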
@@ -30,4 +30,23 @@
 tag 'documentable'
 tag cci: ['CCI-001453']
 tag nist: ['AC-17 (2)']
+ tag 'host'
+ tag 'container-conditional'
+
+ only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) {
+ !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)
+ }
+
+ approved_macs = input('approved_openssh_server_conf')['macs']
+
+ options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ }
+ opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
+
+ actual_macs = opensshserver_conf['macs'].join(',')
+
+ describe 'OpenSSH server configuration' do
+ it 'implement approved MACs' do
+ expect(actual_macs).to eq(approved_macs), "OpenSSH server cipher configuration actual value:\n\t#{actual_macs}\ndoes not match the expected value:\n\t#{approved_macs}"
+ end
+ end
 end
diff --git a/controls/SV-257991.rb b/controls/SV-257991.rb
index 459f992..fd9bd5c 100644
--- a/controls/SV-257991.rb
+++ b/controls/SV-257991.rb
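Review bot: The failure message in the SV-257990 hunk reports "OpenSSH server cipher configuration" although the assertion compares MACs, so a reviewer reading a failed run would be pointed at the wrong setting; the same text is copied into SV-257991. `expect(actual_macs).to eq(approved_macs), "OpenSSH server MAC configuration actual value:\n\t#{actual_macs}\ndoes not match the expected value:\n\t#{approved_macs}"` fixes it, and `it 'implements approved MACs' do` reads as a sentence. The `only_if` description here differs from the wording used for the same decision in SV-257982 through SV-257992 ('This control is Not Applicable to containers without SSH installed'); one phrasing across the family makes skipped results easier to grep.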
@@ -32,39 +32,23 @@
 tag 'host'
 tag 'container-conditional'
 
- # Check if SSH is installed within containerized RHEL
- only_if('SSH is not installed within containerized RHEL. Therefore, this requirement is not applicable.', impact: 0.0) do
- !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)
- end
-
- # Define the required algorithms
- required_algorithms = input('openssh_server_required_algorithms')
-
- # TODO: make a simple resource for this based off 'login_defs' or 'yum' as a model
+ # NOTE: At time of writing, the STIG baseline calls for two different values for the MACs option in the openssh.config file.
+ # SV-257990 calls for one set of MACs and SV-257991 calls for a mutually exclusive set.
 
- # Parse the configuration file to get the value of "CRYPTO_POLICY"
- crypto_policy = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config')['CRYPTO_POLICY']
-
- # Parse the CRYPTO_POLICY string into a hash of configuration options
- config_options = crypto_policy.scan(/-o(\w+)=([\w\-,@]+.)/).to_h
+ only_if('Control not applicable - SSH is not installed within containerized RHEL', impact: 0.0) {
+ !(virtualization.system.eql?('docker') && !file('/etc/sysconfig/sshd').exist?)
+ }
 
- # Split each configuration option's values into an array
- config_options.transform_values!
{ |v| v.split(',') }
+ approved_macs = input('approved_openssh_server_conf')['macs']
 
- # Define the path to the crypto policy file
- crypto_policy_file = '/etc/crypto-policies/back-ends/opensshserver.config'
+ options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ }
+ opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
 
- # Test that the crypto policy file is configured with the required algorithms
- describe "The crypto policy file #{crypto_policy_file}" do
- it 'is configured with the required algorithms' do
- expect(crypto_policy).not_to be_nil, "The crypto policy file #{crypto_policy_file} \ndoes not contain the required algorithms\n\n\t#{required_algorithms}."
- end
- end
+ actual_macs = opensshserver_conf['macs'].join(',')
 
- # Test that the MACS option in the crypto policy file contains the required algorithms in the correct order
- describe 'The MACs option in the crypto policy file' do
- it 'contains the required algorithms in the correct order' do
- expect(config_options['MACS']).to eq(required_algorithms), "The MACS option in the crypto policy file does not contain the required algorithms in the *exact order*:\n\n\texpected: #{required_algorithms}\n\tgot:#{config_options['MACS']}"
+ describe 'OpenSSH server configuration' do
+ it 'implement approved MACs' do
+ expect(actual_macs).to eq(approved_macs), "OpenSSH server cipher configuration actual value:\n\t#{actual_macs}\ndoes not match the expected value:\n\t#{approved_macs}"
 end
 end
 end
diff --git a/controls/SV-257992.rb b/controls/SV-257992.rb
index c1dddf0..3ff6f1b 100644
--- a/controls/SV-257992.rb
+++ b/controls/SV-257992.rb
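Review bot: After this hunk SV-257991 evaluates exactly the same assertion as SV-257990, against the same `input('approved_openssh_server_conf')['macs']`, while the NOTE added at the top of the hunk says the two STIG requirements ask for mutually exclusive MAC sets; the comment does not say which requirement's set was put in the input or that the other control is now a deliberate duplicate, so a reader cannot tell whether SV-257991 was intentionally collapsed or left half-migrated. Extending the NOTE with something like `# This profile follows the SV-257990 set; SV-257991 repeats that check rather than asserting the conflicting value` would record the decision, and the same information belongs next to the input definition in inspec.yml. The hunk also drops the only visible use of `input('openssh_server_required_algorithms')`, and the inspec.yml hunk in this patch only adds the new input, so the old one may now be an orphan unless it is consumed elsewhere — worth a check. The hunk starts mid-control and its last three context lines close the describe/it/control blocks.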
@@ -29,4 +29,14 @@
 tag 'documentable'
 tag cci: ['CCI-000366']
 tag nist: ['CM-6 b']
+ tag 'host'
+ tag 'container-conditional'
+
+ only_if('This control is Not Applicable to containers without SSH installed', impact: 0.0) {
+ !(virtualization.system.eql?('docker') && !directory('/etc/ssh').exist?)
+ }
+
+ describe sshd_config do
+ its('HostBasedAuthentication') { should cmp 'no' }
+ end
 end
diff --git a/inspec.yml b/inspec.yml
index 46c044f..7895911 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -1103,4 +1103,12 @@ inputs:
 ports: []
 protocols: []
 services:
- - ssh
\ No newline at end of file
+ - ssh
+
+ # SV-257989, SV-257990
+ - name: approved_openssh_server_conf
+ description: Config values expected for openssh server (order matters, so these values are comma-delimited strings and not arrays)
+ type: Hash
+ value:
+ ciphers: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+ macs: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-512
\ No newline at end of file
diff --git a/rhel9_status.csv b/rhel9_status.csv
index 99b5610..d8cd546 100644
--- a/rhel9_status.csv
+++ b/rhel9_status.csv
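Review bot: The `# SV-257989, SV-257990` comment on the new `approved_openssh_server_conf` input lists only two consumers, but the SV-257991 hunk in this same patch reads `['macs']` from it as well, so the comment should be `# SV-257989, SV-257990, SV-257991` — and since SV-257990 and SV-257991 are described in that control as requiring different MAC sets, a sentence on the `macs` entry saying which requirement it satisfies would keep the policy decision visible where it is edited. The new `ciphers` value replaces the list that was previously hard-coded in SV-257989 (`aes256-ctr,aes192-ctr,aes128-ctr,...`) with a different set and order; the description or the commit message should say where the new value comes from, as it is presumably the RHEL 9 DEFAULT policy output rather than the STIG text. The file still ends without a trailing newline (`\ No newline at end of file` survives on the new side); adding one avoids a spurious diff on the next edit.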
@@ -58,19 +58,19 @@ SV-257949,Implemented
 SV-257950,Implemented
 SV-257953,Implemented
 SV-257954,Implemented
-SV-257957,Not Implemented
-SV-257960,Not Implemented
-SV-257961,Not Implemented
-SV-257965,Not Implemented
-SV-257967,Not Implemented
-SV-257980,Not Implemented
-SV-257982,Not Implemented
-SV-257983,Not Implemented
-SV-257984,Not Implemented
-SV-257986,Not Implemented
-SV-257988,Not Implemented
-SV-257990,Not Implemented
-SV-257992,Not Implemented
+SV-257957,Implemented
+SV-257960,Implemented
+SV-257961,Implemented
+SV-257965,Implemented
+SV-257967,Implemented
+SV-257980,Implemented
+SV-257982,Implemented
+SV-257983,Implemented
+SV-257984,Implemented
+SV-257986,Implemented
+SV-257988,Implemented
+SV-257990,Implemented
+SV-257992,Implemented
 SV-257997,Not Implemented
 SV-257998,Not Implemented
 SV-257999,Not Implemented