Merge pull request #13042 from vojtapolasek/fix_harden_ciphers_openss…

…hserver

Fixes related to STIG and SSH cryptopolicy

controls/stig_rhel9.yml

@@ -1866,8 +1866,7 @@ controls:
             RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality
             of SSH client connections.
         rules:
-            - harden_sshd_ciphers_openssh_conf_crypto_policy
-            - sshd_approved_ciphers=stig_rhel9
+            - sshd_include_crypto_policy
         status: automated
     -   id: RHEL-09-255064
         title: The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
@@ -1884,6 +1883,7 @@ controls:
             of SSH server connections.
         rules:
             - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+            - sshd_approved_ciphers=stig_rhel9
         status: automated
     -   id: RHEL-09-255070
         levels:

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml

@@ -16,20 +16,17 @@
 
   <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
     <ind:filepath>{{{ PATH }}}</ind:filepath>
-    <ind:pattern operation="pattern match">^(?!#).*(-oCiphers=[^\s']+).*$</ind:pattern>
+    {{%- if product in ["ol8", "rhel8"] -%}}
+    <ind:pattern operation="pattern match">^(?!#).*-oCiphers=([^\s']+).*$</ind:pattern>
+    {{%- else -%}}
+    <ind:pattern operation="pattern match">^(?!#).*Ciphers\s+([^\s']+).*$</ind:pattern>
+    {{%- endif -%}}
     <ind:instance operation="equals" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_state id="ste_{{{ rule_id }}}" version="1">
-    <ind:subexpression var_ref="sshd_ciphers_crypto_opensshserver" operation="equals" />
+    <ind:subexpression var_ref="sshd_approved_ciphers" operation="equals" />
   </ind:textfilecontent54_state>
 
-  <local_variable id="sshd_ciphers_crypto_opensshserver" datatype="string" comment="The regex of the directive" version="1">
-    <concat>
-      <literal_component>-oCiphers=</literal_component>
-      <variable_component var_ref="sshd_approved_ciphers"/>
-    </concat>
-  </local_variable>
-
   <external_variable comment="SSH Approved Ciphers by FIPS" datatype="string" id="sshd_approved_ciphers" version="1" />
 </def-group>

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+# variables = [email protected],aes256-ctr,[email protected],aes128-ctr
+# remediation = none
+
+[email protected],aes256-ctr,[email protected],aes128-ctr
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="Ciphers ${sshd_approved_ciphers}"
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# Proceed when file exists
+if [[ -f $configfile ]]; then
+    sed -i -r "s/Ciphers\s+\S+/${correct_value}/" $configfile
+else
+    echo "${correct_value}" > "$configfile"
+fi

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+# variables = [email protected],aes256-ctr,[email protected],aes128-ctr
+# remediation = none
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+    sed -i -r "s/Ciphers\s+\S+/Ciphers [email protected],[email protected],aes256-ctr,aes256-cbc/" $configfile
+else
+    echo "Ciphers [email protected],[email protected],aes256-ctr,aes256-cbc" > "$configfile"
+fi