Hardening sshd encryption policies
Hardening sshd encryption policies to respond to vulnerability scanning.

This will apply the following CIS compliance rules:

- xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers
- xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs

Fixes #456
Related scylladb/scylla-pkg#2953

(cherry picked from commit 3dafdb5)
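The commit message says the three rules are applied by writing a fixed `Ciphers`/`KexAlgorithms`/`MACs` drop-in. A reviewer or image-build test usually wants the reverse direction as well: a check that the resulting sshd configuration no longer lists any algorithm the CIS sshd rules treat as weak. The following checker is an added example, not part of the scylla-machine-image repository; the weak-algorithm sets are assumed from the CIS benchmark wording, and both sample configurations are constructed for the demo.

```python
import re
import sys

# Algorithms the CIS sshd rules treat as weak (assumed list, not from the commit):
# CBC-mode and RC4 ciphers, SHA-1 based key exchange, MD5/SHA-1/64-bit MACs.
WEAK = {
    "ciphers": {
        "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "blowfish-cbc",
        "cast128-cbc", "arcfour", "arcfour128", "arcfour256",
        "rijndael-cbc@lysator.liu.se",
    },
    "kexalgorithms": {
        "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
        "diffie-hellman-group-exchange-sha1",
    },
    "macs": {
        "hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
        "umac-64@openssh.com", "hmac-md5-etm@openssh.com",
        "hmac-md5-96-etm@openssh.com", "hmac-sha1-etm@openssh.com",
        "hmac-sha1-96-etm@openssh.com", "umac-64-etm@openssh.com",
    },
}
KEYWORDS = set(WEAK)


def parse_sshd_algorithms(text):
    """Return {keyword: (modifier, [algorithms])} for the FIRST occurrence of
    each algorithm keyword, mirroring sshd's first-obtained-value-wins rule.
    modifier is '', '+', '-' or '^' (append to / remove from / prepend to defaults)."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in KEYWORDS or key in found:
            continue
        modifier = ""
        if value and value[0] in "+-^":
            modifier, value = value[0], value[1:]
        algos = [a.strip() for a in value.split(",") if a.strip()]
        found[key] = (modifier, algos)
    return found


def find_weak_algorithms(text):
    """Map each keyword to the weak algorithms it enables; empty dict means clean.
    A '-' (removal) list cannot enable anything, so it is skipped. A '+' list keeps
    the compiled-in defaults too, so only the explicitly added names are judged."""
    report = {}
    for key, (modifier, algos) in parse_sshd_algorithms(text).items():
        if modifier == "-":
            continue
        weak = [a for a in algos if a.lower() in WEAK[key]]
        if weak:
            report[key] = weak
    return report


def missing_keywords(text):
    """Keywords the configuration never sets, i.e. where sshd's defaults apply."""
    return sorted(KEYWORDS - set(parse_sshd_algorithms(text)))


# Constructed sample: a legacy drop-in that still permits CBC and SHA-1 algorithms.
WEAK_SAMPLE = """
# legacy settings kept for an old client
Ciphers aes128-ctr,aes256-ctr,aes256-cbc,3des-cbc
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
MACs hmac-sha2-256,hmac-sha1
"""

# Constructed sample in the style of the commit's 99-cis-rules.conf drop-in.
HARDENED_SAMPLE = """
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
"""

if __name__ == "__main__":
    # Usage: python check_sshd_algos.py [/etc/ssh/sshd_config.d/99-cis-rules.conf]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = WEAK_SAMPLE
    print("weak:", find_weak_algorithms(text))
    print("unset:", missing_keywords(text))
```

Feed it the text of the drop-in to review the file itself, or the output of `sshd -T` to judge the effective configuration after every `Include` has been resolved; the parser only understands the three algorithm keywords and deliberately reports a keyword that is never set, since an unset keyword means the distribution defaults, not the CIS list, are in force.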
syuu1228 authored and yaronkaikov committed Dec 21, 2024
1 parent 256720d commit 0615031
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions packer/apply_cis_rules
@@ -225,3 +225,16 @@ WantedBy=multi-user.target
f.write(var_tmp_dot_mount)
run('systemctl daemon-reload', shell=True, check=True)
run('systemctl enable var-tmp.mount', shell=True, check=True)


# xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers
# xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
# xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
sshd_config = '''
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
'''[1:-1]
with open('/etc/ssh/sshd_config.d/99-cis-rules.conf', 'w') as f:
f.write(sshd_config)
run('systemctl restart ssh.service', shell=True, check=True)
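Review bot: the restart at the end of the hunk runs `systemctl restart ssh.service` with `check=True` and nothing validates the new drop-in first, so a typo in the algorithm lists (or a name the installed OpenSSH does not support) would only surface as a failed restart, and the unit name is hard-coded to Debian/Ubuntu's `ssh.service` while RHEL-family systems call it `sshd.service`. Suggest running `sshd -t` via `run('sshd -t', shell=True, check=True)` before the restart so a broken config fails the build without touching the running daemon, and either detecting the unit name or documenting the Ubuntu assumption in the comment block above `sshd_config`. Two smaller points: the drop-in only takes effect if the main `/etc/ssh/sshd_config` carries `Include /etc/ssh/sshd_config.d/*.conf` (the default since OpenSSH 8.2), which is worth asserting in the same way the script checks other preconditions, and the `[1:-1]` slice strips the trailing newline, so the written file ends without one; `'''...\n'''[1:]` would keep it.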
