From 06150310c10396219e0802b62c9d1e5f0367781d Mon Sep 17 00:00:00 2001
From: Takuya ASADA
Date: Fri, 26 Jul 2024 01:45:48 +0900
Subject: [PATCH] Hardening sshd encryption policies
Hardening sshd encryption policies to respond vulnerability scanning. This will apply following CIS compliance rules: - xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers - xccdf_org.ssgproject.content_rule_sshd_use_strong_kex - xccdf_org.ssgproject.content_rule_sshd_use_strong_macs Fixes scylladb/scylla-machine-image#456 Related scylladb/scylla-pkg#2953 (cherry picked from commit 3dafdb54a86f6be60311d835e2771d74ba1a9927)
---
 packer/apply_cis_rules | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/packer/apply_cis_rules b/packer/apply_cis_rules
index d9ad5c88..7113d471 100755
--- a/packer/apply_cis_rules
+++ b/packer/apply_cis_rules
@@ -225,3 +225,16 @@ WantedBy=multi-user.target
 f.write(var_tmp_dot_mount)
 run('systemctl daemon-reload', shell=True, check=True)
 run('systemctl enable var-tmp.mount', shell=True, check=True)
+
+
+ # xccdf_org.ssgproject.content_rule_sshd_use_strong_ciphers
+ # xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
+ # xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
+ sshd_config = '''
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+ '''[1:-1]
+ with open('/etc/ssh/sshd_config.d/99-cis-rules.conf', 'w') as f:
+ f.write(sshd_config)
+ run('systemctl restart ssh.service', shell=True, check=True)
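Review bot: The drop-in is written and sshd restarted with no validation in between, so a keyword or algorithm name the installed OpenSSH rejects only shows up as a failed `systemctl restart ssh.service`; running `run('sshd -t', shell=True, check=True)` before the restart would report the actual parse error. The drop-in also takes effect only if the base image's /etc/ssh/sshd_config carries an `Include /etc/ssh/sshd_config.d/*.conf` line and no earlier-sorting drop-in already sets Ciphers, KexAlgorithms or MACs (sshd keeps the first value it reads), so checking the effective values with `sshd -T` after the write would catch both silently-ignored cases. The unit name `ssh.service` is Debian/Ubuntu-specific (RHEL-family images use `sshd.service`), which matters only if this script runs on more than one base image. If the closing `'''` is indented like the surrounding code, `'''[1:-1]` strips one newline and one space and leaves a whitespace-only final line in the written file — harmless to sshd, but `sshd_config.strip() + '\n'` would be clearer. The enclosing function starts before this hunk.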