
[stabilization]: fixes related to STIG and SSH cryptopolicy #13025

Conversation

vojtapolasek
Collaborator

Description:

  • remove the no longer existing STIG RHEL-09-255064
  • fix the check of the rule harden_sshd_ciphers_opensshserver_conf_crypto_policy so that it honors the different formats of config files used by crypto-policies
  • fix RHEL-09-255060, which is actually fulfilled by including a crypto-policy directive, not by checking the list of ciphers

Rationale:

  • fixing misalignment with DISA

Review Hints:

I recommend checking the latest STIGs to see if the rule is aligned:

@vojtapolasek vojtapolasek added bugfix Fixes to reported bugs. OVAL OVAL update. Related to the systems assessments. backported-into-stabilization PRs which were cherry-picked during stabilization process. RHEL9 Red Hat Enterprise Linux 9 product related. Update Profile Issues or pull requests related to Profiles updates. RHEL8 Red Hat Enterprise Linux 8 product related. STIG STIG Benchmark related. labels Feb 11, 2025
@vojtapolasek vojtapolasek added this to the 0.1.76 milestone Feb 11, 2025
@vojtapolasek vojtapolasek requested a review from a team as a code owner February 11, 2025 14:56
@Mab879 Mab879 self-assigned this Feb 11, 2025
status: automated
- id: RHEL-09-255064
Member


RHEL-09-255064 still seems to exist

See https://stigaview.com/products/rhel9/latest/RHEL-09-255064/

Collaborator Author


Wow, that is a good point. I thought it got deleted because I thought that the table is sorted by the STIG ID.

@@ -16,20 +16,17 @@

<ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1">
<ind:filepath>{{{ PATH }}}</ind:filepath>
<ind:pattern operation="pattern match">^(?!#).*(-oCiphers=[^\s']+).*$</ind:pattern>
{{%- if product == "rhel8" -%}}
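Review bot: the `(?!#)` prefix on the `<ind:pattern>` line only rejects lines whose first character is `#`, so a commented-out option preceded by whitespace (for example `  #CRYPTO_POLICY='-oCiphers=...'`) would still be matched and its cipher list evaluated; anchoring the lookahead as `^(?!\s*#)` keeps the intent of skipping comments. The `{{%- if product == "rhel8" -%}}` branch also keys the file format on a single product, while the description says the format is a property of the crypto-policies version; every product that ships the same `-oCiphers=` style (the ol8 case raised later in this thread) should be covered by that same condition rather than by a second copy of the object.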
Member


Are there other older OSes we need to account for here?

Collaborator Author


Yes, there is ol8 as well. I added it. I checked their syntax on their oraclelinux:8 container.
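To make the two crypto-policies file formats discussed above concrete, here is an added Python model of the rule's check (example code written for this page, not the ComplianceAsCode OVAL or its test scenarios). The RHEL 8 / OL 8 pattern is the one from the PR's OVAL object; the RHEL 9 keyword format, the product names and the allow-list are assumptions, and all config contents are constructed samples.

```python
import re

# Pattern from the PR's OVAL object for the RHEL 8 / OL 8 crypto-policies
# format, where sshd options are passed as -o flags inside CRYPTO_POLICY='...'.
RHEL8_PATTERN = re.compile(r"^(?!#).*(-oCiphers=[^\s']+).*$")

# Assumed (not from the PR): on RHEL 9 crypto-policies emit plain sshd_config
# keywords, e.g. "Ciphers aes256-gcm@openssh.com,...".
RHEL9_PATTERN = re.compile(r"^\s*Ciphers\s+(\S+)\s*$")

# Constructed allow-list for the example; it is NOT the cipher list required
# by any STIG rule, only the shape such a list would have.
ALLOWED = {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
           "aes256-ctr", "aes128-ctr"}

# Constructed sample files mimicking /etc/crypto-policies/back-ends/opensshserver.config
RHEL8_CONFIG = """# constructed sample in the RHEL 8 / OL 8 format
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com -oMACs=hmac-sha2-256'
"""
RHEL9_CONFIG = """# constructed sample in the assumed RHEL 9 format
Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512
"""


def extract_ciphers(config_text: str, product: str) -> list:
    """Return the cipher list crypto-policies configured for sshd, or [] if none found."""
    pattern = RHEL8_PATTERN if product in ("rhel8", "ol8") else RHEL9_PATTERN
    for line in config_text.splitlines():
        match = pattern.match(line)
        if not match:
            continue
        value = match.group(1)
        # The RHEL 8 capture still carries the option name; strip it.
        if value.startswith("-oCiphers="):
            value = value[len("-oCiphers="):]
        return value.split(",")
    return []


def check_ciphers(config_text: str, product: str, allowed: set) -> bool:
    """Pass only if a cipher list exists and every entry is on the allow-list."""
    found = extract_ciphers(config_text, product)
    return bool(found) and set(found) <= allowed
```

Note that `RHEL8_PATTERN` keeps the page's `(?!#)` prefix, so a commented-out line that is indented is still extracted; a check that must ignore such lines needs `^(?!\s*#)` instead.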

@vojtapolasek vojtapolasek force-pushed the stab_fix_harden_ciphers_opensshserver branch from 6cf5c6e to 60e9c9c Compare February 12, 2025 09:00
@vojtapolasek
Collaborator Author

@Mab879 I added also some test scenarios for RHEL 9. I answered your comments.

@Mab879 Mab879 merged commit 71ca65b into ComplianceAsCode:stabilization-v0.1.76 Feb 12, 2025
91 of 96 checks passed
2 participants