From 5c5499fd72207c084697fa3e9e21d4624f24f542 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 24 Jul 2024 14:02:51 +0100
Subject: [PATCH] Initial pmod templates for ssh control

Signed-off-by: Mark Bolwell
---
 .../etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 | 2 +-
 .../etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 | 2 +-
 .../crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2 | 5 -----
 .../etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 | 2 +-
 .../policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 | 4 ++++
 .../crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2 | 4 ++++
 .../etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 | 2 +-
 7 files changed, 12 insertions(+), 9 deletions(-)
 delete mode 100644 templates/etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2
 create mode 100644 templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
 create mode 100644 templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2

diff --git a/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
index 2a593d7..fd6eaff 100644
--- a/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
@@ -1,5 +1,5 @@
 # This is a subpolicy dropping the SHA1 hash and signature support
-# Carried out as part of CIS Benchmark
+# Carried out as part of CIS Benchmark rule 1.6.3
 
 hash = -SHA1
 sign = -*-SHA1
diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
index 8eb8ae8..9092036 100644
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
@@ -1,5 +1,5 @@
 # This is a subpolicy to disable all CBC mode ciphers
 # for the SSH protocol (libssh and OpenSSH)
-# Carried out as part of CIS Benchmark
+# Carried out as part of CIS Benchmark rule 1.6.5
 
 cipher@SSH = -*-CBC
diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2
deleted file mode 100644
index 03fe414..0000000
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# This is a subpolicy to disable the chacha20-poly1305 ciphers
-# for the SSH protocol (libssh and OpenSSH)
-# Carried out as part of CIS Benchmark
-
-cipher@SSH = -CHACHA20-POLY1305
diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
index fe5fb7f..cebc2ad 100644
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
@@ -1,5 +1,5 @@
 # This is a subpolicy to disable Encrypt then MAC
 # for the SSH protocol (libssh and OpenSSH)
-# Carried out as part of CIS Benchmark
+# Carried out as part of CIS Benchmark rule 1.6.7
 
 etm@SSH = DISABLE_ETM
diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
new file mode 100644
index 0000000..d325a11
--- /dev/null
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
@@ -0,0 +1,4 @@
+# This is a subpolicy to disable weak ciphers
+# for the SSH protocol (libssh and OpenSSH)
+# Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4
+cipher@SSH ={% if rhel9cis_rule_1_6_6 %} -CHACHA20-POLY1305{% endif %}{% if rhel9cis_rule_5_1_5 %} -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC{% endif %}
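Review bot: In the new NO-SSHWEAKCIPHERS.pmod.j2 the header comment says the CBC half implements rule 5.1.4, but the guard on the last line tests `rhel9cis_rule_5_1_5`, so either the comment or the variable is wrong and whichever one is wrong will either mis-document the control or gate the CBC removal on an unrelated rule (or on a variable that is never defined, which Ansible templating rejects). The two should agree, e.g. `# Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.5` if 5_1_5 is the intended variable. Separately, when both `rhel9cis_rule_1_6_6` and `rhel9cis_rule_5_1_5` are false the file renders as the bare directive `cipher@SSH =` with no value; I have not confirmed how update-crypto-policies treats an empty assignment in a subpolicy, but it is at best a no-op module and at worst an empty cipher list, so the directive should be wrapped in `{% if rhel9cis_rule_1_6_6 or rhel9cis_rule_5_1_5 %}` / `{% endif %}` or the task should skip deploying the module when neither rule is enabled. Note also that the CBC entries overlap with the `-*-CBC` in NO-SSHCBC.pmod.j2, which is harmless but worth a comment so nobody removes one believing the other is not applied.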
diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2
new file mode 100644
index 0000000..f040399
--- /dev/null
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2
@@ -0,0 +1,4 @@
+# This is a subpolicy to disable weak macs
+# Carried out as part of CIS Benchmark control 5.1.6
+
+mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128*
diff --git a/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
index ace7fa0..0020e6d 100644
--- a/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
@@ -1,4 +1,4 @@
 # This is a subpolicy to disable weak macs
-# Carried out as part of CIS Benchmark
+# Carried out as part of CIS Benchmark rule 1.6.4
 
 mac = -*-64
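Review bot: The new NO-SSHWEAKMAC.pmod.j2 removes only the MD5 and UMAC families, so if the benchmark's weak-MAC list for 5.1.6 also names the truncated hmac-sha1-96 variants (as other CIS SSH MAC controls do), nothing in this module drops them; worth checking the CIS list against the MAC identifiers crypto-policies actually recognises before relying on this file as the full 5.1.6 remediation, and a comment stating which weak MACs are intentionally left to other modules would help. The trailing-wildcard forms `-HMAC-MD5*` depend on the same pattern matching that NO-WEAKMAC.pmod.j2's `-*-64` already uses, which is fine but is the kind of thing a one-line comment should note. Finally, the header says `control 5.1.6` while every other template in this patch says `rule N.N.N`; `# Carried out as part of CIS Benchmark rule 5.1.6` keeps the modules consistent and greppable.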