From fe328ba783b820368f880bc75c35ffc86c4f8fd4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 20 Oct 2025 16:27:28 +0200 Subject: [PATCH 1/8] Improve SSHD ciphers settings in RHEL 8 CIS Adds a new rule crypto_sub_policy_sshd_ciphers that configure a custom crypto sub policy module for SSHD. The new rule is very similar to fips_custom_stig_sub_policy. It configures a new module for system wide crypto policies that reduces the set of usable ciphers in sshd. This change aligns the RHEL 8 CIS profiles with the CIS RHEL 8 Benchmark v 4.0.0 requirement 5.1.8. Resolves: https://issues.redhat.com/browse/RHEL-111896 --- components/openssh.yml | 1 + controls/cis_rhel8.yml | 3 +- .../ansible/shared.yml | 26 +++++++++++++++++ .../bash/shared.sh | 12 ++++++++ .../oval/shared.xml | 21 ++++++++++++++ .../crypto_sub_policy_sshd_ciphers/rule.yml | 29 +++++++++++++++++++ .../tests/correct.pass.sh | 4 +++ .../tests/empty.fail.sh | 2 ++ .../tests/file_dne.fail.sh | 6 ++++ .../tests/invalid.fail.sh | 4 +++ shared/references/cce-redhat-avail.txt | 1 - .../data/profile_stability/rhel8/cis.profile | 3 +- .../rhel8/cis_server_l1.profile | 3 +- .../rhel8/cis_workstation_l1.profile | 3 +- .../rhel8/cis_workstation_l2.profile | 3 +- 15 files changed, 110 insertions(+), 11 deletions(-) create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/ansible/shared.yml create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/bash/shared.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/oval/shared.xml create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/correct.pass.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/empty.fail.sh create mode 100644 
linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/file_dne.fail.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/invalid.fail.sh
diff --git a/components/openssh.yml b/components/openssh.yml
index e89f5bbba93..6d444e4365a 100644
--- a/components/openssh.yml
+++ b/components/openssh.yml
@@ -9,6 +9,7 @@ packages:
 - openssh-clients
 - openssh-server
 rules:
+- crypto_sub_policy_sshd_ciphers
 - directory_groupowner_sshd_config_d
 - directory_owner_sshd_config_d
 - directory_permissions_sshd_config_d
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index a3365c4ea77..f000830da9c 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1504,8 +1504,7 @@ controls:
 notes: |-
 Introduced in CIS RHEL8 v3.0.0
 rules:
- - sshd_use_approved_ciphers
- - sshd_approved_ciphers=cis_rhel8
+ - crypto_sub_policy_sshd_ciphers
 
 - id: 4.2.7
 title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/ansible/shared.yml
new file mode 100644
index 00000000000..bd32c86aee8
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/ansible/shared.yml
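Review bot: The `notes:` block that this hunk keeps still reads `Introduced in CIS RHEL8 v3.0.0`, while the rule swap it makes implements the v4.0.0 wording the commit message cites (requirement 5.1.8), so the control's provenance is now out of date. Add a line under the existing note such as `Changed in CIS RHEL8 v4.0.0 to require a crypto-policies sub policy instead of a Ciphers directive in sshd_config`, and check whether the control id kept here (the neighbouring `4.2.7` suggests v3.0.0 numbering) also needs the v4.0.0 renumbering. The enclosing control definition starts outside the hunk.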
@@ -0,0 +1,26 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: "{{{ rule_title }}} - Create custom crypto policy - cipher"
+ ansible.builtin.lineinfile:
+ path: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
+ owner: root
+ group: root
+ mode: '0644'
+ line: cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
+ create: true
+ regexp: "cipher@SSH"
+
+- name: "{{{ rule_title }}} - Check current crypto policy"
+ ansible.builtin.command: update-crypto-policies --show
+ register: current_crypto_policy
+ changed_when: false
+ failed_when: false
+ check_mode: false
+
+- name: "{{{ rule_title }}} - Update crypto-policies"
+ ansible.builtin.command: update-crypto-policies --set DEFAULT:NO-SSHWEAKCIPHERS
+ when: current_crypto_policy.stdout.strip() != "DEFAULT:NO-SSHWEAKCIPHERS"
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/bash/shared.sh
new file mode 100644
index 00000000000..b40a09e6a43
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{%- set contents = "cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305" -%}}
+
+
+{{{ bash_file_contents('/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod', contents) }}}
+
+sudo update-crypto-policies --set DEFAULT:NO-SSHWEAKCIPHERS
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/oval/shared.xml
new file mode 100644
index 00000000000..ff180b6577c
--- /dev/null
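Review bot: The last task hard-codes `update-crypto-policies --set DEFAULT:NO-SSHWEAKCIPHERS` and its `when` guard only skips when `--show` returns that exact string, so on a host whose active policy is FIPS, or DEFAULT with another sub policy already appended, the remediation replaces the whole policy instead of adding this module and silently drops the previous hardening. The current policy is already registered, so derive the new value from it instead, e.g. `when: "'NO-SSHWEAKCIPHERS' not in current_crypto_policy.stdout"` and `ansible.builtin.command: update-crypto-policies --set "{{ current_crypto_policy.stdout | trim }}:NO-SSHWEAKCIPHERS"`. The `bash/shared.sh` hunk below has the same fixed `DEFAULT:` base and additionally prefixes the call with `sudo`, which the `bash_file_contents` call right above it does without and which is presumably unnecessary where remediations already run as root. Both carry over unchanged into the `crypto_sub_policy` template in PATCH 2 (the second `ansible.template` hunk and `bash.template`).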
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/oval/shared.xml @@ -0,0 +1,21 @@ + + + {{{ oval_metadata("Ensure that the custom crypto policy module for SSH is configured", rule_title=rule_title) }}} + + + + + + + + + + /etc/crypto-policies/policies/modules/ + NO-SSHWEAKCIPHERS.pmod + ^cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305$ + 1 + + diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml new file mode 100644 index 00000000000..1cc3c849e27 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml @@ -0,0 +1,29 @@ +documentation_complete: true + +title: Implement Custom Crypto Policy for SSHD Ciphers + +description: |- + Create a custom crypto policy module for SSHD to enforce the use of strong ciphers. + Add the following line to the file /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod: +
+    cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
+    
+ +rationale: |- + Weak ciphers that are used for authentication to the cryptographic module cannot be + relied upon to provide confidentiality or integrity, and system data may be compromised. + +severity: medium + +identifiers: + cce@rhel8: CCE-86707-7 + +references: + +ocil_clause: 'the custom crypto policy module for SSH does not exist' + +ocil: |- + Verify that /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod exists and has the following content: +
+    cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
+    
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/correct.pass.sh
new file mode 100644
index 00000000000..2d17dda6a85
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/correct.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+cat > /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod << EOF
+cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
+EOF
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/empty.fail.sh b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/empty.fail.sh
new file mode 100644
index 00000000000..3296ae56356
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/empty.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+touch /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/file_dne.fail.sh b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/file_dne.fail.sh
new file mode 100644
index 00000000000..de8efa96b98
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/file_dne.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [[ -f /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod ]]
+then
+ rm /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/invalid.fail.sh b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/invalid.fail.sh
new file mode 100644
index 00000000000..e9735dd0f7e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/invalid.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash +cat > /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod << EOF +cipher@SSH = -3DES-CBC -AES-128-CBC -CHACHA20-POLY1305 -AES-256-EBC +EOF diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 872b9b99746..c093e443928 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -72,7 +72,6 @@ CCE-86702-8 CCE-86703-6 CCE-86704-4 CCE-86706-9 -CCE-86707-7 CCE-86708-5 CCE-86709-3 CCE-86710-1 diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile index 8cead5964cb..367079c35ac 100644 --- a/tests/data/profile_stability/rhel8/cis.profile +++ b/tests/data/profile_stability/rhel8/cis.profile @@ -109,6 +109,7 @@ configure_crypto_policy configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage +crypto_sub_policy_sshd_ciphers dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount @@ -349,7 +350,6 @@ set_password_hashing_algorithm_logindefs set_password_hashing_algorithm_passwordauth set_password_hashing_algorithm_systemauth socket_systemd-journal-remote_disabled -sshd_approved_ciphers=cis_rhel8 sshd_disable_empty_passwords sshd_disable_rhosts sshd_disable_root_login @@ -368,7 +368,6 @@ sshd_set_max_sessions sshd_set_maxstartups sshd_strong_kex=cis_rhel8 sshd_strong_macs=cis_rhel8 -sshd_use_approved_ciphers sshd_use_strong_kex sshd_use_strong_macs sudo_add_use_pty diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile index 6fb27ec0032..e7877be342d 100644 --- a/tests/data/profile_stability/rhel8/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile 
@@ -44,6 +44,7 @@ configure_crypto_policy configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage +crypto_sub_policy_sshd_ciphers dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount @@ -251,7 +252,6 @@ set_password_hashing_algorithm_logindefs set_password_hashing_algorithm_passwordauth set_password_hashing_algorithm_systemauth socket_systemd-journal-remote_disabled -sshd_approved_ciphers=cis_rhel8 sshd_disable_empty_passwords sshd_disable_rhosts sshd_disable_root_login @@ -270,7 +270,6 @@ sshd_set_max_sessions sshd_set_maxstartups sshd_strong_kex=cis_rhel8 sshd_strong_macs=cis_rhel8 -sshd_use_approved_ciphers sshd_use_strong_kex sshd_use_strong_macs sudo_add_use_pty diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile index e01bf4b95eb..5a3ba15e5cc 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile @@ -44,6 +44,7 @@ configure_crypto_policy configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage +crypto_sub_policy_sshd_ciphers dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount @@ -245,7 +246,6 @@ set_password_hashing_algorithm_logindefs set_password_hashing_algorithm_passwordauth set_password_hashing_algorithm_systemauth socket_systemd-journal-remote_disabled -sshd_approved_ciphers=cis_rhel8 sshd_disable_empty_passwords sshd_disable_rhosts sshd_disable_root_login @@ -264,7 +264,6 @@ sshd_set_max_sessions sshd_set_maxstartups sshd_strong_kex=cis_rhel8 sshd_strong_macs=cis_rhel8 -sshd_use_approved_ciphers sshd_use_strong_kex sshd_use_strong_macs sudo_add_use_pty diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile index ea03d59545b..15be903f77e 100644 
--- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile @@ -109,6 +109,7 @@ configure_crypto_policy configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage +crypto_sub_policy_sshd_ciphers dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount @@ -345,7 +346,6 @@ set_password_hashing_algorithm_logindefs set_password_hashing_algorithm_passwordauth set_password_hashing_algorithm_systemauth socket_systemd-journal-remote_disabled -sshd_approved_ciphers=cis_rhel8 sshd_disable_empty_passwords sshd_disable_rhosts sshd_disable_root_login @@ -364,7 +364,6 @@ sshd_set_max_sessions sshd_set_maxstartups sshd_strong_kex=cis_rhel8 sshd_strong_macs=cis_rhel8 -sshd_use_approved_ciphers sshd_use_strong_kex sshd_use_strong_macs sudo_add_use_pty From 0a182d8239559c7a6a99916b6a7e68ecf481950c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 27 Oct 2025 09:17:17 +0100 Subject: [PATCH 2/8] Introduce a new template crypto_sub_policy --- docs/templates/template_reference.md | 15 +++++++++++++++ .../crypto_sub_policy_sshd_ciphers/bash/shared.sh | 12 ------------ .../crypto_sub_policy_sshd_ciphers/rule.yml | 7 +++++++ .../tests/correct.pass.sh | 4 ---- .../tests/empty.fail.sh | 2 -- .../tests/file_dne.fail.sh | 6 ------ .../tests/invalid.fail.sh | 4 ---- .../templates/crypto_sub_policy/ansible.template | 12 ++++++------ shared/templates/crypto_sub_policy/bash.template | 9 +++++++++ .../templates/crypto_sub_policy/oval.template | 10 +++++----- shared/templates/crypto_sub_policy/template.yml | 4 ++++ .../crypto_sub_policy/tests/correct.pass.sh | 4 ++++ .../crypto_sub_policy/tests/empty.fail.sh | 2 ++ .../crypto_sub_policy/tests/file_dne.fail.sh | 6 ++++++ .../crypto_sub_policy/tests/invalid.fail.sh | 4 ++++ 15 files changed, 62 insertions(+), 39 deletions(-) delete mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/bash/shared.sh delete mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/correct.pass.sh delete mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/empty.fail.sh delete mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/file_dne.fail.sh delete mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/invalid.fail.sh rename linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/ansible/shared.yml => shared/templates/crypto_sub_policy/ansible.template (60%) create mode 100644 shared/templates/crypto_sub_policy/bash.template rename linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/oval/shared.xml => shared/templates/crypto_sub_policy/oval.template (65%) create mode 100644 
shared/templates/crypto_sub_policy/template.yml create mode 100644 shared/templates/crypto_sub_policy/tests/correct.pass.sh create mode 100644 shared/templates/crypto_sub_policy/tests/empty.fail.sh create mode 100644 shared/templates/crypto_sub_policy/tests/file_dne.fail.sh create mode 100644 shared/templates/crypto_sub_policy/tests/invalid.fail.sh diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index a6bc1095c21..62f9232bf62 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -245,6 +245,21 @@ - Languages: OVAL, Kubernetes +#### crypto_sub_policy +- Configures a sub policy for system wide crypto policies. Creates a module + file `module_name.pmod` in `/etc/crypto-policies/policies/modules/` that + contains `key = value`. Then, it applies this module. + +- Parameters: + + - **module_name** - crypto sub policy name, eg. `NO-SSHWEAKCIPHERS` + + - **key** - entry key, eg. `cipher@SSH` + + - **value** - entry value, eg. `-3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305` + +- Languages: Ansible, Bash, OVAL + #### dconf_ini_file - Checks for `dconf` configuration. Additionally checks if the configuration is locked so it cannot be overridden by the user. diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/bash/shared.sh deleted file mode 100644 index b40a09e6a43..00000000000 --- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/bash/shared.sh +++ /dev/null 
@@ -1,12 +0,0 @@ -# platform = multi_platform_all -# reboot = true -# strategy = configure -# complexity = low -# disruption = low - -{{%- set contents = "cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305" -%}} - - -{{{ bash_file_contents('/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod', contents) }}} - -sudo update-crypto-policies --set DEFAULT:NO-SSHWEAKCIPHERS diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml index 1cc3c849e27..e7f161d9048 100644 --- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml @@ -27,3 +27,10 @@ ocil: |-
     cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
     
+ +template: + name: crypto_sub_policy + vars: + module_name: NO-SSHWEAKCIPHERS + key: cipher@SSH + value: -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305 diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/correct.pass.sh deleted file mode 100644 index 2d17dda6a85..00000000000 --- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/correct.pass.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -cat > /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod << EOF -cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305 -EOF diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/empty.fail.sh b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/empty.fail.sh deleted file mode 100644 index 3296ae56356..00000000000 --- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/empty.fail.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -touch /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/file_dne.fail.sh b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/file_dne.fail.sh deleted file mode 100644 index de8efa96b98..00000000000 --- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/file_dne.fail.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash - -if [[ -f /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod ]] -then - rm /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod -fi 
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/invalid.fail.sh b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/invalid.fail.sh
deleted file mode 100644
index e9735dd0f7e..00000000000
--- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/tests/invalid.fail.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-cat > /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod << EOF
-cipher@SSH = -3DES-CBC -AES-128-CBC -CHACHA20-POLY1305 -AES-256-EBC
-EOF
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/ansible/shared.yml b/shared/templates/crypto_sub_policy/ansible.template
similarity index 60%
rename from linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/ansible/shared.yml
rename to shared/templates/crypto_sub_policy/ansible.template
index bd32c86aee8..9cdddb333ec 100644
--- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/ansible/shared.yml
+++ b/shared/templates/crypto_sub_policy/ansible.template
@@ -4,15 +4,15 @@
 # complexity = low
 # disruption = low
 
-- name: "{{{ rule_title }}} - Create custom crypto policy - cipher"
+- name: "{{{ rule_title }}} - Create custom crypto policy - {{{ KEY }}}"
 ansible.builtin.lineinfile:
- path: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
+ path: /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod
 owner: root
 group: root
 mode: '0644'
- line: cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
+ line: {{{ KEY }}} = {{{ VALUE }}}
 create: true
- regexp: "cipher@SSH"
+ regexp: "{{{ KEY }}}"
 
 - name: "{{{ rule_title }}} - Check current crypto policy"
 ansible.builtin.command: update-crypto-policies --show
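Review bot: `regexp: "{{{ KEY }}}"` is neither anchored nor escaped, so `lineinfile` rewrites any line that merely contains the key (a commented-out `# cipher@SSH = …` included) and a key with regex metacharacters would change what matches; `line:` is also left as an unquoted YAML scalar, which only works because the current keys start with a plain letter. Suggest `regexp: "^{{{ KEY | escape_regex }}}\\s*="` and `line: "{{{ KEY }}} = {{{ VALUE }}}"`, using the same `escape_regex` filter this series later applies to `VALUE` in `oval.template`, where `^{{{ KEY }}}` has the same unescaped interpolation. The task list continues in the next hunk.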
@@ -22,5 +22,5 @@
 check_mode: false
 
 - name: "{{{ rule_title }}} - Update crypto-policies"
- ansible.builtin.command: update-crypto-policies --set DEFAULT:NO-SSHWEAKCIPHERS
- when: current_crypto_policy.stdout.strip() != "DEFAULT:NO-SSHWEAKCIPHERS"
+ ansible.builtin.command: update-crypto-policies --set DEFAULT:{{{ MODULE_NAME }}}
+ when: current_crypto_policy.stdout.strip() != "DEFAULT:{{{ MODULE_NAME }}}"
diff --git a/shared/templates/crypto_sub_policy/bash.template b/shared/templates/crypto_sub_policy/bash.template
new file mode 100644
index 00000000000..120cc074d75
--- /dev/null
+++ b/shared/templates/crypto_sub_policy/bash.template
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ MODULE_NAME ~ ".pmod", KEY ~ " = " ~ VALUE) }}}
+
+sudo update-crypto-policies --set DEFAULT:{{{ MODULE_NAME }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/oval/shared.xml b/shared/templates/crypto_sub_policy/oval.template
similarity index 65%
rename from linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/oval/shared.xml
rename to shared/templates/crypto_sub_policy/oval.template
index ff180b6577c..1327272aa4d 100644
--- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/oval/shared.xml
+++ b/shared/templates/crypto_sub_policy/oval.template
@@ -1,21 +1,21 @@ - {{{ oval_metadata("Ensure that the custom crypto policy module for SSH is configured", rule_title=rule_title) }}} + {{{ oval_metadata("Ensure that the custom crypto policy module " ~ MODULE_NAME ~ " is configured", rule_title=rule_title) }}} - /etc/crypto-policies/policies/modules/ - NO-SSHWEAKCIPHERS.pmod - ^cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305$ + {{{ MODULE_NAME }}}.pmod + ^{{{ KEY }}} = {{{ VALUE }}}$ 1
diff --git a/shared/templates/crypto_sub_policy/template.yml b/shared/templates/crypto_sub_policy/template.yml
new file mode 100644
index 00000000000..b57de6fbb63
--- /dev/null
+++ b/shared/templates/crypto_sub_policy/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+ - ansible
+ - bash
+ - oval
diff --git a/shared/templates/crypto_sub_policy/tests/correct.pass.sh b/shared/templates/crypto_sub_policy/tests/correct.pass.sh
new file mode 100644
index 00000000000..e7db70141c8
--- /dev/null
+++ b/shared/templates/crypto_sub_policy/tests/correct.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+cat > /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod << EOF
+{{{ KEY }}} = {{{ VALUE }}}
+EOF
diff --git a/shared/templates/crypto_sub_policy/tests/empty.fail.sh b/shared/templates/crypto_sub_policy/tests/empty.fail.sh
new file mode 100644
index 00000000000..73a0455cebf
--- /dev/null
+++ b/shared/templates/crypto_sub_policy/tests/empty.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+touch /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod
diff --git a/shared/templates/crypto_sub_policy/tests/file_dne.fail.sh b/shared/templates/crypto_sub_policy/tests/file_dne.fail.sh
new file mode 100644
index 00000000000..e1519d3eb0a
--- /dev/null
+++ b/shared/templates/crypto_sub_policy/tests/file_dne.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [[ -f /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod ]]
+then
+ rm /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod
+fi
diff --git a/shared/templates/crypto_sub_policy/tests/invalid.fail.sh b/shared/templates/crypto_sub_policy/tests/invalid.fail.sh
new file mode 100644
index 00000000000..4e93ca370a5
--- /dev/null
+++ b/shared/templates/crypto_sub_policy/tests/invalid.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+cat > /etc/crypto-policies/policies/modules/{{{ MODULE_NAME }}}.pmod << EOF
+{{{ KEY }}} = ABCDEFGHIJKLMNOPQRSTUVWXYZ
+EOF
From 286787c7a6b19a31c5542fa74507a354440ee5f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 27 Oct 2025 09:48:32 +0100 Subject: [PATCH 3/8] Extract description and OCIL as a macro We prevent future code duplication by extracting the common rule description and OCIL text to new Jinja macros describe_crypto_sub_policy and ocil_crypto_sub_policy. These macros can be used in rules that use the crypto_sub_policy template. --- .../crypto_sub_policy_sshd_ciphers/rule.yml | 20 +++++++++---------- shared/macros/01-general.jinja | 17 ++++++++++++++++ shared/macros/10-ocil.jinja | 17 ++++++++++++++++ 3 files changed, 43 insertions(+), 11 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml index e7f161d9048..1a2309dcfce 100644 --- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml @@ -2,12 +2,13 @@ documentation_complete: true title: Implement Custom Crypto Policy for SSHD Ciphers +{{% set module_name = "NO-SSHWEAKCIPHERS" %}} +{{% set key = "cipher@SSH" %}} +{{% set value = "-3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305" %}} + description: |- Create a custom crypto policy module for SSHD to enforce the use of strong ciphers. - Add the following line to the file /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod: -
-    cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
-    
+ {{{ describe_crypto_sub_policy(module_name, key, value) }}} rationale: |- Weak ciphers that are used for authentication to the cryptographic module cannot be @@ -23,14 +24,11 @@ references: ocil_clause: 'the custom crypto policy module for SSH does not exist' ocil: |- - Verify that /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod exists and has the following content: -
-    cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
-    
+ {{{ ocil_crypto_sub_policy(module_name, key, value) }}} template: name: crypto_sub_policy vars: - module_name: NO-SSHWEAKCIPHERS - key: cipher@SSH - value: -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305 + module_name: {{{ module_name }}} + key: {{{ key }}} + value: {{{ value }}} diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index c945a9b92c1..3d68145ac9a 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja @@ -1446,3 +1446,20 @@ Create a rule description for rules using the `audit_rules_kernel_module_loading If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules. {{% endmacro %}} + +{{# +Create a description text for rules that use the crypto_sub_policy template. + +:param module_name: crypto sub policy name, eg. `NO-SSHWEAKCIPHERS` +:type module_name: str +:param key: The entry key, eg. cipher@SSH +:type key: str +:param value: The entry value, eg. -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305 +:type value: str +#}} +{{% macro describe_crypto_sub_policy(module_name, key, value) %}} + Add the following line to the file /etc/crypto-policies/policies/modules/{{{ module_name }}}.pmod: +
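Review bot: `module_name: {{{ module_name }}}`, `key: {{{ key }}}` and `value: {{{ value }}}` are rendered into the rule as plain YAML scalars, so a value that starts with `*`, `[`, `{` or `- `, or that contains `: ` or ` #`, will mis-parse or break the rule before it reaches the template; the cipher list here only survives because it begins with `-3`. Quote them, e.g. `value: "{{{ value }}}"`, and apply the same to the sibling `crypto_sub_policy_sshd_macs` rule added in PATCH 4, whose value contains `*` wildcards.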
+    {{{ key }}} = {{{ value }}}
+    
+{{%- endmacro %}} diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index 27c1ea4cffa..44de9ea778f 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -1538,3 +1538,20 @@ Create an OCIL text for rules that use the audit_rules_watch platform. -w {{{ path }}} -p wa -k {{{ key }}} {{% endif %}} {{% endmacro %}} + +{{# +Create an OCIL text for rules that use the crypto_sub_policy template. + +:param module_name: crypto sub policy name, eg. `NO-SSHWEAKCIPHERS` +:type module_name: str +:param key: The entry key, eg. cipher@SSH +:type key: str +:param value: The entry value, eg. -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305 +:type value: str +#}} +{{% macro ocil_crypto_sub_policy(module_name, key, value) %}} + Verify that /etc/crypto-policies/policies/modules/{{{ module_name }}}.pmod exists and has the following content: +
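Review bot: `describe_crypto_sub_policy` closes with `{{%- endmacro %}}` while the matching `ocil_crypto_sub_policy` in `10-ocil.jinja` below closes with `{{% endmacro %}}`, so the two macros emit different trailing whitespace for the same content and callers in `description: |-` versus `ocil: |-` blocks render inconsistently. Pick one form for both; the `-` variant is the safer default because it keeps the stripped newline out of the block scalar. The new docstrings also describe `module_name` with backticks but `key` and `value` without; minor, but worth aligning in both macros.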
+    {{{ key }}} = {{{ value }}}
+    
+{{% endmacro %}} From a5d1a5f5d32e36cc19765b9bebfd8c65997aa9d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 27 Oct 2025 10:28:18 +0100 Subject: [PATCH 4/8] Introduce rule crypto_sub_policy_sshd_macs The rule crypto_sub_policy_sshd_macs implements the approach for configuring strong MACs as requested in CIS Benchmark for RHEL 8 version 4.0.0. --- components/openssh.yml | 1 + controls/cis_rhel8.yml | 3 +- .../crypto_sub_policy_sshd_macs/rule.yml | 38 +++++++++++++++++++ shared/references/cce-redhat-avail.txt | 1 - .../templates/crypto_sub_policy/oval.template | 2 +- .../data/profile_stability/rhel8/cis.profile | 3 +- .../rhel8/cis_server_l1.profile | 3 +- .../rhel8/cis_workstation_l1.profile | 3 +- .../rhel8/cis_workstation_l2.profile | 3 +- 9 files changed, 45 insertions(+), 12 deletions(-) create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml diff --git a/components/openssh.yml b/components/openssh.yml index 6d444e4365a..6792f7eea82 100644 --- a/components/openssh.yml +++ b/components/openssh.yml @@ -10,6 +10,7 @@ packages: - openssh-server rules: - crypto_sub_policy_sshd_ciphers +- crypto_sub_policy_sshd_macs - directory_groupowner_sshd_config_d - directory_owner_sshd_config_d - directory_permissions_sshd_config_d diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index f000830da9c..2cc9cce5a1a 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1593,8 +1593,7 @@ controls: - l1_workstation status: automated rules: - - sshd_use_strong_macs - - sshd_strong_macs=cis_rhel8 + - crypto_sub_policy_sshd_macs - id: 4.2.15 title: Ensure sshd MaxAuthTries is configured (Automated) diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml new file mode 100644 index 00000000000..e8d72c1c948 --- /dev/null 
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: Implement Custom Crypto Policy for SSHD MACs
+
+{{% set module_name = "NO-SSHWEAKMACS" %}}
+{{% set key = "mac@SSH" %}}
+{{% set value = "-HMAC-MD5* -UMAC-64* -UMAC-128*" %}}
+
+description: |-
+ Create a custom crypto policy module for SSHD to enforce the use of strong MACs.
+ {{{ describe_crypto_sub_policy(module_name, key, value) }}}
+
+rationale: |-
+ Message Authentication Codes (MACs) are cryptographic mechanisms used to verify the
+ integrity and authenticity of data transmitted over SSH connections. Weak MACs that
+ are used for authentication to the cryptographic module cannot be relied upon to
+ provide integrity, and system data may be compromised. Implementing a custom crypto
+ policy that disables weak MAC algorithms helps ensure that only strong, proven
+ cryptographic algorithms are used to protect SSH communications.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86952-9
+
+references:
+
+ocil_clause: 'the custom crypto policy module for SSH does not exist'
+
+ocil: |-
+ {{{ ocil_crypto_sub_policy(module_name, key, value) }}}
+
+template:
+ name: crypto_sub_policy
+ vars:
+ module_name: {{{ module_name }}}
+ key: {{{ key }}}
+ value: {{{ value }}}
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index c093e443928..892c33cc546 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -171,7 +171,6 @@ CCE-86934-7
 CCE-86935-4
 CCE-86936-2
 CCE-86937-0
-CCE-86952-9
 CCE-86955-2
 CCE-86956-0
 CCE-86958-6
diff --git a/shared/templates/crypto_sub_policy/oval.template b/shared/templates/crypto_sub_policy/oval.template
index 1327272aa4d..d62e790a22a 100644
--- a/shared/templates/crypto_sub_policy/oval.template
+++ b/shared/templates/crypto_sub_policy/oval.template
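Review bot: Applying this rule together with `crypto_sub_policy_sshd_ciphers` leaves only one of the two modules active, because the shared template's remediation runs `update-crypto-policies --set DEFAULT:{{{ MODULE_NAME }}}` and `--set` replaces the whole policy string, so whichever remediation runs last turns the policy into `DEFAULT:NO-SSHWEAKMACS` or `DEFAULT:NO-SSHWEAKCIPHERS` and the other module's `.pmod` file is no longer referenced. The template's OVAL check only inspects the module files, so both rules still report pass and the regression is invisible to the scanner. Either make the template append the module to the policy returned by `update-crypto-policies --show` when it is not already present, or fold both CIS requirements into one module file carrying both the `cipher@SSH` and `mac@SSH` lines; a short comment on the `template:` block here noting that dependency would help the next reader. The `*` wildcards in `value` are intentional crypto-policies glob syntax, which is what the `escape_regex` change to `oval.template` in this same commit accommodates, and that is worth a one-line comment on the `{{% set value … %}}` line so nobody escapes it at the rule level later.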
@@ -15,7 +15,7 @@ /etc/crypto-policies/policies/modules/ {{{ MODULE_NAME }}}.pmod - ^{{{ KEY }}} = {{{ VALUE }}}$ + ^{{{ KEY }}} = {{{ VALUE | escape_regex }}}$ 1 diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile index 367079c35ac..c23c1895288 100644 --- a/tests/data/profile_stability/rhel8/cis.profile +++ b/tests/data/profile_stability/rhel8/cis.profile @@ -110,6 +110,7 @@ configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage crypto_sub_policy_sshd_ciphers +crypto_sub_policy_sshd_macs dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount @@ -367,9 +368,7 @@ sshd_set_max_auth_tries sshd_set_max_sessions sshd_set_maxstartups sshd_strong_kex=cis_rhel8 -sshd_strong_macs=cis_rhel8 sshd_use_strong_kex -sshd_use_strong_macs sudo_add_use_pty sudo_custom_logfile sudo_require_authentication diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile index e7877be342d..f47861c0a76 100644 --- a/tests/data/profile_stability/rhel8/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile @@ -45,6 +45,7 @@ configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage crypto_sub_policy_sshd_ciphers +crypto_sub_policy_sshd_macs dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount @@ -269,9 +270,7 @@ sshd_set_max_auth_tries sshd_set_max_sessions sshd_set_maxstartups sshd_strong_kex=cis_rhel8 -sshd_strong_macs=cis_rhel8 sshd_use_strong_kex -sshd_use_strong_macs sudo_add_use_pty sudo_custom_logfile sudo_require_authentication diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile index 5a3ba15e5cc..2d4ec3d57a8 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile 
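Review bot: `KEY` is still interpolated into the pattern unescaped while `VALUE` now goes through `escape_regex`; the keys used by this series (`mac@SSH`, `cipher@SSH`, `mac`) contain no regex metacharacters, but a future key with `.` or `+` would silently widen the match, so `^{{{ KEY | escape_regex }}} = {{{ VALUE | escape_regex }}}$` keeps the two halves symmetric. The pattern also pins exactly one space on each side of `=`; if the crypto-policies module parser tolerates other spacing, a hand-written but effective module would be reported as failing, which is worth confirming against the parser rather than assuming. The enclosing OVAL object starts and ends outside the hunk, so only the pattern line is reviewed here.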
@@ -45,6 +45,7 @@ configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage crypto_sub_policy_sshd_ciphers +crypto_sub_policy_sshd_macs dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount @@ -263,9 +264,7 @@ sshd_set_max_auth_tries sshd_set_max_sessions sshd_set_maxstartups sshd_strong_kex=cis_rhel8 -sshd_strong_macs=cis_rhel8 sshd_use_strong_kex -sshd_use_strong_macs sudo_add_use_pty sudo_custom_logfile sudo_require_authentication diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile index 15be903f77e..aa4510de622 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile @@ -110,6 +110,7 @@ configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage crypto_sub_policy_sshd_ciphers +crypto_sub_policy_sshd_macs dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount @@ -363,9 +364,7 @@ sshd_set_max_auth_tries sshd_set_max_sessions sshd_set_maxstartups sshd_strong_kex=cis_rhel8 -sshd_strong_macs=cis_rhel8 sshd_use_strong_kex -sshd_use_strong_macs sudo_add_use_pty sudo_custom_logfile sudo_require_authentication From 8de7bffa527491eac104d64349401beb32a5ec3c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 27 Oct 2025 11:12:39 +0100
Subject: [PATCH 5/8] Introduce rule crypto_sub_policy_sshd_cbc

The rule crypto_sub_policy_sshd_cbc implements the approach for disabling CBC ciphers using a custom crypto policy sub module as requested in requirement 1.6.4 in CIS Benchmark for RHEL 8 version 4.0.0.
---
components/openssh.yml | 1 +
controls/cis_rhel8.yml | 9 ++---
.../crypto_sub_policy_sshd_cbc/rule.yml | 35 +++++++++++++++++++
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/cis.profile | 1 +
.../rhel8/cis_server_l1.profile | 1 +
.../rhel8/cis_workstation_l1.profile | 1 +
.../rhel8/cis_workstation_l2.profile | 1 +
8 files changed, 43 insertions(+), 7 deletions(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml
diff --git a/components/openssh.yml b/components/openssh.yml
index 6792f7eea82..c428e322967 100644
--- a/components/openssh.yml
+++ b/components/openssh.yml
@@ -9,6 +9,7 @@ packages:
 - openssh-clients
 - openssh-server
 rules:
+- crypto_sub_policy_sshd_cbc
 - crypto_sub_policy_sshd_ciphers
 - crypto_sub_policy_sshd_macs
 - directory_groupowner_sshd_config_d
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 2cc9cce5a1a..b91c21a752a 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -556,12 +556,9 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: pending
- notes: |-
- It is necessary a new rule to ensure a module disabling CBC in
- /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
- related_rules:
- - configure_crypto_policy
+ status: automated
+ rules:
+ - crypto_sub_policy_sshd_cbc
 
 - id: 1.6.4
 title: Ensure system wide crypto policy disables macs less than 128 bits (Automated)
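Review bot: The commit message says this implements requirement 1.6.4, but the control edited in this hunk is the one immediately before `- id: 1.6.4` in the file and its removed note describes "a module disabling CBC", so it appears to be 1.6.3; patch 6's controls hunk has the mirror-image problem, citing 1.6.3 while editing the control that precedes `- id: 1.7.1` (the MACs one). The removed `notes:` and `related_rules:` recorded that the module only does anything once `update-crypto-policies` consumes it and that configure_crypto_policy is involved, and that dependency is not carried into the new `rules:` entry; keeping a one-line `notes:` saying that configure_crypto_policy must also be applied would preserve it. The enclosing `controls:` list starts outside the hunk.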
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml
new file mode 100644
index 00000000000..10c342c3ef4
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: Implement Custom Crypto Policy to disable CBC mode ciphers
+
+{{% set module_name = "NO-SSHCBC" %}}
+{{% set key = "cipher@SSH" %}}
+{{% set value = "-*-CBC" %}}
+
+description: |-
+ Create a custom crypto policy module for SSHD to disable CBC mode ciphers.
+ {{{ describe_crypto_sub_policy(module_name, key, value) }}}
+
+rationale: |-
+ CBC mode ciphers are vulnerable to certain attacks, such as the BEAST attack.
+ Disabling CBC mode ciphers helps protect against these attacks and ensures that only
+ strong, proven cryptographic algorithms are used to protect SSH communications.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86956-0
+
+references:
+
+ocil_clause: 'the custom crypto policy module for SSHD to disable CBC mode ciphers does not exist'
+
+ocil: |-
+ {{{ ocil_crypto_sub_policy(module_name, key, value) }}}
+
+template:
+ name: crypto_sub_policy
+ vars:
+ module_name: {{{ module_name }}}
+ key: {{{ key }}}
+ value: {{{ value }}}
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 892c33cc546..6778415d7a2 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -172,7 +172,6 @@ CCE-86935-4
 CCE-86936-2
 CCE-86937-0
 CCE-86955-2
-CCE-86956-0
 CCE-86958-6
 CCE-86959-4
 CCE-86963-6
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index c23c1895288..5d91922cd39 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
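Review bot: The rationale cites BEAST, which is a TLS 1.0 attack and does not apply to SSH; the reason to drop CBC in SSH is the protocol-specific plaintext-recovery weakness that comes from the packet length being decrypted and acted on before the MAC is verified. Suggest replacing the first rationale line with `CBC mode ciphers in SSH are subject to plaintext-recovery attacks because the packet length is decrypted and used before the MAC is verified.` and keeping the rest. The title and description say "for SSHD", while the `cipher@SSH` scope in crypto-policies, as far as I know, applies to both the OpenSSH client and server back-ends; confirm and widen the wording if so.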
@@ -109,6 +109,7 @@ configure_crypto_policy configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage +crypto_sub_policy_sshd_cbc crypto_sub_policy_sshd_ciphers crypto_sub_policy_sshd_macs dconf_db_up_to_date diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile index f47861c0a76..e85bf5b8d38 100644 --- a/tests/data/profile_stability/rhel8/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile @@ -44,6 +44,7 @@ configure_crypto_policy configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage +crypto_sub_policy_sshd_cbc crypto_sub_policy_sshd_ciphers crypto_sub_policy_sshd_macs dconf_db_up_to_date diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile index 2d4ec3d57a8..a43ec628cf8 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile @@ -44,6 +44,7 @@ configure_crypto_policy configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage +crypto_sub_policy_sshd_cbc crypto_sub_policy_sshd_ciphers crypto_sub_policy_sshd_macs dconf_db_up_to_date diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile index aa4510de622..6da4300b1c2 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile @@ -109,6 +109,7 @@ configure_crypto_policy configure_ssh_crypto_policy coredump_disable_backtraces coredump_disable_storage +crypto_sub_policy_sshd_cbc crypto_sub_policy_sshd_ciphers crypto_sub_policy_sshd_macs dconf_db_up_to_date From e776b55c6e1ea3a9b66a5178c4c587dea54fed41 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 27 Oct 2025 11:39:02 +0100 Subject: [PATCH 6/8] Introduce rule crypto_sub_policy_weak_macs The rule crypto_sub_policy_weak_macs implements the approach for disabling MACs using a custom crypto policy sub module as requested in requirement 1.6.3 in CIS Benchmark for RHEL 8 version 4.0.0. --- components/crypto-policies.yml | 4 ++ controls/cis_rhel8.yml | 9 ++--- .../crypto_sub_policy_weak_macs/rule.yml | 38 +++++++++++++++++++ shared/references/cce-redhat-avail.txt | 1 - .../data/profile_stability/rhel8/cis.profile | 1 + .../rhel8/cis_server_l1.profile | 1 + .../rhel8/cis_workstation_l1.profile | 1 + .../rhel8/cis_workstation_l2.profile | 1 + 8 files changed, 49 insertions(+), 7 deletions(-) create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml diff --git a/components/crypto-policies.yml b/components/crypto-policies.yml index b15f25fbd36..499a93a4531 100644 --- a/components/crypto-policies.yml +++ b/components/crypto-policies.yml @@ -12,6 +12,10 @@ rules: - configure_openssl_crypto_policy - configure_openssl_tls_crypto_policy - configure_ssh_crypto_policy +- crypto_sub_policy_sshd_ciphers +- crypto_sub_policy_sshd_macs +- crypto_sub_policy_sshd_cbc +- crypto_sub_policy_weak_macs - harden_openssl_crypto_policy - harden_ssh_client_crypto_policy - harden_sshd_ciphers_openssh_conf_crypto_policy diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index b91c21a752a..f188d8e53a7 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml 
@@ -565,12 +565,9 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: pending
- notes: |-
- It is necessary a new rule to ensure a module disabling weak MACs in
- /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
- related_rules:
- - configure_crypto_policy
+ status: automated
+ rules:
+ - crypto_sub_policy_weak_macs
 
 - id: 1.7.1
 title: Ensure message of the day is configured properly (Automated)
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml
new file mode 100644
index 00000000000..0cf1a981e74
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: Implement Custom Crypto Policy to Disable Weak MAC Algorithms
+
+{{% set module_name = "NO-WEAKMAC" %}}
+{{% set key = "mac" %}}
+{{% set value = "-*-128*" %}}
+
+description: |-
+ Create a custom crypto policy module to disable weak MACs.
+ {{{ describe_crypto_sub_policy(module_name, key, value) }}}
+
+rationale: |-
+ Message Authentication Codes (MACs) are cryptographic mechanisms used to verify the
+ integrity and authenticity of data transmitted over SSH connections. Weak MACs
+ that are used for authentication to the cryptographic module cannot be relied upon to
+ provide integrity, and system data may be compromised. Implementing a custom crypto
+ policy that disables weak MAC algorithms helps ensure that only strong, proven
+ cryptographic algorithms are used to protect system data.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86958-6
+
+references:
+
+ocil_clause: 'the custom crypto policy module to disable weak MACs does not exist'
+
+ocil: |-
+ {{{ ocil_crypto_sub_policy(module_name, key, value) }}}
+
+template:
+ name: crypto_sub_policy
+ vars:
+ module_name: {{{ module_name }}}
+ key: {{{ key }}}
+ value: {{{ value }}}
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 6778415d7a2..929b62c3bea 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -172,7 +172,6 @@ CCE-86935-4
 CCE-86936-2
 CCE-86937-0
 CCE-86955-2
-CCE-86958-6
 CCE-86959-4
 CCE-86963-6
 CCE-86965-1
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
index 5d91922cd39..0ba872705bb 100644
--- a/tests/data/profile_stability/rhel8/cis.profile
+++ b/tests/data/profile_stability/rhel8/cis.profile
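Review bot: `value = "-*-128*"` removes MACs whose name contains 128 (UMAC-128 in crypto-policies naming), which are 128-bit MACs, while the CIS control this rule now satisfies is titled "disables macs less than 128 bits" in the controls hunk of the preceding patch; as far as I recall the benchmark's own remediation for that control is `mac = -*-64*`, so the value should be checked against the benchmark text before this ships. The rationale was copied from the sshd_macs rule and speaks of "data transmitted over SSH connections", but the key here is the unscoped `mac`, which affects every back-end that follows the system-wide policy; suggest `integrity and authenticity of data handled by the libraries and services that follow the system-wide crypto policy.` for that sentence. The `ocil_clause` should also name NO-WEAKMAC so the finding is distinguishable from the SSH-scoped MAC rule.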
@@ -112,6 +112,7 @@ coredump_disable_storage crypto_sub_policy_sshd_cbc crypto_sub_policy_sshd_ciphers crypto_sub_policy_sshd_macs +crypto_sub_policy_weak_macs dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile index e85bf5b8d38..fe37de884b8 100644 --- a/tests/data/profile_stability/rhel8/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile @@ -47,6 +47,7 @@ coredump_disable_storage crypto_sub_policy_sshd_cbc crypto_sub_policy_sshd_ciphers crypto_sub_policy_sshd_macs +crypto_sub_policy_weak_macs dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile index a43ec628cf8..7b1d3a66369 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile @@ -47,6 +47,7 @@ coredump_disable_storage crypto_sub_policy_sshd_cbc crypto_sub_policy_sshd_ciphers crypto_sub_policy_sshd_macs +crypto_sub_policy_weak_macs dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile index 6da4300b1c2..2d580418751 100644 --- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile @@ -112,6 +112,7 @@ coredump_disable_storage crypto_sub_policy_sshd_cbc crypto_sub_policy_sshd_ciphers crypto_sub_policy_sshd_macs +crypto_sub_policy_weak_macs dconf_db_up_to_date dconf_gnome_banner_enabled dconf_gnome_disable_automount From fcb7dbb7a32b642bdd1325ecf9f3eec7fcec38cf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 27 Oct 2025 13:27:14 +0100 Subject: [PATCH 7/8] Remove empty references: key --- .../integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml | 2 -- .../integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml | 2 -- .../integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml | 2 -- .../integrity/crypto/crypto_sub_policy_weak_macs/rule.yml | 2 -- 4 files changed, 8 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml index 10c342c3ef4..be58854686b 100644 --- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_cbc/rule.yml @@ -20,8 +20,6 @@ severity: medium identifiers: cce@rhel8: CCE-86956-0 -references: - ocil_clause: 'the custom crypto policy module for SSHD to disable CBC mode ciphers does not exist' ocil: |- diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml index 1a2309dcfce..9dee0b6e111 100644 --- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_ciphers/rule.yml @@ -19,8 +19,6 @@ severity: medium identifiers: cce@rhel8: CCE-86707-7 -references: - ocil_clause: 'the custom crypto policy module for SSH does not exist' ocil: |- diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml index e8d72c1c948..1bbf6cb333d 100644 --- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml 
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_sshd_macs/rule.yml @@ -23,8 +23,6 @@ severity: medium identifiers: cce@rhel8: CCE-86952-9 -references: - ocil_clause: 'the custom crypto policy module for SSH does not exist' ocil: |- diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml index 0cf1a981e74..6a97bab810d 100644 --- a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml @@ -23,8 +23,6 @@ severity: medium identifiers: cce@rhel8: CCE-86958-6 -references: - ocil_clause: 'the custom crypto policy module to disable weak MACs does not exist' ocil: |- From 8e5402b0a9f0b4c2bca4d32edb02690381ab4d24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 27 Oct 2025 13:30:57 +0100 Subject: [PATCH 8/8] Prevent removal of sshd_use_strong_macs from RHEL 8 data stream --- products/rhel8/profiles/default.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile index 21898474dbc..362f53b9eb2 100644 --- a/products/rhel8/profiles/default.profile +++ b/products/rhel8/profiles/default.profile @@ -726,3 +726,4 @@ selections: - service_rlogin_disabled - service_zebra_disabled - package_rsh-server_removed + - sshd_use_strong_macs