Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pamd updates #186

Closed
wants to merge 6 commits into from
Closed

Pamd updates #186

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8828e34
updated logic and seperated tasks
uk-bolly Mar 10, 2023
4823364
added isolated cipher/mac/kex configs
uk-bolly Mar 10, 2023
88e7eaf
updated
uk-bolly Mar 10, 2023
835f53a
removed debug
uk-bolly Mar 10, 2023
b318c3b
removed test tag
uk-bolly Mar 10, 2023
35e7440
removed repeated content
uk-bolly Mar 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions Changelog.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
## Release 2.8.1

- updates to pamd logic thanks to @JacobBuskirk for highlighting
- improvements to openssh configs and seperated tasks

Also following issues/PRs

Expand Down
5 changes: 4 additions & 1 deletion defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -855,7 +855,10 @@ rhel8stig_white_list_services:
# This will be the MACs setting. It is a string that will be the entirety of the MAC's setting in the openssh.config file
# to conform to STIG standard control RHEL-08-010290 this variable must include hmac-sha2-512,hmac-sha2-256
# to conform to STIG standard control RHEL-08-010291 this variable must include aes256-ctr,aes192-ctr,aes128-ctr
rhel8stig_ssh_cipher_settings: "aes256-ctr,aes192-ctr,aes128-ctr"
rhel8stig_ssh_macs: 'MACS=hmac-sha2-512,hmac-sha2-256'
rhel8stig_ssh_ciphers: "Ciphers=aes256-ctr,aes192-ctr,aes128-ctr"
rhel8stig_ssh_kex: "KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"

# This will be the CRYPTO_POLICY settings in the opensshserver.conf file. It will be a string for the entirety of the setting
# to conform to STIG standard control RHEL-08-010290 this variable must contain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr -oMACS=hmac-sha2-512,hmac-sha2-256 settings
# to conform to STIG standard control RHEL-08-010291 this variable must cotnain oCiphers=aes256-ctr,aes192-ctr,aes128-ctr
Expand Down
71 changes: 54 additions & 17 deletions tasks/fix-cat2.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -769,26 +769,53 @@
- V-244526
- ssh

- name: |
"MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add ssh ciphers"
"MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Add ssh ciphers"
lineinfile:
path: /etc/crypto-policies/back-ends/opensshserver.config
regexp: "^CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'"
line: CRYPTO_POLICY='{{ rhel8stig_ssh_server_crypto_settings }}'
- name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add MACs"
block:
- name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs"
ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i MACs | sed s'/-o//g'
changed_when: false
register: rhel8stig_current_macs

- name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs"
ansible.builtin.lineinfile:
path: /etc/crypto-policies/back-ends/opensshserver.config
regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)'
line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>'
backrefs: true
notify: change_requires_reboot
when:
- rhel_08_010290 or
rhel_08_010291
- rhel_08_010290
tags:
- CAT2
- RHEL-08-010290
- RHEL-08-010291
- CCI-001453
- SRG-OS-000250-GPOS-00093
- SV-230251r743937_rule
- SV-230252r743940_rule
- V-230251
- fips

- name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | Add Ciphers"
block:
- name: "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers"
ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i Ciphers | sed s'/-o//g'
changed_when: false
register: rhel8stig_current_ciphers

- name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers"
ansible.builtin.lineinfile:
path: /etc/crypto-policies/back-ends/opensshserver.config
regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)'
line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>'
backrefs: true
notify: change_requires_reboot
when:
- rhel_08_010291
tags:
- CAT2
- RHEL-08-010291
- CCI-001453
- SRG-OS-000250-GPOS-00093
- SV-230252r877394_rule
- V-230252
- fips

Expand Down Expand Up @@ -7328,11 +7355,21 @@
- SV-230556r858723_rule
- ssh

- name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms."
lineinfile:
path: /etc/crypto-policies/back-ends/opensshserver.config
regexp: "^CRYPTO_POLICY='{{ FIPS_KEX_ALGO }}'"
line: "CRYPTO_POLICY='{{ FIPS_KEX_ALGO }}'"

- name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs"
block:
- name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs"
ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g'
changed_when: false
register: rhel8stig_current_kex

- name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs"
ansible.builtin.lineinfile:
path: /etc/crypto-policies/back-ends/opensshserver.config
regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)'
line: '\g<1>-o{{ rhel8stig_ssh_kex }}\g<2>'
backrefs: true
notify: change_requires_reboot
when:
- rhel_08_040342
- rhel8stig_ssh_required
Expand All @@ -7342,7 +7379,7 @@
- CCI-001453
- SRG-OS-000250-GPOS-00093
- SV-255924r880733_rule
- ssh
- fips

- name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode."
lineinfile:
Expand Down