From 30e98c10b64418aa62774a41733790aa5ff1602a Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Wed, 15 Jul 2020 18:47:28 +0200
Subject: [PATCH 1/3] add control for CRYPTO_POLICY on RedHat
RedHat introduces a CRYPTO_POLICY in RHEL8. This needs to be configured separately, or it will override sshd_config settings for Cipher, MAC and Kex.
see: https://access.redhat.com/solutions/4410591
Signed-off-by: Martin Schurz
---
 controls/sshd_spec.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb
index e57a77b..4bcedda 100644
--- a/controls/sshd_spec.rb
+++ b/controls/sshd_spec.rb
@@ -503,3 +503,17 @@
 its('stderr') { should eq '' }
 end
 end
+
+control 'sshd-49' do
+ impact 1.0
+ title 'Server: CRYPTO_POLICY'
+ desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from sshd_config are effective'
+ if os[:family] == "redhat" && ::Gem::Version.new(os.release) > ::Gem::Version.new('8')
+ describe bash("pgrep -af 'sshd -D'") do
+ its('exit_status') { should eq 0 }
+ its('stdout') { should_not match('-oCiphers') }
+ its('stdout') { should_not match('-oKexAlgorithms') }
+ its('stdout') { should_not match('-oHostKeyAlgorithms') }
+ end
+ end
+end
\ No newline at end of file
From 5ad1788d1ef046b1f129de97f3e8fcb41430b986 Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Thu, 16 Jul 2020 11:07:59 +0200
Subject: [PATCH 2/3] fix linting
Signed-off-by: Martin Schurz
---
 controls/sshd_spec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb
index 4bcedda..ab416d6 100644
--- a/controls/sshd_spec.rb
+++ b/controls/sshd_spec.rb
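Review bot: The `its('exit_status') { should eq 0 }` assertion most likely cannot fail, because the `bash` resource runs the command as `bash -c "pgrep -af 'sshd -D'"` and that wrapper's own command line contains `sshd -D`, so `pgrep -f` reports the wrapper and exits 0 even when no daemon is running. Anchoring the pattern to the start of the command line, e.g. `describe bash("pgrep -af '^[^ ]*sshd -D'") do`, keeps the wrapper out of the match. The commit message names Cipher, MAC and Kex as the settings CRYPTO_POLICY overrides, yet the assertions cover only Ciphers, KexAlgorithms and HostKeyAlgorithms; add `its('stdout') { should_not match('-oMACs') }`. The same describe block is re-added unchanged in PATCH 3/3, so both points apply there as well.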
@@ -508,7 +508,7 @@
 impact 1.0
 title 'Server: CRYPTO_POLICY'
 desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from sshd_config are effective'
- if os[:family] == "redhat" && ::Gem::Version.new(os.release) > ::Gem::Version.new('8')
+ if os[:family] == 'redhat' && ::Gem::Version.new(os.release) > ::Gem::Version.new('8')
 describe bash("pgrep -af 'sshd -D'") do
 its('exit_status') { should eq 0 }
 its('stdout') { should_not match('-oCiphers') }
@@ -516,4 +516,4 @@
 its('stdout') { should_not match('-oHostKeyAlgorithms') }
 end
 end
-end
\ No newline at end of file
+end
From 893eeb41a5f14789d6f65385f3594c6159ad582b Mon Sep 17 00:00:00 2001
From: Martin Schurz
Date: Thu, 16 Jul 2020 11:38:14 +0200
Subject: [PATCH 3/3] switch to only_if
Signed-off-by: Martin Schurz
---
 controls/sshd_spec.rb | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb
index ab416d6..97d9a67 100644
--- a/controls/sshd_spec.rb
+++ b/controls/sshd_spec.rb
@@ -508,12 +508,14 @@
 impact 1.0
 title 'Server: CRYPTO_POLICY'
 desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from sshd_config are effective'
- if os[:family] == 'redhat' && ::Gem::Version.new(os.release) > ::Gem::Version.new('8')
- describe bash("pgrep -af 'sshd -D'") do
- its('exit_status') { should eq 0 }
- its('stdout') { should_not match('-oCiphers') }
- its('stdout') { should_not match('-oKexAlgorithms') }
- its('stdout') { should_not match('-oHostKeyAlgorithms') }
- end
+ only_if('OS is RHEL 8+ or compatible') do
+ os[:family] == 'redhat' && ::Gem::Version.new(os.release) > ::Gem::Version.new('8')
+ end
+
+ describe bash("pgrep -af 'sshd -D'") do
+ its('exit_status') { should eq 0 }
+ its('stdout') { should_not match('-oCiphers') }
+ its('stdout') { should_not match('-oKexAlgorithms') }
+ its('stdout') { should_not match('-oHostKeyAlgorithms') }
 end
 end
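Review bot: The `only_if` message promises 'RHEL 8+ or compatible' but the condition beneath it uses `> ::Gem::Version.new('8')`, which skips the control on a host whose `os.release` is reported as plain `8`; use `>=` so the guard matches its message: `os[:family] == 'redhat' && ::Gem::Version.new(os.release) >= ::Gem::Version.new('8')`. `Gem::Version.new` raises ArgumentError on a malformed release string, which would error the control instead of skipping it, so checking `::Gem::Version.correct?(os.release)` first in the condition is a cheap safeguard, though whether such values occur on the targeted hosts is not visible here. A `ref` pointing at the Red Hat solution the commit message cites would tell readers why a process-argument check stands in for inspecting sshd_config. The enclosing `control 'sshd-49' do` line sits just above this hunk.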