
Fix ssh include cryptopolicy #12931

Open
wants to merge 5 commits into master from fix_ssh_include_cryptopolicy

Conversation

ggbecker
Member

Description:

  • Fix ssh include cryptopolicy

Rationale:

  • Update to the RHEL9 STIG

@ggbecker ggbecker added RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. labels Jan 29, 2025
@ggbecker ggbecker added this to the 0.1.76 milestone Jan 29, 2025

This datastream diff is auto-generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
+++ xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
@@ -4,7 +4,9 @@
 
 [description]:
 SSHD should follow the system cryptographic policy.
-In order to accomplish this the SSHD configuration should include the system
+In order to accomplish this the SSHD configuration should include the configuration file provided by the system crypto policy.
+The following line should be present in /etc/ssh/sshd_config or in a file included by this file (a file within the /etc/ssh/sshd_config.d directory):
+Include /etc/crypto-policies/back-ends/opensshserver.config
 
 [reference]:
 CCI-001453
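Review bot: the new description (lines 47-49) says the Include line may live in a file under /etc/ssh/sshd_config.d, but it does not say that such a drop-in is only read when /etc/ssh/sshd_config itself contains `Include /etc/ssh/sshd_config.d/*.conf`, which is exactly the line the previous bash remediation appended (line 61 of the bash hunk below). One sentence stating that the directory include must also be present would keep the description accurate on hosts whose sshd_config was edited by hand and no longer pulls in the drop-in directory.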

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
+++ xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
@@ -1,8 +1,9 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q kernel; then
 
-echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
-echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/ssh_config.d/50-redhat.conf
+dnf -y remove openssh-server
+dnf -y install openssh-server
+systemctl restart sshd.service
 
 else
     >&2 echo 'Remediation is not applicable, nothing was done'
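Review bot: the three commands on lines 63-65 are not chained, so if `dnf -y remove openssh-server` fails the install and restart still run, and removing the package takes the running sshd down, which drops any SSH session the remediation is being executed over before the reinstall and restart complete. Consider joining them with `&&` so a failed step does not leave the host without openssh-server, and stating in the rule description that this remediation is expected to run from a local console or an automation channel that does not depend on sshd; the old remediation's stray write to /etc/ssh/ssh_config.d/50-redhat.conf (line 62, the ssh client directory) is also not cleaned up by the new version.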

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
+++ xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
@@ -12,13 +12,11 @@
   - no_reboot_needed
   - sshd_include_crypto_policy
 
-- name: SSHD Must Include System Crypto Policy Config File - Ensure That Drop In SSH
-    Config Files are Included
-  ansible.builtin.lineinfile:
-    path: /etc/ssh/sshd_config
-    line: Include /etc/ssh/sshd_config.d/*.conf
-    regexp: ^Include /etc/ssh/sshd_config.d/\*.conf
-    state: present
+- name: SSHD Must Include System Crypto Policy Config File - reinstall the openssh-server
+    package
+  ansible.builtin.shell:
+    cmd: dnf -y remove openssh-server; dnf -y install openssh-server; systemctl restart
+      sshd.service
   when: '"kernel" in ansible_facts.packages'
   tags:
   - CCE-90566-1
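Review bot: the `ansible.builtin.shell` task on lines 86-88 chains the commands with `;`, so a failed `dnf remove` still proceeds to install and restart, and the task reports `changed` on every run, which breaks idempotence. The same sequence maps onto `ansible.builtin.dnf` (`state: absent` followed by `state: present`) plus `ansible.builtin.systemd` (`name: sshd.service`, `state: restarted`), which fails fast on the first error and is what the shell-module warning from the bot asks for.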
@@ -30,22 +28,3 @@
   - medium_severity
   - no_reboot_needed
   - sshd_include_crypto_policy
-
-- name: SSHD Must Include System Crypto Policy Config File - Ensure That System Crypto
-    Policies are Included
-  ansible.builtin.lineinfile:
-    path: /etc/ssh/ssh_config.d/50-redhat.conf
-    regexp: Include /etc/crypto-policies/back-ends/opensshserver.config
-    line: Include /etc/crypto-policies/back-ends/opensshserver.config
-    state: present
-  when: '"kernel" in ansible_facts.packages'
-  tags:
-  - CCE-90566-1
-  - DISA-STIG-RHEL-09-255055
-  - NIST-800-53-AC-17 (2)
-  - configure_strategy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - no_reboot_needed
-  - sshd_include_crypto_policy
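Review bot: confirm the surviving reinstall task still carries the DISA-STIG-RHEL-09-255055 and NIST-800-53-AC-17 (2) tags that this hunk shows only on the deleted task (lines 107-108), since the previous hunk cuts off right after `CCE-90566-1` and profile mapping depends on those tags. Deleting the task itself is right: it wrote the Include line to /etc/ssh/ssh_config.d/50-redhat.conf (line 100), the ssh client directory rather than sshd_config.d, so it never changed the server's configuration.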


Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

@Mab879 Mab879 self-assigned this Jan 29, 2025

@Mab879 Mab879 left a comment


Thanks!

@Mab879
Member

Mab879 commented Jan 29, 2025

Automatus passes locally:

$ ./automatus.py rule --datastream ../build/ssg-rhel9-ds.xml --libvirt qemu:///system automatus_rhel9_4 sshd_include_crypto_policy                        
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/Developer/ComplianceAsCode/content/tests/logs/rule-custom-2025-01-29-1053/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sshd_include_crypto_policy
INFO - Script default_pass.pass.sh using profile (all) OK
INFO - Script no_crypto.fail.sh using profile (all) OK
INFO - Script no_drop_in.fail.sh using profile (all) OK
INFO - Script no_includes.fail.sh using profile (all) OK


@Mab879 Mab879 left a comment


Something odd is going on. Please review the test farm results.

cc @vojtapolasek

@vojtapolasek
Collaborator

I know what is going on. The problem is in rule ordering. The following happens:

  1. The rules sshd_disable_gssapi_auth and sshd_disable_x11_forwarding get remediated and a file with a name starting with 01 is created in the /etc/ssh/sshd_config.d directory containing the correct values. These values are already defined (with unwanted values) in /etc/ssh/sshd_config.d/50-redhat.conf. They are removed from this file.
  2. The rule sshd_include_crypto_policy gets remediated; it reinstalls openssh-server. This also reinstates the file /etc/ssh/sshd_config.d/50-redhat.conf.
  3. The OVAL check detects conflicting values in /etc/ssh/sshd_config.d/*.conf. Due to the fact that the remediation done in step 1 created a file with a name starting with 01, it takes precedence and technically we are fine. But there is no easy way for OVAL to detect how the files containing matching regexes are ordered, so it reports it as a fail. You can verify that technically it is not a problem by grepping for the offending values in the output of the sshd -T command.

A solution is either a second remediation or modifying the ordering of rules; I will try to propose it.
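The precedence question in step 3 can be reproduced without a running sshd. The script below is an added example, not code from the PR or the ComplianceAsCode project: it implements the general first-occurrence-wins resolution of which the comment shows one instance, expanding Include globs in sorted order as sshd does, and shows that a 01-* drop-in beats a reinstated 50-redhat.conf while the crypto-policy Include is still present. It ignores Match blocks, resolves relative Include patterns against the main config's directory (/etc/ssh on a real host), and builds constructed files in a temporary directory; on a real host the same answer comes from `sshd -T`.

```python
import glob
import os
import tempfile

CRYPTO_POLICY = "/etc/crypto-policies/back-ends/opensshserver.config"

def _read(path, confdir):
    """Yield (keyword, value, file) in sshd's read order; Include globs expand sorted, relative to confdir."""
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, *rest = line.split(None, 1)
            key, val = key.lower(), rest[0].strip() if rest else ""
            if key != "include":
                yield key, val, path
                continue
            for pat in val.split():
                yield "include", pat, path
                full = pat if os.path.isabs(pat) else os.path.join(confdir, pat)
                for inc in sorted(glob.glob(full)):
                    yield from _read(inc, confdir)

def effective(main_config):
    """First keyword occurrence wins (sshd semantics); Include targets are collected separately for the rule's own check."""
    winners, includes = {}, []
    for key, val, src in _read(main_config, os.path.dirname(main_config)):
        if key == "include":
            includes.append(val)
        else:
            winners.setdefault(key, (val, os.path.basename(src)))
    return winners, includes

def demo():
    """Recreate the comment's layout in a temp dir: a constructed 01-* hardening drop-in
    (step 1), then 50-redhat.conf as the package reinstall reinstates it (step 2, contents constructed)."""
    root = tempfile.mkdtemp()
    dropin = os.path.join(root, "sshd_config.d")
    os.makedirs(dropin)
    main = os.path.join(root, "sshd_config")
    with open(main, "w") as fh:
        fh.write("Include sshd_config.d/*.conf\n")
    with open(os.path.join(dropin, "01-constructed-hardening.conf"), "w") as fh:
        fh.write("GSSAPIAuthentication no\nX11Forwarding no\n")
    with open(os.path.join(dropin, "50-redhat.conf"), "w") as fh:
        fh.write(f"Include {CRYPTO_POLICY}\nGSSAPIAuthentication yes\nX11Forwarding yes\n")
    winners, includes = effective(main)
    return winners, includes, CRYPTO_POLICY in includes
```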

@vojtapolasek
Collaborator

I pushed changes to rule ordering.


Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

This rule remediates through reinstalling openssh-server.
This step reinstates some configuration files in the /etc/ssh/sshd_config.d directory.
Some content in these files is later modified by remediations, especially removing unwanted options.
To prevent the necessity of double remediation, this rule which reinstalls openssh-server is sorted first.
@vojtapolasek vojtapolasek force-pushed the fix_ssh_include_cryptopolicy branch from d576169 to 18be095 on January 31, 2025 08:44

Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.


codeclimate bot commented Jan 31, 2025

Code Climate has analyzed commit 18be095 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).


@Mab879
Member

Mab879 commented Jan 31, 2025

Looks like you need to set the permissions on the file you create. See the testing farm error for the STIG profile for more details.
