Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config

An XCCDF Rule

Description

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/opensshserver.config contains the following text and is not commented out:

-oCiphers=

warning alert: Warning

The system needs to be rebooted for these changes to take effect.

warning alert: Regulatory Warning

System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Rationale

Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.

ID: xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
Severity: Medium
References: CCI-000877 CCI-001453

AC-17(2)

SRG-OS-000125-GPOS-00065 SRG-OS-000250-GPOS-00093

SV-230252r917873_rule
Updated: about 1 year ago

- name: XCCDF Value sshd_approved_ciphers # promote to variable
  set_fact:
    sshd_approved_ciphers: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_approved_ciphers" use="legacy"/>
  tags:
    - always
- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
    Set facts'
  set_fact:
    path: /etc/crypto-policies/back-ends/opensshserver.config
    correct_value: -oCiphers={{ sshd_approved_ciphers }}
  tags:
  - DISA-STIG-RHEL-08-010291
  - NIST-800-53-AC-17(2)
  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
    Stat'
  stat:
    path: '{{ path }}'
    follow: true
  register: opensshserver_file
  tags:
  - DISA-STIG-RHEL-08-010291
  - NIST-800-53-AC-17(2)
  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
    Create'
  lineinfile:
    path: '{{ path }}'
    line: CRYPTO_POLICY='{{ correct_value }}'
    create: true
  when: not opensshserver_file.stat.exists or opensshserver_file.stat.size <= correct_value|length
  tags:
  - DISA-STIG-RHEL-08-010291
  - NIST-800-53-AC-17(2)
  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
  block:

  - name: Existing value check
    lineinfile:
      path: '{{ path }}'
      create: false
      regexp: '{{ correct_value }}'
      state: absent
    check_mode: true
    changed_when: false
    register: opensshserver

  - name: Update/Correct value
    replace:
      path: '{{ path }}'
      regexp: (-oCiphers=\S+)
      replace: '{{ correct_value }}'
    when: opensshserver.found is defined and opensshserver.found != 1
  when: opensshserver_file.stat.exists and opensshserver_file.stat.size > correct_value|length
  tags:
  - DISA-STIG-RHEL-08-010291
  - NIST-800-53-AC-17(2)
  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy


sshd_approved_ciphers='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_approved_ciphers" use="legacy"/>'


CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
correct_value="-oCiphers=${sshd_approved_ciphers}"
# Test if file exists
test -f ${CONF_FILE} || touch ${CONF_FILE}

# Ensure CRYPTO_POLICY is not commented out
sed -i 's/#CRYPTO_POLICY=/CRYPTO_POLICY=/' ${CONF_FILE}

grep -q "'${correct_value}'" ${CONF_FILE}

if [[ $? -ne 0 ]]; then
    # We need to get the existing value, using PCRE to maintain same regex
    existing_value=$(grep -Po '(-oCiphers=\S+)' ${CONF_FILE})

    if [[ ! -z ${existing_value} ]]; then
        # replace existing_value with correct_value
        sed -i "s/${existing_value}/${correct_value}/g" ${CONF_FILE}
    else
        # ***NOTE*** #
        # This probably means this file is not here or it's been modified
        # unintentionally.
        # ********** #
        # echo correct_value to end
        echo "CRYPTO_POLICY='${correct_value}'" >> ${CONF_FILE}
    fi
fi

Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config

Description

Rationale

Remediation - Ansible

Remediation - Shell Script