Parameterize OpenSSH crypto-policy backend file paths via product properties #14450

Smouhoune wants to merge 6 commits into ComplianceAsCode:master from

Conversation
Hi @Smouhoune. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
This datastream diff is auto generated by the check.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -1,7 +1,5 @@
sshd_approved_ciphers=''
-
-
if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
LC_ALL=C sed -i "/^.*Ciphers\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
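Review bot: Whitespace-only change in this hunk: the two blank lines after `sshd_approved_ciphers=''` are dropped and the path handed to `sed -i` is still the literal `/etc/crypto-policies/back-ends/openssh.config`, which is what the new default is expected to render to on this product. Since this diff only exercises the default value, it would be worth attaching the rendered output for a product that overrides openssh_client_crypto_policy_config_file, so reviewers can see the property actually reaches the `sed` call.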
bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -2,9 +2,7 @@
if rpm --quiet -q kernel-core; then
sshd_approved_ciphers=''
-
-
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+CONF_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
LOCAL_CONF_DIR=/etc/crypto-policies/local.d
LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
correct_value="-oCiphers=${sshd_approved_ciphers}"
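Review bot: Quoting is now inconsistent in this hunk: `CONF_FILE` gains double quotes, but `LOCAL_CONF_DIR=/etc/crypto-policies/local.d` and `LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config` on the following two lines stay unquoted. Quoting `CONF_FILE` is the right call now that its value is rendered from a product property rather than a fixed literal; consider quoting the two local.d assignments the same way so the block keeps working if a product override contains shell-special characters.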
bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -1,7 +1,5 @@
sshd_approved_macs=''
-
-
if [ -e "/etc/crypto-policies/back-ends/openssh.config" ] ; then
LC_ALL=C sed -i "/^.*MACs\s\+/d" "/etc/crypto-policies/back-ends/openssh.config"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
@@ -2,9 +2,7 @@
if rpm --quiet -q kernel-core; then
sshd_approved_macs=''
-
-
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+CONF_FILE="/etc/crypto-policies/back-ends/opensshserver.config"
LOCAL_CONF_DIR=/etc/crypto-policies/local.d
LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
correct_value="-oMACs=${sshd_approved_macs}" |
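Review bot: The MACs variant has the same quoting mismatch as the ciphers one: only `CONF_FILE` is quoted while `LOCAL_CONF_DIR` and `LOCAL_CONF_FILE` are not. Since both hunks come from the same shared remediation template, fixing the quoting once in the template keeps the two rendered scripts identical apart from the option name.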
Force-pushed from bf31c97 to e811297.
Resolved review threads:
- linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml (outdated)
- ...ide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml (outdated)
- ...tem/software/integrity/crypto/harden_sshd_macs_openssh_conf_crypto_policy/ansible/shared.yml
jan-cerny left a comment:

I have run test scenarios for selected rules; they passed. I have reviewed the changes in product stability data. LGTM.
@ComplianceAsCode/ubuntu-maintainers @ComplianceAsCode/suse-maintainers @ComplianceAsCode/oracle-maintainers please take a look at this PR

Hi @jan-cerny, Thanks for your review. I also have two other PRs on the same topic if you could take a look:

@Mab879 is assigned to them

Thank you @jan-cerny. I'm not familiar with the process. I thought that pull requests had to be reviewed by all the reviewers. Indeed, Matthew reviewed them.

I approved both; since they touch the product stability files, we will need reviews from the other vendors.

@Smouhoune It looks like this now needs a rebase.
… path properties

Add openssh_client_crypto_policy_config_file and openssh_server_crypto_policy_config_file to existing product stability reference files so the stable-products test reflects the intended product schema for this PR.

…y rules

Declare crypto-policies-scripts in harden_sshd_crypto_policy test scenarios because bash remediation invokes update-crypto-policies. Use ansible_only_lineinfile for harden_sshd_macs_openssh_conf_crypto_policy remediation rendering to keep generated tasks stable. Limit two commented fail scenarios of harden_sshd_macs_openssh_conf_crypto_policy to bash remediation in automatus to avoid ansible runtime-specific failures unrelated to rule logic. No security policy intent or default product behavior is changed.

…acro usage

Remove no-op variable aliases in rule descriptions and use product variables directly. Set block=True in harden_sshd_macs_openssh_conf_crypto_policy ansible remediation. Keep behavior unchanged while improving clarity and consistency with previous ansible_set_config_file semantics.

Force-pushed from 2ba7291 to 4b70eb1.
@mrkanon Rebased on current master and force-pushed.

@Smouhoune could you please rebase this PR so we can proceed with the merge?
#### Description:
- Add product-overridable properties for OpenSSH crypto-policy backend files:
  - openssh_client_crypto_policy_config_file
  - openssh_server_crypto_policy_config_file
- Add backward-compatible defaults:
  - /etc/crypto-policies/back-ends/openssh.config
  - /etc/crypto-policies/back-ends/opensshserver.config
- Replace hardcoded backend paths with product properties in affected SSH/crypto content:
  - sshd_include_crypto_policy
  - sshd_use_approved_kex_ordered_stig (RHEL8/OL8 branch using opensshserver backend file)
  - harden_sshd_crypto_policy
  - harden_sshd_ciphers_openssh_conf_crypto_policy
  - harden_sshd_macs_openssh_conf_crypto_policy
  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
  - harden_sshd_macs_opensshserver_conf_crypto_policy

#### Rationale:
- Several rules hardcode OpenSSH crypto-policy backend paths, which prevents clean reuse on products with different filesystem layouts.
- This change makes backend file paths product-driven while preserving current behavior through explicit defaults.
- Security intent is unchanged; this PR only parameterizes file locations.

#### Review Hints:
- Suggested review order:
  1. core(ssg): add product-overridable OpenSSH crypto-policy backend paths
  2. rules(crypto): replace hardcoded OpenSSH backend paths with product properties
  3. scope(crypto): drop fips symlink path parameterization to keep PR focused
- Backward compatibility:
  - Products without overrides keep using the current default backend paths.
- Local validation:
  - ./build_product --datastream-only rhel8
  - ./build_product --datastream-only rhel9
  - ctest -R 'validate-ssg-rhel9-ds.xml' --output-on-failure
- Scope is intentionally limited to OpenSSH crypto-policy backend path parameterization in the rules listed above. No rule was removed or disabled.
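As an added example (not ComplianceAsCode code and not the remediation this PR generates), the following POSIX shell helper shows the pattern the description asks for: the backend file path arrives as a parameter whose default is the path this PR introduces, and the script removes every existing Ciphers or MACs line before writing the approved one, instead of relying on a literal /etc path in the script body. The variable name OPENSSH_CLIENT_CRYPTO_POLICY_FILE, the function names and the sample file content are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from ComplianceAsCode or from this PR: a small
# remediation helper in which the backend file path is a parameter with the
# default this PR introduces, instead of a literal baked into the script.
# The variable name OPENSSH_CLIENT_CRYPTO_POLICY_FILE is an assumption made
# for this example; the default value is the path named in the PR.
OPENSSH_CLIENT_CRYPTO_POLICY_FILE="${OPENSSH_CLIENT_CRYPTO_POLICY_FILE:-/etc/crypto-policies/back-ends/openssh.config}"

# harden_backend_option FILE OPTION VALUE
# Drop every line in FILE that sets OPTION (for example Ciphers or MACs) and
# append exactly one "OPTION VALUE" line, so the file holds a single
# authoritative setting. FILE is created if it does not exist. The file is
# rewritten through its existing inode, so ownership and mode are kept.
harden_backend_option() {
    file="$1"; option="$2"; value="$3"
    [ -n "$file" ] && [ -n "$option" ] && [ -n "$value" ] || return 2
    tmp=$(mktemp) || return 1
    if [ -e "$file" ]; then
        # grep -v exits 1 when no line is left, which is not an error here
        grep -v "^[[:space:]]*${option}[[:space:]]" "$file" > "$tmp" || true
    fi
    printf '%s %s\n' "$option" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# count_option FILE OPTION: print how many lines of FILE set OPTION.
count_option() {
    if [ -e "$1" ]; then
        grep -c "^[[:space:]]*${2}[[:space:]]" "$1" || true
    else
        echo 0
    fi
}

# demo_harden: write a constructed sample backend file under a temporary
# directory (it is not a real crypto-policies file), harden its Ciphers and
# MACs lines, and print the file path for inspection.
demo_harden() {
    dir=$(mktemp -d) || return 1
    f="$dir/openssh.config"
    printf '%s\n' \
        '# constructed sample of an openssh crypto-policy backend file' \
        'Ciphers aes128-ctr,aes256-ctr' \
        'MACs hmac-sha1,hmac-sha2-256' \
        'KexAlgorithms curve25519-sha256' > "$f"
    harden_backend_option "$f" Ciphers aes256-gcm@openssh.com,aes256-ctr || return 1
    harden_backend_option "$f" MACs hmac-sha2-512,hmac-sha2-256 || return 1
    printf '%s\n' "$f"
}

# Stand-alone run: harden the sample file and show the result.
if [ "${1:-}" = "--demo" ]; then
    cat "$(demo_harden)"
fi
```

Running the script with `--demo` prints the hardened sample. In a real product the path would be rendered from the product property at build time rather than read from an environment variable, and the generated remediation shown in the datastream diff above deletes the matching lines with `sed -i` instead of rewriting through a temporary file; the point of the example is only that the path is a parameter with a default, which is what keeps products without an override on the current behaviour.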