Merge pull request #14450 from Smouhoune/feat/crypto-policy-backend-path-overrides

Parameterize OpenSSH crypto-policy backend file paths via product properties

Author: dodys

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml

@@ -6,7 +6,7 @@ description: |-
     SSHD should follow the system cryptographic policy.
     In order to accomplish this the SSHD configuration should include the configuration file provided by the system crypto policy.
     The following line should be present in <tt>/etc/ssh/sshd_config</tt> or in a file included by this file (a file within the <tt>/etc/ssh/sshd_config.d</tt> directory):
-    <pre>Include /etc/crypto-policies/back-ends/opensshserver.config</pre>
+    <pre>Include {{{ openssh_server_crypto_policy_config_file }}}</pre>
 
 
 rationale: |-
@@ -28,8 +28,8 @@ checktext: |-
     <pre>sudo grep -R "Include /etc/ssh/sshd_config"  /etc/ssh/sshd_config.d/
 
     /etc/ssh/sshd_config:Include /etc/ssh/sshd_config.d/*.conf
-    /etc/ssh/sshd_config.d/50-redhat.conf:Include /etc/crypto-policies/back-ends/opensshserver.config</pre>
-    If "Include /etc/ssh/sshd_config.d/*.conf" or "Include /etc/crypto-policies/back-ends/opensshserver.config" are not included in the system sshd config or if the file "/etc/ssh/sshd_config.d/50-redhat.conf" is missing, this is a finding.
+    /etc/ssh/sshd_config.d/50-redhat.conf:Include {{{ openssh_server_crypto_policy_config_file }}}</pre>
+    If "Include /etc/ssh/sshd_config.d/*.conf" or "Include {{{ openssh_server_crypto_policy_config_file }}}" are not included in the system sshd config or if the file "/etc/ssh/sshd_config.d/50-redhat.conf" is missing, this is a finding.
 
 fixtext: |-
     Configure the {{{ full_name }}} SSH daemon to use systemwide crypto policies.

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml

@@ -1,5 +1,5 @@
 {{% if product in ['ol8', 'rhel8'] %}}
-{{% set path='/etc/crypto-policies/back-ends/opensshserver.config' %}}
+{{% set path=openssh_server_crypto_policy_config_file %}}
 {{% set prefix_conf="^\s*CRYPTO_POLICY\s*=.*-oKexAlgorithms=" %}}
 {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384",
              "ecdh-sha2-nistp521","diffie-hellman-group-exchange-sha256",

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml

@@ -1,5 +1,5 @@
 {{% if product in ['ol8', 'rhel8'] %}}
-{{% set path='/etc/crypto-policies/back-ends/opensshserver.config' %}}
+{{% set path=openssh_server_crypto_policy_config_file %}}
 {{% set conf="CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384" ~
              ",ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" ~
              ",diffie-hellman-group14-sha256,diffie-hellman-group16-sha512" ~

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/ansible/shared.yml

@@ -4,10 +4,11 @@
 # complexity = low
 # disruption = low
 {{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
+{{%- set openssh_client_policy_file = openssh_client_crypto_policy_config_file -%}}
 
 {{{ ansible_set_config_file(
         msg='Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config',
-        file='/etc/crypto-policies/back-ends/openssh.config',
+        file=openssh_client_policy_file,
         parameter='Ciphers',
         value="{{ sshd_approved_ciphers }}",
         create='yes',

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/bash/shared.sh

@@ -1,9 +1,10 @@
 # platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,multi_platform_fedora
 
 {{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
+{{%- set openssh_client_policy_file = openssh_client_crypto_policy_config_file -%}}
 
 {{{ set_config_file(
-        path="/etc/crypto-policies/back-ends/openssh.config",
+        path=openssh_client_policy_file,
         parameter="Ciphers",
         value="${sshd_approved_ciphers}",
         create=true,

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/oval/shared.xml

@@ -1,4 +1,4 @@
-{{%- set PATH = "/etc/crypto-policies/back-ends/openssh.config" -%}}
+{{%- set PATH = openssh_client_crypto_policy_config_file -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.", rule_title=rule_title) }}}

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_openssh_conf_crypto_policy/rule.yml

@@ -9,7 +9,7 @@ description: |-
     set up incorrectly.
 
     To check that Crypto Policies settings for ciphers are configured correctly, ensure that
-    <tt>/etc/crypto-policies/back-ends/openssh.config</tt> contains the following
+    <tt>{{{ openssh_client_crypto_policy_config_file }}}</tt> contains the following
     line and is not commented out:
     <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
 
@@ -35,7 +35,7 @@ ocil_clause: 'Crypto Policy for OpenSSH client is not configured correctly'
 
 ocil: |-
     To verify if the OpenSSH client uses defined Cipher suite in the Crypto Policy, run:
-    <pre>$ grep -i ciphers /etc/crypto-policies/back-ends/openssh.config</pre>
+    <pre>$ grep -i ciphers {{{ openssh_client_crypto_policy_config_file }}}</pre>
     and verify that the line matches:
     <pre>Ciphers {{{ xccdf_value("sshd_approved_ciphers") }}}</pre>
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/ansible/shared.yml

@@ -4,10 +4,11 @@
 # complexity = low
 # disruption = low
 {{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
+{{%- set openssh_server_policy_file = openssh_server_crypto_policy_config_file -%}}
 
 -   name: "{{{ rule_title }}}: Set relevant paths and correct value"
     ansible.builtin.set_fact:
-        opensshserver_path: /etc/crypto-policies/back-ends/opensshserver.config
+        opensshserver_path: "{{{ openssh_server_policy_file }}}"
         local_path: /etc/crypto-policies/local.d/opensshserver-ssg.config
         correct_value: "-oCiphers={{ sshd_approved_ciphers }}"
 

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/bash/shared.sh

@@ -1,8 +1,9 @@
 # platform = Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
 
 {{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
+{{%- set openssh_server_policy_file = openssh_server_crypto_policy_config_file -%}}
 
-CONF_FILE=/etc/crypto-policies/back-ends/opensshserver.config
+CONF_FILE="{{{ openssh_server_policy_file }}}"
 LOCAL_CONF_DIR=/etc/crypto-policies/local.d
 LOCAL_CONF_FILE=${LOCAL_CONF_DIR}/opensshserver-ssg.config
 correct_value="-oCiphers=${sshd_approved_ciphers}"

linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml

@@ -1,4 +1,4 @@
-{{%- set PATH = "/etc/crypto-policies/back-ends/opensshserver.config" -%}}
+{{%- set PATH = openssh_server_crypto_policy_config_file -%}}
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Limit the Ciphers to those which are FIPS-approved.", rule_title=rule_title) }}}