Allowed MACs should allow for greater security #24

millerthomasj · 2018-04-11T13:11:52Z

The current match scheme does not allow for greater security, this check will ensure that each MAC is in the allowed list instead.

chris-rock · 2018-04-11T13:47:35Z

Gemfile.lock

@@ -0,0 +1,192 @@
+GEM


We should not include Gemfile.lock

chris-rock · 2018-04-11T13:48:43Z

controls/5_2_ssh_server_configuration.rb

  if sshd_config.MACs
-    describe sshd_config.MACs.split(',').each do
-      it { should match(/^((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|umac-128@openssh\.com|curve25519-sha256@libssh\.org|diffie-hellman-group-exchange-sha256),)*(hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|umac-128@openssh\.com)$/) }
+    sshd_config.MACs.split(',').each do |m|


It feels like we re-invent the wheel. We should consider depending on https://github.com/dev-sec/ssh-baseline and the defined resources to define the best macs and ciphers for the operating system.

That makes sense, sorry I don't know your overall goals or layout for all of dev-sec just wanting to use the common benchmark for my purposes.

@millerthomasj Oh, that was not a complaint :-) I just wanted to mention it, since we should consider harmonizing this in the future

I'll merge this for now, and I agree that we should start reusing code in the other profiles. Will have a look at the best way to approach that.

chris-rock

Thank you for this improvement @millerthomasj

rarenerd · 2018-04-13T13:45:04Z

controls/5_2_ssh_server_configuration.rb

  if sshd_config.MACs
-    describe sshd_config.MACs.split(',').each do
-      it { should match(/^((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|umac-128@openssh\.com|curve25519-sha256@libssh\.org|diffie-hellman-group-exchange-sha256),)*(hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|umac-128@openssh\.com)$/) }
+    sshd_config.MACs.split(',').each do |m|


I'll merge this for now, and I agree that we should start reusing code in the other profiles. Will have a look at the best way to approach that.

Tom Miller added 4 commits April 11, 2018 06:22

Each MAC entry should be an element in the list.

221e29f

Check if each MAC is approved instead of specific sets of MACs.

7ddd08e

Trying to get syntax right to iterate over array.

d0c5b46

Ensuring the MACs list is proper.

c686e75

chris-rock reviewed Apr 11, 2018

View reviewed changes

Fixing linting error.

1b5abcb

chris-rock approved these changes Apr 11, 2018

View reviewed changes

chris-rock requested a review from rarenerd April 11, 2018 14:04

rarenerd approved these changes Apr 13, 2018

View reviewed changes

rarenerd merged commit 8fa4f35 into dev-sec:master Apr 13, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allowed MACs should allow for greater security #24

Allowed MACs should allow for greater security #24

millerthomasj commented Apr 11, 2018

chris-rock Apr 11, 2018

chris-rock Apr 11, 2018

millerthomasj Apr 11, 2018

chris-rock Apr 11, 2018

rarenerd Apr 13, 2018

chris-rock left a comment

rarenerd Apr 13, 2018

Allowed MACs should allow for greater security #24

Allowed MACs should allow for greater security #24

Conversation

millerthomasj commented Apr 11, 2018

chris-rock Apr 11, 2018

Choose a reason for hiding this comment

chris-rock Apr 11, 2018

Choose a reason for hiding this comment

millerthomasj Apr 11, 2018

Choose a reason for hiding this comment

chris-rock Apr 11, 2018

Choose a reason for hiding this comment

rarenerd Apr 13, 2018

Choose a reason for hiding this comment

chris-rock left a comment

Choose a reason for hiding this comment

rarenerd Apr 13, 2018

Choose a reason for hiding this comment