Merge pull request #119 from atomic111/master

Use new ciphers, kex, macs and priv separation sandbox for redhat family 7

Author: chris-rock

attributes/default.rb

@@ -41,7 +41,7 @@
   default['sshserver']['service_name'] = 'ssh'
 end
 
-default['config_disclaimer']              = '**Note:** This file was automatically created by Hardening Framework (hardening.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
+default['config_disclaimer']              = '**Note:** This file was automatically created by Hardening Framework (dev-sec.io) configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
 default['network']['ipv6']['enable']      = false   # sshd + ssh
 default['ssh']['client']['cbc_required']  = false   # ssh
 default['ssh']['server']['cbc_required']  = false   # sshd

libraries/get_ssh_ciphers.rb

@@ -47,6 +47,10 @@ def self.get_ciphers(node, cbc_required)
         elsif node['platform'] == 'debian' && node['platform_version'].to_f >= 8
           Chef::Log.info('Detected Debian 8 or newer, use new ciphers')
           cipher = ciphers_66
+
+        elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7
+          Chef::Log.info('Detected RedHat Family with version 7 or newer, use new ciphers')
+          cipher = ciphers_66
         end
 
         Chef::Log.info("Choose cipher: #{cipher[weak_ciphers]}")

libraries/get_ssh_kex.rb

@@ -24,7 +24,7 @@ class Chef
   class Recipe
     class SshKex
       # rubocop:disable AbcSize
-      def self.get_kexs(node, weak_kex)
+      def self.get_kexs(node, weak_kex) # rubocop:disable CyclomaticComplexity, PerceivedComplexity
         weak_kex = weak_kex ? 'weak' : 'default'
 
         kex_59 = {}
@@ -47,8 +47,14 @@ def self.get_kexs(node, weak_kex)
           Chef::Log.info('Detected Debian 8 or newer, use new key exchange algorithms')
           kex = kex_66
 
-        # deactivate kex on redhat
-        elsif node['platform_family'] == 'rhel'
+        # use newer kex for redhat version 7 or newer
+        elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7
+          Chef::Log.info('Detected Redhat 7 or newer, use new key exchange algorithms')
+          kex = kex_66
+
+        # deactivate kex on redhat version 6
+        elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f < 7
+          Chef::Log.info('Detected Redhat 6 or earlier, disable KEX')
           kex = {}
           kex.default = nil
 

libraries/get_ssh_macs.rb

@@ -24,7 +24,7 @@ class Chef
   class Recipe
     class SshMac
       # rubocop:disable AbcSize
-      def self.get_macs(node, weak_hmac)
+      def self.get_macs(node, weak_hmac) # rubocop:disable CyclomaticComplexity, PerceivedComplexity
         weak_macs = weak_hmac ? 'weak' : 'default'
 
         macs_53 = {}
@@ -41,7 +41,7 @@ def self.get_macs(node, weak_hmac)
         # determine the mac for the operating system
         macs = macs_59
 
-        # use newer ciphers on ubuntu 14.04
+        # use newer macs on ubuntu 14.04
         if node['platform'] == 'ubuntu' && node['platform_version'].to_f >= 14.04
           Chef::Log.info('Detected Ubuntu 14.04 or newer, use new macs')
           macs = macs_66
@@ -50,8 +50,13 @@ def self.get_macs(node, weak_hmac)
           Chef::Log.info('Detected Debian 8 or newer, use new macs')
           macs = macs_66
 
-        # stick to 53 for rhel <= 6, verify for rhel >= 7
-        elsif node['platform_family'] == 'rhel'
+        # use newer macs for rhel >= 7
+        elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7
+          Chef::Log.info('Detected RedHat Family with version 7 or newer, use new macs')
+          macs = macs_66
+
+        # stick to 53 for rhel <= 6
+        elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f < 7
           Chef::Log.info('Detected RedHat Family, use old macs')
           macs = macs_53
 

libraries/use_privilege_separation.rb

@@ -30,7 +30,11 @@ def self.get(node)
         # ubuntu 12.04 and newer has ssh 5.9+
 
         # redhat/centos/oracle 6.x has ssh 5.3
-        if node['platform_family'] == 'rhel'
+        if node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7
+          ps = ps59
+
+        # redhat/centos/oracle 6.x has ssh 5.3
+        elsif node['platform_family'] == 'rhel' && node['platform_version'].to_f < 7
           ps = ps53
 
         # debian 7.x and newer has ssh 5.9+

templates/default/openssh.conf.erb

@@ -6,7 +6,7 @@
 # This is the ssh client system-wide configuration file.
 # See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
 #
-# Created for OpenSSH v5.9
+# Created for OpenSSH v5.9 up to 6.8
 
 # Basic configuration
 # ===================

templates/default/opensshd.conf.erb

@@ -6,7 +6,7 @@
 # This is the ssh client system-wide configuration file.
 # See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
 #
-# Created for OpenSSH v5.9
+# Created for OpenSSH v5.9 up to 6.8
 
 # Basic configuration
 # ===================
@@ -219,4 +219,4 @@ X11Forwarding no
 #PasswordAuthentication no
 #PermitRootLogin no
 #X11Forwarding no
-<% end %>
+<% end %>