add control for CRYPTO_POLICY on RedHat

schurzi · schurzi · commit 30e98c10b644 · 2020-07-15T18:47:28.000+02:00
RedHat introduces a CRYPTO_POLICY in RHEL8. This needs to be configured separately, or it will override sshd_config settings for Cipher, MAC and Kex. see: https://access.redhat.com/solutions/4410591 Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb
@@ -503,3 +503,17 @@
     its('stderr') { should eq '' }
   end
 end
+
+control 'sshd-49' do
+  impact 1.0
+  title 'Server: CRYPTO_POLICY'
+  desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from sshd_config are effective'
+  if os[:family] == "redhat" && ::Gem::Version.new(os.release) > ::Gem::Version.new('8')
+    describe bash("pgrep -af 'sshd -D'") do
+      its('exit_status') { should eq 0 }
+      its('stdout') { should_not match('-oCiphers') }
+      its('stdout') { should_not match('-oKexAlgorithms') }
+      its('stdout') { should_not match('-oHostKeyAlgorithms') }
+    end
+  end
+end
