Implement Custom Crypto Policy Modules for CIS Benchmark


Description

Create custom crypto policy modules to enforce strong ciphers and MACs in SSHD, disable CBC mode ciphers in SSHD, and disable weak MACs globally. In module syntax a leading - removes the matching algorithms, * is a wildcard, and the @SSH scope limits a directive to the SSH back-ends; a directive without a scope (such as the mac = line below) applies to every back-end. Add the following line to the file /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod:


cipher@SSH = -*-CBC

Add the following line to the file /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod:


cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305

Add the following line to the file /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod:


mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128*

Add the following line to the file /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod:


mac = -*-128*

Then set the system-wide crypto policy to DEFAULT with these modules applied (NO-SHA1 is a module shipped with the crypto-policies package; the other four are the custom modules created above). Crypto policies are read by applications at start-up, so restart sshd, or reboot as the rule's reboot_required tag indicates, for the change to take effect.


$ sudo update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC
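The steps above change policy files, but what SSHD actually offers is the back-end file that update-crypto-policies generates from them. The following script is an added verification example, not part of the original rule or of the ComplianceAsCode project: it checks that a module file contains its expected directive and that a generated opensshserver back-end no longer offers any cipher or MAC the four modules are meant to remove. It assumes the RHEL 9-style back-end layout with plain "Ciphers ..." and "MACs ..." keyword lines, and the sample back-end and module files it creates under a temporary directory are constructed for illustration; the --live flag runs the same checks against the real host paths.

```shell
#!/bin/bash
# Added example (not from the original rule text). Verifies that the custom
# crypto policy modules are in place and that the OpenSSH server back-end
# generated by update-crypto-policies offers none of the algorithms the
# modules remove. Path layout and sample contents are assumptions.

# OpenSSH spellings of the algorithms removed by NO-SSHCBC, NO-SSHWEAKCIPHERS,
# NO-SSHWEAKMACS and NO-WEAKMAC.
FORBIDDEN_CIPHERS='3des-cbc aes128-cbc aes192-cbc aes256-cbc chacha20-poly1305@openssh.com'
FORBIDDEN_MACS='hmac-md5 hmac-md5-96 hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com umac-64@openssh.com umac-64-etm@openssh.com umac-128@openssh.com umac-128-etm@openssh.com'

# Print, space separated, the algorithms from the "Ciphers a,b,c" or "MACs a,b,c"
# line (keyword $1) in back-end file $2. Prints nothing if the keyword is absent.
algos_from_backend() {
    awk -v key="$1" 'tolower($1) == tolower(key) { gsub(",", " ", $2); print $2 }' "$2"
}

# Print every algorithm from the forbidden list $2 that appears in offered list $1.
forbidden_in_list() {
    local offered="$1" forbidden="$2" hit a found=""
    for hit in $forbidden; do
        for a in $offered; do
            [ "$a" = "$hit" ] && found="$found $hit"
        done
    done
    echo "${found# }"
}

# Return 0 if back-end file $1 offers no forbidden cipher or MAC, 1 otherwise.
check_sshd_backend() {
    local f="$1" bad_c bad_m
    bad_c=$(forbidden_in_list "$(algos_from_backend Ciphers "$f")" "$FORBIDDEN_CIPHERS")
    bad_m=$(forbidden_in_list "$(algos_from_backend MACs "$f")" "$FORBIDDEN_MACS")
    if [ -n "$bad_c$bad_m" ]; then
        echo "FAIL $f: ciphers[$bad_c] macs[$bad_m]" >&2
        return 1
    fi
    return 0
}

# Return 0 if module file $1 exists and contains exactly the directive line $2.
check_pmod() {
    [ -f "$1" ] && grep -qxF -- "$2" "$1"
}

# Constructed samples: a back-end as the stock DEFAULT policy might write it,
# one as the hardened policy should leave it, and one of the module files.
make_samples() {
    local d="$1"
    cat > "$d/default.config" <<'EOF'
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
EOF
    cat > "$d/hardened.config" <<'EOF'
Ciphers aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
EOF
    mkdir -p "$d/modules"
    printf 'cipher@SSH = -*-CBC\n' > "$d/modules/NO-SSHCBC.pmod"
}

# On a real host: confirm the active policy string and scan the generated back-end.
check_live_system() {
    local expected="DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC"
    [ "$(update-crypto-policies --show)" = "$expected" ] || { echo "active policy is not $expected" >&2; return 1; }
    check_pmod /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod 'cipher@SSH = -*-CBC' || return 1
    check_sshd_backend /etc/crypto-policies/back-ends/opensshserver.config
}

if [ "${1:-}" = "--live" ]; then
    check_live_system && echo "PASS live system"
else
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for f in "$tmp/default.config" "$tmp/hardened.config"; do
        check_sshd_backend "$f" && echo "PASS $f"
    done
    check_pmod "$tmp/modules/NO-SSHCBC.pmod" 'cipher@SSH = -*-CBC' && echo "PASS NO-SSHCBC.pmod"
    rm -rf "$tmp"
fi
```

Run without arguments to exercise the constructed samples (the DEFAULT-style file fails on aes256-cbc, aes128-cbc, chacha20-poly1305@openssh.com and the UMAC-128 MACs; the hardened file passes), or with --live on a remediated host. The check reads the generated back-end rather than sshd_config because a drop-in under /etc/ssh/sshd_config.d/ that sets Ciphers or MACs itself would override the policy, which a diff of the policy string alone would not reveal.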

Rationale

CBC mode ciphers in SSH are vulnerable to plaintext-recovery attacks (CVE-2008-5161 against the SSH binary packet protocol; BEAST is the analogous attack on TLS). Disabling CBC mode ciphers removes this attack surface and ensures that only strong, proven cryptographic algorithms protect SSH communications. Weak ciphers cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. ChaCha20-Poly1305 is removed from the SSH cipher list as well: it is not a weak cipher in itself, but the chacha20-poly1305@openssh.com construction is among the modes affected by the Terrapin prefix-truncation attack (CVE-2023-48795). Message Authentication Codes (MACs) are cryptographic mechanisms used to verify the integrity and authenticity of data transmitted over SSH connections. Weak MACs such as HMAC-MD5 and the short-tag UMAC variants cannot be relied upon to provide integrity, and system data may be compromised. A custom crypto policy that disables these algorithms ensures that only strong, proven MACs protect SSH communications.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

cat << 'EOF' > /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod
cipher@SSH = -*-CBC
EOF


cat << 'EOF' > /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
EOF


cat << 'EOF' > /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128*
EOF


cat << 'EOF' > /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod
mac = -*-128*
EOF


current_crypto_policy=$(update-crypto-policies --show)
expected_crypto_policy="DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC"
if [[ "$current_crypto_policy" != "$expected_crypto_policy" ]] ; then
    update-crypto-policies --set "$expected_crypto_policy"
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto
    policy module NO-SSHCBC
  ansible.builtin.lineinfile:
    path: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod
    owner: root
    group: root
    mode: '0644'
    line: cipher@SSH = -*-CBC
    create: true
    regexp: cipher@SSH
  tags:
  - CCE-86707-7
  - configure_custom_crypto_policy_cis
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required

- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto
    policy module NO-SSHWEAKCIPHERS
  ansible.builtin.lineinfile:
    path: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
    owner: root
    group: root
    mode: '0644'
    line: cipher@SSH = -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
    create: true
    regexp: cipher@SSH
  tags:
  - CCE-86707-7
  - configure_custom_crypto_policy_cis
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required

- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto
    policy module NO-SSHWEAKMACS
  ansible.builtin.lineinfile:
    path: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
    owner: root
    group: root
    mode: '0644'
    line: mac@SSH = -HMAC-MD5* -UMAC-64* -UMAC-128*
    create: true
    regexp: mac@SSH
  tags:
  - CCE-86707-7
  - configure_custom_crypto_policy_cis
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required

- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Create custom crypto
    policy module NO-WEAKMAC
  ansible.builtin.lineinfile:
    path: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod
    owner: root
    group: root
    mode: '0644'
    line: mac = -*-128*
    create: true
    regexp: mac
  tags:
  - CCE-86707-7
  - configure_custom_crypto_policy_cis
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required

- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Check current crypto
    policy
  ansible.builtin.command: update-crypto-policies --show
  register: current_crypto_policy
  changed_when: false
  failed_when: false
  check_mode: false
  tags:
  - CCE-86707-7
  - configure_custom_crypto_policy_cis
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required

- name: Implement Custom Crypto Policy Modules for CIS Benchmark - Update crypto-policies
  ansible.builtin.command: update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC
  when: current_crypto_policy.stdout.strip() != "DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC"
  tags:
  - CCE-86707-7
  - configure_custom_crypto_policy_cis
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required