diff --git a/remove-hmac-ripemd160.patch b/remove-hmac-ripemd160.patch
new file mode 100644
index 0000000000000000000000000000000000000000..49e1acd8d91130684509b5aedfdbd9bf92f312b6
--- /dev/null
+++ b/remove-hmac-ripemd160.patch
@@ -0,0 +1,55 @@
+From 06955b69851882145cbe3b11fd36f23522570c48 Mon Sep 17 00:00:00 2001
+From: htpeng
+Date: Fri, 14 Jul 2023 14:56:25 +0800
+Subject: [PATCH] remove hmac-ripemd160
+
+openssh is not supported hmac-ripemd160 mac after V_7_6_P1, so remove
+it, please refer:
+https://github.com/openssh/openssh-portable/commit/7bdb2eeb1d3c26acdc409bd94532eefa252e440b
+
+Signed-off-by: htpeng
+---
+ .../ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh | 2 +-
+ .../ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml | 2 +-
+ .../services/ssh/ssh_server/sshd_use_strong_macs/rule.yml | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+index f77be04..f1cf0ec 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/bash/shared.sh
+@@ -1,4 +1,4 @@
+ # platform = multi_platform_all
+
+-{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160") }}}
++{{{ bash_sshd_config_set(parameter="MACs", value="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256") }}}
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
+index e80fc70..1495555 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/oval/shared.xml
+@@ -1 +1 @@
+-{{{ oval_sshd_config(parameter="MACs", value="((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|hmac-ripemd160),?)+") }}}
++{{{ 
oval_sshd_config(parameter="MACs", value="((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256),?)+") }}}
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
+index 66d0402..eda32ce 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_macs/rule.yml
+@@ -8,7 +8,7 @@ description: |-
+ Limit the MACs to strong hash algorithms.
+ The following line in /etc/ssh/sshd_config demonstrates use
+ of those MACs:
+-
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
++
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+ rationale: |-
+ MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase
+@@ -29,4 +29,4 @@ ocil: |-
+ MACs are in use, run the following command:
+
$ sudo grep -i macs /etc/ssh/sshd_config
+ The output should contain only those MACs which are strong, namely,
+- hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 hash functions.
++ hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 hash functions.
+--
+2.34.1
+
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 037517521ae0bf28e883d3d814d46439d6ddf74a..4207deffdb5d07eb01cba91480b65255e0784c3c 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -1,6 +1,6 @@
 Name: scap-security-guide
 Version: 0.1.49
-Release: 6
+Release: 7
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
@@ -13,6 +13,7 @@ Patch0004:backport-fix-remaining-getchildren-and-getiterator-functions.patch
 Patch0005:backport-fix-for-older-python-versions-lacking-.iter-method.patch
 Patch0006:init-openEuler-ssg-project.patch
 Patch0007:enable-76-rules-for-openEuler.patch
+Patch0008:remove-hmac-ripemd160.patch
 BuildArch: noarch
 BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML
@@ -67,6 +68,9 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Fri Jul 14 2023 penghaitao - 0.1.49-7
+- remove unsupported hmac-ripemd160
+
 * Sun Jun 25 2023 steven - 0.1.49-6
 - add some descriptions
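Review bot: The rule.yml hunks leave the rationale explaining the list only through weak MD5 and 96-bit MACs, so after this change nothing in the rule records that hmac-ripemd160 was dropped because OpenSSH removed it rather than because it is weak, and a later edit comparing against older benchmarks could put it back into all three files. I would add one sentence to the description directly after the example `MACs` line, e.g. `hmac-ripemd160 is intentionally omitted: OpenSSH 7.6p1 and later no longer implement it, and sshd rejects a MACs line containing a name it does not know, so listing it would stop sshd from loading its configuration.` Both rule.yml hunks are fragments of a larger document whose remaining description, rationale and ocil text lie outside the hunk. The new bash value, the OVAL alternation and the rule text now agree with each other, which is the property to preserve; the diffstat lists no test scenarios, so if this rule ships tests/ scripts that embed the old list they would now be out of step with the OVAL regex, which cannot be confirmed from here.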
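Review bot: Patch0008 is only declared in the second spec hunk, and the %prep section lies outside these hunks; if it applies patches with explicit `%patch` lines rather than `%autosetup` or `%autopatch`, a matching `%patch0008 -p1` entry is also required, otherwise the new patch is declared but never applied and the build still succeeds — this cannot be confirmed from the hunks shown. The Release bump and the changelog entry agree on 0.1.49-7, and the declared patch name matches the file added above.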