Merge pull request #177 from schurzi/crypto_policy

micheelengronne · web-flow · commit e30a2f8787b7 · 2020-07-22T16:22:13.000+02:00
rework CRYPTO_POLICY check to work with fedora
diff --git a/controls/ssh_spec.rb b/controls/ssh_spec.rb
@@ -227,3 +227,19 @@
     its('UseRoaming') { should eq('no') }
   end
 end
+
+control 'ssh-22' do
+  impact 1.0
+  title 'Client: CRYPTO_POLICY'
+  desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from ssh_config are effective'
+  only_if('OS has CRYPTO_POLICY') do
+    file('/etc/sysconfig/sshd').exist? && file('/etc/sysconfig/sshd').content.match?(/CRYPTO_POLICY/)
+  end
+
+  describe bash('ssh -G localhost') do
+    its('exit_status') { should eq 0 }
+    its('stdout') { should match('ciphers ' + ssh_crypto.valid_ciphers) }
+    its('stdout') { should match('kexalgorithms ' + ssh_crypto.valid_kexs) }
+    its('stdout') { should match('macs ' + ssh_crypto.valid_macs) }
+  end
+end
diff --git a/controls/sshd_spec.rb b/controls/sshd_spec.rb
@@ -508,8 +508,8 @@
   impact 1.0
   title 'Server: CRYPTO_POLICY'
   desc 'Verifies, that we are not running CRYPTO_POLICY and our settings from sshd_config are effective'
-  only_if('OS is RHEL 8+ or compatible') do
-    os[:family] == 'redhat' && ::Gem::Version.new(os.release) > ::Gem::Version.new('8')
+  only_if('OS has CRYPTO_POLICY') do
+    file('/etc/sysconfig/sshd').exist? && file('/etc/sysconfig/sshd').content.match?(/CRYPTO_POLICY/)
   end
 
   describe bash("pgrep -af 'sshd -D'") do
