🧹 Remove Key Exchange Algorithm: `diffie-hellman-group-exchange-sha25…

…6` (#290) Removes the following Key Exchange Algorithm: - `diffie-hellman-group-exchange-sha256` Reasoning: Since [RFC4419](https://www.rfc-editor.org/rfc/inline-errata/rfc4419.html) `diffie-hellman-group-exchange-sha256` negotiates a DH group with at least 2048 bits (= group14) and maximum 8192 bits (= group18), since anything below DH group17 is not advisable, we should remove this KexAlgorithm. Adds the following Kex Algorithm: - `diffie-hellman-group18-sha512` Reasoning: `diffie-hellman-group18-sha512` has the following chracteristics: ``` Prime Field Size | Estimated Security Strength | Example MODP Group -- | -- | -- 8192-bit | 200 bits | group18 ``` --------- Signed-off-by: Manuel Weber <[email protected]>
mondoohq · Nov 21, 2023 · 05cbf29 · 05cbf29
1 parent 413148e
commit 05cbf29
Showing 1 changed file with 18 additions and 9 deletions.
diff --git a/core/mondoo-linux-security.mql.yaml b/core/mondoo-linux-security.mql.yaml
@@ -4,7 +4,7 @@
 policies:
   - uid: mondoo-linux-security
     name: Linux Security
-    version: 2.1.0
+    version: 2.2.0
     license: BUSL-1.1
     tags:
       mondoo.com/category: security
@@ -2409,13 +2409,16 @@ queries:
       - uid: MondooKexAlgos
         title: Define the hardened key exchange algorithms for all SSH configurations
         mql: |
-          if( package('openssh-server').version == /6./ || package('openssh-server').version == /7./ ) {
-            return ["[email protected]","diffie-hellman-group-exchange-sha256"]
+          if( package('openssh-server').version == /6./) {
+            return ["[email protected]"]
+          }
+          if( package('openssh-server').version == /7./) {
+            return ["[email protected]","diffie-hellman-group18-sha512"]
           }
           if( package('openssh-server').version == /8\.[0|1|2|3|4|5]/ ) {
-            return ["[email protected]","[email protected]","diffie-hellman-group-exchange-sha256"]
+            return ["[email protected]","[email protected]","diffie-hellman-group18-sha512"]
           }
-          return ["[email protected]","[email protected]","diffie-hellman-group-exchange-sha256"]
+          return ["[email protected]","[email protected]","diffie-hellman-group18-sha512"]
     mql: |
       sshd.config.kexs != null
       sshd.config.kexs.containsOnly(props.MondooKexAlgos)
@@ -2424,22 +2427,28 @@ queries:
       remediation: |-
         Edit the `/etc/ssh/sshd_config` file to add or modify the `KexAlgorithms` parameter so that it contains a comma-separated list of the site approved key exchange algorithms
 
-        openssh-server version 6.x or 7.x:
+        openssh-server version 6.x
+
+        ```
+        KexAlgorithms [email protected]
+        ```
+
+        openssh-server version 7.x:
 
         ```
-        KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
+        KexAlgorithms [email protected],diffie-hellman-group18-sha512
         ```
 
         openssh-server version 8.0 to 8.5:
 
         ```
-        KexAlgorithms [email protected],[email protected],diffie-hellman-group-exchange-sha256
+        KexAlgorithms [email protected],[email protected],diffie-hellman-group18-sha512
         ```
 
         openssh-server version 8.6 to 9:
 
         ```
-        KexAlgorithms [email protected],[email protected],diffie-hellman-group-exchange-sha256
+        KexAlgorithms [email protected],[email protected],diffie-hellman-group18-sha512
         ```
 
         NOTE: