Update mac and kex to match debian10 CIS (#60)

fix #53

Co-authored-by: GoldenKiwi <thibault.dewailly@corp.ovh.com>

bin/hardening/5.2.14_ssh_cry_mac.sh

@@ -78,7 +78,7 @@ create_config() {
     cat <<EOF
 status=audit
 # Put your MACs
-OPTIONS="MACs=umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256"
+OPTIONS="MACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
 EOF
 }
 

bin/hardening/5.2.15_ssh_cry_kex.sh

@@ -78,7 +78,7 @@ create_config() {
     if [[ 7 -le "$DEB_MAJ_VER" ]]; then
         KEX='diffie-hellman-group-exchange-sha256'
     else
-        KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
+        KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
     fi
     set -u
     cat <<EOF

tests/hardening/5.2.14_ssh_cry_mac.sh

@@ -17,6 +17,6 @@ test_audit() {
 
     describe Checking resolved state
     register_test retvalshouldbe 0
-    register_test contain "[ OK ] ^MACs[[:space:]]*umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256 is present in /etc/ssh/sshd_config"
+    register_test contain "[ OK ] ^MACs[[:space:]]*hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 is present in /etc/ssh/sshd_config"
     run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 }