From 00ce44e728dac00df815d305f315d6e1c6ee51fb Mon Sep 17 00:00:00 2001
From: Joe Testa
Date: Tue, 14 Jul 2020 17:18:35 -0400
Subject: [PATCH] Added Ubuntu client policies.

---
 policies/ubuntu_client_16_04.txt | 19 +++++++++++++++++++
 policies/ubuntu_client_18_04.txt | 19 +++++++++++++++++++
 policies/ubuntu_client_20_04.txt | 19 +++++++++++++++++++
 ..._04_policy.txt => ubuntu_server_16_04.txt} | 0
 ..._04_policy.txt => ubuntu_server_18_04.txt} | 0
 ..._04_policy.txt => ubuntu_server_20_04.txt} | 0
 6 files changed, 57 insertions(+)
 create mode 100644 policies/ubuntu_client_16_04.txt
 create mode 100644 policies/ubuntu_client_18_04.txt
 create mode 100644 policies/ubuntu_client_20_04.txt
 rename policies/{ubuntu_server_16_04_policy.txt => ubuntu_server_16_04.txt} (100%)
 rename policies/{ubuntu_server_18_04_policy.txt => ubuntu_server_18_04.txt} (100%)
 rename policies/{ubuntu_server_20_04_policy.txt => ubuntu_server_20_04.txt} (100%)

diff --git a/policies/ubuntu_client_16_04.txt b/policies/ubuntu_client_16_04.txt
new file mode 100644
index 0000000..e10033a
--- /dev/null
+++ b/policies/ubuntu_client_16_04.txt
@@ -0,0 +1,19 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu 16.04 LTS.
+#
+
+client policy = true
+name = "Ubuntu Client 16.04 LTS"
+version = 1
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-512, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256, ext-info-c
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
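Review bot: The header comment at the top of the hunk says only "Official policy for hardened OpenSSH on Ubuntu 16.04 LTS", which does not distinguish this client policy from the server policy for the same release and does not record which OpenSSH version the algorithm lists were taken from. That matters because the lists are release-specific: this file's `key exchanges` omits `curve25519-sha256`, `diffie-hellman-group16-sha512` and `diffie-hellman-group18-sha512`, which the 18.04 and 20.04 hunks include, presumably because the 16.04 OpenSSH build does not offer them, and nothing in the file says so, so a later edit could "harmonise" the lists and silently break exact matching. I would write the header as `# Official client policy for hardened OpenSSH on Ubuntu 16.04 LTS (OpenSSH <version shipped by 16.04 — fill in>).` followed by `# Algorithm lists are specific to this release's OpenSSH build; do not copy them from other policy files.`. The same applies to the 18.04 and 20.04 hunks.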
diff --git a/policies/ubuntu_client_18_04.txt b/policies/ubuntu_client_18_04.txt
new file mode 100644
index 0000000..84d393b
--- /dev/null
+++ b/policies/ubuntu_client_18_04.txt
@@ -0,0 +1,19 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu 18.04 LTS.
+#
+
+client policy = true
+name = "Ubuntu Client 18.04 LTS"
+version = 1
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-512, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256, ext-info-c
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
diff --git a/policies/ubuntu_client_20_04.txt b/policies/ubuntu_client_20_04.txt
new file mode 100644
index 0000000..0e04463
--- /dev/null
+++ b/policies/ubuntu_client_20_04.txt
@@ -0,0 +1,19 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu 20.04 LTS.
+#
+
+client policy = true
+name = "Ubuntu Client 20.04 LTS"
+version = 1
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519, ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519@openssh.com, sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-256, rsa-sha2-256-cert-v01@openssh.com, rsa-sha2-512, rsa-sha2-512-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256, ext-info-c
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
diff --git a/policies/ubuntu_server_16_04_policy.txt b/policies/ubuntu_server_16_04.txt
similarity index 100%
rename from policies/ubuntu_server_16_04_policy.txt
rename to policies/ubuntu_server_16_04.txt
diff --git a/policies/ubuntu_server_18_04_policy.txt b/policies/ubuntu_server_18_04.txt
similarity index 100%
rename from policies/ubuntu_server_18_04_policy.txt
rename to policies/ubuntu_server_18_04.txt
diff --git a/policies/ubuntu_server_20_04_policy.txt b/policies/ubuntu_server_20_04.txt
similarity index 100%
rename from policies/ubuntu_server_20_04_policy.txt
rename to policies/ubuntu_server_20_04.txt
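Review bot: The `host keys` line keeps `ssh-rsa-cert-v01@openssh.com` as its last entry while plain `ssh-rsa` is excluded and the SHA-2 certificate variants `rsa-sha2-256-cert-v01@openssh.com` and `rsa-sha2-512-cert-v01@openssh.com` are listed right beside it. If `ssh-rsa` was left out because of its SHA-1 signature, the older certificate type looks like it is being retained for a different reason (compatibility with CAs that still issue that type, perhaps), and that reason is not recorded anywhere in the hunk. A comment above the line such as `# ssh-rsa-cert-v01@openssh.com is kept for <reason — fill in>; plain ssh-rsa is intentionally excluded.` would stop a later edit from dropping or reordering it without understanding the trade-off, since the policy requires an exact ordered match. The 16.04 and 18.04 hunks carry the same entry, though without the SHA-2 certificate alternatives next to it.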