From 103b8fb934345ed6e3c20673ba886c91756d2cbc Mon Sep 17 00:00:00 2001
From: Joe Testa
Date: Mon, 6 Jul 2020 16:16:52 -0400
Subject: [PATCH] Added official policies for hardened Ubuntu 16.04, 18.04, and 20.04.
---
 policies/ubuntu_server_16_04_policy.txt | 21 +++++++++++++++++++++
 policies/ubuntu_server_18_04_policy.txt | 21 +++++++++++++++++++++
 policies/ubuntu_server_20_04_policy.txt | 25 +++++++++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 policies/ubuntu_server_16_04_policy.txt
 create mode 100644 policies/ubuntu_server_18_04_policy.txt
 create mode 100644 policies/ubuntu_server_20_04_policy.txt
diff --git a/policies/ubuntu_server_16_04_policy.txt b/policies/ubuntu_server_16_04_policy.txt
new file mode 100644
index 0000000..1b39972
--- /dev/null
+++ b/policies/ubuntu_server_16_04_policy.txt
@@ -0,0 +1,21 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu Server 16.04 LTS.
+#
+
+name = "Ubuntu Server 16.04 LTS"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
diff --git a/policies/ubuntu_server_18_04_policy.txt b/policies/ubuntu_server_18_04_policy.txt
new file mode 100644
index 0000000..c23d5e7
--- /dev/null
+++ b/policies/ubuntu_server_18_04_policy.txt
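Review bot: The comment above `dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048` states neither the unit nor whether 2048 is a floor or an exact requirement, whereas every list key below is annotated "must match exactly"; suggest `# Minimum group exchange DH modulus size, in bits.` (or the exact-match wording, whichever the policy evaluator implements). The same gap exists in the 18.04 and 20.04 hunks, and for the `hostkey_size_rsa-*` keys in the 20.04 hunk. Because `host keys = ssh-ed25519` is an exact match, a server that still has an RSA host key installed will fail this policy, so a header line such as `# Assumes the server offers only an Ed25519 host key (RSA host key removed).` would make that prerequisite explicit. The key-exchange list here is shorter than the 18.04 one (no `curve25519-sha256`, `diffie-hellman-group16-sha512` or `diffie-hellman-group18-sha512`), presumably because the OpenSSH release shipped with 16.04 predates those names; a one-line comment saying so would stop a later reader from "fixing" the list.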
@@ -0,0 +1,21 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu Server 18.04 LTS.
+#
+
+name = "Ubuntu Server 18.04 LTS"
+version = 1
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
diff --git a/policies/ubuntu_server_20_04_policy.txt b/policies/ubuntu_server_20_04_policy.txt
new file mode 100644
index 0000000..bce0654
--- /dev/null
+++ b/policies/ubuntu_server_20_04_policy.txt
@@ -0,0 +1,25 @@
+#
+# Official policy for hardened OpenSSH on Ubuntu Server 20.04 LTS.
+#
+
+name = "Ubuntu Server 20.04 LTS"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com
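Review bot: `host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519` admits RSA host keys, which the 16.04 and 18.04 policies in this same commit exclude, and nothing in the header explains why the 20.04 policy differs or what the server must be configured with to produce exactly this list. Since the comment says order matters and the match is exact, the server presumably has to restrict its advertised host key algorithms to precisely these three names (in particular not the SHA-1 `ssh-rsa` name under which an RSA host key would otherwise also be offered); that prerequisite deserves a sentence in the header, e.g. `# Requires the server's HostKeyAlgorithms to be limited to the three names listed below.` The `# RSA host key sizes.` comment should also say the value is in bits and whether 4096 is a minimum or an exact requirement, so that it reads consistently with the "must match exactly" wording used for the list keys.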