From e0f1e2096d0f33fa94e3f78a5038e929b0039c32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 27 Jan 2020 11:51:53 +0100
Subject: [PATCH 1/6] Add a rule for the openssl strong entropy wrapper.
---
.../openssl_use_strong_entropy/rule.yml | 65 +++++++++++++++++++
rhel8/profiles/ospp.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
3 files changed, 66 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
new file mode 100644
index 0000000000..e9ea8ed338
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -0,0 +1,65 @@
+documentation_complete: true
+
+# TODO: The plan is not to need this for RHEL>=8.4
+prodtype: rhel8
+
+title: 'OpenSSL uses strong entropy source'
+
+description: |-
+ To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
+ save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+ <pre>
+ # provide a default -rand /dev/random option to openssl commands that
+ # support it
+
+ # written inefficiently for maximum shell compatibility
+ openssl()
+ (
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+ )
+ </pre>
+
+rationale: |-
+ The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
+ The referenced script is sourced to every login shell, and it transparently adds an option
+ that enforces strong entropy to every <tt>openssl</tt> invocation,
+ which makes <tt>openssl</tt> more secure by default.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82721-2
+
+references:
+ ospp: FIA_AFL.1
+
+ocil: |-
+ To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
+ make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
+ that are included in the rule's description.
+
+ocil_clause: |-
+ there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
+
+warnings:
+ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
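Review bot: The `references:` block maps this rule to `ospp: FIA_AFL.1`, which is the authentication-failure-handling requirement, so the line looks copied from a neighbouring rule; the random-bit-generation requirement in the OSPP is FCS_RBG_EXT.1. Confirm against the profile and, if so, change the line to `ospp: FCS_RBG_EXT.1`. The `# TODO` above `prodtype:` also deserves a sentence on what changes in RHEL 8.4 that makes the wrapper unnecessary, since that is the condition under which the rule should be retired.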
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 63aea526b7..ef3ced5010 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -59,6 +59,7 @@ selections:
- sshd_enable_warning_banner
- sshd_rekey_limit
- sshd_use_strong_rng
+ - openssl_use_strong_entropy
# Time Server
- chronyd_client_only
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4cb08794f4..1733872dfa 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -248,6 +248,5 @@
CCE-82719-6
CCE-82720-4
-CCE-82721-2
CCE-82722-0
CCE-82723-8
CCE-82724-6
From bbd0f8b1234858a4abeece07d7d188bb07d3d077 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 27 Jan 2020 19:35:06 +0100
Subject: [PATCH 2/6] create checks, remediations,
---
.../ansible/shared.yml | 12 +++++++
.../openssl_use_strong_entropy/bash/shared.sh | 5 +++
.../oval/shared.xml | 34 +++++++++++++++++++
.../openssl_use_strong_entropy/rule.yml | 29 +---------------
shared/macros.jinja | 34 ++++++++++++++++++-
5 files changed, 85 insertions(+), 29 deletions(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
new file mode 100644
index 0000000000..3ce26d6525
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "copy a file with shell snippet to configure openssl strong entropy"
+ copy:
+ dest: /etc/profile.d/cc-config.sh
+ content: |+
+ {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
+
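Review bot: The `copy:` task writes a script that every login shell will source but sets no `owner`, `group` or `mode`, so the file's permissions come from the remote umask; a group- or world-writable file in /etc/profile.d lets whoever can write it run code in every user's login shell, root included. Add `owner: root`, `group: root` and `mode: '0644'` to the task; bash/shared.sh has the same gap, since `cat >` creates the file under the umask, and wants a `chmod 0644` after its heredoc. The header also declares `platform = multi_platform_all` while bash/shared.sh says `Red Hat Enterprise Linux 8`, the OVAL lists Fedora and the rule is `prodtype: rhel8`; the four should agree.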
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
new file mode 100644
index 0000000000..db5c331ce7
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 8
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+{{{ openssl_strong_entropy_config_file() }}}
+EOM
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
new file mode 100644
index 0000000000..b441b7ae6e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
@@ -0,0 +1,34 @@
+<def-group>
+ <definition class="compliance" id="openssl_use_strong_entropy" version="1">
+ <metadata>
+ <title>Configure Openssl to use strong entropy</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 8</platform>
+ <platform>multi_platform_fedora</platform>
+ </affected>
+ <description>OpenSSL should be configured to generate random data with strong entropy.</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_openssl_strong_entropy"
+ comment="Check that the OpenSSL is configured to generate random data with strong entropy." />
+ </criteria>
+ </definition>
+
+ <ind:filehash58_test id="test_openssl_strong_entropy"
+ comment="Test if openssl is configured to generate random data with strong entropy" version="1"
+ check="all" check_existence="all_exist">
+ <ind:object object_ref="object_openssl_strong_entropy"/>
+ <ind:state state_ref="state_openssl_strong_entropy"/>
+ </ind:filehash58_test>
+
+ <ind:filehash58_object id="object_openssl_strong_entropy" version="1">
+ <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ </ind:filehash58_object>
+
+ <ind:filehash58_state id="state_openssl_strong_entropy" version="1">
+ <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:hash_type>SHA-256</ind:hash_type>
+ <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
+ </ind:filehash58_state>
+</def-group>
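Review bot: The `<ind:hash>` value in state_openssl_strong_entropy is an unexplained constant, yet it is the entire check: the rule passes only for a byte-exact copy of the macro output, so any edit to `openssl_strong_entropy_config_file()`, to the `indent` filters in the remediations, or a single whitespace change by an administrator flips the result to fail with no hint why. Add an XML comment above the state recording its provenance, e.g. `<!-- SHA-256 of the file produced by openssl_strong_entropy_config_file(); recompute with sha256sum whenever the macro or a remediation changes -->`. If exact-match is not a deliberate requirement, a textfilecontent54 test on the `-rand /dev/random` line would be a less brittle criterion.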
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index e9ea8ed338..3b01da01af 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -9,34 +9,7 @@ description: |-
To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
<pre>
- # provide a default -rand /dev/random option to openssl commands that
- # support it
-
- # written inefficiently for maximum shell compatibility
- openssl()
- (
- openssl_bin=/usr/bin/openssl
-
- case "$*" in
- # if user specified -rand, honor it
- *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
- esac
-
- cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
- for i in `$openssl_bin list -commands`; do
- if $openssl_bin list -options "$i" | grep -q '^rand '; then
- cmds=" $i $cmds"
- fi
- done
-
- case "$cmds" in
- *\ "$1"\ *)
- cmd="$1"; shift
- exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
- esac
-
- exec $openssl_bin "$@"
- )
+ {{{ openssl_strong_entropy_config_file() | indent(4) }}}
</pre>
rationale: |-
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 77f8eb31c7..8a25acc937 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -618,10 +618,42 @@ ocil_clause: "the correct value is not returned"
{{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}}
- When selecting this rule in a profile,
+ When selecting this rule in a profile,
{{%- if why %}}
make sure that rule with ID <code>{{{ rule_id }}}</code> is selected as well: {{{ why }}}
{{%- else %}}
rule <code>{{{ rule_id }}}</code> has to be selected as well.
{{%- endif %}}
{{% endmacro %}}
+
+{{% macro openssl_strong_entropy_config_file() -%}}
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+)
+
+{{%- endmacro %}}
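Review bot: In the new macro, the `case "$cmds" in *\ "$1"\ *)` arm misbehaves when the wrapper is invoked with no arguments: `$1` is then empty, the pattern degrades to two adjacent spaces, and if the `openssl list` output joined by `tr` contains a run of spaces (the column-formatted digest/cipher listing likely does) the arm fires, `shift` fails with no positional parameters, and the interactive openssl prompt never starts. Guard the no-argument case at the top of the function body with `if [ $# -eq 0 ]; then exec $openssl_bin; fi`. The hunk also carries an unrelated whitespace-only change to `body_of_warning_about_dependent_rule` that belongs in its own commit.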
From efaa2c9cbbe09af6b319f487ec05f646290a05a1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Jan 2020 13:42:40 +0100
Subject: [PATCH 3/6] add tests
---
.../tests/correct.pass.sh | 34 +++++++++++++++++++
.../tests/file_missing.fail.sh | 5 +++
.../tests/file_modified.fail.sh | 5 +++
3 files changed, 44 insertions(+)
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
new file mode 100644
index 0000000000..0bffab3c81
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+)
+EOM
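Review bot: correct.pass.sh re-types the whole wrapper instead of rendering it, so this test and the macro in shared/macros.jinja can silently drift apart while the OVAL hash is tied to only one of them; if test scenarios go through the same jinja rendering as the remediations, the heredoc body should be `{{{ openssl_strong_entropy_config_file() }}}` as in bash/shared.sh. Note also that `<<-` strips leading tabs, so the written file matches the macro text only while the snippet is indented with spaces; a comment above the heredoc such as `# indent with spaces only: <<- strips tabs and would change the SHA-256 the OVAL state expects` would save the next editor a failed run.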
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..c1d526902c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+rm -f /etc/profile.d/cc-config.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
new file mode 100644
index 0000000000..313d14a37f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo "wrong data" > /etc/profile.d/cc-config.sh
From 223194744d54d0400ab1d2981761166580a4f017 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 29 Jan 2020 11:12:46 +0100
Subject: [PATCH 4/6] remove blank=true from jinja macro as rhel6 and rhel7 do
not support it
---
.../crypto/openssl_use_strong_entropy/ansible/shared.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index 3ce26d6525..bdc530f9f5 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -8,5 +8,5 @@
copy:
dest: /etc/profile.d/cc-config.sh
content: |+
- {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
+ {{{ openssl_strong_entropy_config_file()|indent(8) }}}
From bd41dcc77b326ed4bc352fe15d083ca6b144855f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 30 Jan 2020 14:25:31 +0100
Subject: [PATCH 5/6] reword rationale, change file name
from cc-config.sh to openssl-rand.sh
change title of oval
---
.../openssl_use_strong_entropy/ansible/shared.yml | 2 +-
.../openssl_use_strong_entropy/bash/shared.sh | 2 +-
.../openssl_use_strong_entropy/oval/shared.xml | 11 ++++-------
.../crypto/openssl_use_strong_entropy/rule.yml | 14 +++++---------
.../tests/correct.pass.sh | 2 +-
.../tests/file_missing.fail.sh | 2 +-
.../tests/file_modified.fail.sh | 2 +-
7 files changed, 14 insertions(+), 21 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index bdc530f9f5..6ee232892d 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -6,7 +6,7 @@
- name: "copy a file with shell snippet to configure openssl strong entropy"
copy:
- dest: /etc/profile.d/cc-config.sh
+ dest: /etc/profile.d/openssl-rand.sh
content: |+
{{{ openssl_strong_entropy_config_file()|indent(8) }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
index db5c331ce7..d8c9935005 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
@@ -1,5 +1,5 @@
# platform = Red Hat Enterprise Linux 8
-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
{{{ openssl_strong_entropy_config_file() }}}
EOM
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
index b441b7ae6e..847754f36d 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
@@ -1,11 +1,8 @@
<def-group>
<definition class="compliance" id="openssl_use_strong_entropy" version="1">
<metadata>
- <title>Configure Openssl to use strong entropy</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 8</platform>
- <platform>multi_platform_fedora</platform>
- </affected>
+ <title>Configure OpenSSL to use strong entropy</title>
+ {{{- oval_affected(products) }}}
<description>OpenSSL should be configured to generate random data with strong entropy.</description>
</metadata>
<criteria>
@@ -22,12 +19,12 @@
</ind:filehash58_test>
<ind:filehash58_object id="object_openssl_strong_entropy" version="1">
- <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
<ind:hash_type>SHA-256</ind:hash_type>
</ind:filehash58_object>
<ind:filehash58_state id="state_openssl_strong_entropy" version="1">
- <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+ <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
<ind:hash_type>SHA-256</ind:hash_type>
<ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
</ind:filehash58_state>
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index 3b01da01af..dd82336532 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -7,19 +7,15 @@ title: 'OpenSSL uses strong entropy source'
description: |-
To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
- save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+ save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
<pre>
{{{ openssl_strong_entropy_config_file() | indent(4) }}}
</pre>
rationale: |-
- The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
- The referenced script is sourced to every login shell, and it transparently adds an option
- that enforces strong entropy to every <tt>openssl</tt> invocation,
- which makes <tt>openssl</tt> more secure by default.
+ This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
severity: medium
-
identifiers:
cce@rhel8: 82721-2
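Review bot: The new rationale says `openssl` "always" uses an SP800-90A compliant generator, but the mechanism is a shell function sourced from /etc/profile.d, which only reaches shells that source that directory; cron jobs, systemd units, scripts run through their own interpreter line, and anything calling /usr/bin/openssl by path or via `command openssl` bypass it, so the rule's coverage is narrower than the sentence states — the wording removed here ("sourced to every login shell") was the honest part. Suggest `This rule ensures that openssl invocations from login and interactive shells use the SP800-90A compliant random number generator by default; other execution paths are not covered.` and the same caveat as a second entry under `warnings:`. Patch 6 rewrites this line again but keeps the claim, so the same fix applies there.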
@@ -27,12 +23,12 @@ references:
ospp: FIA_AFL.1
ocil: |-
- To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
- make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
+ To determine whether the <tt>openssl</tt> wrapper is configured correctly,
+ make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
that are included in the rule's description.
ocil_clause: |-
- there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
+ there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description
warnings:
- general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
index 0bffab3c81..d7f3ce8c87 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
@@ -2,7 +2,7 @@
# platform = Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
# provide a default -rand /dev/random option to openssl commands that
# support it
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
index c1d526902c..64a580da91 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
@@ -2,4 +2,4 @@
# platform = Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-rm -f /etc/profile.d/cc-config.sh
+rm -f /etc/profile.d/openssl-rand.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
index 313d14a37f..2c812e874b 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
@@ -2,4 +2,4 @@
# platform = Red Hat Enterprise Linux 8
# profiles = xccdf_org.ssgproject.content_profile_ospp
-echo "wrong data" > /etc/profile.d/cc-config.sh
+echo "wrong data" > /etc/profile.d/openssl-rand.sh
From 679bd9cd08f962b3a88197817c199bd90a47f8d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 31 Jan 2020 16:34:48 +0100
Subject: [PATCH 6/6] Rule and remediation wording improvements.
---
.../openssl_use_strong_entropy/ansible/shared.yml | 3 +--
.../crypto/openssl_use_strong_entropy/rule.yml | 15 ++++++++++-----
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index 6ee232892d..25afb8e27f 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -4,9 +4,8 @@
# complexity = low
# disruption = low
-- name: "copy a file with shell snippet to configure openssl strong entropy"
+- name: "Put a file with shell wrapper to configure OpenSSL to always use strong entropy"
copy:
dest: /etc/profile.d/openssl-rand.sh
content: |+
{{{ openssl_strong_entropy_config_file()|indent(8) }}}
-
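Review bot: Dropping the trailing blank line matters more than the diff suggests: the scalar is declared `content: |+`, and keep-chomping carries every trailing blank line into the written file, which changes the SHA-256 the OVAL state expects. A comment on the `content: |+` line, `# |+ keeps trailing newlines: no blank line may follow the macro or the OVAL hash will not match`, would stop the next cleanup from reintroducing it.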
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index dd82336532..8a958e93b0 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -6,14 +6,18 @@ prodtype: rhel8
title: 'OpenSSL uses strong entropy source'
description: |-
- To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
- save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
+ By default, OpenSSL doesn't always use a SP800-90A compliant random number generator.
+ A way to configure OpenSSL to always use a strong source is to setup a wrapper that
+ defines a shell function that shadows the actual <tt>openssl</tt> binary,
+ and that ensures that the <tt>-rand /dev/random</tt> option is added to every <tt>openssl</tt> invocation.
+
+ To do so, place the following shell snippet exactly as-is to <tt>/etc/profile.d/openssl-rand.sh</tt>:
<pre>
{{{ openssl_strong_entropy_config_file() | indent(4) }}}
</pre>
rationale: |-
- This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
+ This rule ensures that <tt>openssl</tt> invocations always uses SP800-90A compliant random number generator as a default behavior.
severity: medium
identifiers:
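Review bot: The rewritten rationale line does not agree grammatically: its subject is `invocations`, so it should read `This rule ensures that <tt>openssl</tt> invocations always use an SP800-90A compliant random number generator by default.`. The description's new phrase "place the following shell snippet exactly as-is" is the right hint given the hash-based check; consider also saying why, e.g. `(the check compares the file's SHA-256, so any edit makes it fail)`, so an administrator does not "fix" the wrapper and lose compliance.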
@@ -23,8 +27,9 @@ references:
ospp: FIA_AFL.1
ocil: |-
- To determine whether the <tt>openssl</tt> wrapper is configured correctly,
- make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
+ To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
+ uses a SP800-90A compliant entropy source,
+ make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contents exactly match those
that are included in the rule's description.
ocil_clause: |-