From c8d00d88a253efc7d3eed11349c4481f8a7e344d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 Feb 2019 14:40:25 +0100
Subject: [PATCH 1/3] Add test scenario for crypto-policy nss.config
---
.../nss_config_as_file.pass.sh | 12 ++++++++++++
.../nss_config_as_symlink.pass.sh | 12 ++++++++++++
2 files changed, 24 insertions(+)
create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
new file mode 100644
index 0000000000..89927d0537
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+update-crypto-policies --set "FIPS"
+
+CRYPTO_POLICY_LIB_FILE="/etc/crypto-policies/back-ends/nss.config"
+SYMLINK_TO_FOLDER="/usr/share/crypto-policies/FIPS/"
+SYMLINK_TO_FILE="nss.txt"
+rm -f $CRYPTO_POLICY_LIB_FILE
+mkdir -p $SYMLINK_TO_FOLDER
+cp $SYMLINK_TO_FOLDER$SYMLINK_TO_FILE $CRYPTO_POLICY_LIB_FILE
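Review bot: `mkdir -p $SYMLINK_TO_FOLDER` creates the FIPS policy directory under /usr/share if it is absent, which hides a missing or broken crypto-policies installation. The `cp` on the last line then fails unnoticed and leaves nss.config absent in a scenario that is expected to pass. I would drop the `mkdir` and make the copy fatal: `cp "$SYMLINK_TO_FOLDER$SYMLINK_TO_FILE" "$CRYPTO_POLICY_LIB_FILE" || exit 1`. The expansions on the `rm`, `mkdir` and `cp` lines are unquoted; the values are fixed here, but quoting keeps the script safe if the paths are ever parameterised. nss_config_as_symlink.pass.sh repeats the same three lines and needs the same treatment.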
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh
new file mode 100644
index 0000000000..28d704e54f
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+update-crypto-policies --set "FIPS"
+
+CRYPTO_POLICY_LIB_FILE="/etc/crypto-policies/back-ends/nss.config"
+SYMLINK_TO_FOLDER="/usr/share/crypto-policies/FIPS/"
+SYMLINK_TO_FILE="nss.txt"
+rm -f $CRYPTO_POLICY_LIB_FILE
+mkdir -p $SYMLINK_TO_FOLDER
+ln -s $SYMLINK_TO_FOLDER$SYMLINK_TO_FILE $CRYPTO_POLICY_LIB_FILE
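Review bot: `ln -s` on the last line succeeds even when the target does not exist, so this scenario can finish with a dangling nss.config link and still report a clean setup. Whether the new existence check then counts the link as present depends on how the scanner resolves symlinks, so the result may not reflect a usable NSS policy. A guard before the link makes the precondition explicit: `[ -e "$SYMLINK_TO_FOLDER$SYMLINK_TO_FILE" ] || exit 1`.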
From 0c3fb5b64f19fef3ae2dac8bbeb71d9d2ae29b54 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 Feb 2019 14:41:01 +0100
Subject: [PATCH 2/3] Update check for configure_crypto_policy
---
.../crypto/configure_crypto_policy/oval/shared.xml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
index 2d42ac26d1..446c584a76 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
@@ -55,11 +55,11 @@
{{{ crypto_policy_symlink_criterion(library="java") }}}
{{{ crypto_policy_symlink_criterion(library="krb5") }}}
{{{ crypto_policy_symlink_criterion(library="libreswan") }}}
- {{{ crypto_policy_symlink_criterion(library="nss") }}}
{{{ crypto_policy_symlink_criterion(library="openssh") }}}
{{{ crypto_policy_symlink_criterion(library="opensshserver") }}}
{{{ crypto_policy_symlink_criterion(library="openssl") }}}
{{% endif %}}
+ <criterion comment="Check if /etc/crypto-policies/back-ends/nss.config exists" test_ref="test_crypto_policy_nss_config" />
</criteria>
</definition>
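Review bot: The new nss criterion is added after `{{% endif %}}`, while the symlink criterion it replaces sat inside that conditional, so it now appears to be evaluated on every product this definition is built for. The opening `{{% if %}}` is outside the hunk, so please confirm that widening is intended. The file also gives no reason why nss alone is exempt from the symlink requirement; a short comment above the criterion would help, for example `<!-- nss.config may be a regular file or a symlink, so only its presence is checked -->`. That wording matches the two pass scenarios added in patch 1.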
@@ -146,6 +146,13 @@ id="object_crypto_policies_config_file_modified_time" version="1">
{{{ crypto_policy_symlink_check(library="openssl") }}}
{{% endif %}}
+ <unix:file_test check="all" check_existence="all_exist" comment="Check if /etc/crypto-policies/back-ends/nss.config exists" id="test_crypto_policy_nss_config" version="1">
+ <unix:object object_ref="object_crypto_policy_nss_config" />
+ </unix:file_test>
+ <unix:file_object id="object_crypto_policy_nss_config" version="1">
+ <unix:filepath>/etc/crypto-policies/back-ends/nss.config</unix:filepath>
+ </unix:file_object>
+
<external_variable comment="defined crypto policy" datatype="string"
id="var_system_crypto_policy" version="1" />
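Review bot: `test_crypto_policy_nss_config` references no state, so with `check_existence="all_exist"` anything found at /etc/crypto-policies/back-ends/nss.config satisfies it. An empty file, a directory, or an nss.config copied from a different policy than `var_system_crypto_policy` would all pass, which is weaker than the symlink criteria kept for the other back-ends. At minimum I would add a `unix:file_state` that restricts `unix:type` to `regular` or `symbolic link` and reference it from the test. If the intent is to confirm the configured policy is really in effect for NSS, a content or link-target comparison against the selected policy's nss.txt would be needed. The relaxed guarantee should be stated in the test's `comment` attribute.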
From e43c26bbcbedf32607a5c997b786b48973df2bcf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 Feb 2019 17:47:51 +0100
Subject: [PATCH 3/3] Add negative test for crypto-policy nss.config
---
.../missing_nss_config.fail.sh | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh
new file mode 100644
index 0000000000..7611efd3f3
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+update-crypto-policies --set "FIPS"
+
+rm -f "/etc/crypto-policies/back-ends/nss.config"
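Review bot: This negative scenario does not isolate the missing nss.config as the cause of the failure, because the result of `update-crypto-policies --set "FIPS"` is never checked. If that command fails, the rule already fails on the policy mismatch, and the scenario would still be reported as a correct "fail" even if the new nss criterion were broken. Aborting the setup when the policy cannot be applied, `update-crypto-policies --set "FIPS" || exit 1`, keeps the test meaningful, assuming the harness reports a non-zero setup script as an error rather than a result. The two pass scenarios in patch 1 make the same unchecked call.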