From e0f1e2096d0f33fa94e3f78a5038e929b0039c32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Mon, 27 Jan 2020 11:51:53 +0100 Subject: [PATCH 1/6] Add a rule for the openssl strong entropy wrapper. --- .../openssl_use_strong_entropy/rule.yml | 65 +++++++++++++++++++ rhel8/profiles/ospp.profile | 1 + shared/references/cce-redhat-avail.txt | 1 - 3 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml new file mode 100644 index 0000000000..e9ea8ed338 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml @@ -0,0 +1,65 @@ +documentation_complete: true + +# TODO: The plan is not to need this for RHEL>=8.4 +prodtype: rhel8 + +title: 'OpenSSL uses strong entropy source' + +description: |- + To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, + save the following shell snippet to the /etc/profile.d/cc-config.sh: +
+    # provide a default -rand /dev/random option to openssl commands that
+    # support it
+
+    # written inefficiently for maximum shell compatibility
+    openssl()
+    (
+      openssl_bin=/usr/bin/openssl
+
+      case "$*" in
+        # if user specified -rand, honor it
+        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+      esac
+
+      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+      for i in `$openssl_bin list -commands`; do
+        if $openssl_bin list -options "$i" | grep -q '^rand '; then
+          cmds=" $i $cmds"
+        fi
+      done
+
+      case "$cmds" in
+        *\ "$1"\ *)
+          cmd="$1"; shift
+          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+      esac
+
+      exec $openssl_bin "$@"
+    )
+    
+ +rationale: |- + The openssl default configuration uses less robust entropy sources for seeding. + The referenced script is sourced to every login shell, and it transparently adds an option + that enforces strong entropy to every openssl invocation, + which makes openssl more secure by default. + +severity: medium + +identifiers: + cce@rhel8: 82721-2 + +references: + ospp: FIA_AFL.1 + +ocil: |- + To determine whether the openssl wrapper is configured correcrlty, + make sure that the /etc/profile.d/cc-config.sh file contains contents + that are included in the rule's description. + +ocil_clause: |- + there is no /etc/profile.d/cc-config.sh file, or its contents don't match those in the description + +warnings: + - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available." diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index 63aea526b7..ef3ced5010 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -59,6 +59,7 @@ selections: - sshd_enable_warning_banner - sshd_rekey_limit - sshd_use_strong_rng + - openssl_use_strong_entropy # Time Server - chronyd_client_only diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 4cb08794f4..1733872dfa 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -248,6 +248,5 @@ CCE-82719-6 CCE-82720-4 -CCE-82721-2 CCE-82722-0 CCE-82723-8 CCE-82724-6 From bbd0f8b1234858a4abeece07d7d188bb07d3d077 Mon Sep 17 00:00:00 2001 
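Review bot: The wrapper in the description mishandles a bare `openssl` (no arguments, the interactive prompt): with `$1` empty the pattern `*\ "$1"\ *` degenerates to `*  *`, which matches wherever `$cmds` holds two consecutive spaces — the column-padded output of `openssl list -digest-commands -cipher-commands` appears to provide them — so the function either fails on `shift` with an empty argument list or execs `/usr/bin/openssl "" -rand /dev/random`. A guard before the first `case`, `[ "$#" -eq 0 ] && exec $openssl_bin`, keeps the prompt working. The same text is repeated verbatim in shared/macros.jinja (patch 2/6) and tests/correct.pass.sh (patch 3/6), so the fix belongs in all three or, better, only in the macro once the others consume it. Separately, `ospp: FIA_AFL.1` is the authentication-failure-handling requirement; a random-bit-generation rule would more plausibly map to FCS_RBG_EXT.1, so the reference is worth checking against the profile's requirement list.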
From: Vojtech Polasek Date: Mon, 27 Jan 2020 19:35:06 +0100 Subject: [PATCH 2/6] create checks, remediations, --- .../ansible/shared.yml | 12 +++++++ .../openssl_use_strong_entropy/bash/shared.sh | 5 +++ .../oval/shared.xml | 34 +++++++++++++++++++ .../openssl_use_strong_entropy/rule.yml | 29 +--------------- shared/macros.jinja | 34 ++++++++++++++++++- 5 files changed, 85 insertions(+), 29 deletions(-) create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml new file mode 100644 index 0000000000..3ce26d6525 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml @@ -0,0 +1,12 @@ +# platform = multi_platform_all +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: "copy a file with shell snippet to configure openssl strong entropy" + copy: + dest: /etc/profile.d/cc-config.sh + content: |+ + {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}} + diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh new file mode 100644 index 0000000000..db5c331ce7 --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh @@ -0,0 +1,5 @@ +# platform = Red Hat Enterprise Linux 8 + +cat > /etc/profile.d/cc-config.sh <<- 'EOM' +{{{ openssl_strong_entropy_config_file() }}} +EOM 
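Review bot: Neither remediation pins the mode or ownership of /etc/profile.d/cc-config.sh: the `copy` task in ansible/shared.yml has no `owner`/`group`/`mode`, so the file takes the remote account's umask, and `cat > /etc/profile.d/cc-config.sh` in bash/shared.sh likewise inherits the caller's umask. Everything in /etc/profile.d is sourced by every login shell, so a group- or world-writable wrapper there lets whoever can write it run code in every user's session; add `owner: root`, `group: root` and `mode: '0644'` to the copy task and a `chmod 0644 /etc/profile.d/cc-config.sh` after the heredoc. The platform tags also disagree (`multi_platform_all` in ansible, `Red Hat Enterprise Linux 8` in bash) while the rule's prodtype is rhel8; presumably one of them is stale.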
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml new file mode 100644 index 0000000000..b441b7ae6e --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml @@ -0,0 +1,34 @@ + + + + Configure Openssl to use strong entropy + + Red Hat Enterprise Linux 8 + multi_platform_fedora + + OpenSSL should be configured to generate random data with strong entropy. + + + + + + + + + + + + + /etc/profile.d/cc-config.sh + SHA-256 + + + + /etc/profile.d/cc-config.sh + SHA-256 + 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af + + diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml index e9ea8ed338..3b01da01af 100644 --- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml @@ -9,34 +9,7 @@ description: |- To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, save the following shell snippet to the /etc/profile.d/cc-config.sh:
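Review bot: The SHA-256 `6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af` is hard-coded with nothing recording which bytes it covers or how to regenerate it, yet it ties this check to the exact output of `openssl_strong_entropy_config_file()` (the shared/macros.jinja hunk in patch 2/6) and to the verbatim copy in tests/correct.pass.sh (patch 3/6); a one-byte change in either, including trailing-newline handling by the Jinja macro, silently turns the rule into a permanent fail. I'd put a comment next to the state, `<!-- SHA-256 of /etc/profile.d/cc-config.sh as written by the bash remediation; recompute with sha256sum whenever openssl_strong_entropy_config_file() changes -->`, and a matching one-line Jinja comment at the top of the macro. The XML markup of this hunk is stripped in this rendering, so I can't confirm the test/object/state wiring around the hash.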
-    # provide a default -rand /dev/random option to openssl commands that
-    # support it
-
-    # written inefficiently for maximum shell compatibility
-    openssl()
-    (
-      openssl_bin=/usr/bin/openssl
-
-      case "$*" in
-        # if user specified -rand, honor it
-        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
-      esac
-
-      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
-      for i in `$openssl_bin list -commands`; do
-        if $openssl_bin list -options "$i" | grep -q '^rand '; then
-          cmds=" $i $cmds"
-        fi
-      done
-
-      case "$cmds" in
-        *\ "$1"\ *)
-          cmd="$1"; shift
-          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
-      esac
-
-      exec $openssl_bin "$@"
-    )
+    {{{ openssl_strong_entropy_config_file() | indent(4) }}}
     
rationale: |- diff --git a/shared/macros.jinja b/shared/macros.jinja index 77f8eb31c7..8a25acc937 100644 --- a/shared/macros.jinja +++ b/shared/macros.jinja @@ -618,10 +618,42 @@ ocil_clause: "the correct value is not returned" {{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}} - When selecting this rule in a profile, + When selecting this rule in a profile, {{%- if why %}} make sure that rule with ID {{{ rule_id }}} is selected as well: {{{ why }}} {{%- else %}} rule {{{ rule_id }}} has to be selected as well. {{%- endif %}} {{% endmacro %}} + +{{% macro openssl_strong_entropy_config_file() -%}} +# provide a default -rand /dev/random option to openssl commands that +# support it + +# written inefficiently for maximum shell compatibility +openssl() +( + openssl_bin=/usr/bin/openssl + + case "$*" in + # if user specified -rand, honor it + *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;; + esac + + cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '` + for i in `$openssl_bin list -commands`; do + if $openssl_bin list -options "$i" | grep -q '^rand '; then + cmds=" $i $cmds" + fi + done + + case "$cmds" in + *\ "$1"\ *) + cmd="$1"; shift + exec $openssl_bin "$cmd" -rand /dev/random "$@" ;; + esac + + exec $openssl_bin "$@" +) + +{{%- endmacro %}} From efaa2c9cbbe09af6b319f487ec05f646290a05a1 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 28 Jan 2020 13:42:40 +0100 Subject: [PATCH 3/6] add tests --- .../tests/correct.pass.sh | 34 +++++++++++++++++++ .../tests/file_missing.fail.sh | 5 +++ .../tests/file_modified.fail.sh | 5 +++ 3 files changed, 44 insertions(+) create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh 
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
new file mode 100644
index 0000000000..0bffab3c81
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+ openssl_bin=/usr/bin/openssl
+
+ case "$*" in
+ # if user specified -rand, honor it
+ *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+ esac
+
+ cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+ for i in `$openssl_bin list -commands`; do
+ if $openssl_bin list -options "$i" | grep -q '^rand '; then
+ cmds=" $i $cmds"
+ fi
+ done
+
+ case "$cmds" in
+ *\ "$1"\ *)
+ cmd="$1"; shift
+ exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+ esac
+
+ exec $openssl_bin "$@"
+)
+EOM
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..c1d526902c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+rm -f /etc/profile.d/cc-config.sh
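Review bot: tests/correct.pass.sh hard-codes a verbatim copy of the wrapper instead of rendering the macro that bash/shared.sh uses, so the test fixture and the remediation can drift independently; because the check is a SHA-256 comparison, any drift (even a whitespace edit) turns this pass scenario into a failure that points at nothing. If test scenarios go through the same Jinja pass as remediations, the heredoc body can simply be `{{{ openssl_strong_entropy_config_file() }}}`, exactly as in bash/shared.sh. If they do not, a comment such as `# Must stay byte-identical to openssl_strong_entropy_config_file() in shared/macros.jinja` above the heredoc is the minimum.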
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh new file mode 100644 index 0000000000..313d14a37f --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_ospp + +echo "wrong data" > /etc/profile.d/cc-config.sh From 223194744d54d0400ab1d2981761166580a4f017 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 29 Jan 2020 11:12:46 +0100 Subject: [PATCH 4/6] remove blank=true from jinja macro as rhel6 and rhel7 do not support it --- .../crypto/openssl_use_strong_entropy/ansible/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml index 3ce26d6525..bdc530f9f5 100644 --- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml @@ -8,5 +8,5 @@ copy: dest: /etc/profile.d/cc-config.sh content: |+ - {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}} + {{{ openssl_strong_entropy_config_file()|indent(8) }}} From bd41dcc77b326ed4bc352fe15d083ca6b144855f Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Thu, 30 Jan 2020 14:25:31 +0100 Subject: [PATCH 5/6] reword rationale, change file name from cc-config.sh to openssl-rand.sh change title of oval --- .../openssl_use_strong_entropy/ansible/shared.yml | 2 +- .../openssl_use_strong_entropy/bash/shared.sh | 2 +- .../openssl_use_strong_entropy/oval/shared.xml | 11 ++++------- .../crypto/openssl_use_strong_entropy/rule.yml | 14 +++++--------- .../tests/correct.pass.sh | 2 +- .../tests/file_missing.fail.sh | 2 +- .../tests/file_modified.fail.sh | 2 +- 7 files changed, 14 insertions(+), 21 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml index bdc530f9f5..6ee232892d 100644 --- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml @@ -6,7 +6,7 @@ - name: "copy a file with shell snippet to configure openssl strong entropy" copy: - dest: /etc/profile.d/cc-config.sh + dest: /etc/profile.d/openssl-rand.sh content: |+ {{{ openssl_strong_entropy_config_file()|indent(8) }}} diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh index db5c331ce7..d8c9935005 100644 --- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh @@ -1,5 +1,5 @@ # platform = Red Hat Enterprise Linux 8 -cat > /etc/profile.d/cc-config.sh <<- 'EOM' +cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' {{{ openssl_strong_entropy_config_file() }}} EOM 
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml index b441b7ae6e..847754f36d 100644 --- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml @@ -1,11 +1,8 @@ - Configure Openssl to use strong entropy - - Red Hat Enterprise Linux 8 - multi_platform_fedora - + Configure OpenSSL to use strong entropy + {{{- oval_affected(products) }}} OpenSSL should be configured to generate random data with strong entropy. @@ -22,12 +19,12 @@ - /etc/profile.d/cc-config.sh + /etc/profile.d/openssl-rand.sh SHA-256 - /etc/profile.d/cc-config.sh + /etc/profile.d/openssl-rand.sh SHA-256 6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml index 3b01da01af..dd82336532 100644 --- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml @@ -7,19 +7,15 @@ title: 'OpenSSL uses strong entropy source' description: |- To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, - save the following shell snippet to the /etc/profile.d/cc-config.sh: + save the following shell snippet to the /etc/profile.d/openssl-rand.sh:
     {{{ openssl_strong_entropy_config_file() | indent(4) }}}
     
rationale: |- - The openssl default configuration uses less robust entropy sources for seeding. - The referenced script is sourced to every login shell, and it transparently adds an option - that enforces strong entropy to every openssl invocation, - which makes openssl more secure by default. + This rule ensures that openssl always uses SP800-90A compliant random number generator. severity: medium - identifiers: cce@rhel8: 82721-2 @@ -27,12 +23,12 @@ references: ospp: FIA_AFL.1 ocil: |- - To determine whether the openssl wrapper is configured correcrlty, - make sure that the /etc/profile.d/cc-config.sh file contains contents + To determine whether the openssl wrapper is configured correctly, + make sure that the /etc/profile.d/openssl-rand.sh file contains contents that are included in the rule's description. ocil_clause: |- - there is no /etc/profile.d/cc-config.sh file, or its contents don't match those in the description + there is no /etc/profile.d/openssl-rand.sh file, or its contents don't match those in the description warnings: - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available." diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh index 0bffab3c81..d7f3ce8c87 100644 --- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh @@ -2,7 +2,7 @@ # platform = Red Hat Enterprise Linux 8 # profiles = xccdf_org.ssgproject.content_profile_ospp -cat > /etc/profile.d/cc-config.sh <<- 'EOM' +cat > /etc/profile.d/openssl-rand.sh <<- 'EOM' # provide a default -rand /dev/random option to openssl commands that # support it 
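Review bot: The new rationale `This rule ensures that openssl always uses SP800-90A compliant random number generator.` overstates what a /etc/profile.d shell function can deliver: it only reaches shells that source profile.d, and is bypassed by scripts, cron jobs, services and any non-login shell, by `/usr/bin/openssl` or `command openssl`, and by anything that uses libcrypto directly rather than the command-line tool. The removed text at least said the script is "sourced to every login shell"; I'd keep that scope statement and add it to `warnings`, e.g. `- general: "The wrapper only applies to shells that source /etc/profile.d; openssl invoked by full path, from scripts or services, or through libcrypto is not affected."`. The rewritten rationale in patch 6/6 inherits the same claim.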
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh index c1d526902c..64a580da91 100644 --- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh @@ -2,4 +2,4 @@ # platform = Red Hat Enterprise Linux 8 # profiles = xccdf_org.ssgproject.content_profile_ospp -rm -f /etc/profile.d/cc-config.sh +rm -f /etc/profile.d/openssl-rand.sh diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh index 313d14a37f..2c812e874b 100644 --- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh @@ -2,4 +2,4 @@ # platform = Red Hat Enterprise Linux 8 # profiles = xccdf_org.ssgproject.content_profile_ospp -echo "wrong data" > /etc/profile.d/cc-config.sh +echo "wrong data" > /etc/profile.d/openssl-rand.sh From 679bd9cd08f962b3a88197817c199bd90a47f8d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Fri, 31 Jan 2020 16:34:48 +0100 Subject: [PATCH 6/6] Rule and remediation wording improvements. --- .../openssl_use_strong_entropy/ansible/shared.yml | 3 +-- .../crypto/openssl_use_strong_entropy/rule.yml | 15 ++++++++++----- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml index 6ee232892d..25afb8e27f 100644 
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml @@ -4,9 +4,8 @@ # complexity = low # disruption = low -- name: "copy a file with shell snippet to configure openssl strong entropy" +- name: "Put a file with shell wrapper to configure OpenSSL to always use strong entropy" copy: dest: /etc/profile.d/openssl-rand.sh content: |+ {{{ openssl_strong_entropy_config_file()|indent(8) }}} - diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml index dd82336532..8a958e93b0 100644 --- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml @@ -6,14 +6,18 @@ prodtype: rhel8 title: 'OpenSSL uses strong entropy source' description: |- - To set up an openssl wrapper that adds a -rand /dev/random option to the openssl invocation, - save the following shell snippet to the /etc/profile.d/openssl-rand.sh: + By default, OpenSSL doesn't always use a SP800-90A compliant random number generator. + A way to configure OpenSSL to always use a strong source is to setup a wrapper that + defines a shell function that shadows the actual openssl binary, + and that ensures that the -rand /dev/random option is added to every openssl invocation. + + To do so, place the following shell snippet exactly as-is to /etc/profile.d/openssl-rand.sh:
     {{{ openssl_strong_entropy_config_file() | indent(4) }}}
     
rationale: |- - This rule ensures that openssl always uses SP800-90A compliant random number generator. + This rule ensures that openssl invocations always uses SP800-90A compliant random number generator as a default behavior. severity: medium identifiers: @@ -23,8 +27,9 @@ references: ospp: FIA_AFL.1 ocil: |- - To determine whether the openssl wrapper is configured correctly, - make sure that the /etc/profile.d/openssl-rand.sh file contains contents + To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation + uses a SP800-90A compliant entropy source, + make sure that the /etc/profile.d/openssl-rand.sh file contents exactly match those that are included in the rule's description. ocil_clause: |-
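Review bot: Two grammar slips in the new text: the rationale line `This rule ensures that openssl invocations always uses SP800-90A compliant random number generator as a default behavior.` should read `This rule ensures that openssl invocations always use a SP800-90A compliant random number generator by default.`, and `setup a wrapper` in the description should be `set up a wrapper`. The description's `exactly as-is` and the OCIL's `exactly match` are the right wording, since the OVAL check compares a SHA-256 of the file; saying so in the ocil text, e.g. `(the automated check compares the file's SHA-256 against the expected wrapper)`, would tell an auditor why a cosmetic edit fails the rule.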