From e0f1e2096d0f33fa94e3f78a5038e929b0039c32 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Mon, 27 Jan 2020 11:51:53 +0100

Subject: [PATCH 1/6] Add a rule for the openssl strong entropy wrapper.

---

 .../openssl_use_strong_entropy/rule.yml       | 65 +++++++++++++++++++

 rhel8/profiles/ospp.profile                   |  1 +

 shared/references/cce-redhat-avail.txt        |  1 -

 3 files changed, 66 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

new file mode 100644

index 0000000000..e9ea8ed338

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

@@ -0,0 +1,65 @@

+documentation_complete: true

+

+# TODO: The plan is not to need this for RHEL>=8.4

+prodtype: rhel8

+

+title: 'OpenSSL uses strong entropy source'

+

+description: |-

+    To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,

+    save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:

+    

+    # provide a default -rand /dev/random option to openssl commands that

+    # support it

+

+    # written inefficiently for maximum shell compatibility

+    openssl()

+    (

+      openssl_bin=/usr/bin/openssl

+

+      case "$*" in

+        # if user specified -rand, honor it

+        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;

+      esac

+

+      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`

+      for i in `$openssl_bin list -commands`; do

+        if $openssl_bin list -options "$i" | grep -q '^rand '; then

+          cmds=" $i $cmds"

+        fi

+      done

+

+      case "$cmds" in

+        *\ "$1"\ *)

+          cmd="$1"; shift

+          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;

+      esac

+

+      exec $openssl_bin "$@"

+    )

+    

+

+rationale: |-

+    The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.

+    The referenced script is sourced to every login shell, and it transparently adds an option

+    that enforces strong entropy to every <tt>openssl</tt> invocation,

+    which makes <tt>openssl</tt> more secure by default.

+

+severity: medium

+

+identifiers:

+    cce@rhel8: 82721-2

+

+references:

+    ospp: FIA_AFL.1

+

+ocil: |-

+    To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,

+    make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents

+    that are included in the rule's description.

+

+ocil_clause: |-

+    there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description

+

+warnings:

+    - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."

diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile

index 63aea526b7..ef3ced5010 100644

--- a/rhel8/profiles/ospp.profile

+++ b/rhel8/profiles/ospp.profile

@@ -59,6 +59,7 @@ selections:

     - sshd_enable_warning_banner

     - sshd_rekey_limit

     - sshd_use_strong_rng

+    - openssl_use_strong_entropy

     # Time Server

     - chronyd_client_only

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 4cb08794f4..1733872dfa 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -248,6 +248,5 @@

 CCE-82719-6

 CCE-82720-4

-CCE-82721-2

 CCE-82722-0

 CCE-82723-8

 CCE-82724-6

From bbd0f8b1234858a4abeece07d7d188bb07d3d077 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Mon, 27 Jan 2020 19:35:06 +0100

Subject: [PATCH 2/6] create checks, remediations,

---

 .../ansible/shared.yml                        | 12 +++++++

 .../openssl_use_strong_entropy/bash/shared.sh |  5 +++

 .../oval/shared.xml                           | 34 +++++++++++++++++++

 .../openssl_use_strong_entropy/rule.yml       | 29 +---------------

 shared/macros.jinja                           | 34 ++++++++++++++++++-

 5 files changed, 85 insertions(+), 29 deletions(-)

 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

new file mode 100644

index 0000000000..3ce26d6525

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

@@ -0,0 +1,12 @@

+# platform = multi_platform_all

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+

+- name: "copy a file with shell snippet to configure openssl strong entropy"

+  copy:

+    dest: /etc/profile.d/cc-config.sh

+    content: |+

+        {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}

+        

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh

new file mode 100644

index 0000000000..db5c331ce7

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh

@@ -0,0 +1,5 @@

+# platform = Red Hat Enterprise Linux 8

+

+cat > /etc/profile.d/cc-config.sh <<- 'EOM'

+{{{ openssl_strong_entropy_config_file() }}}

+EOM

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml

new file mode 100644

index 0000000000..b441b7ae6e

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml

@@ -0,0 +1,34 @@

+<def-group>

+  <definition class="compliance" id="openssl_use_strong_entropy" version="1">

+    <metadata>

+      <title>Configure Openssl to use strong entropy</title>

+      <affected family="unix">

+        <platform>Red Hat Enterprise Linux 8</platform>

+        <platform>multi_platform_fedora</platform>

+      </affected>

+      <description>OpenSSL should be configured to generate random data with strong entropy.</description>

+    </metadata>

+    <criteria>

+      

+      comment="Check that the OpenSSL is configured to generate random data with strong entropy." />

+    </criteria>

+  </definition>

+

+  

+  comment="Test if openssl is configured to generate random data with strong entropy" version="1"

+  check="all" check_existence="all_exist">

+    <ind:object object_ref="object_openssl_strong_entropy"/>

+    <ind:state state_ref="state_openssl_strong_entropy"/>

+  </ind:filehash58_test>

+

+  <ind:filehash58_object id="object_openssl_strong_entropy" version="1">

+    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>

+    <ind:hash_type>SHA-256</ind:hash_type>

+  </ind:filehash58_object>

+

+  <ind:filehash58_state id="state_openssl_strong_entropy" version="1">

+    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>

+    <ind:hash_type>SHA-256</ind:hash_type>

+    <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>

+  </ind:filehash58_state>

+</def-group>

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

index e9ea8ed338..3b01da01af 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

@@ -9,34 +9,7 @@ description: |-

     To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,

     save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:

-    # provide a default -rand /dev/random option to openssl commands that

-    # support it

-

-    # written inefficiently for maximum shell compatibility

-    openssl()

-    (

-      openssl_bin=/usr/bin/openssl

-

-      case "$*" in

-        # if user specified -rand, honor it

-        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;

-      esac

-

-      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`

-      for i in `$openssl_bin list -commands`; do

-        if $openssl_bin list -options "$i" | grep -q '^rand '; then

-          cmds=" $i $cmds"

-        fi

-      done

-

-      case "$cmds" in

-        *\ "$1"\ *)

-          cmd="$1"; shift

-          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;

-      esac

-

-      exec $openssl_bin "$@"

-    )

+    {{{ openssl_strong_entropy_config_file() | indent(4) }}}

 rationale: |-

diff --git a/shared/macros.jinja b/shared/macros.jinja

index 77f8eb31c7..8a25acc937 100644

--- a/shared/macros.jinja

+++ b/shared/macros.jinja

@@ -618,10 +618,42 @@ ocil_clause: "the correct value is not returned"

 {{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}}

-        When selecting this rule in a profile, 

+        When selecting this rule in a profile,

         {{%- if why %}}

             make sure that rule with ID {{{ rule_id }}} is selected as well: {{{ why }}}

         {{%- else %}}

             rule {{{ rule_id }}} has to be selected as well.

         {{%- endif %}}

 {{% endmacro %}}

+

+{{% macro openssl_strong_entropy_config_file() -%}}

+# provide a default -rand /dev/random option to openssl commands that

+# support it

+

+# written inefficiently for maximum shell compatibility

+openssl()

+(

+  openssl_bin=/usr/bin/openssl

+

+  case "$*" in

+    # if user specified -rand, honor it

+    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;

+  esac

+

+  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`

+  for i in `$openssl_bin list -commands`; do

+    if $openssl_bin list -options "$i" | grep -q '^rand '; then

+      cmds=" $i $cmds"

+    fi

+  done

+

+  case "$cmds" in

+    *\ "$1"\ *)

+      cmd="$1"; shift

+      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;

+  esac

+

+  exec $openssl_bin "$@"

+)

+

+{{%- endmacro %}}

From efaa2c9cbbe09af6b319f487ec05f646290a05a1 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Tue, 28 Jan 2020 13:42:40 +0100

Subject: [PATCH 3/6] add tests

---

 .../tests/correct.pass.sh                     | 34 +++++++++++++++++++

 .../tests/file_missing.fail.sh                |  5 +++

 .../tests/file_modified.fail.sh               |  5 +++

 3 files changed, 44 insertions(+)

 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh

new file mode 100644

index 0000000000..0bffab3c81

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh

@@ -0,0 +1,34 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+cat > /etc/profile.d/cc-config.sh <<- 'EOM'

+# provide a default -rand /dev/random option to openssl commands that

+# support it

+

+# written inefficiently for maximum shell compatibility

+openssl()

+(

+  openssl_bin=/usr/bin/openssl

+

+  case "$*" in

+    # if user specified -rand, honor it

+    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;

+  esac

+

+  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`

+  for i in `$openssl_bin list -commands`; do

+    if $openssl_bin list -options "$i" | grep -q '^rand '; then

+      cmds=" $i $cmds"

+    fi

+  done

+

+  case "$cmds" in

+    *\ "$1"\ *)

+      cmd="$1"; shift

+      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;

+  esac

+

+  exec $openssl_bin "$@"

+)

+EOM

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh

new file mode 100644

index 0000000000..c1d526902c

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+rm -f /etc/profile.d/cc-config.sh

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh

new file mode 100644

index 0000000000..313d14a37f

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_ospp

+

+echo "wrong data" > /etc/profile.d/cc-config.sh

From 223194744d54d0400ab1d2981761166580a4f017 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 29 Jan 2020 11:12:46 +0100

Subject: [PATCH 4/6] remove blank=true from  jinja macro as rhel6 and rhel7 do

 not support it

---

 .../crypto/openssl_use_strong_entropy/ansible/shared.yml        | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

index 3ce26d6525..bdc530f9f5 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

@@ -8,5 +8,5 @@

   copy:

     dest: /etc/profile.d/cc-config.sh

     content: |+

-        {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}

+        {{{ openssl_strong_entropy_config_file()|indent(8) }}}

From bd41dcc77b326ed4bc352fe15d083ca6b144855f Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 30 Jan 2020 14:25:31 +0100

Subject: [PATCH 5/6] reword rationale, change file name

from cc-config.sh to openssl-rand.sh

change title of oval

---

 .../openssl_use_strong_entropy/ansible/shared.yml  |  2 +-

 .../openssl_use_strong_entropy/bash/shared.sh      |  2 +-

 .../openssl_use_strong_entropy/oval/shared.xml     | 11 ++++-------

 .../crypto/openssl_use_strong_entropy/rule.yml     | 14 +++++---------

 .../tests/correct.pass.sh                          |  2 +-

 .../tests/file_missing.fail.sh                     |  2 +-

 .../tests/file_modified.fail.sh                    |  2 +-

 7 files changed, 14 insertions(+), 21 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

index bdc530f9f5..6ee232892d 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

@@ -6,7 +6,7 @@

 - name: "copy a file with shell snippet to configure openssl strong entropy"

   copy:

-    dest: /etc/profile.d/cc-config.sh

+    dest: /etc/profile.d/openssl-rand.sh

     content: |+

         {{{ openssl_strong_entropy_config_file()|indent(8) }}}

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh

index db5c331ce7..d8c9935005 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh

@@ -1,5 +1,5 @@

 # platform = Red Hat Enterprise Linux 8

-cat > /etc/profile.d/cc-config.sh <<- 'EOM'

+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'

 {{{ openssl_strong_entropy_config_file() }}}

 EOM

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml

index b441b7ae6e..847754f36d 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml

@@ -1,11 +1,8 @@

 <def-group>

   <definition class="compliance" id="openssl_use_strong_entropy" version="1">

     <metadata>

-      <title>Configure Openssl to use strong entropy</title>

-      <affected family="unix">

-        <platform>Red Hat Enterprise Linux 8</platform>

-        <platform>multi_platform_fedora</platform>

-      </affected>

+      <title>Configure OpenSSL to use strong entropy</title>

+      {{{- oval_affected(products) }}}

       <description>OpenSSL should be configured to generate random data with strong entropy.</description>

     </metadata>

     <criteria>

@@ -22,12 +19,12 @@

   </ind:filehash58_test>

   <ind:filehash58_object id="object_openssl_strong_entropy" version="1">

-    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>

+    <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>

     <ind:hash_type>SHA-256</ind:hash_type>

   </ind:filehash58_object>

   <ind:filehash58_state id="state_openssl_strong_entropy" version="1">

-    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>

+    <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>

     <ind:hash_type>SHA-256</ind:hash_type>

     <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>

   </ind:filehash58_state>

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

index 3b01da01af..dd82336532 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

@@ -7,19 +7,15 @@ title: 'OpenSSL uses strong entropy source'

 description: |-

     To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,

-    save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:

+    save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:

     {{{ openssl_strong_entropy_config_file() | indent(4) }}}

 rationale: |-

-    The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.

-    The referenced script is sourced to every login shell, and it transparently adds an option

-    that enforces strong entropy to every <tt>openssl</tt> invocation,

-    which makes <tt>openssl</tt> more secure by default.

+    This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.

 severity: medium

-

 identifiers:

     cce@rhel8: 82721-2

@@ -27,12 +23,12 @@ references:

     ospp: FIA_AFL.1

 ocil: |-

-    To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,

-    make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents

+    To determine whether the <tt>openssl</tt> wrapper is configured correctly,

+    make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents

     that are included in the rule's description.

 ocil_clause: |-

-    there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description

+    there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description

 warnings:

     - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh

index 0bffab3c81..d7f3ce8c87 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh

@@ -2,7 +2,7 @@

 # platform = Red Hat Enterprise Linux 8

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-cat > /etc/profile.d/cc-config.sh <<- 'EOM'

+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'

 # provide a default -rand /dev/random option to openssl commands that

 # support it

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh

index c1d526902c..64a580da91 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh

@@ -2,4 +2,4 @@

 # platform = Red Hat Enterprise Linux 8

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-rm -f /etc/profile.d/cc-config.sh

+rm -f /etc/profile.d/openssl-rand.sh

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh

index 313d14a37f..2c812e874b 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh

@@ -2,4 +2,4 @@

 # platform = Red Hat Enterprise Linux 8

 # profiles = xccdf_org.ssgproject.content_profile_ospp

-echo "wrong data" > /etc/profile.d/cc-config.sh

+echo "wrong data" > /etc/profile.d/openssl-rand.sh

From 679bd9cd08f962b3a88197817c199bd90a47f8d7 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>

Date: Fri, 31 Jan 2020 16:34:48 +0100

Subject: [PATCH 6/6] Rule and remediation wording improvements.

---

 .../openssl_use_strong_entropy/ansible/shared.yml |  3 +--

 .../crypto/openssl_use_strong_entropy/rule.yml    | 15 ++++++++++-----

 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

index 6ee232892d..25afb8e27f 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml

@@ -4,9 +4,8 @@

 # complexity = low

 # disruption = low

-- name: "copy a file with shell snippet to configure openssl strong entropy"

+- name: "Put a file with shell wrapper to configure OpenSSL to always use strong entropy"

   copy:

     dest: /etc/profile.d/openssl-rand.sh

     content: |+

         {{{ openssl_strong_entropy_config_file()|indent(8) }}}

-        

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

index dd82336532..8a958e93b0 100644

--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

@@ -6,14 +6,18 @@ prodtype: rhel8

 title: 'OpenSSL uses strong entropy source'

 description: |-

-    To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,

-    save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:

+    By default, OpenSSL doesn't always use a SP800-90A compliant random number generator.

+    A way to configure OpenSSL to always use a strong source is to setup a wrapper that

+    defines a shell function that shadows the actual <tt>openssl</tt> binary,

+    and that ensures that the <tt>-rand /dev/random</tt> option is added to every <tt>openssl</tt> invocation.

+

+    To do so, place the following shell snippet exactly as-is to <tt>/etc/profile.d/openssl-rand.sh</tt>:

     {{{ openssl_strong_entropy_config_file() | indent(4) }}}

 rationale: |-

-    This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.

+    This rule ensures that <tt>openssl</tt> invocations always uses SP800-90A compliant random number generator as a default behavior.

 severity: medium

 identifiers:

@@ -23,8 +27,9 @@ references:

     ospp: FIA_AFL.1

 ocil: |-

-    To determine whether the <tt>openssl</tt> wrapper is configured correctly,

-    make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents

+    To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation

+    uses a SP800-90A compliant entropy source,

+    make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contents exactly match those

     that are included in the rule's description.

 ocil_clause: |-