From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 25 Jun 2020 09:53:38 +0200

Subject: [PATCH 1/3] fixed description, oval, ansible, bash

---

 .../configure_openssl_crypto_policy/ansible/shared.yml |  4 ++--

 .../configure_openssl_crypto_policy/bash/shared.sh     |  4 ++--

 .../configure_openssl_crypto_policy/oval/shared.xml    |  2 +-

 .../crypto/configure_openssl_crypto_policy/rule.yml    | 10 +++++-----

 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml

index e6318f221c..98fe134aca 100644

--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml

@@ -15,7 +15,7 @@

   lineinfile:

     create: yes

     insertafter: '^\s*\[\s*crypto_policy\s*]\s*'

-    line: ".include /etc/crypto-policies/back-ends/openssl.config"

+    line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"

     path: /etc/pki/tls/openssl.cnf

   when:

     - test_crypto_policy_group.stdout is defined

@@ -24,7 +24,7 @@

 - name: "Add crypto_policy group and set include openssl.config"

   lineinfile:

     create: yes

-    line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config"

+    line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"

     path: /etc/pki/tls/openssl.cnf

   when:

     - test_crypto_policy_group.stdout is defined

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh

index 0b3cbf3b46..a0b30cce96 100644

--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh

+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh

@@ -2,8 +2,8 @@

 OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'

 OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'

-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config'

-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$'

+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'

+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'

 function remediate_openssl_crypto_policy() {

 	CONFIG_FILE="/etc/pki/tls/openssl.cnf"

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml

index a9b3f7b6e9..2019769736 100644

--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml

+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml

@@ -20,7 +20,7 @@

   version="1">

     <ind:filepath>/etc/pki/tls/openssl.cnf</ind:filepath>

-    <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$</ind:pattern>

+    <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

   </ind:textfilecontent54_object>

 </def-group>

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml

index 8c015bb3b2..1a66570a8c 100644

--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml

+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml

@@ -11,7 +11,7 @@ description: |-

     To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file

     available under <tt>/etc/pki/tls/openssl.cnf</tt>.

     This file has the <tt>ini</tt> format, and it enables crypto policy support

-    if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/openssl.config</tt> directive.

+    if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/opensslcnf.config</tt> directive.

 rationale: |-

     Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,

@@ -29,11 +29,11 @@ references:

 ocil_clause: |-

     the OpenSSL config file doesn't contain the whole section,

-    or that the section doesn't have the 
.include /etc/crypto-policies/back-ends/openssl.config
 directive

+    or that the section doesn't have the 
.include /etc/crypto-policies/back-ends/opensslcnf.config
 directive

 ocil: |-

-    To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file

+    To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file

     
/etc/pki/tls/openssl.cnf
 contains the 
[ crypto_policy ]
 section with the

-    
.include /etc/crypto-policies/back-ends/openssl.config
 directive:

-    
grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf
.

+    
.include /etc/crypto-policies/back-ends/opensslcnf.config
 directive:

+    
grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf
.

From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 25 Jun 2020 09:54:09 +0200

Subject: [PATCH 2/3] updated tests

---

 .../configure_openssl_crypto_policy/tests/ok.pass.sh   |  2 +-

 .../tests/wrong.fail.sh                                | 10 ++++++++++

 2 files changed, 11 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh

index 5b8334735e..c56916883e 100644

--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh

+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh

@@ -6,5 +6,5 @@

 create_config_file_with "[ crypto_policy ]

-.include /etc/crypto-policies/back-ends/openssl.config

+.include /etc/crypto-policies/back-ends/opensslcnf.config

 "

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh

new file mode 100644

index 0000000000..5b8334735e

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8

+# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard

+

+. common.sh

+

+create_config_file_with "[ crypto_policy ]

+

+.include /etc/crypto-policies/back-ends/openssl.config

+"

From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Thu, 25 Jun 2020 17:32:00 +0200

Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config

 file.

---

 .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml

index 98fe134aca..986543c10f 100644

--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml

@@ -11,7 +11,7 @@

   changed_when: False

   check_mode: no

-- name: "Add .include for openssl.config to crypto_policy section"

+- name: "Add .include for opensslcnf.config to crypto_policy section"

   lineinfile:

     create: yes

     insertafter: '^\s*\[\s*crypto_policy\s*]\s*'

@@ -21,7 +21,7 @@

     - test_crypto_policy_group.stdout is defined

     - test_crypto_policy_group.stdout | length > 0

-- name: "Add crypto_policy group and set include openssl.config"

+- name: "Add crypto_policy group and set include opensslcnf.config"

   lineinfile:

     create: yes

     line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"