skyler / rpms / scap-security-guide

Forked from rpms/scap-security-guide 3 years ago
Clone
Source Code
GIT

Blame SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch

c7 c7-alt c7-beta c8 c8-beta c8s
  1.   973b04979f25b8681652f31e096ad6a32f1cb9e8
  2.   SOURCES
  3.   scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
Blob History Raw
475544 
From 94ace689f800fde1453b986de02c1d0581174451 Mon Sep 17 00:00:00 2001
475544 
From: Vojtech Polasek <vpolasek@redhat.com>
475544 
Date: Wed, 8 Jul 2020 17:37:50 +0200
475544 
Subject: [PATCH 1/9] create rule, check, bash remediation
475544
475544 
---
475544 
 .../bash/shared.sh                            |  9 +++++
475544 
 .../oval/shared.xml                           |  1 +
475544 
 .../harden_openssl_crypto_policy/rule.yml     | 33 +++++++++++++++++++
475544 
 shared/references/cce-redhat-avail.txt        |  2 --
475544 
 4 files changed, 43 insertions(+), 2 deletions(-)
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
475544 
new file mode 100644
475544 
index 0000000000..9838a13c95
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
475544 
@@ -0,0 +1,9 @@
475544 
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
475544 
+
475544 
+cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
475544 
+file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
475544 
+
475544 
+#blank line at the begining to ease later readibility
475544 
+echo '' > "$file"
475544 
+echo "$cp" >> "$file"
475544 
+update-crypto-policies
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
475544 
new file mode 100644
475544 
index 0000000000..09199ce4da
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
475544 
@@ -0,0 +1 @@
475544 
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
new file mode 100644
475544 
index 0000000000..afbdb36a23
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
@@ -0,0 +1,32 @@
475544 
+documentation_complete: true
475544 
+
475544 
+prodtype: rhel8
475544 
+
475544 
+title: 'Harden OpenSSL Crypto Policy'
475544 
+
475544 
+description: |-
475544 
+    Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
475544 
+    OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
475544 
+    This can be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
475544 
+    Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>. This rule checks if this file contains predefined <tt>Ciphersuites</tt>  variable configured with predefined value.
475544 
+
475544 
+rationale: |-
475544 
+    The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
475544 
+
475544 
+severity: medium
475544 
+
475544 
+identifiers:
475544 
+    cce@rhel8: 84286-4
475544 
+
475544 
+references:
475544 
+    nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
475544 
+    ospp : FCS_SSHS_EXT.1
475544 
+    srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
475544 
+
475544 
+ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
475544 
+
475544 
+ocil: |-
475544 
+    To verify if the OpenSSL uses defined Crypto Policy, run:
475544 
+    
$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
475544 
+    and verify that the line matches
475544 
+    
84285-6
475544 
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
475544 
index afc0d80417..01b321b6d5 100644
475544 
--- a/shared/references/cce-redhat-avail.txt
475544 
+++ b/shared/references/cce-redhat-avail.txt
475544 
@@ -904,8 +904,6 @@ CCE-84281-5
475544 
 CCE-84282-3
475544 
 CCE-84283-1
475544 
 CCE-84284-9
475544 
-CCE-84285-6
475544 
-CCE-84286-4
475544 
 CCE-84287-2
475544 
 CCE-84288-0
475544 
 CCE-84289-8
475544
475544 
From ddc8380b44f907872f6f3b9b0d10421329e3c0a1 Mon Sep 17 00:00:00 2001
475544 
From: Vojtech Polasek <vpolasek@redhat.com>
475544 
Date: Wed, 8 Jul 2020 17:38:32 +0200
475544 
Subject: [PATCH 2/9] add tests
475544
475544 
---
475544 
 .../harden_openssl_crypto_policy/tests/correct.pass.sh    | 7 +++++++
475544 
 .../tests/correct_commented.fail.sh                       | 7 +++++++
475544 
 .../tests/correct_followed_by_incorrect.fail.sh           | 8 ++++++++
475544 
 .../tests/empty_policy.fail.sh                            | 7 +++++++
475544 
 .../tests/incorrect_followed_by_correct.pass.sh           | 8 ++++++++
475544 
 .../tests/incorrect_policy.fail.sh                        | 7 +++++++
475544 
 .../tests/missing_file.fail.sh                            | 7 +++++++
475544 
 7 files changed, 51 insertions(+)
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
475544
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
475544 
new file mode 100644
475544 
index 0000000000..9e59b30bd2
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
475544 
@@ -0,0 +1,7 @@
475544 
+#!/bin/bash
475544 
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
475544 
+# profiles = xccdf_org.ssgproject.content_profile_ospp
475544 
+
475544 
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
475544 
+
475544 
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
475544 
new file mode 100644
475544 
index 0000000000..91863849b3
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
475544 
@@ -0,0 +1,7 @@
475544 
+#!/bin/bash
475544 
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
475544 
+# profiles = xccdf_org.ssgproject.content_profile_ospp
475544 
+
475544 
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
475544 
+
475544 
+echo "#Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
475544 
new file mode 100644
475544 
index 0000000000..f44957d3e1
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
475544 
@@ -0,0 +1,8 @@
475544 
+#!/bin/bash
475544 
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
475544 
+# profiles = xccdf_org.ssgproject.content_profile_ospp
475544 
+
475544 
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
475544 
+
475544 
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
475544 
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" >> "$configfile"
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
475544 
new file mode 100644
475544 
index 0000000000..5b14fe8ef4
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
475544 
@@ -0,0 +1,7 @@
475544 
+#!/bin/bash
475544 
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
475544 
+# profiles = xccdf_org.ssgproject.content_profile_ospp
475544 
+
475544 
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
475544 
+
475544 
+echo "Ciphersuites=" > "$configfile"
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
475544 
new file mode 100644
475544 
index 0000000000..6be3bb2ffa
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
475544 
@@ -0,0 +1,8 @@
475544 
+#!/bin/bash
475544 
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
475544 
+# profiles = xccdf_org.ssgproject.content_profile_ospp
475544 
+
475544 
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
475544 
+
475544 
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
475544 
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" >> "$configfile"
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
475544 
new file mode 100644
475544 
index 0000000000..b4fd0f97be
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
475544 
@@ -0,0 +1,7 @@
475544 
+#!/bin/bash
475544 
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
475544 
+# profiles = xccdf_org.ssgproject.content_profile_ospp
475544 
+
475544 
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
475544 
+
475544 
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
475544 
new file mode 100644
475544 
index 0000000000..2d11d227cb
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
475544 
@@ -0,0 +1,7 @@
475544 
+#!/bin/bash
475544 
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
475544 
+# profiles = xccdf_org.ssgproject.content_profile_ospp
475544 
+
475544 
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
475544 
+
475544 
+rm -f "$configfile"
475544
475544 
From b08a7f3889e4592dc54a431aa4cfb6983990daba Mon Sep 17 00:00:00 2001
475544 
From: Vojtech Polasek <vpolasek@redhat.com>
475544 
Date: Thu, 9 Jul 2020 09:05:38 +0200
475544 
Subject: [PATCH 3/9] remove blank line from remediation
475544
475544 
---
475544 
 .../crypto/harden_openssl_crypto_policy/bash/shared.sh         | 3 +--
475544 
 1 file changed, 1 insertion(+), 2 deletions(-)
475544
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
475544 
index 9838a13c95..be6f84f83d 100644
475544 
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
475544 
@@ -3,7 +3,6 @@
475544 
 cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
475544 
 file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
475544
475544 
-#blank line at the begining to ease later readibility
475544 
-echo '' > "$file"
475544 
+
475544 
 echo "$cp" >> "$file"
475544 
 update-crypto-policies
475544
475544 
From d249fbe6f2b0cc8b6cd8a0bb02b03ead04e1dd12 Mon Sep 17 00:00:00 2001
475544 
From: Vojtech Polasek <vpolasek@redhat.com>
475544 
Date: Thu, 9 Jul 2020 09:06:02 +0200
475544 
Subject: [PATCH 4/9] fix separator regex in oval
475544
475544 
---
475544 
 .../crypto/harden_openssl_crypto_policy/oval/shared.xml         | 2 +-
475544 
 1 file changed, 1 insertion(+), 1 deletion(-)
475544
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
475544 
index 09199ce4da..37be62ee39 100644
475544 
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
475544 
@@ -1 +1 @@
475544 
-{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
475544 
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="\s*=\s*", ) }}}
475544
475544 
From 0b203279dde378cd45f05ec93a9653e1bc3b6002 Mon Sep 17 00:00:00 2001
475544 
From: Vojtech Polasek <vpolasek@redhat.com>
475544 
Date: Thu, 9 Jul 2020 09:06:29 +0200
475544 
Subject: [PATCH 5/9] reformat rule, fix wrong ocil
475544
475544 
---
475544 
 .../harden_openssl_crypto_policy/rule.yml     | 22 ++++++++++++++-----
475544 
 1 file changed, 16 insertions(+), 6 deletions(-)
475544
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
index afbdb36a23..d019d6cd32 100644
475544 
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
@@ -5,13 +5,23 @@ prodtype: rhel8
475544 
 title: 'Harden OpenSSL Crypto Policy'
475544
475544 
 description: |-
475544 
-    Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
475544 
-    OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
475544 
-    This can be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing <tt>xxx</tt> with arbitrary identifier, into <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running <tt>update-crypto-policies</tt> so that changes are applied.
475544 
-    Changes are propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>. This rule checks if this file contains predefined <tt>Ciphersuites</tt>  variable configured with predefined value.
475544 
+    Crypto Policies are means of enforcing certain cryptographic settings for
475544 
+    selected applications including OpenSSL. OPenSSL is by default configured to
475544 
+    modify its configuration based on currently configured Crypto-Policy.
475544 
+    However, in certain cases it might be needed to override the Crypto Policy
475544 
+    specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
475544 
+    be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing
475544 
+    <tt>xxx</tt> with arbitrary identifier, into
475544 
+    <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running
475544 
+    <tt>update-crypto-policies</tt> so that changes are applied. Changes are
475544 
+    propagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>.
475544 
+    This rule checks if this file contains predefined <tt>Ciphersuites</tt>
475544 
+    variable configured with predefined value.
475544
475544 
 rationale: |-
475544 
-    The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
475544 
+    The Common Criteria requirements specify that certain parameters for OpenSSL
475544 
+    are configured e.g. cipher suites. Currently particular requirements
475544 
+    specified by CC are stricter compared to any existing Crypto Policy.
475544
475544 
 severity: medium
475544
475544 
@@ -30,4 +40,4 @@ ocil: |-
475544 
     To verify if the OpenSSL uses defined Crypto Policy, run:
475544 
     
$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
475544 
     and verify that the line matches
475544 
-    
84285-6
475544 
+    
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
475544
475544 
From aa2555bdfe67ab41978ae92924580527c7a725eb Mon Sep 17 00:00:00 2001
475544 
From: Vojtech Polasek <vpolasek@redhat.com>
475544 
Date: Mon, 13 Jul 2020 09:49:34 +0200
475544 
Subject: [PATCH 6/9] update references
475544
475544 
---
475544 
 .../integrity/crypto/harden_openssl_crypto_policy/rule.yml    | 4 ++--
475544 
 1 file changed, 2 insertions(+), 2 deletions(-)
475544
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
index d019d6cd32..075e381906 100644
475544 
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
@@ -31,8 +31,8 @@ identifiers:
475544
475544 
 references:
475544 
     nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
475544 
-    ospp : FCS_SSHS_EXT.1
475544 
-    srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
475544 
+    ospp: FCS_TLSC_EXT.1.1
475544 
+    srg: SRG-OS-000250-GPOS-00093
475544
475544 
 ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
475544
475544
475544 
From c4e0e35f3dc4abb1cea952aed4216499c622f1cf Mon Sep 17 00:00:00 2001
475544 
From: Vojtech Polasek <vpolasek@redhat.com>
475544 
Date: Mon, 13 Jul 2020 09:49:48 +0200
475544 
Subject: [PATCH 7/9] add ansible remediation
475544
475544 
---
475544 
 .../ansible/shared.yml                           | 16 ++++++++++++++++
475544 
 1 file changed, 16 insertions(+)
475544 
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
475544
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
475544 
new file mode 100644
475544 
index 0000000000..d5c2c2b9f7
475544 
--- /dev/null
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
475544 
@@ -0,0 +1,16 @@
475544 
+# platform = Red Hat Enterprise Linux 8
475544 
+# reboot = true
475544 
+# strategy = restrict
475544 
+# complexity = low
475544 
+# disruption = low
475544 
+
475544 
+- name: "Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config"
475544 
+  lineinfile:
475544 
+    path: "/etc/crypto-policies/local.d/opensslcnf-ospp.config"
475544 
+    line: "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
475544 
+    create: yes
475544 
+    insertafter: EOF
475544 
+
475544 
+- name: "Update system crypto policy for changes to take effect"
475544 
+  command:
475544 
+    cmd: "update-crypto-policies"
475544
475544 
From 3a33b284dc3da993b1b98e75f805ebf018d7f2e9 Mon Sep 17 00:00:00 2001
475544 
From: vojtapolasek <krecoun@gmail.com>
475544 
Date: Wed, 15 Jul 2020 09:26:11 +0200
475544 
Subject: [PATCH 8/9] fix typos
475544 
MIME-Version: 1.0
475544 
Content-Type: text/plain; charset=UTF-8
475544 
Content-Transfer-Encoding: 8bit
475544
475544 
Co-authored-by: Jan Černý <jcerny@redhat.com>
475544 
---
475544 
 .../integrity/crypto/harden_openssl_crypto_policy/rule.yml  | 6 +++---
475544 
 1 file changed, 3 insertions(+), 3 deletions(-)
475544
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
index 075e381906..ce0351aa34 100644
475544 
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
@@ -6,10 +6,10 @@ title: 'Harden OpenSSL Crypto Policy'
475544
475544 
 description: |-
475544 
     Crypto Policies are means of enforcing certain cryptographic settings for
475544 
-    selected applications including OpenSSL. OPenSSL is by default configured to
475544 
-    modify its configuration based on currently configured Crypto-Policy.
475544 
+    selected applications including OpenSSL. OpenSSL is by default configured to
475544 
+    modify its configuration based on currently configured Crypto Policy.
475544 
     However, in certain cases it might be needed to override the Crypto Policy
475544 
-    specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
475544 
+    specific to OpenSSL and leave rest of the Crypto Policy intact. This can
475544 
     be done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing
475544 
     <tt>xxx</tt> with arbitrary identifier, into
475544 
     <tt>/etc/crypto-policies/local.d</tt>. This has to be followed by running
475544
475544 
From e5fa539ea5274e723a428a835673598899a301fa Mon Sep 17 00:00:00 2001
475544 
From: Vojtech Polasek <vpolasek@redhat.com>
475544 
Date: Wed, 15 Jul 2020 09:36:06 +0200
475544 
Subject: [PATCH 9/9] update rule references
475544
475544 
---
475544 
 .../integrity/crypto/harden_openssl_crypto_policy/rule.yml    | 4 ++--
475544 
 1 file changed, 2 insertions(+), 2 deletions(-)
475544
475544 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
index ce0351aa34..0cbead2a6d 100644
475544 
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
475544 
@@ -30,8 +30,8 @@ identifiers:
475544
475544 
 references:
475544 
-    nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
475544 
+    nist: SC-8(1),SC-13
475544 
     ospp: FCS_TLSC_EXT.1.1
475544 
-    srg: SRG-OS-000250-GPOS-00093
475544 
+    srg: SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223
475544
475544 
 ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
475544

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation