Tree - rpms/scap-security-guide

skyler / rpms / scap-security-guide

Forked from rpms/scap-security-guide 3 years ago
Source
Stats
Files

Commit: 575137e6a33f80e1d70ec7248ee82b9a9e1a9913
Blob Blame History Raw
From c8d00d88a253efc7d3eed11349c4481f8a7e344d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 Feb 2019 14:40:25 +0100
Subject: [PATCH 1/3] Add test scenario for crypto-policy nss.config

---
 .../nss_config_as_file.pass.sh                       | 12 ++++++++++++
 .../nss_config_as_symlink.pass.sh                    | 12 ++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
 create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh

diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
new file mode 100644
index 0000000000..89927d0537
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+update-crypto-policies --set "FIPS"
+
+CRYPTO_POLICY_LIB_FILE="/etc/crypto-policies/back-ends/nss.config"
+SYMLINK_TO_FOLDER="/usr/share/crypto-policies/FIPS/"
+SYMLINK_TO_FILE="nss.txt"
+rm -f $CRYPTO_POLICY_LIB_FILE
+mkdir -p $SYMLINK_TO_FOLDER
+cp $SYMLINK_TO_FOLDER$SYMLINK_TO_FILE $CRYPTO_POLICY_LIB_FILE
diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh
new file mode 100644
index 0000000000..28d704e54f
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+update-crypto-policies --set "FIPS"
+
+CRYPTO_POLICY_LIB_FILE="/etc/crypto-policies/back-ends/nss.config"
+SYMLINK_TO_FOLDER="/usr/share/crypto-policies/FIPS/"
+SYMLINK_TO_FILE="nss.txt"
+rm -f $CRYPTO_POLICY_LIB_FILE
+mkdir -p $SYMLINK_TO_FOLDER
+ln -s $SYMLINK_TO_FOLDER$SYMLINK_TO_FILE $CRYPTO_POLICY_LIB_FILE

From 0c3fb5b64f19fef3ae2dac8bbeb71d9d2ae29b54 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 Feb 2019 14:41:01 +0100
Subject: [PATCH 2/3] Update check for configure_crypto_policy

---
 .../crypto/configure_crypto_policy/oval/shared.xml       | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
index 2d42ac26d1..446c584a76 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
@@ -55,11 +55,11 @@
       {{{ crypto_policy_symlink_criterion(library="java") }}}
       {{{ crypto_policy_symlink_criterion(library="krb5") }}}
       {{{ crypto_policy_symlink_criterion(library="libreswan") }}}
-      {{{ crypto_policy_symlink_criterion(library="nss") }}}
       {{{ crypto_policy_symlink_criterion(library="openssh") }}}
       {{{ crypto_policy_symlink_criterion(library="opensshserver") }}}
       {{{ crypto_policy_symlink_criterion(library="openssl") }}}
   {{% endif %}}
+      <criterion comment="Check if /etc/crypto-policies/back-ends/nss.config exists" test_ref="test_crypto_policy_nss_config" />
     </criteria>
   </definition>
 
@@ -146,6 +146,13 @@ id="object_crypto_policies_config_file_modified_time" version="1">
   {{{ crypto_policy_symlink_check(library="openssl") }}}
 {{% endif %}}
 
+  <unix:file_test check="all" check_existence="all_exist" comment="Check if /etc/crypto-policies/back-ends/nss.config exists" id="test_crypto_policy_nss_config" version="1">
+    <unix:object object_ref="object_crypto_policy_nss_config" />
+  </unix:file_test>
+  <unix:file_object id="object_crypto_policy_nss_config" version="1">
+    <unix:filepath>/etc/crypto-policies/back-ends/nss.config</unix:filepath>
+  </unix:file_object>
+
   <external_variable comment="defined crypto policy" datatype="string"
   id="var_system_crypto_policy" version="1" />
 

From e43c26bbcbedf32607a5c997b786b48973df2bcf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 Feb 2019 17:47:51 +0100
Subject: [PATCH 3/3] Add negative test for crypto-policy nss.config

---
 .../missing_nss_config.fail.sh                             | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh

diff --git a/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh
new file mode 100644
index 0000000000..7611efd3f3
--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+update-crypto-policies --set "FIPS"
+
+rm -f "/etc/crypto-policies/back-ends/nss.config"
skyler / rpms / scap-security-guide

Source Code

Files
