diff --git a/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch b/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
new file mode 100644
index 0000000..4f0e114
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
@@ -0,0 +1,408 @@ +From 94ace689f800fde1453b986de02c1d0581174451 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 8 Jul 2020 17:37:50 +0200 +Subject: [PATCH 1/9] create rule, check, bash remediation + +--- + .../bash/shared.sh | 9 +++++ + .../oval/shared.xml | 1 + + .../harden_openssl_crypto_policy/rule.yml | 33 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 2 -- + 4 files changed, 43 insertions(+), 2 deletions(-) + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh +new file mode 100644 +index 0000000000..9838a13c95 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh +@@ -0,0 +1,9 @@ ++# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora ++ ++cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" ++file=/etc/crypto-policies/local.d/opensslcnf-ospp.config ++ ++#blank line at the begining to ease later readibility ++echo '' > "$file" ++echo "$cp" >> "$file" ++update-crypto-policies +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml +new file mode 100644 +index 0000000000..09199ce4da +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml +@@ -0,0 +1 @@ ++{{{ 
oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}} +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +new file mode 100644 +index 0000000000..afbdb36a23 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +@@ -0,0 +1,32 @@ ++documentation_complete: true ++ ++prodtype: rhel8 ++ ++title: 'Harden OpenSSL Crypto Policy' ++ ++description: |- ++ Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. ++ OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact. ++ This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied. ++ Changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks if this file contains predefined Ciphersuites variable configured with predefined value. ++ ++rationale: |- ++ The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. 
++ ++severity: medium ++ ++identifiers: ++ cce@rhel8: 84286-4 ++ ++references: ++ nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) ++ ospp : FCS_SSHS_EXT.1 ++ srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061 ++ ++ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements' ++ ++ocil: |- ++ To verify if the OpenSSL uses defined Crypto Policy, run: ++
$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
++ and verify that the line matches ++
84285-6
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index afc0d80417..01b321b6d5 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -904,8 +904,6 @@ CCE-84281-5 + CCE-84282-3 + CCE-84283-1 + CCE-84284-9 +-CCE-84285-6 +-CCE-84286-4 + CCE-84287-2 + CCE-84288-0 + CCE-84289-8 + +From ddc8380b44f907872f6f3b9b0d10421329e3c0a1 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 8 Jul 2020 17:38:32 +0200 +Subject: [PATCH 2/9] add tests + +--- + .../harden_openssl_crypto_policy/tests/correct.pass.sh | 7 +++++++ + .../tests/correct_commented.fail.sh | 7 +++++++ + .../tests/correct_followed_by_incorrect.fail.sh | 8 ++++++++ + .../tests/empty_policy.fail.sh | 7 +++++++ + .../tests/incorrect_followed_by_correct.pass.sh | 8 ++++++++ + .../tests/incorrect_policy.fail.sh | 7 +++++++ + .../tests/missing_file.fail.sh | 7 +++++++ + 7 files changed, 51 insertions(+) + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh 
b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh +new file mode 100644 +index 0000000000..9e59b30bd2 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh +new file mode 100644 +index 0000000000..91863849b3 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "#Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh +new file mode 100644 +index 0000000000..f44957d3e1 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ 
++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile" ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" >> "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh +new file mode 100644 +index 0000000000..5b14fe8ef4 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "Ciphersuites=" > "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh +new file mode 100644 +index 0000000000..6be3bb2ffa +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh +@@ -0,0 +1,8 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile" ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" >> "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh 
b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh +new file mode 100644 +index 0000000000..b4fd0f97be +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile" +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh +new file mode 100644 +index 0000000000..2d11d227cb +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 ++# profiles = xccdf_org.ssgproject.content_profile_ospp ++ ++configfile=/etc/crypto-policies/back-ends/opensslcnf.config ++ ++rm -f "$configfile" + +From b08a7f3889e4592dc54a431aa4cfb6983990daba Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 9 Jul 2020 09:05:38 +0200 +Subject: [PATCH 3/9] remove blank line from remediation + +--- + .../crypto/harden_openssl_crypto_policy/bash/shared.sh | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh +index 9838a13c95..be6f84f83d 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh 
+@@ -3,7 +3,6 @@ + cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" + file=/etc/crypto-policies/local.d/opensslcnf-ospp.config + +-#blank line at the begining to ease later readibility +-echo '' > "$file" ++ + echo "$cp" >> "$file" + update-crypto-policies + +From d249fbe6f2b0cc8b6cd8a0bb02b03ead04e1dd12 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 9 Jul 2020 09:06:02 +0200 +Subject: [PATCH 4/9] fix separator regex in oval + +--- + .../crypto/harden_openssl_crypto_policy/oval/shared.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml +index 09199ce4da..37be62ee39 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml +@@ -1 +1 @@ +-{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}} ++{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="\s*=\s*", ) }}} + +From 0b203279dde378cd45f05ec93a9653e1bc3b6002 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 9 Jul 2020 09:06:29 +0200 +Subject: [PATCH 5/9] reformat rule, fix wrong ocil + +--- + .../harden_openssl_crypto_policy/rule.yml | 22 ++++++++++++++----- + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml 
b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +index afbdb36a23..d019d6cd32 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +@@ -5,13 +5,23 @@ prodtype: rhel8 + title: 'Harden OpenSSL Crypto Policy' + + description: |- +- Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. +- OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact. +- This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied. +- Changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks if this file contains predefined Ciphersuites variable configured with predefined value. ++ Crypto Policies are means of enforcing certain cryptographic settings for ++ selected applications including OpenSSL. OPenSSL is by default configured to ++ modify its configuration based on currently configured Crypto-Policy. ++ However, in certain cases it might be needed to override the Crypto Policy ++ specific to OpenSSL r and leave rest of the Crypto Policy intact. This can ++ be done by dropping a file named opensslcnf-xxx.config, replacing ++ xxx with arbitrary identifier, into ++ /etc/crypto-policies/local.d. This has to be followed by running ++ update-crypto-policies so that changes are applied. Changes are ++ propagated into /etc/crypto-policies/back-ends/opensslcnf.config. 
++ This rule checks if this file contains predefined Ciphersuites ++ variable configured with predefined value. + + rationale: |- +- The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. ++ The Common Criteria requirements specify that certain parameters for OpenSSL ++ are configured e.g. cipher suites. Currently particular requirements ++ specified by CC are stricter compared to any existing Crypto Policy. + + severity: medium + +@@ -30,4 +40,4 @@ ocil: |- + To verify if the OpenSSL uses defined Crypto Policy, run: +
$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
+ and verify that the line matches +-
84285-6
++
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+ +From aa2555bdfe67ab41978ae92924580527c7a725eb Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 13 Jul 2020 09:49:34 +0200 +Subject: [PATCH 6/9] update references + +--- + .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +index d019d6cd32..075e381906 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +@@ -31,8 +31,8 @@ identifiers: + + references: + nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) +- ospp : FCS_SSHS_EXT.1 +- srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061 ++ ospp: FCS_TLSC_EXT.1.1 ++ srg: SRG-OS-000250-GPOS-00093 + + ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements' + + +From c4e0e35f3dc4abb1cea952aed4216499c622f1cf Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Mon, 13 Jul 2020 09:49:48 +0200 +Subject: [PATCH 7/9] add ansible remediation + +--- + .../ansible/shared.yml | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml +new file mode 100644 +index 0000000000..d5c2c2b9f7 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml +@@ -0,0 +1,16 @@ ++# platform = Red Hat Enterprise Linux 8 ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = 
low ++ ++- name: "Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config" ++ lineinfile: ++ path: "/etc/crypto-policies/local.d/opensslcnf-ospp.config" ++ line: "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" ++ create: yes ++ insertafter: EOF ++ ++- name: "Update system crypto policy for changes to take effect" ++ command: ++ cmd: "update-crypto-policies" + +From 3a33b284dc3da993b1b98e75f805ebf018d7f2e9 Mon Sep 17 00:00:00 2001 +From: vojtapolasek +Date: Wed, 15 Jul 2020 09:26:11 +0200 +Subject: [PATCH 8/9] fix typos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-authored-by: Jan Černý +--- + .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +index 075e381906..ce0351aa34 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +@@ -6,10 +6,10 @@ title: 'Harden OpenSSL Crypto Policy' + + description: |- + Crypto Policies are means of enforcing certain cryptographic settings for +- selected applications including OpenSSL. OPenSSL is by default configured to +- modify its configuration based on currently configured Crypto-Policy. ++ selected applications including OpenSSL. OpenSSL is by default configured to ++ modify its configuration based on currently configured Crypto Policy. + However, in certain cases it might be needed to override the Crypto Policy +- specific to OpenSSL r and leave rest of the Crypto Policy intact. This can ++ specific to OpenSSL and leave rest of the Crypto Policy intact. 
This can + be done by dropping a file named opensslcnf-xxx.config, replacing + xxx with arbitrary identifier, into + /etc/crypto-policies/local.d. This has to be followed by running + +From e5fa539ea5274e723a428a835673598899a301fa Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Wed, 15 Jul 2020 09:36:06 +0200 +Subject: [PATCH 9/9] update rule references + +--- + .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +index ce0351aa34..0cbead2a6d 100644 +--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml +@@ -30,8 +30,8 @@ identifiers: + + references: +- nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3) ++ nist: SC-8(1),SC-13 + ospp: FCS_TLSC_EXT.1.1 +- srg: SRG-OS-000250-GPOS-00093 ++ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223 + + ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements' + diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index e8caa82..d073a0c 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.50 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Security guidance and baselines in SCAP formats Group: Applications/System License: BSD 
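Review bot: The bash remediation in bash/shared.sh, in its final form after patch 3/9, appends with `echo "$cp" >> "$file"` and neither truncates nor checks for an existing line, so every run adds another identical `Ciphersuites` line to /etc/crypto-policies/local.d/opensslcnf-ospp.config; patch 1/9 had a truncating `echo '' > "$file"` that 3/9 removed without a replacement. Making it idempotent, in line with the Ansible `lineinfile` task of patch 7/9, is one line: `grep -qxF -- "$cp" "$file" 2>/dev/null || printf '%s\n' "$cp" >> "$file"`. The exit status of `update-crypto-policies` is also not checked, so a failed regeneration of back-ends/opensslcnf.config (the file the OVAL actually evaluates) still looks like a successful remediation; `update-crypto-policies || exit 1` would surface it. The Ansible task has the mirror-image gap: it runs `update-crypto-policies` unconditionally, so it reports a change on every run; `register: opensslcnf_ospp` on the lineinfile task and `when: opensslcnf_ospp.changed` on the command task would make it converge.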
@@ -22,6 +22,7 @@ Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
 Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
 Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
 Patch13: scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch
+Patch14: scap-security-guide-0.1.52-harden-openssl-crypto-policy_PR_5925.patch
 BuildArch: noarch
 # To get python3 inside the buildroot require its path explicitly in BuildRequires
@@ -69,6 +70,7 @@ present in %{name} package.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 mkdir build
 %build
@@ -103,6 +105,10 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Fri Jul 17 2020 Watson Sato - 0.1.50-8
+- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
+ - Remove CCM from TLS Ciphersuites
+
 * Mon Jun 29 2020 Matěj Týč - 0.1.50-7
 - Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)