From bd790153e02c1d1725f59f5d88c65c77eb1421e9 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Tue, 24 Aug 2021 12:48:46 +0200

Subject: [PATCH] Add a new selector for var_system_crypto_policy and use it

 RHEL8 CIS.

This new selector is used to select explicit DEFAULT value in RHEL8 CIS

L1 profiles. The "default" selector cannot be selected and it causes

errors if used.

---

 controls/cis_rhel8.yml                                          | 2 +-

 .../software/integrity/crypto/var_system_crypto_policy.var      | 1 +

 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml

index 29d972427cf..c0d3f5f40de 100644

--- a/controls/cis_rhel8.yml

+++ b/controls/cis_rhel8.yml

@@ -553,7 +553,7 @@ controls:

     automated: yes

     rules:

       - configure_crypto_policy

-      - var_system_crypto_policy=default

+      - var_system_crypto_policy=default_policy

   # This rule works in conjunction with the configure_crypto_policy above.

   # If a system is remediated to CIS Level 1, just the rule above will apply

diff --git a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var

index ce301154a39..8b89848d122 100644

--- a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var

+++ b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var

@@ -13,6 +13,7 @@ interactive: false

 options:

     default: DEFAULT

+    default_policy: DEFAULT

     default_nosha1: "DEFAULT:NO-SHA1"

     fips: FIPS

     fips_ospp: "FIPS:OSPP"