From e0f1e2096d0f33fa94e3f78a5038e929b0039c32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 27 Jan 2020 11:51:53 +0100
Subject: [PATCH 1/6] Add a rule for the openssl strong entropy wrapper.

---
 .../openssl_use_strong_entropy/rule.yml       | 65 +++++++++++++++++++
 rhel8/profiles/ospp.profile                   |  1 +
 shared/references/cce-redhat-avail.txt        |  1 -
 3 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
new file mode 100644
index 0000000000..e9ea8ed338
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -0,0 +1,65 @@
+documentation_complete: true
+
+# TODO: The plan is not to need this for RHEL>=8.4
+prodtype: rhel8
+
+title: 'OpenSSL uses strong entropy source'
+
+description: |-
+    To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
+    save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+    <pre>
+    # provide a default -rand /dev/random option to openssl commands that
+    # support it
+
+    # written inefficiently for maximum shell compatibility
+    openssl()
+    (
+      openssl_bin=/usr/bin/openssl
+
+      case "$*" in
+        # if user specified -rand, honor it
+        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+      esac
+
+      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+      for i in `$openssl_bin list -commands`; do
+        if $openssl_bin list -options "$i" | grep -q '^rand '; then
+          cmds=" $i $cmds"
+        fi
+      done
+
+      case "$cmds" in
+        *\ "$1"\ *)
+          cmd="$1"; shift
+          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+      esac
+
+      exec $openssl_bin "$@"
+    )
+    </pre>
+
+rationale: |-
+    The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
+    The referenced script is sourced to every login shell, and it transparently adds an option
+    that enforces strong entropy to every <tt>openssl</tt> invocation,
+    which makes <tt>openssl</tt> more secure by default.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82721-2
+
+references:
+    ospp: FIA_AFL.1
+
+ocil: |-
+    To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
+    make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
+    that are included in the rule's description.
+
+ocil_clause: |-
+    there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
+
+warnings:
+    - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
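Review bot: The `ospp: FIA_AFL.1` reference looks like the wrong requirement for this rule: FIA_AFL.1 is authentication failure handling, whereas random bit generation in the OS protection profile is covered by FCS_RBG_EXT.1 — please verify against the PP before this is merged. The `warnings` entry is the only place that tells an admin the practical effect of `-rand /dev/random`; it would help to also say there that the option only supplies seed material to OpenSSL and does not change which DRBG the build uses. The TODO on `prodtype` states the intent to drop the rule for RHEL >= 8.4 but not why; a short reason, e.g. `# TODO: not needed once the platform's default OpenSSL seeding is acceptable for RHEL>=8.4`, would let the next maintainer judge when it can go.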
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 63aea526b7..ef3ced5010 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -59,6 +59,7 @@ selections:
     - sshd_enable_warning_banner
     - sshd_rekey_limit
     - sshd_use_strong_rng
+    - openssl_use_strong_entropy
 
     # Time Server
     - chronyd_client_only
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4cb08794f4..1733872dfa 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -248,6 +248,5 @@
 CCE-82719-6
 CCE-82720-4
-CCE-82721-2
 CCE-82722-0
 CCE-82723-8
 CCE-82724-6

From bbd0f8b1234858a4abeece07d7d188bb07d3d077 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 27 Jan 2020 19:35:06 +0100
Subject: [PATCH 2/6] create checks, remediations,

---
 .../ansible/shared.yml                        | 12 +++++++
 .../openssl_use_strong_entropy/bash/shared.sh |  5 +++
 .../oval/shared.xml                           | 34 +++++++++++++++++++
 .../openssl_use_strong_entropy/rule.yml       | 29 +---------------
 shared/macros.jinja                           | 34 ++++++++++++++++++-
 5 files changed, 85 insertions(+), 29 deletions(-)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
new file mode 100644
index 0000000000..3ce26d6525
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "copy a file with shell snippet to configure openssl strong entropy"
+  copy:
+    dest: /etc/profile.d/cc-config.sh
+    content: |+
+        {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
+        
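Review bot: The `copy` task sets no `owner`, `group` or `mode`, so the permissions of a file that every login shell will source depend on the controller's and target's defaults; add `owner: root`, `group: root` and `mode: '0644'` to the task. The same gap exists in bash/shared.sh in this patch, where `cat >` leaves the mode to the umask for a new file, or to whatever mode an existing file already had. Since the OVAL check pins a SHA-256 of the file, the bytes produced here via `|+` and `indent(8)` must be identical to those produced by the bash heredoc; a comment on the task noting that constraint would save the next person who edits either side.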
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
new file mode 100644
index 0000000000..db5c331ce7
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
@@ -0,0 +1,5 @@
+# platform = Red Hat Enterprise Linux 8
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+{{{ openssl_strong_entropy_config_file() }}}
+EOM
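Review bot: `<<-` strips leading tabs from the heredoc body, so the written file depends on whether `openssl_strong_entropy_config_file()` ever renders a tab; with the OVAL state pinning a hash of the whole file, that is an avoidable variable, and a plain quoted delimiter `cat > /etc/profile.d/cc-config.sh <<'EOM'` removes it. A one-line comment above the heredoc, `# content must match the hash in oval/shared.xml byte for byte`, would make the coupling visible. The remediation also does not set the file's mode; that point is raised on the ansible hunk of this patch.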
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
new file mode 100644
index 0000000000..b441b7ae6e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
@@ -0,0 +1,34 @@
+<def-group>
+  <definition class="compliance" id="openssl_use_strong_entropy" version="1">
+    <metadata>
+      <title>Configure Openssl to use strong entropy</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 8</platform>
+        <platform>multi_platform_fedora</platform>
+      </affected>
+      <description>OpenSSL should be configured to generate random data with strong entropy.</description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="test_openssl_strong_entropy"
+      comment="Check that the OpenSSL is configured to generate random data with strong entropy." />
+    </criteria>
+  </definition>
+
+  <ind:filehash58_test id="test_openssl_strong_entropy"
+  comment="Test if openssl is configured to generate random data with strong entropy" version="1"
+  check="all" check_existence="all_exist">
+    <ind:object object_ref="object_openssl_strong_entropy"/>
+    <ind:state state_ref="state_openssl_strong_entropy"/>
+  </ind:filehash58_test>
+
+  <ind:filehash58_object id="object_openssl_strong_entropy" version="1">
+    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+    <ind:hash_type>SHA-256</ind:hash_type>
+  </ind:filehash58_object>
+
+  <ind:filehash58_state id="state_openssl_strong_entropy" version="1">
+    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+    <ind:hash_type>SHA-256</ind:hash_type>
+    <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
+  </ind:filehash58_state>
+</def-group>
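Review bot: The literal in `<ind:hash>` is tied to nothing in the content: any edit to `openssl_strong_entropy_config_file()` — even to a comment line — silently turns every scan of this rule into a fail, and both remediations must write byte-identical files for the state to match. Add a comment above the state, e.g. `<!-- SHA-256 of the profile.d file as written by the bash remediation; regenerate whenever openssl_strong_entropy_config_file() changes -->`. It is also worth stating in the definition's `<description>` that the check verifies the file's bytes only, not its ownership or mode, and not that the wrapper is actually in effect in any shell.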
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index e9ea8ed338..3b01da01af 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -9,34 +9,7 @@ description: |-
     To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
     save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
     <pre>
-    # provide a default -rand /dev/random option to openssl commands that
-    # support it
-
-    # written inefficiently for maximum shell compatibility
-    openssl()
-    (
-      openssl_bin=/usr/bin/openssl
-
-      case "$*" in
-        # if user specified -rand, honor it
-        *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
-      esac
-
-      cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
-      for i in `$openssl_bin list -commands`; do
-        if $openssl_bin list -options "$i" | grep -q '^rand '; then
-          cmds=" $i $cmds"
-        fi
-      done
-
-      case "$cmds" in
-        *\ "$1"\ *)
-          cmd="$1"; shift
-          exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
-      esac
-
-      exec $openssl_bin "$@"
-    )
+    {{{ openssl_strong_entropy_config_file() | indent(4) }}}
     </pre>
 
 rationale: |-
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 77f8eb31c7..8a25acc937 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -618,10 +618,42 @@ ocil_clause: "the correct value is not returned"
 
 
 {{% macro body_of_warning_about_dependent_rule(rule_id, why) -%}}
-        When selecting this rule in a profile, 
+        When selecting this rule in a profile,
         {{%- if why %}}
             make sure that rule with ID <code>{{{ rule_id }}}</code> is selected as well: {{{ why }}}
         {{%- else %}}
             rule <code>{{{ rule_id }}}</code> has to be selected as well.
         {{%- endif %}}
 {{% endmacro %}}
+
+{{% macro openssl_strong_entropy_config_file() -%}}
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+  openssl_bin=/usr/bin/openssl
+
+  case "$*" in
+    # if user specified -rand, honor it
+    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+  esac
+
+  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+  for i in `$openssl_bin list -commands`; do
+    if $openssl_bin list -options "$i" | grep -q '^rand '; then
+      cmds=" $i $cmds"
+    fi
+  done
+
+  case "$cmds" in
+    *\ "$1"\ *)
+      cmd="$1"; shift
+      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+  esac
+
+  exec $openssl_bin "$@"
+)
+
+{{%- endmacro %}}
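Review bot: The function body is a `( … )` subshell, which is what makes the three `exec` lines safe — they replace the subshell, never the login shell that sourced the file — and that deserves a comment next to the opening parenthesis, e.g. `# subshell body: exec replaces only this subshell, not the calling shell`. The `case "$*"` test is a substring match on the joined argument string, so any single argument that happens to contain ` -rand ` or ` -help` is treated as the user's option; that is probably acceptable for a profile.d wrapper but should be documented rather than left implicit. `cmds` is only guaranteed a leading space when the loop added at least one command, so, depending on how `list -digest-commands -cipher-commands` formats its first line, the `*\ "$1"\ *` pattern may never match the first digest or cipher command; starting the initial assignment with a literal space before the backtick expansion makes the match uniform. Note too that a shell function reaches only shells that source /etc/profile.d, not scripts, cron jobs, services or programs linking libcrypto.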

From efaa2c9cbbe09af6b319f487ec05f646290a05a1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 28 Jan 2020 13:42:40 +0100
Subject: [PATCH 3/6] add tests

---
 .../tests/correct.pass.sh                     | 34 +++++++++++++++++++
 .../tests/file_missing.fail.sh                |  5 +++
 .../tests/file_modified.fail.sh               |  5 +++
 3 files changed, 44 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
new file mode 100644
index 0000000000..0bffab3c81
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+# provide a default -rand /dev/random option to openssl commands that
+# support it
+
+# written inefficiently for maximum shell compatibility
+openssl()
+(
+  openssl_bin=/usr/bin/openssl
+
+  case "$*" in
+    # if user specified -rand, honor it
+    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
+  esac
+
+  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
+  for i in `$openssl_bin list -commands`; do
+    if $openssl_bin list -options "$i" | grep -q '^rand '; then
+      cmds=" $i $cmds"
+    fi
+  done
+
+  case "$cmds" in
+    *\ "$1"\ *)
+      cmd="$1"; shift
+      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
+  esac
+
+  exec $openssl_bin "$@"
+)
+EOM
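Review bot: The pass test hand-copies the snippet instead of rendering `{{{ openssl_strong_entropy_config_file() }}}` the way bash/shared.sh does, so the test, the remediation and the pinned OVAL hash are three copies that must be kept in lockstep by hand. If the test harness renders jinja in scenario files (it appears to for remediations; I have not confirmed for tests), using the macro here keeps the pass case honest; otherwise add `# keep in sync with openssl_strong_entropy_config_file() in shared/macros.jinja` under the shebang. A scenario with correct content but wrong ownership or mode would also document that the check is content-only.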
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
new file mode 100644
index 0000000000..c1d526902c
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+rm -f /etc/profile.d/cc-config.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
new file mode 100644
index 0000000000..313d14a37f
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo "wrong data" > /etc/profile.d/cc-config.sh

From 223194744d54d0400ab1d2981761166580a4f017 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 29 Jan 2020 11:12:46 +0100
Subject: [PATCH 4/6] remove blank=true from  jinja macro as rhel6 and rhel7 do
 not support it

---
 .../crypto/openssl_use_strong_entropy/ansible/shared.yml        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index 3ce26d6525..bdc530f9f5 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -8,5 +8,5 @@
   copy:
     dest: /etc/profile.d/cc-config.sh
     content: |+
-        {{{ openssl_strong_entropy_config_file()|indent(8,blank=True) }}}
+        {{{ openssl_strong_entropy_config_file()|indent(8) }}}
         

From bd41dcc77b326ed4bc352fe15d083ca6b144855f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 30 Jan 2020 14:25:31 +0100
Subject: [PATCH 5/6] reword rationale, change file name

Rename the file from cc-config.sh to openssl-rand.sh, and change the title of the OVAL definition.
---
 .../openssl_use_strong_entropy/ansible/shared.yml  |  2 +-
 .../openssl_use_strong_entropy/bash/shared.sh      |  2 +-
 .../openssl_use_strong_entropy/oval/shared.xml     | 11 ++++-------
 .../crypto/openssl_use_strong_entropy/rule.yml     | 14 +++++---------
 .../tests/correct.pass.sh                          |  2 +-
 .../tests/file_missing.fail.sh                     |  2 +-
 .../tests/file_modified.fail.sh                    |  2 +-
 7 files changed, 14 insertions(+), 21 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index bdc530f9f5..6ee232892d 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -6,7 +6,7 @@
 
 - name: "copy a file with shell snippet to configure openssl strong entropy"
   copy:
-    dest: /etc/profile.d/cc-config.sh
+    dest: /etc/profile.d/openssl-rand.sh
     content: |+
         {{{ openssl_strong_entropy_config_file()|indent(8) }}}
         
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
index db5c331ce7..d8c9935005 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/bash/shared.sh
@@ -1,5 +1,5 @@
 # platform = Red Hat Enterprise Linux 8
 
-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
 {{{ openssl_strong_entropy_config_file() }}}
 EOM
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
index b441b7ae6e..847754f36d 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
@@ -1,11 +1,8 @@
 <def-group>
   <definition class="compliance" id="openssl_use_strong_entropy" version="1">
     <metadata>
-      <title>Configure Openssl to use strong entropy</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 8</platform>
-        <platform>multi_platform_fedora</platform>
-      </affected>
+      <title>Configure OpenSSL to use strong entropy</title>
+      {{{- oval_affected(products) }}}
       <description>OpenSSL should be configured to generate random data with strong entropy.</description>
     </metadata>
     <criteria>
@@ -22,12 +19,12 @@
   </ind:filehash58_test>
 
   <ind:filehash58_object id="object_openssl_strong_entropy" version="1">
-    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+    <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
     <ind:hash_type>SHA-256</ind:hash_type>
   </ind:filehash58_object>
 
   <ind:filehash58_state id="state_openssl_strong_entropy" version="1">
-    <ind:filepath>/etc/profile.d/cc-config.sh</ind:filepath>
+    <ind:filepath>/etc/profile.d/openssl-rand.sh</ind:filepath>
     <ind:hash_type>SHA-256</ind:hash_type>
     <ind:hash>6488c757642cd493da09dd78ee27f039711a1ad79039900970553772fd2106af</ind:hash>
   </ind:filehash58_state>
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index 3b01da01af..dd82336532 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -7,19 +7,15 @@ title: 'OpenSSL uses strong entropy source'
 
 description: |-
     To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
-    save the following shell snippet to the <tt>/etc/profile.d/cc-config.sh</tt>:
+    save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
     <pre>
     {{{ openssl_strong_entropy_config_file() | indent(4) }}}
     </pre>
 
 rationale: |-
-    The <tt>openssl</tt> default configuration uses less robust entropy sources for seeding.
-    The referenced script is sourced to every login shell, and it transparently adds an option
-    that enforces strong entropy to every <tt>openssl</tt> invocation,
-    which makes <tt>openssl</tt> more secure by default.
+    This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
 
 severity: medium
-
 identifiers:
     cce@rhel8: 82721-2
 
@@ -27,12 +23,12 @@ references:
     ospp: FIA_AFL.1
 
 ocil: |-
-    To determine whether the <tt>openssl</tt> wrapper is configured correcrlty,
-    make sure that the <tt>/etc/profile.d/cc-config.sh</tt> file contains contents
+    To determine whether the <tt>openssl</tt> wrapper is configured correctly,
+    make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
     that are included in the rule's description.
 
 ocil_clause: |-
-    there is no <tt>/etc/profile.d/cc-config.sh</tt> file, or its contents don't match those in the description
+    there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description
 
 warnings:
     - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy blocks the program until enough entropy is available."
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
index 0bffab3c81..d7f3ce8c87 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/correct.pass.sh
@@ -2,7 +2,7 @@
 # platform = Red Hat Enterprise Linux 8
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 
-cat > /etc/profile.d/cc-config.sh <<- 'EOM'
+cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
 # provide a default -rand /dev/random option to openssl commands that
 # support it
 
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
index c1d526902c..64a580da91 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_missing.fail.sh
@@ -2,4 +2,4 @@
 # platform = Red Hat Enterprise Linux 8
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 
-rm -f /etc/profile.d/cc-config.sh
+rm -f /etc/profile.d/openssl-rand.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
index 313d14a37f..2c812e874b 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/tests/file_modified.fail.sh
@@ -2,4 +2,4 @@
 # platform = Red Hat Enterprise Linux 8
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 
-echo "wrong data" > /etc/profile.d/cc-config.sh
+echo "wrong data" > /etc/profile.d/openssl-rand.sh

From 679bd9cd08f962b3a88197817c199bd90a47f8d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 31 Jan 2020 16:34:48 +0100
Subject: [PATCH 6/6] Rule and remediation wording improvements.

---
 .../openssl_use_strong_entropy/ansible/shared.yml |  3 +--
 .../crypto/openssl_use_strong_entropy/rule.yml    | 15 ++++++++++-----
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
index 6ee232892d..25afb8e27f 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/ansible/shared.yml
@@ -4,9 +4,8 @@
 # complexity = low
 # disruption = low
 
-- name: "copy a file with shell snippet to configure openssl strong entropy"
+- name: "Put a file with shell wrapper to configure OpenSSL to always use strong entropy"
   copy:
     dest: /etc/profile.d/openssl-rand.sh
     content: |+
         {{{ openssl_strong_entropy_config_file()|indent(8) }}}
-        
diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
index dd82336532..8a958e93b0 100644
--- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml
@@ -6,14 +6,18 @@ prodtype: rhel8
 title: 'OpenSSL uses strong entropy source'
 
 description: |-
-    To set up an <tt>openssl</tt> wrapper that adds a <tt>-rand /dev/random</tt> option to the <tt>openssl</tt> invocation,
-    save the following shell snippet to the <tt>/etc/profile.d/openssl-rand.sh</tt>:
+    By default, OpenSSL doesn't always use a SP800-90A compliant random number generator.
+    A way to configure OpenSSL to always use a strong source is to setup a wrapper that
+    defines a shell function that shadows the actual <tt>openssl</tt> binary,
+    and that ensures that the <tt>-rand /dev/random</tt> option is added to every <tt>openssl</tt> invocation.
+
+    To do so, place the following shell snippet exactly as-is to <tt>/etc/profile.d/openssl-rand.sh</tt>:
     <pre>
     {{{ openssl_strong_entropy_config_file() | indent(4) }}}
     </pre>
 
 rationale: |-
-    This rule ensures that <tt>openssl</tt> always uses SP800-90A compliant random number generator.
+    This rule ensures that <tt>openssl</tt> invocations always uses SP800-90A compliant random number generator as a default behavior.
 
 severity: medium
 identifiers:
@@ -23,8 +27,9 @@ references:
     ospp: FIA_AFL.1
 
 ocil: |-
-    To determine whether the <tt>openssl</tt> wrapper is configured correctly,
-    make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contains contents
+    To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation
+    uses a SP800-90A compliant entropy source,
+    make sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contents exactly match those
     that are included in the rule's description.
 
 ocil_clause: |-