scap-security-guide/SOURCES/scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch

40 lines
1.6 KiB
Diff
Raw Normal View History

From bd790153e02c1d1725f59f5d88c65c77eb1421e9 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 24 Aug 2021 12:48:46 +0200
Subject: [PATCH] Add a new selector for var_system_crypto_policy and use it
RHEL8 CIS.
This new selector is used to select explicit DEFAULT value in RHEL8 CIS
L1 profiles. The "default" selector cannot be selected and it causes
errors if used.
---
controls/cis_rhel8.yml | 2 +-
.../software/integrity/crypto/var_system_crypto_policy.var | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index 29d972427cf..c0d3f5f40de 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -553,7 +553,7 @@ controls:
automated: yes
rules:
- configure_crypto_policy
- - var_system_crypto_policy=default
+ - var_system_crypto_policy=default_policy
# This rule works in conjunction with the configure_crypto_policy above.
# If a system is remediated to CIS Level 1, just the rule above will apply
diff --git a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
index ce301154a39..8b89848d122 100644
--- a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
+++ b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var
@@ -13,6 +13,7 @@ interactive: false
options:
default: DEFAULT
+ default_policy: DEFAULT
default_nosha1: "DEFAULT:NO-SHA1"
fips: FIPS
fips_ospp: "FIPS:OSPP"