make rule stricter when checking for fips crypto-policies

Resolves: rhbz#2057082
2022-07-18 11:16:51 +02:00 · 2022-07-18 11:16:51 +02:00 · 17023b428c
parent 5d949040cc
commit 17023b428c
2 changed files with 32 additions and 0 deletions
--- a/scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch
+++ b/scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch
@ -0,0 +1,30 @@
+From 402df0b7dff60a71ed546f025f0a0374fe744605 Mon Sep 17 00:00:00 2001
+From: Matej Tyc <matyc@redhat.com>
+Date: Thu, 14 Jul 2022 17:28:00 +0200
+Subject: [PATCH] Reduce the list of FIPS crypto policies
+
+RHEL9 and newer systems have no reasons to recognize FIPS crypto policies with modifiers
+as FIPS, except the FIPS:OSPP.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2057082
+---
+ .../software/integrity/fips/enable_fips_mode/oval/shared.xml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+index 7cf1de346a7..65056a654c6 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+@@ -21,7 +21,12 @@
+     <ind:var_ref>var_system_crypto_policy</ind:var_ref>
+   </ind:variable_object>
+   <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
+  {{% if product in ["ol9","rhel9"] -%}}
+    <ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
+  {{%- else %}}
+  {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
+     <ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
+  {{%- endif %}}
+   </ind:variable_state>
+   <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
+ </def-group>
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -36,6 +36,7 @@ Patch8:                scap-security-guide-0.1.63-remove_rule_login_defs_min_siz
 Patch9:                scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch
 Patch10:                scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch
 Patch11:                scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch
+Patch12:                scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch

 %description
 The scap-security-guide project provides a guide for configuration of the
@ -123,6 +124,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 - Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
 - Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
 - Remove rules related to NIS services (RHBZ#2096602)
+- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)

 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)