From 17023b428c1fe07b7d90b03193d787d403246dac Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 18 Jul 2022 11:16:51 +0200
Subject: [PATCH] make rule stricter when checking for fips crypto-policies

Resolves: rhbz#2057082
---
 ...ke_fips_subpolicies_stricter-PR_9149.patch | 30 +++++++++++++++++++
 scap-security-guide.spec | 2 ++
 2 files changed, 32 insertions(+)
 create mode 100644 scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch

diff --git a/scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch b/scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch
new file mode 100644
index 0000000..66b2b40
--- /dev/null
+++ b/scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch
@@ -0,0 +1,30 @@
+From 402df0b7dff60a71ed546f025f0a0374fe744605 Mon Sep 17 00:00:00 2001
+From: Matej Tyc
+Date: Thu, 14 Jul 2022 17:28:00 +0200
+Subject: [PATCH] Reduce the list of FIPS crypto policies
+
+RHEL9 and newer systems have no reasons to recognize FIPS crypto policies with modifiers
+as FIPS, except the FIPS:OSPP.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2057082
+---
+ .../software/integrity/fips/enable_fips_mode/oval/shared.xml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+index 7cf1de346a7..65056a654c6 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+@@ -21,7 +21,12 @@
+ var_system_crypto_policy
+ 
+ 
++ {{% if product in ["ol9","rhel9"] -%}}
++ ^FIPS(:OSPP)?$
++ {{%- else %}}
++ {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
+ ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$
++ {{%- endif %}}
+ 
+ 
+ 
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index b456c26..f5702b1 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -36,6 +36,7 @@ Patch8: scap-security-guide-0.1.63-remove_rule_login_defs_min_siz
 Patch9: scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch
 Patch10: scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch
 Patch11: scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch
+Patch12: scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch
 
 %description
 The scap-security-guide project provides a guide for configuration of the
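Review bot: The product test `{{% if product in ["ol9","rhel9"] -%}}` in the embedded shared.xml hunk lists exactly two products, so any product not named there — including anything newer than RHEL 9, which the embedded commit message says should also get the strict list — silently falls back to the relaxed legacy pattern `^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$` in the else branch, i.e. the check fails open for new products rather than closed. Consider inverting the condition so that `^FIPS(:OSPP)?$` is the default and the legacy list is the explicit exception for the older products that still need it, or at minimum add a comment beside the product list stating that it must be extended whenever a new product is added. The else branch already carries a comment explaining the legacy list; a matching one-liner on the strict branch, such as `{{# Newer products recognise only FIPS and FIPS:OSPP as FIPS-compliant crypto policies #}}`, would make the intent symmetric. The OVAL definition that consumes this pattern starts and ends outside the embedded hunk, so whether the pattern is matched per line or against the whole file cannot be confirmed from here.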
@@ -123,6 +124,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 - Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
 - Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
 - Remove rules related to NIS services (RHBZ#2096602)
+- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
 
 * Wed Jun 01 2022 Matej Tyc - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)