make rule stricter when checking for fips crypto-policies

Resolves: rhbz#2057082
Vojtech Polasek 2022-07-18 11:16:51 +02:00
parent 5d949040cc
commit 17023b428c
2 changed files with 32 additions and 0 deletions

@ -0,0 +1,30 @@
From 402df0b7dff60a71ed546f025f0a0374fe744605 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 14 Jul 2022 17:28:00 +0200
Subject: [PATCH] Reduce the list of FIPS crypto policies
RHEL9 and newer systems have no reasons to recognize FIPS crypto policies with modifiers
as FIPS, except the FIPS:OSPP.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2057082
---
.../software/integrity/fips/enable_fips_mode/oval/shared.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 7cf1de346a7..65056a654c6 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -21,7 +21,12 @@
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
</ind:variable_object>
<ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
+ {{% if product in ["ol9","rhel9"] -%}}
+ <ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
+ {{%- else %}}
+ {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
+ {{%- endif %}}
</ind:variable_state>
<external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
</def-group>
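Review bot: the `{{% if product in ["ol9","rhel9"] -%}}` branch only covers those two product ids, while the patch description says the stricter `^FIPS(:OSPP)?$` pattern is meant for RHEL9 and newer; any later product would silently fall through to the legacy `^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$` branch in the `else` arm. Consider inverting the condition so that the relaxed list is the exception for the older products and the strict pattern is the default. Also, the `comment` attribute on `ste_system_crypto_policy_value` still describes the accepted value as 'FIPS' or 'FIPS:modifier' for any crypto policy module, and the state keeps `version="2"` although its accepted values changed; update the comment and bump the version so downstream consumers can tell the two definitions apart.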

@ -36,6 +36,7 @@ Patch8: scap-security-guide-0.1.63-remove_rule_login_defs_min_siz
Patch9: scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch Patch9: scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch
Patch10: scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch Patch10: scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch
Patch11: scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch Patch11: scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch
Patch12: scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch
%description %description
The scap-security-guide project provides a guide for configuration of the The scap-security-guide project provides a guide for configuration of the
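Review bot: only the `Patch12:` declaration is added in this hunk and nothing in the visible diff applies it in `%prep`, so confirm that the spec applies patches automatically (for example via `%autosetup`) or add the matching `%patch` line; otherwise the new patch is packaged in the SRPM but never applied. The file name `scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch` also differs from the embedded patch's own subject, "Reduce the list of FIPS crypto policies"; keeping the two consistent makes the patch easier to trace back to the upstream pull request.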
@ -123,6 +124,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016) - Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278) - Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
- Remove rules related to NIS services (RHBZ#2096602) - Remove rules related to NIS services (RHBZ#2096602)
- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
- Rebase to a new upstream release (RHBZ#2070563) - Rebase to a new upstream release (RHBZ#2070563)
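Review bot: the new changelog line is appended to the existing top entry and the commit summary reports 32 additions and 0 deletions, so the spec's `Release:` tag is not bumped in this change. If the 0.1.63 package containing Patch9 through Patch11 has already been built, bump `Release:` and start a new dated changelog header for this entry so the rebuilt package gets a distinct NVR; if that build has not happened yet, appending to the open entry is fine.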