make rule stricter when checking for fips crypto-policies
Resolves: rhbz#2057082
parent: 5d949040cc
commit: 17023b428c
@ -0,0 +1,30 @@
From 402df0b7dff60a71ed546f025f0a0374fe744605 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 14 Jul 2022 17:28:00 +0200
Subject: [PATCH] Reduce the list of FIPS crypto policies

RHEL9 and newer systems have no reasons to recognize FIPS crypto policies with modifiers
as FIPS, except the FIPS:OSPP.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2057082
---
.../software/integrity/fips/enable_fips_mode/oval/shared.xml | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 7cf1de346a7..65056a654c6 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -21,7 +21,12 @@
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
</ind:variable_object>
<ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
+ {{% if product in ["ol9","rhel9"] -%}}
+ <ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
+ {{%- else %}}
+ {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
+ {{%- endif %}}
</ind:variable_state>
<external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
</def-group>
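Review bot: the `{{% if product in ["ol9","rhel9"] -%}}` guard makes the strict pattern the exception and the relaxed pattern the default, which is backwards relative to the stated intent ("RHEL9 and newer systems"): any product not spelled out in that list, including whatever follows rhel9, silently falls back to `^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$`, the very check this patch is meant to retire. Invert the condition so the products that still need the legacy list are the ones enumerated and `^FIPS(:OSPP)?$` is the `else` branch, or gate on a product version comparison rather than an allow-list of names. Two smaller points in the same hunk: the `comment` attribute on `ste_system_crypto_policy_value` still describes the accepted values generically as 'FIPS:modifier', so it should say that only the OSPP modifier is accepted on the stricter products, and the state's `version="2"` should be bumped, since OVAL expects the version to increment whenever a state's content changes.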
@ -36,6 +36,7 @@ Patch8: scap-security-guide-0.1.63-remove_rule_login_defs_min_siz
Patch9: scap-security-guide-0.1.63-remove_rsyslog_rules_from_rhel9_ospp-PR_9116.patch
Patch10: scap-security-guide-0.1.63-remove_sshd_enable_strictmodes_ospp-PR_9143.patch
Patch11: scap-security-guide-0.1.63-remove_nis_rules-PR_9148.patch
Patch12: scap-security-guide-0.1.63-make_fips_subpolicies_stricter-PR_9149.patch

%description
The scap-security-guide project provides a guide for configuration of the
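Review bot: Patch12 is declared here but nothing in this diff shows it being applied; if %prep applies patches with explicit `%patchN -p1` lines rather than `%autosetup`, a matching `%patch12 -p1` is still missing, and a declared-but-unapplied Patch: tag builds cleanly while shipping the old, relaxed FIPS check. Please confirm the patch is applied at build time (for example by checking that the built datastream's `ste_system_crypto_policy_value` carries the `^FIPS(:OSPP)?$` pattern for rhel9).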
@ -123,6 +124,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
- Remove rules related to NIS services (RHBZ#2096602)
- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)

* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
- Rebase to a new upstream release (RHBZ#2070563)
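Review bot: the new bullet is appended to an existing changelog stanza and nothing in the diff touches the `Release:` tag or the stanza header, so this only works if the patch ships in the same build as Patch9 through Patch11; if it is a separate build, it needs a Release bump and its own `* <date> <author> - <version>-<release>` stanza. Also name the affected rule in the bullet, e.g. "Make the enable_fips_mode check for FIPS crypto-policies stricter (RHBZ#2057082)", so someone reading the changelog can find the rule without opening the patch.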