From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 25 Jun 2020 09:53:38 +0200 Subject: [PATCH 1/3] fixed description, oval, ansible, bash --- .../configure_openssl_crypto_policy/ansible/shared.yml | 4 ++-- .../configure_openssl_crypto_policy/bash/shared.sh | 4 ++-- .../configure_openssl_crypto_policy/oval/shared.xml | 2 +- .../crypto/configure_openssl_crypto_policy/rule.yml | 10 +++++----- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml index e6318f221c..98fe134aca 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml @@ -15,7 +15,7 @@ lineinfile: create: yes insertafter: '^\s*\[\s*crypto_policy\s*]\s*' - line: ".include /etc/crypto-policies/back-ends/openssl.config" + line: ".include /etc/crypto-policies/back-ends/opensslcnf.config" path: /etc/pki/tls/openssl.cnf when: - test_crypto_policy_group.stdout is defined @@ -24,7 +24,7 @@ - name: "Add crypto_policy group and set include openssl.config" lineinfile: create: yes - line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config" + line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config" path: /etc/pki/tls/openssl.cnf when: - test_crypto_policy_group.stdout is defined diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh index 0b3cbf3b46..a0b30cce96 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh 
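Review bot: Both `lineinfile` tasks in this hunk add the corrected `.include /etc/crypto-policies/back-ends/opensslcnf.config` line but carry no `regexp`, so a host that was remediated with the previous content keeps its stale `.include /etc/crypto-policies/back-ends/openssl.config` line next to the new one. For the task that uses `insertafter`, adding `regexp: '^\s*\.include\s+/etc/crypto-policies/back-ends/openssl(cnf)?\.config\s*$'` would replace the old directive in place rather than appending a second include. The bash remediation in `bash/shared.sh` looks like it has the same shape, since its inclusion regex only recognises the new name, but `remediate_openssl_crypto_policy` continues outside that hunk so I cannot confirm how it treats a non-matching old line. Because the OVAL pattern in `oval/shared.xml` anchors the `.include` immediately after the `[ crypto_policy ]` header, the relative order of the two lines presumably decides whether such a host passes the check.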
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh @@ -2,8 +2,8 @@ OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' -OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config' -OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$' +OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' +OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$' function remediate_openssl_crypto_policy() { CONFIG_FILE="/etc/pki/tls/openssl.cnf" diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml index a9b3f7b6e9..2019769736 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml @@ -20,7 +20,7 @@ /etc/pki/tls/openssl.cnf - ^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$ + ^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$ 1 diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml index 8c015bb3b2..1a66570a8c 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml 
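Review bot: The dot in `opensslcnf.config` is unescaped in the new `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX`, and `\.include\s*` also accepts a directive with no separator before the path, so the pattern is looser than the literal `OPENSSL_CRYPTO_POLICY_INCLUSION` it is meant to detect; `'^\s*\.include\s+/etc/crypto-policies/back-ends/opensslcnf\.config$'` matches exactly what the remediation writes. The same two points apply to the pattern in the `oval/shared.xml` hunk, and the `grep` in the rule.yml OCIL text also leaves the dot unescaped. `remediate_openssl_crypto_policy` starts in this hunk but its body continues past it.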
@@ -11,7 +11,7 @@ description: |- To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support - if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/openssl.config directive. + if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. rationale: |- Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, @@ -29,11 +29,11 @@ references: ocil_clause: |- the OpenSSL config file doesn't contain the whole section, - or that the section doesn't have the
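Review bot: The rationale kept as context in this hunk says that overriding the crypto policy affects `the Java runtime`, which in a rule about `/etc/pki/tls/openssl.cnf` reads like a copy-paste from a sibling rule, and the sentence is also ungrammatical (`makes the behavior ... violates expectations`). Suggest `Overriding the system crypto policy makes the behavior of OpenSSL violate expectations,` as the opening of that sentence. The rationale block continues outside the hunk.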
.include /etc/crypto-policies/back-ends/openssl.config
directive + or that the section doesn't have the
.include /etc/crypto-policies/back-ends/opensslcnf.config
directive ocil: |- - To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file + To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
/etc/pki/tls/openssl.cnf
contains the
[ crypto_policy ]
section with the -
.include /etc/crypto-policies/back-ends/openssl.config
directive: -
grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf
. +
.include /etc/crypto-policies/back-ends/opensslcnf.config
directive: +
grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf
. From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 25 Jun 2020 09:54:09 +0200 Subject: [PATCH 2/3] updated tests --- .../configure_openssl_crypto_policy/tests/ok.pass.sh | 2 +- .../tests/wrong.fail.sh | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh index 5b8334735e..c56916883e 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh @@ -6,5 +6,5 @@ create_config_file_with "[ crypto_policy ] -.include /etc/crypto-policies/back-ends/openssl.config +.include /etc/crypto-policies/back-ends/opensslcnf.config " diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh new file mode 100644 index 0000000000..5b8334735e --- /dev/null +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# platform = multi_platform_fedora,Red Hat Enterprise Linux 8 +# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard + +. common.sh + +create_config_file_with "[ crypto_policy ] + +.include /etc/crypto-policies/back-ends/openssl.config +" From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001 
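Review bot: The new `wrong.fail.sh` contains only the stale `.include /etc/crypto-policies/back-ends/openssl.config` line, so after the harness presumably remediates it the file will hold both the old and the new include, and whether the scenario then passes depends on where the remediation places the new line relative to the stale one, since the OVAL pattern expects the `.include` directly after the `[ crypto_policy ]` header. A one-line comment stating the intent, e.g. `# stale include name from the previous content; must fail, then remediate to opensslcnf.config`, would make that expectation explicit. A companion scenario that already holds both lines in the wrong order would pin how the check treats a leftover include.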
From: Gabriel Becker Date: Thu, 25 Jun 2020 17:32:00 +0200 Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config file. --- .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml index 98fe134aca..986543c10f 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml @@ -11,7 +11,7 @@ changed_when: False check_mode: no -- name: "Add .include for openssl.config to crypto_policy section" +- name: "Add .include for opensslcnf.config to crypto_policy section" lineinfile: create: yes insertafter: '^\s*\[\s*crypto_policy\s*]\s*' @@ -21,7 +21,7 @@ - test_crypto_policy_group.stdout is defined - test_crypto_policy_group.stdout | length > 0 -- name: "Add crypto_policy group and set include openssl.config" +- name: "Add crypto_policy group and set include opensslcnf.config" lineinfile: create: yes line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"