From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 25 Jun 2020 09:53:38 +0200
Subject: [PATCH 1/3] fixed description, oval, ansible, bash

---
 .../configure_openssl_crypto_policy/ansible/shared.yml |  4 ++--
 .../configure_openssl_crypto_policy/bash/shared.sh     |  4 ++--
 .../configure_openssl_crypto_policy/oval/shared.xml    |  2 +-
 .../crypto/configure_openssl_crypto_policy/rule.yml    | 10 +++++-----
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index e6318f221c..98fe134aca 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -15,7 +15,7 @@
   lineinfile:
     create: yes
     insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
-    line: ".include /etc/crypto-policies/back-ends/openssl.config"
+    line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
     path: /etc/pki/tls/openssl.cnf
   when:
     - test_crypto_policy_group.stdout is defined
@@ -24,7 +24,7 @@
 - name: "Add crypto_policy group and set include openssl.config"
   lineinfile:
     create: yes
-    line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config"
+    line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
     path: /etc/pki/tls/openssl.cnf
   when:
     - test_crypto_policy_group.stdout is defined
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
index 0b3cbf3b46..a0b30cce96 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
@@ -2,8 +2,8 @@
 
 OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
 OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config'
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$'
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
 
 function remediate_openssl_crypto_policy() {
 	CONFIG_FILE="/etc/pki/tls/openssl.cnf"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
index a9b3f7b6e9..2019769736 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
@@ -20,7 +20,7 @@
   <ind:textfilecontent54_object id="object_configure_openssl_crypto_policy"
   version="1">
     <ind:filepath>/etc/pki/tls/openssl.cnf</ind:filepath>
-    <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$</ind:pattern>
+    <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
index 8c015bb3b2..1a66570a8c 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
@@ -11,7 +11,7 @@ description: |-
     To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
     available under <tt>/etc/pki/tls/openssl.cnf</tt>.
     This file has the <tt>ini</tt> format, and it enables crypto policy support
-    if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/openssl.config</tt> directive.
+    if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/opensslcnf.config</tt> directive.
 
 rationale: |-
     Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
@@ -29,11 +29,11 @@ references:
 
 ocil_clause: |-
     the OpenSSL config file doesn't contain the whole section,
-    or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive
+    or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive
 
 ocil: |-
-    To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file
+    To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
     <pre>/etc/pki/tls/openssl.cnf</pre> contains the <pre>[ crypto_policy ]</pre> section with the
-    <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive:
-    <pre>grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf</pre>.
+    <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive:
+    <pre>grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf</pre>.
 

From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 25 Jun 2020 09:54:09 +0200
Subject: [PATCH 2/3] updated tests

---
 .../configure_openssl_crypto_policy/tests/ok.pass.sh   |  2 +-
 .../tests/wrong.fail.sh                                | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
index 5b8334735e..c56916883e 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
@@ -6,5 +6,5 @@
 
 create_config_file_with "[ crypto_policy ]
 
-.include /etc/crypto-policies/back-ends/openssl.config
+.include /etc/crypto-policies/back-ends/opensslcnf.config
 "
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
new file mode 100644
index 0000000000..5b8334735e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+
+. common.sh
+
+create_config_file_with "[ crypto_policy ]
+
+.include /etc/crypto-policies/back-ends/openssl.config
+"

From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Jun 2020 17:32:00 +0200
Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config
 file.

---
 .../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index 98fe134aca..986543c10f 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -11,7 +11,7 @@
   changed_when: False
   check_mode: no
 
-- name: "Add .include for openssl.config to crypto_policy section"
+- name: "Add .include for opensslcnf.config to crypto_policy section"
   lineinfile:
     create: yes
     insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
@@ -21,7 +21,7 @@
     - test_crypto_policy_group.stdout is defined
     - test_crypto_policy_group.stdout | length > 0
 
-- name: "Add crypto_policy group and set include openssl.config"
+- name: "Add crypto_policy group and set include opensslcnf.config"
   lineinfile:
     create: yes
     line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"