From 94ace689f800fde1453b986de02c1d0581174451 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 8 Jul 2020 17:37:50 +0200
Subject: [PATCH 1/9] create rule, check, bash remediation
---
 .../bash/shared.sh | 9 +++++
 .../oval/shared.xml | 1 +
 .../harden_openssl_crypto_policy/rule.yml | 33 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt | 2 --
 4 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
new file mode 100644
index 0000000000..9838a13c95
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = Oracle Linux 8,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora
+
+cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
+
+#blank line at the begining to ease later readibility
+echo '' > "$file"
+echo "$cp" >> "$file"
+update-crypto-policies
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
new file mode 100644
index 0000000000..09199ce4da
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
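Review bot: `update-crypto-policies` on the last added line runs unchecked, so if it fails the remediation still finishes as though it succeeded while `/etc/crypto-policies/back-ends/opensslcnf.config`, the file the OVAL check reads, is left untouched; `update-crypto-policies || exit 1` would surface the failure, assuming the remediation runner honours the script's exit status. The platform line also lists Oracle Linux 8 and Red Hat Virtualization 4, whereas rule.yml in this same patch restricts the rule with `prodtype: rhel8`; either trim the platform list or widen prodtype so the two agree. A one-line header comment saying why a dedicated drop-in under local.d is written and the policy then regenerated would help the next reader, e.g. `# Override only the OpenSSL back-end via a local.d drop-in, then regenerate the back-end configs`.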
@@ -0,0 +1 @@
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
new file mode 100644
index 0000000000..afbdb36a23
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
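Review bot: Whether this check rejects a file in which a correct `Ciphersuites` line is followed by a different one depends on how `oval_check_config_file` anchors its match: with `prefix_regex="^(?:.*\\n)*\s*"` the pattern can already be satisfied by an earlier matching line, so the `correct_followed_by_incorrect.fail.sh` scenario added in the second patch may pass rather than fail unless the macro restricts the match to the last occurrence. The same question applies to `incorrect_followed_by_correct.pass.sh`, which expects last-line-wins semantics. Worth confirming against the macro definition or an actual test-suite run before relying on the scenario names.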
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Harden OpenSSL Crypto Policy'
+
+description: |-
+ Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
+ OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
+ This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied.
+ Changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks if this file contains predefined Ciphersuites variable configured with predefined value.
+
+rationale: |-
+ The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 84286-4
+
+references:
+ nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
+ ospp : FCS_SSHS_EXT.1
+ srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
+
+ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
+
+ocil: |-
+ To verify if the OpenSSL uses defined Crypto Policy, run:
+
$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
+ and verify that the line matches +
84285-6
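Review bot: CCE-84285-6 is withdrawn from shared/references/cce-redhat-avail.txt in this patch but never assigned: the only identifier in rule.yml is `cce@rhel8: 84286-4`, and `84285-6` appears only as the ocil's expected output, where it looks like a pasted id rather than the `Ciphersuites = …` line the grep would print. A later patch in the series replaces that ocil text but leaves the id consumed, so restore the `CCE-84285-6` line in the availability list (or assign it to a rule) so it is not lost. The markup around the ocil command lines is not visible in this rendering, so the exact quoting should be checked against the file.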
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index afc0d80417..01b321b6d5 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -904,8 +904,6 @@ CCE-84281-5
 CCE-84282-3
 CCE-84283-1
 CCE-84284-9
-CCE-84285-6
-CCE-84286-4
 CCE-84287-2
 CCE-84288-0
 CCE-84289-8
From ddc8380b44f907872f6f3b9b0d10421329e3c0a1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 8 Jul 2020 17:38:32 +0200
Subject: [PATCH 2/9] add tests
---
 .../harden_openssl_crypto_policy/tests/correct.pass.sh | 7 +++++++
 .../tests/correct_commented.fail.sh | 7 +++++++
 .../tests/correct_followed_by_incorrect.fail.sh | 8 ++++++++
 .../tests/empty_policy.fail.sh | 7 +++++++
 .../tests/incorrect_followed_by_correct.pass.sh | 8 ++++++++
 .../tests/incorrect_policy.fail.sh | 7 +++++++
 .../tests/missing_file.fail.sh | 7 +++++++
 7 files changed, 51 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
new file mode 100644
index 0000000000..9e59b30bd2
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
new file mode 100644
index 0000000000..91863849b3
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_commented.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "#Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
new file mode 100644
index 0000000000..f44957d3e1
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/correct_followed_by_incorrect.fail.sh
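Review bot: The test scenarios here and in the following hunks declare `platform = multi_platform_fedora,Red Hat Enterprise Linux 8`, while the bash remediation in the first patch also targets Oracle Linux 8 and Red Hat Virtualization 4, so those platforms get a remediation no scenario exercises; align the two lists. The scenarios also overwrite `/etc/crypto-policies/back-ends/opensslcnf.config` with `>` and the last one deletes it with `rm -f`; if that path is a symlink into the shared policy directory on the test image (verify there), the redirection writes through the link while the deletion removes only the link, which can leave later scenarios with a different starting state than they assume. Restoring the generated file at the end of each scenario, for example by re-running `update-crypto-policies`, would keep them independent.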
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > "$configfile"
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" >> "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
new file mode 100644
index 0000000000..5b14fe8ef4
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/empty_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites=" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
new file mode 100644
index 0000000000..6be3bb2ffa
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_followed_by_correct.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" >> "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
new file mode 100644
index 0000000000..b4fd0f97be
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/incorrect_policy.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+echo "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" > "$configfile"
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
new file mode 100644
index 0000000000..2d11d227cb
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/tests/missing_file.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+configfile=/etc/crypto-policies/back-ends/opensslcnf.config
+
+rm -f "$configfile"
From b08a7f3889e4592dc54a431aa4cfb6983990daba Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 9 Jul 2020 09:05:38 +0200
Subject: [PATCH 3/9] remove blank line from remediation
---
 .../crypto/harden_openssl_crypto_policy/bash/shared.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
index 9838a13c95..be6f84f83d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/bash/shared.sh
@@ -3,7 +3,6 @@
 cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
 file=/etc/crypto-policies/local.d/opensslcnf-ospp.config
 
-#blank line at the begining to ease later readibility
-echo '' > "$file"
+
 echo "$cp" >> "$file"
 update-crypto-policies
From d249fbe6f2b0cc8b6cd8a0bb02b03ead04e1dd12 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 9 Jul 2020 09:06:02 +0200
Subject: [PATCH 4/9] fix separator regex in oval
---
 .../crypto/harden_openssl_crypto_policy/oval/shared.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
index 09199ce4da..37be62ee39 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/oval/shared.xml
@@ -1 +1 @@
-{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="=", ) }}}
+{{{ oval_check_config_file(path="/etc/crypto-policies/back-ends/opensslcnf.config", prefix_regex="^(?:.*\\n)*\s*", parameter="Ciphersuites", value="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", separator_regex="\s*=\s*", ) }}}
From 0b203279dde378cd45f05ec93a9653e1bc3b6002 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 9 Jul 2020 09:06:29 +0200
Subject: [PATCH 5/9] reformat rule, fix wrong ocil
---
 .../harden_openssl_crypto_policy/rule.yml | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)
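Review bot: With the truncating `echo '' > "$file"` removed, the remaining `echo "$cp" >> "$file"` appends on every run, so the remediation is no longer idempotent: each run adds another `Ciphersuites` line to `/etc/crypto-policies/local.d/opensslcnf-ospp.config` and whatever the drop-in already contained, including a stale value, is kept. Since the drop-in is written only by this remediation, `echo "$cp" > "$file"` restores truncate-and-write in one line while still dropping the blank line this patch is after. The variable name `cp` reads like the copy command; `ciphersuites=` would be clearer.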
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index afbdb36a23..d019d6cd32 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -5,13 +5,23 @@ prodtype: rhel8
 title: 'Harden OpenSSL Crypto Policy'
 
 description: |-
- Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL.
- OPenSSL is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL r and leave rest of the Crypto Policy intact.
- This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied.
- Changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks if this file contains predefined Ciphersuites variable configured with predefined value.
+ Crypto Policies are means of enforcing certain cryptographic settings for
+ selected applications including OpenSSL. OPenSSL is by default configured to
+ modify its configuration based on currently configured Crypto-Policy.
+ However, in certain cases it might be needed to override the Crypto Policy
+ specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
+ be done by dropping a file named opensslcnf-xxx.config, replacing
+ xxx with arbitrary identifier, into
+ /etc/crypto-policies/local.d. This has to be followed by running
+ update-crypto-policies so that changes are applied. Changes are
+ propagated into /etc/crypto-policies/back-ends/opensslcnf.config.
+ This rule checks if this file contains predefined Ciphersuites
+ variable configured with predefined value.
 
 rationale: |-
- The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.
+ The Common Criteria requirements specify that certain parameters for OpenSSL
+ are configured e.g. 
cipher suites. Currently particular requirements
+ specified by CC are stricter compared to any existing Crypto Policy.
 
 severity: medium
 
@@ -30,4 +40,4 @@ ocil: |-
 To verify if the OpenSSL uses defined Crypto Policy, run:
$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
and verify that the line matches -
84285-6
+
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
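Review bot: The verification command `grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1` also prints a commented-out line such as `#Ciphersuites = …`, which the `correct_commented.fail.sh` scenario added earlier in this series treats as non-compliant, so a manual check could report a pass where the OVAL reports a fail. Anchoring the pattern to uncommented lines, `grep '^\s*Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1`, keeps the manual procedure in line with the automated check. The markup around the ocil command lines is not visible in this rendering, so the exact quoting should be checked against the file.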
From aa2555bdfe67ab41978ae92924580527c7a725eb Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 13 Jul 2020 09:49:34 +0200
Subject: [PATCH 6/9] update references
---
 .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index d019d6cd32..075e381906 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -31,8 +31,8 @@ identifiers:
 
 references:
 nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
- ospp : FCS_SSHS_EXT.1
- srg: SRG-OS-000250-GPOS-00093,SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061
+ ospp: FCS_TLSC_EXT.1.1
+ srg: SRG-OS-000250-GPOS-00093
 
 ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'
 
From c4e0e35f3dc4abb1cea952aed4216499c622f1cf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 13 Jul 2020 09:49:48 +0200
Subject: [PATCH 7/9] add ansible remediation
---
 .../ansible/shared.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
new file mode 100644
index 0000000000..d5c2c2b9f7
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/ansible/shared.yml
@@ -0,0 +1,16 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config"
+ lineinfile:
+ path: "/etc/crypto-policies/local.d/opensslcnf-ospp.config"
+ line: "Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+ create: yes
+ insertafter: EOF
+
+- name: "Update system crypto policy for changes to take effect"
+ command:
+ cmd: "update-crypto-policies"
From 3a33b284dc3da993b1b98e75f805ebf018d7f2e9 Mon Sep 17 00:00:00 2001
From: vojtapolasek
Date: Wed, 15 Jul 2020 09:26:11 +0200
Subject: [PATCH 8/9] fix typos
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Jan Černý
---
 .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index 075e381906..ce0351aa34 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
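Review bot: The `lineinfile` task has no `regexp`, so an existing `Ciphersuites` line with a different value in `/etc/crypto-policies/local.d/opensslcnf-ospp.config` is left in place and the new line is appended after it, and the `command` task runs `update-crypto-policies` on every play whether or not anything changed, so the play never converges to "ok". Add `regexp: '^\s*Ciphersuites\s*='` and `register: opensslcnf_policy` to the first task and `when: opensslcnf_policy is changed` to the second so the regeneration only runs after a real change. The platform header is `Red Hat Enterprise Linux 8` only, whereas the bash remediation for the same rule lists Oracle Linux 8, Red Hat Virtualization 4 and Fedora as well; the two should agree.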
@@ -6,10 +6,10 @@ title: 'Harden OpenSSL Crypto Policy'
 
 description: |-
 Crypto Policies are means of enforcing certain cryptographic settings for
- selected applications including OpenSSL. OPenSSL is by default configured to
- modify its configuration based on currently configured Crypto-Policy.
+ selected applications including OpenSSL. OpenSSL is by default configured to
+ modify its configuration based on currently configured Crypto Policy.
 However, in certain cases it might be needed to override the Crypto Policy
- specific to OpenSSL r and leave rest of the Crypto Policy intact. This can
+ specific to OpenSSL and leave rest of the Crypto Policy intact. This can
 be done by dropping a file named opensslcnf-xxx.config, replacing
 xxx with arbitrary identifier, into
 /etc/crypto-policies/local.d. This has to be followed by running
From e5fa539ea5274e723a428a835673598899a301fa Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Wed, 15 Jul 2020 09:36:06 +0200
Subject: [PATCH 9/9] update rule references
---
 .../integrity/crypto/harden_openssl_crypto_policy/rule.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
index ce0351aa34..0cbead2a6d 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml
@@ -30,8 +30,8 @@ identifiers:
 
 references:
- nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
+ nist: SC-8(1),SC-13
 ospp: FCS_TLSC_EXT.1.1
- srg: SRG-OS-000250-GPOS-00093
+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000424-GPOS-00188,SRG-OS-000478-GPOS-00223
 
 ocil_clause: 'Crypto Policy for OpenSSL is not configured according to CC requirements'