From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 25 Jun 2020 09:53:38 +0200
Subject: [PATCH 1/3] fixed description, oval, ansible, bash
---
.../configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
.../configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
.../configure_openssl_crypto_policy/oval/shared.xml | 2 +-
.../crypto/configure_openssl_crypto_policy/rule.yml | 10 +++++-----
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index e6318f221c..98fe134aca 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -15,7 +15,7 @@
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
- line: ".include /etc/crypto-policies/back-ends/openssl.config"
+ line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
path: /etc/pki/tls/openssl.cnf
when:
- test_crypto_policy_group.stdout is defined
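Review bot: The `+ line:` value is placed with `insertafter` only, so a host that was remediated before the rename keeps its old `.include /etc/crypto-policies/back-ends/openssl.config` directive and gains a second include under the section header; whether OpenSSL accepts an `.include` whose target file no longer exists is not visible in this hunk, so treat the leftover as a risk to confirm rather than a certainty. Adding `regexp: '^\s*\.include\s+/etc/crypto-policies/back-ends/openssl(cnf)?\.config\s*$'` next to the existing `line:` lets lineinfile replace the stale directive in place while still inserting after the header when nothing matches. The task's header precedes this hunk and its `when` list continues past it.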
@@ -24,7 +24,7 @@
- name: "Add crypto_policy group and set include openssl.config"
lineinfile:
create: yes
- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config"
+ line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
path: /etc/pki/tls/openssl.cnf
when:
- test_crypto_policy_group.stdout is defined
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
index 0b3cbf3b46..a0b30cce96 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
@@ -2,8 +2,8 @@
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config'
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$'
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
function remediate_openssl_crypto_policy() {
CONFIG_FILE="/etc/pki/tls/openssl.cnf"
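Review bot: In the new `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX` the dot in `opensslcnf.config` is unescaped and matches any character, unlike the `\.` already used for `.include` in the same pattern; `OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf\.config$'` pins the file name exactly. The OVAL pattern in oval/shared.xml and the ocil grep in rule.yml in this same patch carry the same unescaped dot and would benefit from the same `\.`. `remediate_openssl_crypto_policy` opens in this hunk but its body continues outside it, so how the variables are applied to the config file cannot be checked here.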
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
index a9b3f7b6e9..2019769736 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
@@ -20,7 +20,7 @@
<ind:textfilecontent54_object id="object_configure_openssl_crypto_policy"
version="1">
<ind:filepath>/etc/pki/tls/openssl.cnf</ind:filepath>
- <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
index 8c015bb3b2..1a66570a8c 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
@@ -11,7 +11,7 @@ description: |-
To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
available under <tt>/etc/pki/tls/openssl.cnf</tt>.
This file has the <tt>ini</tt> format, and it enables crypto policy support
- if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/openssl.config</tt> directive.
+ if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/opensslcnf.config</tt> directive.
rationale: |-
Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
@@ -29,11 +29,11 @@ references:
ocil_clause: |-
the OpenSSL config file doesn't contain the whole section,
- or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive
+ or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive
ocil: |-
- To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file
+ To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
<pre>/etc/pki/tls/openssl.cnf</pre> contains the <pre>[ crypto_policy ]</pre> section with the
- <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive:
- <pre>grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf</pre>.
+ <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive:
+ <pre>grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf</pre>.
From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 25 Jun 2020 09:54:09 +0200
Subject: [PATCH 2/3] updated tests
---
.../configure_openssl_crypto_policy/tests/ok.pass.sh | 2 +-
.../tests/wrong.fail.sh | 10 ++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
index 5b8334735e..c56916883e 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
@@ -6,5 +6,5 @@
create_config_file_with "[ crypto_policy ]
-.include /etc/crypto-policies/back-ends/openssl.config
+.include /etc/crypto-policies/back-ends/opensslcnf.config
"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
new file mode 100644
index 0000000000..5b8334735e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+
+. common.sh
+
+create_config_file_with "[ crypto_policy ]
+
+.include /etc/crypto-policies/back-ends/openssl.config
+"
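Review bot: The new scenario has no comment stating what makes the configuration wrong, so a reader has to diff it against ok.pass.sh to see that only the back-end file name differs; a line such as `# Pre-rename openssl.config back-end path: must not satisfy the rule.` after the profiles header would make the intent explicit. It would also help to say that the stale `.include` sits directly under the `[ crypto_policy ]` section, which is the layout the remediation is expected to correct if the test suite applies remediation to fail scenarios.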
From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Jun 2020 17:32:00 +0200
Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config
file.
---
.../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index 98fe134aca..986543c10f 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -11,7 +11,7 @@
changed_when: False
check_mode: no
-- name: "Add .include for openssl.config to crypto_policy section"
+- name: "Add .include for opensslcnf.config to crypto_policy section"
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
@@ -21,7 +21,7 @@
- test_crypto_policy_group.stdout is defined
- test_crypto_policy_group.stdout | length > 0
-- name: "Add crypto_policy group and set include openssl.config"
+- name: "Add crypto_policy group and set include opensslcnf.config"
lineinfile:
create: yes
line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"