31 lines
1.8 KiB
Diff
31 lines
1.8 KiB
Diff
From 402df0b7dff60a71ed546f025f0a0374fe744605 Mon Sep 17 00:00:00 2001
|
|
From: Matej Tyc <matyc@redhat.com>
|
|
Date: Thu, 14 Jul 2022 17:28:00 +0200
|
|
Subject: [PATCH] Reduce the list of FIPS crypto policies
|
|
|
|
RHEL9 and newer systems have no reasons to recognize FIPS crypto policies with modifiers
|
|
as FIPS, except the FIPS:OSPP.
|
|
|
|
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2057082
|
|
---
|
|
.../software/integrity/fips/enable_fips_mode/oval/shared.xml | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
|
index 7cf1de346a7..65056a654c6 100644
|
|
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
|
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
|
@@ -21,7 +21,12 @@
|
|
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
|
|
</ind:variable_object>
|
|
<ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
|
|
+ {{% if product in ["ol9","rhel9"] -%}}
|
|
+ <ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
|
|
+ {{%- else %}}
|
|
+ {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
|
|
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
|
|
+ {{%- endif %}}
|
|
</ind:variable_state>
|
|
<external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
|
|
</def-group>
|