scap-security-guide/SOURCES/scap-security-guide-0.1.51-openssl_crypto_PR_5885.patch
2021-09-10 04:18:41 +00:00

164 lines
9.1 KiB
Diff

From bf4da502abb91d3db88e76f7239880909f400604 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 25 Jun 2020 09:53:38 +0200
Subject: [PATCH 1/3] fixed description, oval, ansible, bash
---
.../configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
.../configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
.../configure_openssl_crypto_policy/oval/shared.xml | 2 +-
.../crypto/configure_openssl_crypto_policy/rule.yml | 10 +++++-----
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index e6318f221c..98fe134aca 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -15,7 +15,7 @@
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
- line: ".include /etc/crypto-policies/back-ends/openssl.config"
+ line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
path: /etc/pki/tls/openssl.cnf
when:
- test_crypto_policy_group.stdout is defined
@@ -24,7 +24,7 @@
- name: "Add crypto_policy group and set include openssl.config"
lineinfile:
create: yes
- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/openssl.config"
+ line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
path: /etc/pki/tls/openssl.cnf
when:
- test_crypto_policy_group.stdout is defined
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
index 0b3cbf3b46..a0b30cce96 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
@@ -2,8 +2,8 @@
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/openssl.config'
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config$'
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
function remediate_openssl_crypto_policy() {
CONFIG_FILE="/etc/pki/tls/openssl.cnf"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
index a9b3f7b6e9..2019769736 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
@@ -20,7 +20,7 @@
<ind:textfilecontent54_object id="object_configure_openssl_crypto_policy"
version="1">
<ind:filepath>/etc/pki/tls/openssl.cnf</ind:filepath>
- <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
index 8c015bb3b2..1a66570a8c 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
@@ -11,7 +11,7 @@ description: |-
To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
available under <tt>/etc/pki/tls/openssl.cnf</tt>.
This file has the <tt>ini</tt> format, and it enables crypto policy support
- if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/openssl.config</tt> directive.
+ if there is a <tt>[ crypto_policy ]</tt> section that contains the <tt>.include /etc/crypto-policies/back-ends/opensslcnf.config</tt> directive.
rationale: |-
Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
@@ -29,11 +29,11 @@ references:
ocil_clause: |-
the OpenSSL config file doesn't contain the whole section,
- or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive
+ or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive
ocil: |-
- To verify that OpenSSL uses the system crypro policy, check out that the OpenSSL config file
+ To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
<pre>/etc/pki/tls/openssl.cnf</pre> contains the <pre>[ crypto_policy ]</pre> section with the
- <pre>.include /etc/crypto-policies/back-ends/openssl.config</pre> directive:
- <pre>grep '\.include\s* /etc/crypto-policies/back-ends/openssl.config$' /etc/pki/tls/openssl.cnf</pre>.
+ <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive:
+ <pre>grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf</pre>.
From 5e4f19a3301fbdc74b199b418a435924089d6c30 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 25 Jun 2020 09:54:09 +0200
Subject: [PATCH 2/3] updated tests
---
.../configure_openssl_crypto_policy/tests/ok.pass.sh | 2 +-
.../tests/wrong.fail.sh | 10 ++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
index 5b8334735e..c56916883e 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/ok.pass.sh
@@ -6,5 +6,5 @@
create_config_file_with "[ crypto_policy ]
-.include /etc/crypto-policies/back-ends/openssl.config
+.include /etc/crypto-policies/back-ends/opensslcnf.config
"
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
new file mode 100644
index 0000000000..5b8334735e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/tests/wrong.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp, xccdf_org.ssgproject.content_profile_standard
+
+. common.sh
+
+create_config_file_with "[ crypto_policy ]
+
+.include /etc/crypto-policies/back-ends/openssl.config
+"
From 73804523130ce02162b780b8811e79e6adcb51a6 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Jun 2020 17:32:00 +0200
Subject: [PATCH 3/3] Update task name to reflect correct opensslcnf.config
file.
---
.../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index 98fe134aca..986543c10f 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -11,7 +11,7 @@
changed_when: False
check_mode: no
-- name: "Add .include for openssl.config to crypto_policy section"
+- name: "Add .include for opensslcnf.config to crypto_policy section"
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
@@ -21,7 +21,7 @@
- test_crypto_policy_group.stdout is defined
- test_crypto_policy_group.stdout | length > 0
-- name: "Add crypto_policy group and set include openssl.config"
+- name: "Add crypto_policy group and set include opensslcnf.config"
lineinfile:
create: yes
line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"