Fix crypto policy settings in RHEL CIS profiles #14120
Add a new rule `configure_custom_crypto_policy_cis` that configures multiple custom crypto sub policy modules for RHEL CIS. The new rule is very similar to `fips_custom_stig_sub_policy`. It configures new modules for system wide crypto policies that reduce the set of usable ciphers in sshd, MACs, and others.

The rule is templated by a new template `crypto_sub_policies` that is also introduced in this commit so that the code can be reused in other similar rules.

This change aligns the RHEL CIS profiles in CaC with:
- CIS RHEL 8 Benchmark v4.0.0
- CIS RHEL 9 Benchmark v2.0.0
- CIS RHEL 10 Benchmark v1.0.1

All crypto requirements of the CIS profiles are now covered by this single rule.

Resolves: https://issues.redhat.com/browse/RHEL-111896
> - **sub_policies** - A list of dictionaries. Each dictionary represents one custom crypto sub policy module. The dictionary has the following members:

Please consider adding a simple example.
vojtapolasek left a comment:

Thank you for this rule. I verified it works with Automatus tests.
I have a few remarks, please see below.
> update-crypto-policies --set {{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}

Do you think it would make sense to make this command conditional in the same way as in the Ansible remediation?
> {{{ oval_metadata("Ensure that the custom crypto policy module is configured", rule_title=rule_title) }}}
> <criteria operator="AND" comment="Ensure that all of the correct lines are in the file.">
> {{% for sub_policy in SUB_POLICIES %}}
> <criterion comment="Check that {{{ sub_policy.key }}} is configured in {{{ sub_policy.name }}}"

Suggested change:
- <criterion comment="Check that {{{ sub_policy.key }}} is configured in {{{ sub_policy.name }}}"
+ <criterion comment="Check that {{{ sub_policy.key }}} is configured in {{{ sub_policy.module_name }}}"
> {
>     "module_name": "NO-SSHWEAKCIPHERS",
>     "key": "cipher@SSH",
>     "value": "-3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC"

Note that in RHEL 9 there is the chacha cipher, here it is not. In the original CIS policy, I think there is the chacha mentioned, but at the same time it is marked as manual... maybe this should be checked later.
I have created this value based on the RHEL 10 CIS requirement 5.1.6 which has exactly this list of ciphers. There are some mentions of the chacha cipher, but it doesn't say that we should add it to the NO-SSHWEAKCIPHERS.module.
I noticed that the RHEL 9 CIS benchmark contains requirement 1.6.6 "Ensure system wide crypto policy disables chacha20-poly1305 for ssh". But, RHEL 10 CIS benchmark doesn't contain this requirement.
The RHEL 9 requirement 1.6.6 says that the chacha cipher should be disabled only if the system is affected by CVE-2023-48795. It says: "if CVE-2023-48795 has been addressed, and it meets local site policy, this recommendation may be skipped." The Red Hat page https://access.redhat.com/security/cve/cve-2023-48795 doesn't list RHEL 10 as affected by this CVE. Based on that I think the reason the requirement isn't here is because RHEL 10 doesn't suffer from this CVE and therefore it's fine to use the chacha20-poly1305 cipher on RHEL 10.
Do not run the update command if the correct crypto policy is already set.

I have added an example to the documentation, I have improved idempotency of the Bash remediation and I have fixed a comment in an OVAL criterion element.
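The idempotent remediation discussed in this thread, written out as an added example (it is not the PR's Bash remediation nor any other ComplianceAsCode code). It also shows what one `sub_policies` entry (`module_name`, `key`, `value`) ends up as on disk. Assumptions: custom modules live as `NAME.pmod` under `/etc/crypto-policies/policies/modules` (the directory the crypto-policies package reads custom modules from), `DEFAULT` is the base policy, and the `MODULES_DIR` and `UPDATE_CMD` variables, the function names and the `remediate_cis_example` wrapper are this example's own, added so the logic can be exercised against a temporary directory and a stand-in command instead of a real system.

```sh
#!/bin/sh
# Added example, not ComplianceAsCode's own remediation.
# Writes one .pmod file per custom crypto sub-policy module and runs
# "update-crypto-policies --set" only when the policy reported by
# "update-crypto-policies --show" differs from the desired BASE:MODULE... string.
# MODULES_DIR and UPDATE_CMD are assumed override knobs for offline testing.

MODULES_DIR="${MODULES_DIR:-/etc/crypto-policies/policies/modules}"
UPDATE_CMD="${UPDATE_CMD:-update-crypto-policies}"

# write_module NAME KEY VALUE
# Creates NAME.pmod containing "KEY = VALUE" and prints "changed", or prints
# "unchanged" when the file already holds exactly that line (no rewrite).
write_module() {
    wm_file="$MODULES_DIR/$1.pmod"
    wm_line="$2 = $3"
    mkdir -p "$MODULES_DIR"
    if [ -f "$wm_file" ] && [ "$(cat "$wm_file")" = "$wm_line" ]; then
        echo unchanged
        return 0
    fi
    printf '%s\n' "$wm_line" > "$wm_file"
    echo changed
}

# apply_policy BASE MODULE...
# Builds BASE:MODULE1:MODULE2..., compares it with the active policy and calls
# "update-crypto-policies --set" only on a mismatch. Prints "updated" or
# "already-set"; the tool's own chatter on --set goes to stderr.
apply_policy() {
    ap_target="$1"
    shift
    for ap_mod in "$@"; do
        ap_target="$ap_target:$ap_mod"
    done
    ap_current="$("$UPDATE_CMD" --show 2>/dev/null || true)"
    if [ "$ap_current" = "$ap_target" ]; then
        echo already-set
        return 0
    fi
    "$UPDATE_CMD" --set "$ap_target" >&2
    echo updated
}

# remediate_cis_example
# The two modules quoted in the review thread, layered on the DEFAULT base
# policy (an assumption of this example). Running it twice is safe: the second
# run rewrites nothing and skips the update command.
remediate_cis_example() {
    write_module NO-SSHWEAKCIPHERS 'cipher@SSH' \
        '-3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC' >/dev/null
    write_module NO-WEAKMAC 'mac' '-*-64*' >/dev/null
    apply_policy DEFAULT NO-SSHWEAKCIPHERS NO-WEAKMAC
}
```

On a real host the functions are run as root with the default paths (`remediate_cis_example` prints `updated` on the first run and `already-set` afterwards); note that `update-crypto-policies --set` changes the back-end configuration, and services such as sshd pick the new policy up only after a restart.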
> {
>     "module_name": "NO-WEAKMAC",
>     "key": "mac",
>     "value": "-*-64*"

Why do we have 64 here and not 128 the same as RHEL8 and RHEL10?

In RHEL9 CIS 2.0.0 we have "1.6.4 Ensure system wide crypto policy disables macs less than 128 bits (Automated)" and then in the code it actually disables 64. Maybe it's an issue in the benchmark.

I have created https://workbench.cisecurity.org/benchmarks/18210/tickets/26578 to check if that is a real issue.

So, checking the ticket again, it seems it was a mistake indeed. So your code remains the same as changed in a77ffb1.

In RHEL9 CIS 2.0.0 we have 1.6.4 Ensure system wide crypto policy disables macs less than 128 bits, but the prose says 64. This is an issue in CIS Benchmark, see https://workbench.cisecurity.org/benchmarks/18210/tickets/26578
vojtapolasek left a comment:

LGTM now, thank you.
Merged 43e69b1 into ComplianceAsCode:master
Add a new rule `configure_custom_crypto_policy_cis` that configures multiple custom crypto sub policy modules for RHEL CIS. The new rule is very similar to `fips_custom_stig_sub_policy`. It configures new modules for system wide crypto policies that reduce the set of usable ciphers in sshd, MACs, and others.

The rule is templated by a new template `crypto_sub_policies` that is also introduced in this commit so that the code can be reused in other similar rules.

This change aligns the RHEL CIS profiles in CaC with:
- CIS RHEL 8 Benchmark v4.0.0
- CIS RHEL 9 Benchmark v2.0.0
- CIS RHEL 10 Benchmark v1.0.1

All crypto requirements of the CIS profiles are now covered by this single rule.

This PR replaces the previous PR #14066 - see the discussion there for context!

Resolves: https://issues.redhat.com/browse/RHEL-111896

Also, it resolves crypto-related items from https://issues.redhat.com/browse/RHEL-76009.