From 98de9107053b6b1e0efeee8e8e11eafaf50720cd Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Tue, 12 May 2026 11:54:51 +0200
Subject: [PATCH] Add rule crypto_policy_not_overridden for RHEL-09-672020
---
 components/crypto-policies.yml | 1 +
 .../ansible/shared.yml | 23 ++++++++++++
 .../bash/shared.sh | 23 ++++++++++++
 .../crypto_policy_not_overridden/rule.yml | 35 +++++++++++++++++++
 .../sce/shared.sh | 12 +++++++
 .../tests/backend_file_overridden.fail.sh | 15 ++++++++
 .../tests/config_changed_not_applied.fail.sh | 12 +++++++
 .../tests/correct_policy_applied.pass.sh | 6 ++++
 products/rhel9/controls/stig_rhel9.yml | 17 ++-------
 shared/references/cce-redhat-avail.txt | 1 -
 .../data/profile_stability/rhel9/stig.profile | 1 +
 .../profile_stability/rhel9/stig_gui.profile | 1 +
 12 files changed, 132 insertions(+), 15 deletions(-)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/rule.yml
 create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/sce/shared.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/backend_file_overridden.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/config_changed_not_applied.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/correct_policy_applied.pass.sh
diff --git a/components/crypto-policies.yml b/components/crypto-policies.yml
index 520f5d752d7..595c4dbc8db 100644
--- a/components/crypto-policies.yml
+++ b/components/crypto-policies.yml
@@ -25,3 +25,4 @@ rules:
 - package_crypto-policies_installed
 - fips_crypto_subpolicy
 - fips_crypto_policy_symlinks
+- crypto_policy_not_overridden
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/ansible/shared.yml
new file mode 100644
index 00000000000..730eebf13a9
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/ansible/shared.yml
@@ -0,0 +1,23 @@
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_system_crypto_policy") }}}
+
+- name: "{{{ rule_title }}} - Check if crypto policy is overridden"
+ ansible.builtin.command: /usr/bin/update-crypto-policies --check
+ register: crypto_policy_check
+ changed_when: false
+ failed_when: false
+ check_mode: false
+
+- name: "{{{ rule_title }}} - Reinstall crypto-policies to restore back-end files"
+ ansible.builtin.command: dnf -y reinstall crypto-policies
+ become: true
+ when: crypto_policy_check.rc != 0
+
+- name: "{{{ rule_title }}} - Re-apply crypto policy"
+ ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
+ become: true
+ when: crypto_policy_check.rc != 0
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/bash/shared.sh
new file mode 100644
index 00000000000..2ce25b6362b
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/bash/shared.sh
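Review bot: The check task hides every non-zero exit behind `failed_when: false`, so a missing `update-crypto-policies` binary (rc 127) is indistinguishable from an overridden policy: the play would then reinstall `crypto-policies` and most likely stop on the `--set` task with an opaque "no such file" error, whereas the bash variant in this commit reports rc 127 with guidance. Failing early with a clear reason, `failed_when: crypto_policy_check.rc == 127`, or ensuring the scripts package is present first (the test scenarios name `crypto-policies-scripts` as the package providing the command) would keep the two remediations consistent. The `--set` argument is also passed unquoted; `/usr/bin/update-crypto-policies --set "{{ var_system_crypto_policy }}"` matches the quoting the bash variant already uses.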
@@ -0,0 +1,23 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ bash_instantiate_variables("var_system_crypto_policy") }}}
+
+dnf -y reinstall crypto-policies
+
+stderr_of_call=$(update-crypto-policies --set "${var_system_crypto_policy}" 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+ echo "$stderr_of_call" >&2
+ echo "Make sure that the script is installed on the remediated system." >&2
+ echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+ echo "to see what package to (re)install" >&2
+ false
+elif test "$rc" != 0; then
+ echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+ false
+fi
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/rule.yml
new file mode 100644
index 00000000000..312997ba039
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Ensure System Cryptographic Policy Is Not Overridden'
+
+description: |-
+ The system-wide cryptographic policy must not be overridden by individual
+ applications. All files in /etc/crypto-policies/back-ends/ except for
+ nss.config should be symbolic links generated by the
+ update-crypto-policies tool.
+ Verify that the configured cryptographic policy has not been overridden by running:
+
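Review bot: `# platform = multi_platform_all` does not match the script body, which hard-codes `dnf -y reinstall crypto-policies`; on a platform without dnf the remediation fails at the reinstall step, while the Ansible and SCE variants in this commit restrict themselves to `multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9`. Align the header with them, `# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9`. The reinstall's exit status is also never examined, so a failed reinstall (no repository access, for instance) is silently followed by `--set`; `dnf -y reinstall crypto-policies || echo "Reinstalling crypto-policies failed; back-end files may still be overridden" >&2` would at least leave an honest trace in the remediation log.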
$ sudo update-crypto-policies --check
+ The output should confirm the configured policy matches the generated policy.
+
+rationale: |-
+ Centralized cryptographic policies simplify applying secure ciphers across an
+ operating system and the applications that run on that operating system. If
+ cryptographic policy back-end configurations are overridden, the system may use
+ weak or unapproved cipher suites, undermining the intended security posture.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86483-5
+
+references:
+ srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+
+ocil_clause: 'the configured policy does not match the generated policy'
+
+ocil: |-
+ Verify that the cryptographic policy has not been overridden by running:
+
$ sudo update-crypto-policies --check
+ If compliant, the output confirms the configured policy matches the generated policy.
+
+platform: system_with_kernel and not osbuild
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/sce/shared.sh b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/sce/shared.sh
new file mode 100644
index 00000000000..edeae200b3d
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/sce/shared.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
+# check-import = stdout
+
+update-crypto-policies --check
+rc=$?
+
+if [ $rc -eq 0 ]; then
+ exit "${XCCDF_RESULT_PASS}"
+fi
+
+exit "${XCCDF_RESULT_FAIL}"
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/backend_file_overridden.fail.sh b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/backend_file_overridden.fail.sh
new file mode 100644
index 00000000000..9222ec53093
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/backend_file_overridden.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
+# packages = crypto-policies-scripts
+
+# Start from a clean, fully applied state
+update-crypto-policies --set DEFAULT
+
+# Replace the gnutls backend symlink with a modified regular file to simulate
+# a manual per-application override of the system crypto policy.
+# update-crypto-policies --check regenerates the policy and byte-compares it
+# against the back-ends directory, so any content change causes a failure.
+BACKEND_FILE="/etc/crypto-policies/back-ends/gnutls.config"
+content=$(cat "${BACKEND_FILE}")
+rm -f "${BACKEND_FILE}"
+printf '%s\n# manual override\n' "${content}" > "${BACKEND_FILE}"
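Review bot: The description tells the reader that every file under `/etc/crypto-policies/back-ends/` except `nss.config` should be a symbolic link, but the check this rule ships (`update-crypto-policies --check` in the SCE script, which the test scenario describes as regenerating the policy and byte-comparing it against the back-ends directory) never looks at symlink status; the control notes removed in this same commit made exactly that distinction. Reword the second sentence so it matches what is verified, e.g. `The files in /etc/crypto-policies/back-ends/ must match the content update-crypto-policies generates for the configured policy; editing or replacing them overrides the policy.`, and drop the symlink claim so auditors do not hand-check a property the rule does not test. Noting that `--check` needs the `crypto-policies-scripts` package (as the test scenarios already do) would round out the description.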
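Review bot: Only stdout is imported into the report (`# check-import = stdout`), so when the `update-crypto-policies` command is absent the shell's "command not found" diagnostic goes to stderr and the result is a bare FAIL that cannot be told apart from a genuinely overridden policy. `update-crypto-policies --check 2>&1` keeps that explanation in the captured output, and if the tool prints its mismatch details to stderr rather than stdout (not verifiable from the hunk) the same redirection makes those visible as well. Whether a missing tool should be reported as `XCCDF_RESULT_ERROR` rather than FAIL is a deliberate choice that deserves a comment in the script, e.g. `# rc 127 (tool missing) is reported as FAIL: the policy state cannot be verified`.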
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/config_changed_not_applied.fail.sh b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/config_changed_not_applied.fail.sh
new file mode 100644
index 00000000000..e4d033ac06e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/config_changed_not_applied.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
+# packages = crypto-policies-scripts
+
+# Start from a clean, fully applied DEFAULT state
+update-crypto-policies --set DEFAULT
+
+# Change the config to a different policy without running update-crypto-policies.
+# --check regenerates the policy from /etc/crypto-policies/config (now LEGACY)
+# and compares it against the back-ends still generated for DEFAULT, so they
+# will not match.
+echo "LEGACY" > /etc/crypto-policies/config
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/correct_policy_applied.pass.sh b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/correct_policy_applied.pass.sh
new file mode 100644
index 00000000000..b3c3f267fd6
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/correct_policy_applied.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
+# packages = crypto-policies-scripts
+
+# Ensure the crypto policy is set and fully applied so --check passes
+update-crypto-policies --set DEFAULT
diff --git a/products/rhel9/controls/stig_rhel9.yml b/products/rhel9/controls/stig_rhel9.yml
index 42e77ff2533..a9cb7172350 100644
--- a/products/rhel9/controls/stig_rhel9.yml
+++ b/products/rhel9/controls/stig_rhel9.yml
@@ -3983,20 +3983,9 @@ controls:
 levels:
 - medium
 title: RHEL 9 cryptographic policy must not be overridden.
- notes: Rules for this control are intentionally not implemented. Checking whether files under
- /etc/crypto-policies/back-ends/
- are symlinks is not an appropriate way to verify the consistency of the system's
- cryptographic settings.
- The suggested fix mentioned in the STIG does not fully satisfy its own requirements, as
- it also symlinks the nss.config file.
- Furthermore, running sudo 'update-crypto-policies --set FIPS' is not a reliable way to
- ensure FIPS compliance. Customers should
- refer to the official Red Hat Documentation and use the 'fips=1' kernel option during
- system installation to ensure the system is
- in FIPS mode.
- More information can be found at
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening
- status: pending
+ rules:
+ - crypto_policy_not_overridden
+ status: automated

 - id: RHEL-09-672030
 levels:
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 7c9d4b0fba0..24b00cf3cc4 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-86483-5
 CCE-86484-3
 CCE-86492-6
 CCE-86494-2
diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
index 991aff3f494..73c7af5a3cf 100644
--- a/tests/data/profile_stability/rhel9/stig.profile
+++ b/tests/data/profile_stability/rhel9/stig.profile
@@ -156,6 +156,7 @@ configure_usbguard_auditbackend
 configured_firewalld_default_deny
 coredump_disable_backtraces
 coredump_disable_storage
+crypto_policy_not_overridden
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount_open
diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
index 7c09f905d19..0d9576e8d48 100644
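Review bot: Replacing the whole `notes:` block also drops the caveat that `update-crypto-policies --set FIPS` is not a reliable way to reach FIPS mode and that the `fips=1` kernel option at installation is what Red Hat documents, even though the STIG fix text that prompted the note has not changed and the new rule's remediations do re-run `--set` with `var_system_crypto_policy`. The symlink-related part of the notes is genuinely obsolete now that the rule relies on `--check`, but a shortened `notes:` keeping the FIPS guidance and the documentation link would stop readers of this control from reading `status: automated` as FIPS-compliance coverage.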
--- a/tests/data/profile_stability/rhel9/stig_gui.profile
+++ b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -156,6 +156,7 @@ configure_usbguard_auditbackend
 configured_firewalld_default_deny
 coredump_disable_backtraces
 coredump_disable_storage
+crypto_policy_not_overridden
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount_open