Add rule crypto_policy_not_overridden for RHEL-09-672020

components/crypto-policies.yml

@@ -1,10 +1,10 @@
 groups:
 - crypto
 name: crypto-policies
 packages:
 - crypto-policies
 rules:
 - configure_bind_crypto_policy
 - configure_crypto_policy
 - configure_gnutls_tls_crypto_policy
 - configure_kerberos_crypto_policy
@@ -25,3 +25,4 @@
 - package_crypto-policies_installed
 - fips_crypto_subpolicy
 - fips_crypto_policy_symlinks
+- crypto_policy_not_overridden

linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/ansible/shared.yml

@@ -0,0 +1,23 @@
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_system_crypto_policy") }}}
+
+- name: "{{{ rule_title }}} - Check if crypto policy is overridden"
+  ansible.builtin.command: /usr/bin/update-crypto-policies --check
+  register: crypto_policy_check
+  changed_when: false
+  failed_when: false
+  check_mode: false
+
+- name: "{{{ rule_title }}} - Reinstall crypto-policies to restore back-end files"
+  ansible.builtin.command: dnf -y reinstall crypto-policies
+  become: true
+  when: crypto_policy_check.rc != 0
+
+- name: "{{{ rule_title }}} - Re-apply crypto policy"
+  ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
+  become: true
+  when: crypto_policy_check.rc != 0

linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/bash/shared.sh

@@ -0,0 +1,23 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ bash_instantiate_variables("var_system_crypto_policy") }}}
+
+dnf -y reinstall crypto-policies
+
+stderr_of_call=$(update-crypto-policies --set "${var_system_crypto_policy}" 2>&1 > /dev/null)
+rc=$?
+
+if test "$rc" = 127; then
+    echo "$stderr_of_call" >&2
+    echo "Make sure that the script is installed on the remediated system." >&2
+    echo "See output of the 'dnf provides update-crypto-policies' command" >&2
+    echo "to see what package to (re)install" >&2
+    false
+elif test "$rc" != 0; then
+    echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
+    false
+fi

linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/rule.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Ensure System Cryptographic Policy Is Not Overridden'
+
+description: |-
+    The system-wide cryptographic policy must not be overridden by individual
+    applications. All files in <tt>/etc/crypto-policies/back-ends/</tt> except for
+    <tt>nss.config</tt> should be symbolic links generated by the
+    <tt>update-crypto-policies</tt> tool.
+    Verify that the configured cryptographic policy has not been overridden by running:
+    <pre>$ sudo update-crypto-policies --check</pre>
+    The output should confirm the configured policy matches the generated policy.
+
+rationale: |-
+    Centralized cryptographic policies simplify applying secure ciphers across an
+    operating system and the applications that run on that operating system. If
+    cryptographic policy back-end configurations are overridden, the system may use
+    weak or unapproved cipher suites, undermining the intended security posture.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86483-5
+
+references:
+    srg: SRG-OS-000396-GPOS-00176,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+
+ocil_clause: 'the configured policy does not match the generated policy'
+
+ocil: |-
+    Verify that the cryptographic policy has not been overridden by running:
+    <pre>$ sudo update-crypto-policies --check</pre>
+    If compliant, the output confirms the configured policy matches the generated policy.
+
+platform: system_with_kernel and not osbuild

linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/sce/shared.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
+# check-import = stdout
+
+update-crypto-policies --check
+rc=$?
+
+if [ $rc -eq 0 ]; then
+    exit "${XCCDF_RESULT_PASS}"
+fi
+
+exit "${XCCDF_RESULT_FAIL}"

linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/backend_file_overridden.fail.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
+# packages = crypto-policies-scripts
+
+# Start from a clean, fully applied state
+update-crypto-policies --set DEFAULT
+
+# Replace the gnutls backend symlink with a modified regular file to simulate
+# a manual per-application override of the system crypto policy.
+# update-crypto-policies --check regenerates the policy and byte-compares it
+# against the back-ends directory, so any content change causes a failure.
+BACKEND_FILE="/etc/crypto-policies/back-ends/gnutls.config"
+content=$(cat "${BACKEND_FILE}")
+rm -f "${BACKEND_FILE}"
+printf '%s\n# manual override\n' "${content}" > "${BACKEND_FILE}"

linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/config_changed_not_applied.fail.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
+# packages = crypto-policies-scripts
+
+# Start from a clean, fully applied DEFAULT state
+update-crypto-policies --set DEFAULT
+
+# Change the config to a different policy without running update-crypto-policies.
+# --check regenerates the policy from /etc/crypto-policies/config (now LEGACY)
+# and compares it against the back-ends still generated for DEFAULT, so they
+# will not match.
+echo "LEGACY" > /etc/crypto-policies/config

linux_os/guide/system/software/integrity/crypto/crypto_policy_not_overridden/tests/correct_policy_applied.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
+# packages = crypto-policies-scripts
+
+# Ensure the crypto policy is set and fully applied so --check passes
+update-crypto-policies --set DEFAULT

products/rhel9/controls/stig_rhel9.yml

@@ -3983,20 +3983,9 @@ controls:
       levels:
           - medium
       title: RHEL 9 cryptographic policy must not be overridden.
-      notes: Rules for this control are intentionally not implemented. Checking whether files under
-          /etc/crypto-policies/back-ends/
-          are symlinks is not an appropriate way to verify the consistency of the system's
-          cryptographic settings.
-          The suggested fix mentioned in the STIG does not fully satisfy its own requirements, as
-          it also symlinks the nss.config file.
-          Furthermore, running sudo 'update-crypto-policies --set FIPS' is not a reliable way to
-          ensure FIPS compliance. Customers should
-          refer to the official Red Hat Documentation and use the 'fips=1' kernel option during
-          system installation to ensure the system is
-          in FIPS mode.
-          More information can be found at
-          https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening
-      status: pending
+      rules:
+          - crypto_policy_not_overridden
+      status: automated
 
     - id: RHEL-09-672030
       levels:

shared/references/cce-redhat-avail.txt

@@ -1,4 +1,3 @@
-CCE-86483-5
 CCE-86484-3
 CCE-86492-6
 CCE-86494-2

tests/data/profile_stability/rhel9/stig.profile

@@ -156,6 +156,7 @@ configure_usbguard_auditbackend
 configured_firewalld_default_deny
 coredump_disable_backtraces
 coredump_disable_storage
+crypto_policy_not_overridden
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount_open

tests/data/profile_stability/rhel9/stig_gui.profile

@@ -156,6 +156,7 @@ configure_usbguard_auditbackend
 configured_firewalld_default_deny
 coredump_disable_backtraces
 coredump_disable_storage
+crypto_policy_not_overridden
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount_open