Conversation

@jan-cerny
Collaborator

Description:

This PR adds new rules to RHEL 8 CIS profiles:

  • crypto_sub_policy_sshd_ciphers
  • crypto_sub_policy_sshd_macs
  • crypto_sub_policy_sshd_cbc
  • crypto_sub_policy_weak_macs

These rules are templated by a template that is also introduced in this PR.

All rules configure or check a new sub module for system wide crypto policy.

Rationale:

Resolves: https://issues.redhat.com/browse/RHEL-111896

Fixes TODOs and aligns the rules with RHEL 8 CIS Benchmark version 4.0.0.

Review Hints:

@jan-cerny jan-cerny added this to the 0.1.79 milestone Oct 27, 2025
@jan-cerny jan-cerny added bugfix Fixes to reported bugs. RHEL8 Red Hat Enterprise Linux 8 product related. CIS CIS Benchmark related. labels Oct 27, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 27, 2025
@openshift-ci

openshift-ci bot commented Oct 27, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Oct 27, 2025
Adds a new rule crypto_sub_policy_sshd_ciphers that configures a custom
crypto sub policy module for SSHD. The new rule is very similar to
fips_custom_stig_sub_policy. It configures a new module for system
wide crypto policies that reduces the set of usable ciphers in sshd.

This change aligns the RHEL 8 CIS profiles with the
CIS RHEL 8 Benchmark v 4.0.0 requirement 5.1.8.

Resolves: https://issues.redhat.com/browse/RHEL-111896

We prevent future code duplication by extracting the common rule
description and OCIL text to new Jinja macros describe_crypto_sub_policy
and ocil_crypto_sub_policy. These macros can be used in rules that
use the crypto_sub_policy template.

The rule crypto_sub_policy_sshd_macs implements the approach
for configuring strong MACs as requested in CIS Benchmark for
RHEL 8 version 4.0.0.

The rule crypto_sub_policy_sshd_cbc implements the approach
for disabling CBC ciphers using a custom crypto policy sub
module as requested in requirement 1.6.4 in CIS Benchmark
for RHEL 8 version 4.0.0.

The rule crypto_sub_policy_weak_macs implements the approach
for disabling MACs using a custom crypto policy sub
module as requested in requirement 1.6.3 in CIS Benchmark
for RHEL 8 version 4.0.0.
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Oct 27, 2025
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Oct 30, 2025
Add a new rule `crypto_sub_policies_cis_rhel8` that configures multiple
custom crypto sub policy modules for RHEL 8 CIS. The new rule is very
similar to `fips_custom_stig_sub_policy`. It configures new modules for
system wide crypto policies that reduce the set of usable ciphers in
sshd, MACs, and others.

The rule is templated by a new template `crypto_sub_policies` that is
also introduced in this commit so that the code can be reused in other
similar rules.

This change aligns the RHEL 8 CIS profiles in CaC with the CIS RHEL 8
Benchmark v4.0.0 requirements. All crypto requirements of this profile
are now covered by this single rule. The reason for merging all of the
sub module configuration is to prevent overriding crypto policy
settings. If there were multiple rules, each of them would call
the `update-crypto-policies` command with a different sub policy,
overriding each other.

This supersedes ComplianceAsCode#14050

Resolves: https://issues.redhat.com/browse/RHEL-111896
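A post-remediation check for the override problem the commit message describes, added here as an example and not code from the PR or from ComplianceAsCode: it reads the policy string that `update-crypto-policies --set` records in `/etc/crypto-policies/config` and confirms that every expected sub policy module is still named there and has its `.pmod` file under `/etc/crypto-policies/policies/modules`. The module names passed in are hypothetical; the two path variables default to the real locations and can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the PR or ComplianceAsCode): verify that the active
# system-wide crypto policy still names every custom sub policy module a profile
# expects. If two rules each ran `update-crypto-policies --set DEFAULT:<module>`,
# only the last module survives, and this check reports the others as missing.

CP_CONFIG="${CP_CONFIG:-/etc/crypto-policies/config}"
CP_MODULES="${CP_MODULES:-/etc/crypto-policies/policies/modules}"

# Print the active policy string, e.g. "DEFAULT:MODULE_A:MODULE_B".
active_policy() {
    [ -r "$CP_CONFIG" ] || return 1
    grep -v '^#' "$CP_CONFIG" | tr -d ' \t' | grep . | head -n 1
}

# Build the single argument a merged rule passes to `update-crypto-policies --set`:
# the base policy followed by every sub policy module, colon separated.
compose_policy() {
    out=$1; shift
    for mod in "$@"; do out="$out:$mod"; done
    printf '%s\n' "$out"
}

# Return 0 only if every module named in "$@" appears in the active policy
# string and has a module file installed; report each gap on stdout.
check_sub_policies() {
    policy=$(active_policy) || policy=
    if [ -z "$policy" ]; then echo "no active crypto policy"; return 1; fi
    case "$policy" in
        *:*) mods=${policy#*:} ;;   # everything after the base policy
        *)   mods= ;;               # base policy only, no sub modules
    esac
    rc=0
    for mod in "$@"; do
        case ":$mods:" in
            *":$mod:"*) ;;
            *) echo "missing from active policy '$policy': $mod"; rc=1 ;;
        esac
        [ -f "$CP_MODULES/$mod.pmod" ] || { echo "no module file: $mod.pmod"; rc=1; }
    done
    return $rc
}

# Usage on a live host: ./check_crypto_policy.sh MODULE_A MODULE_B ...
if [ -n "${1:-}" ]; then
    check_sub_policies "$@"
fi
```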
@jan-cerny
Collaborator Author

This PR has been superseded by #14066

jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Oct 31, 2025