Skip to content

Fix crypto policy settings in RHEL 8 CIS #14066

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

Fix crypto policy settings in RHEL 8 CIS #14066

wants to merge 3 commits into from
+332 −142

Conversation

@jan-cerny
Copy link
Collaborator

Add a new rule crypto_sub_policies_cis_rhel8 that configures multiple custom crypto sub policy modules for RHEL 8 CIS. The new rule is very similar to fips_custom_stig_sub_policy. It configures new modules for system wide crypto policies that reduces the set of usable ciphers in sshd, MACs, and others.

The rule is templated by a new template crypto_sub_policies that is also introduced in this commit so that the code can be reused in other similar rules.

This change aligns the RHEL 8 CIS profiles in CaC with the CIS RHEL 8 Benchmark v4.0.0 requirements. All crypto requirements of this profile are now covered by this single rule. The reason for merging all of the sub module configuration is to prevent overriding crypto policy settings. If there would be multiple rules, each of them would call the update-crypto-policies commands with a different sub policy, overriding each other.

This supersedes #14050

Resolves: https://issues.redhat.com/browse/RHEL-111896

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Oct 30, 2025
@openshift-ci
Copy link

openshift-ci bot commented Oct 30, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@jan-cerny jan-cerny added bugfix Fixes to reported bugs. RHEL8 Red Hat Enterprise Linux 8 product related. CIS CIS Benchmark related. and removed do-not-merge/work-in-progress Used by openshift-ci bot. labels Oct 30, 2025
@jan-cerny jan-cerny added this to the 0.1.79 milestone Oct 30, 2025
@jan-cerny jan-cerny mentioned this pull request Oct 30, 2025
Draft
ggbecker
ggbecker reviewed Oct 30, 2025
View reviewed changes
Copy link
Member

@ggbecker ggbecker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe the same should apply for all other CIS RHEL (9/10) major versions.

And would be ideal if the rule would not be RHEL8 centric. We could in theory set the sub_policies variable according to the RHEL version.

Also I believe that it is still valid to check for particular submodules in the crypto policy, for example there would still have a need for the rule that checks if the current crypto policy respects a given security requirement (e.g. no weak mac), this rule would simply check if the submodule contains the right algorithm restriction, and the remediation can simply be reapply the expected sub crypto policy in case of deviation.

This would not imply a change in the CIS benchmarks for example, where they have a requirement for each of the restriction they expect.

I also don't like the name of the rule, instead of crypto_sub_policies_cis_rhel8,
maybe something like configure_custom_crypto_policy_cis

@jan-cerny
Copy link
Collaborator Author

@ggbecker

I believe the same should apply for all other CIS RHEL (9/10) major versions.

Great idea! I have checked the latest versions of RHEL 9 and RHEL 10 CIS Benchmarks and I found they also use the approach to configure cryptography by creating custom crypto policy sub modules. They are very similar to the RHEL 8 bu sometimes with different values. I think I will extend this change to use the new rule also on RHEL 9 and RHEL 10.

And would be ideal if the rule would not be RHEL8 centric. We could in theory set the sub_policies variable according to the RHEL version.

Yes, that makes sense.

Also I believe that it is still valid to check for particular submodules in the crypto policy, for example there would still have a need for the rule that checks if the current crypto policy respects a given security requirement (e.g. no weak mac), this rule would simply check if the submodule contains the right algorithm restriction, and the remediation can simply be reapply the expected sub crypto policy in case of deviation.

I'm not sure if I follow. Can you try to rephrase or explain this a little more? The current code in this PR contains OVAL that checks the contents of the submodule file (.pmod) file, I believe that this way it checks if the current crypto policy respects a given security requirement (e.g. no weak mac).

This would not imply a change in the CIS benchmarks for example, where they have a requirement for each of the restriction they expect.

Is your concern about the fact that after this change we would cover multiple controls with a single rule?

I'm concerned about covering multiple requirements by single rule as well. The previous PR #14050 has the configuration split into 4 different rules. That's better for the granularity, and I'd prefer that. However, it has a problem that when the remediation of a rule runs the update-crypto-policies command it adds the crypto policy sub module configured by the rule but removes the others because it has no information that there are other rules adding other modules. That's a blocker because the test fails and the final state after all 4 rules are applied isn't compliant. I couldn't find a solution for this.

I also don't like the name of the rule, instead of crypto_sub_policies_cis_rhel8,
maybe something like configure_custom_crypto_policy_cis

OK, makes sense once I incorporate the change to RHEL 9 and RHEL 10 CIS profiles.

@jan-cerny jan-cerny added the Highlight This PR/Issue should make it to the featured changelog. label Oct 31, 2025
@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Oct 31, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Oct 31, 2025
@jan-cerny
Copy link
Collaborator Author

I have rebased this PR on the top of the latest upstream master branch. I have renamed the rule and started using it in RHEL 9 and RHEL 10 CIS control files.

@jan-cerny
Fix crypto policy settings in RHEL 8 CIS
bc9207d 
Add a new rule `crypto_sub_policies_cis_rhel8` that configures multiple
custom crypto sub policy modules for RHEL 8 CIS. The new rule is very
similar to `fips_custom_stig_sub_policy`. It configures new modules for
system wide crypto policies that reduces the set of usable ciphers in
sshd, MACs, and others.

The rule is templated by a new template `crypto_sub_policies` that is
also introduced in this commit so that the code can be reused in other
similar rules.

This change aligns the RHEL 8 CIS profiles in CaC with the CIS RHEL 8
Benchmark v4.0.0 requirements. All crypto requirements of this profile
are now covered by this single rule. The reason for merging all of the
sub module configuration is to prevent overriding crypto policy
settings. If there would be multiple rules, each of them would call
the `update-crypto-policies` commands with a different sub policy,
overriding each other.

This supersedes ComplianceAsCode#14050

Resolves: https://issues.redhat.com/browse/RHEL-111896
@jan-cerny
Rename rule crypto_sub_policies_cis_rhel8 to configure_custom_crypto_…
e34d034 
…policy_cis
@jan-cerny
Start using configure_custom_crypto_policy_cis in RHEL 9 and 10
60376ca 
I have checked the latest versions of RHEL 9 and RHEL 10 CIS Benchmarks
and I found they also use the approach to configure cryptography by
creating custom crypto policy sub modules. They are very similar to the
RHEL 8 bu sometimes with different values.
In this commit, we will start using the rule configure_custom_crypto_policy_cis
in CIS for RHEL 9 and RHEL 10 as well, in a similar way to RHEL 8.
@jan-cerny
Copy link
Collaborator Author

I have rebased this PR on the top of the latest upstream master branch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ggbecker ggbecker ggbecker left review comments

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka will be requested when the pull request is marked ready for review matusmarhefka is a code owner

@Mab879 Mab879 Awaiting requested review from Mab879 Mab879 will be requested when the pull request is marked ready for review Mab879 is a code owner

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek vojtapolasek will be requested when the pull request is marked ready for review vojtapolasek is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

bugfix Fixes to reported bugs. CIS CIS Benchmark related. Highlight This PR/Issue should make it to the featured changelog. RHEL8 Red Hat Enterprise Linux 8 product related.

Projects

None yet

Milestone

0.1.79

Development

Successfully merging this pull request may close these issues.

3 participants

@jan-cerny @ggbecker @openshift-merge-robot