Bug
Resolution: Not a Bug
rhel-9.0.0
rhel-sst-security-compliance
ssg_security
Release Note Not Required
Description of problem:
The OSPP SCAP profile defines
- var_system_crypto_policy=fips_ospp
which leads to FIPS:OSPP being configured in /etc/crypto-policies/config, and
- fips-mode-setup --check
is happy with that, reporting "FIPS mode is enabled."
The STIG SCAP profile defines
- var_system_crypto_policy=fips
so on an OSPP-configured system, a check with the STIG profile reports the rules xccdf_org.ssgproject.content_rule_enable_fips_mode and xccdf_org.ssgproject.content_rule_configure_crypto_policy as failing.
When remediating with the STIG profile, the crypto policy gets reset to FIPS, which in turn makes the same two SCAP rules fail when checking with the OSPP profile.
I wonder if the rules / the STIG SCAP profile could be taught that the FIPS:OSPP crypto policy is a stricter (subset) version of the FIPS policy it wants to see on the system, and therefore that the rules should pass.
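As an added illustration (not code from this report or from scap-security-guide), here is a small check of the two ways the configured crypto policy could be compared against the profile variable: a strict string match, which is the behaviour the report describes, and a base-plus-subpolicy match under which FIPS:OSPP satisfies a requirement of FIPS, as the reporter proposes. The mapping from the variable value (fips_ospp) to the policy string (FIPS:OSPP), the sample config contents and the function names are assumptions, not SSG's own logic.

```python
"""Compare /etc/crypto-policies/config against a profile's
var_system_crypto_policy value. Added example; the real SSG rules
are not reproduced here."""


def parse_policy(text: str) -> list[str]:
    """Return [BASE, SUBPOLICY, ...] from text such as 'FIPS:OSPP'.

    Blank lines and '#' comments are skipped, as update-crypto-policies
    does; the first remaining line is the active policy string."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            return line.upper().split(":")
    return []


def policy_from_var(var_value: str) -> str:
    """Assumed mapping of an SSG variable value to a policy string:
    'fips_ospp' -> 'FIPS:OSPP', 'fips' -> 'FIPS'."""
    return var_value.upper().replace("_", ":")


def strict_match(config_text: str, required: str) -> bool:
    """Pass only when the configured policy string equals the required
    one exactly (case-insensitive). FIPS:OSPP does not match FIPS."""
    return parse_policy(config_text) == parse_policy(required)


def subset_match(config_text: str, required: str) -> bool:
    """Pass when the configured policy has the required base policy and
    at least the required subpolicies. Assumes subpolicies only tighten
    the base, which is what the report argues for FIPS:OSPP."""
    have, want = parse_policy(config_text), parse_policy(required)
    if not have or not want or have[0] != want[0]:
        return False
    return set(want[1:]) <= set(have[1:])


# Constructed sample of /etc/crypto-policies/config after OSPP remediation.
OSPP_CONFIG = "# generated by update-crypto-policies\nFIPS:OSPP\n"


def evaluate(config_text: str = OSPP_CONFIG) -> dict[str, bool]:
    """Result of checking one config with both profiles' variable values
    under both comparison modes; keys are '<profile>/<mode>'."""
    return {
        "stig/strict": strict_match(config_text, policy_from_var("fips")),
        "stig/subset": subset_match(config_text, policy_from_var("fips")),
        "ospp/strict": strict_match(config_text, policy_from_var("fips_ospp")),
        "ospp/subset": subset_match(config_text, policy_from_var("fips_ospp")),
    }
```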
Version-Release number of selected component (if applicable):
scap-security-guide-0.1.62-2.el9.noarch
How reproducible:
Deterministic.
Steps to Reproduce:
1. Provision RHEL with
%addon com_redhat_oscap
content-type = scap-security-guide
profile = ospp
%end
or remediate RHEL installation with OSPP profile using
- oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
2. Check that FIPS:OSPP got set in /etc/crypto-policies/config.
3. Check with the STIG profile:
- oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml | grep -B3 'Result.*fail'
Actual results:
There are multiple failing rules, including
Title Enable FIPS Mode
Rule xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident CCE-88742-2
Result fail
–
Title Configure System Cryptography Policy
Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident CCE-83450-7
Result fail
Expected results:
There might be multiple failing rules but xccdf_org.ssgproject.content_rule_enable_fips_mode and xccdf_org.ssgproject.content_rule_configure_crypto_policy should not be among them.
Additional info: