Merge pull request #14454 from jan-cerny/fix_configure_custom_crypto_policy_cis

Set rpm crypto only if rpm scope exists

Author: Mab879

linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml

@@ -52,7 +52,8 @@ title: Implement Custom Crypto Policy Modules for CIS Benchmark
     {
         "module_name": "NO-RPMSHA1",
         "key": "hash@rpm",
-        "value": "-SHA1"
+        "value": "-SHA1",
+        "scope": "rpm-sequoia"
     },
 ] %}}
 {{% elif product == "rhel10" or product == "fedora" %}}

shared/templates/crypto_sub_policies/ansible.template

@@ -4,7 +4,18 @@
 # complexity = low
 # disruption = low
 
+-   name: "{{{ rule_title }}} - Set the base crypto policy"
+    ansible.builtin.set_fact:
+        expected_crypto_policy: "{{{ BASE_POLICY }}}"
+
 {{% for sub_policy in SUB_POLICIES %}}
+{{% if "scope" in sub_policy %}}
+-   name: "{{{ rule_title }}} - Check That /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config Exists"
+    ansible.builtin.stat:
+        path: /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config
+    register: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope
+{{% endif %}}
+
 -   name: "{{{ rule_title }}} - Create custom crypto policy module {{{ sub_policy.module_name }}}"
     ansible.builtin.lineinfile:
         path: /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod
@@ -14,6 +25,16 @@
         line: {{{ sub_policy.key }}} = {{{ sub_policy.value }}}
         create: true
         regexp: "{{{ sub_policy.key }}}"
+{{% if "scope" in sub_policy %}}
+    when: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope.stat.exists
+{{% endif %}}
+
+-   name: "{{{ rule_title }}} - Update the expected policy"
+    ansible.builtin.set_fact:
+        expected_crypto_policy: "{{ expected_crypto_policy + ':{{{ sub_policy.module_name }}}' }}"
+{{% if "scope" in sub_policy %}}
+    when: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope.stat.exists
+{{% endif %}}
 {{% endfor %}}
 
 -   name: "{{{ rule_title }}} - Check current crypto policy"
@@ -24,5 +45,5 @@
     check_mode: false
 
 -   name: "{{{ rule_title }}} - Update crypto-policies"
-    ansible.builtin.command: update-crypto-policies --set {{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}
-    when: current_crypto_policy.stdout.strip() != "{{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}"
+    ansible.builtin.command: update-crypto-policies --set {{ expected_crypto_policy }}
+    when: current_crypto_policy.stdout.strip() != expected_crypto_policy

shared/templates/crypto_sub_policies/bash.template

@@ -4,12 +4,22 @@
 # complexity = low
 # disruption = low
 
-{{% for sub_policy in SUB_POLICIES %}}
-{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ sub_policy.module_name ~ ".pmod", sub_policy.key ~ " = " ~ sub_policy.value) }}}
-{{% endfor %}}
+expected_crypto_policy="{{{ BASE_POLICY }}}"
+
+{{% for sub_policy in SUB_POLICIES -%}}
+{{% if "scope" in sub_policy %}}
+# this module is applicable only if {{{ sub_policy.scope }}} scope is available in crypto-policies
+if [[ -f /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config ]] ; then
+{{%- endif %}}
+expected_crypto_policy="${expected_crypto_policy}:{{{ sub_policy.module_name }}}"
+{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ sub_policy.module_name ~ ".pmod", sub_policy.key ~ " = " ~ sub_policy.value) | trim }}}
+{{% if "scope" in sub_policy -%}}
+fi
+{{% endif %}}
+{{%- endfor %}}
 
 current_crypto_policy=$(update-crypto-policies --show)
-expected_crypto_policy="{{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}"
+
 if [[ "$current_crypto_policy" != "$expected_crypto_policy" ]] ; then
     update-crypto-policies --set "$expected_crypto_policy"
 fi

shared/templates/crypto_sub_policies/oval.template

@@ -3,8 +3,18 @@
         {{{ oval_metadata("Ensure that the custom crypto policy module is configured", rule_title=rule_title) }}}
         <criteria operator="AND" comment="Ensure that all of the correct lines are in the file.">
         {{% for sub_policy in SUB_POLICIES %}}
-            <criterion comment="Check that {{{ sub_policy.key }}} is configured in {{{ sub_policy.module_name }}}.pmod"
+            {{% if "scope" in sub_policy %}}
+                <criteria operator="OR" comment="If {{{ sub_policy.scope }}} scope is available then {{{ sub_policy.key }}} must be configured in {{{ sub_policy.module_name }}}.pmod">
+                    <criterion comment="Check that {{{ sub_policy.scope }}} scope is not available" negate="true" test_ref="test_{{{ rule_id }}}_{{{ sub_policy.scope }}}" />
+                    <criteria operator="AND" comment="Check that {{{ sub_policy.scope }}} scope is available AND {{{ sub_policy.key }}} is configured in {{{ sub_policy.module_name }}}.pmod">
+                        <criterion comment="Check that {{{ sub_policy.scope }}} scope is available" test_ref="test_{{{ rule_id }}}_{{{ sub_policy.scope }}}" />
+                        <criterion comment="Check that {{{ sub_policy.key }}} is configured in {{{ sub_policy.module_name }}}.pmod" test_ref="test_{{{ rule_id }}}_{{{ sub_policy.module_name }}}"/>
+                    </criteria>
+                </criteria>
+            {{% else %}}
+                <criterion comment="Check that {{{ sub_policy.key }}} is configured in {{{ sub_policy.module_name }}}.pmod"
                        test_ref="test_{{{ rule_id }}}_{{{ sub_policy.module_name }}}"/>
+            {{% endif %}}
         {{% endfor %}}
         </criteria>
     </definition>
@@ -21,5 +31,14 @@
             <ind:pattern operation="pattern match">^{{{ sub_policy.key }}} = {{{ sub_policy.value | escape_regex }}}$</ind:pattern>
             <ind:instance datatype="int">1</ind:instance>
         </ind:textfilecontent54_object>
+        {{% if "scope" in sub_policy %}}
+            <unix:file_test comment="Check that {{{ sub_policy.scope }}} scope is available" id="test_{{{ rule_id }}}_{{{ sub_policy.scope }}}" check="all" check_existence="all_exist" version="1">
+                <unix:object object_ref="object_{{{ rule_id }}}_{{{ sub_policy.scope }}}" />
+            </unix:file_test>
+
+            <unix:file_object comment="/etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config" id="object_{{{ rule_id }}}_{{{ sub_policy.scope }}}" version="1">
+                <unix:filepath>/etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config</unix:filepath>
+            </unix:file_object>
+        {{% endif %}}
         {{% endfor %}}
 </def-group>