Bug 2112304

Summary: SCAP rules enable_fips_mode and configure_crypto_policy do not understand that FIPS:OSPP crypto policy is in fact a FIPS policy
Product: Red Hat Enterprise Linux 9 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: scap-security-guideAssignee: Gabriel Gaspar Becker <ggasparb>
Status: CLOSED MIGRATED QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: ggasparb, jpazdziora, matyc, mhaicman, mlysonek, openscap-maint, vpolasek
Target Milestone: rcKeywords: MigratedToJIRA, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-30 13:55:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2022-07-29 09:53:29 UTC 
Description of problem:

The OSPP SCAP profile defines

    - var_system_crypto_policy=fips_ospp

which leads to FIPS:OSPP being configured in /etc/crypto-policies/config, and

   # fips-mode-setup --check
   FIPS mode is enabled.

is happy about that.

The STIG SCAP profile defines

    - var_system_crypto_policy=fips

so on an OSPP-configured system, running checking with STIG profile shows rules xccdf_org.ssgproject.content_rule_enable_fips_mode and xccdf_org.ssgproject.content_rule_configure_crypto_policy.

When remediating with the STIG profile, the crypto policy gets reset to FIPS, which in turns makes the same two SCAP rules fail when checking with the OSPP profile.

I wonder if the rules / the STIG SCAP profile could be taught that FIPS:OSPP crypto policy is a more strict (subset) of the FIPS policy that it wants to see on the system, and therefore that the rules should pass.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.62-2.el9.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Provision RHEL with

%addon com_redhat_oscap
  content-type = scap-security-guide
  profile = ospp
%end

or remediate RHEL installation with OSPP profile using

# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

2. Check that FIPS:OSPP got set in /etc/crypto-policies/config.
3. Check with the STIG profile:

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml | grep -B3 'Result.*fail'

Actual results:

There are multiple failing rules, including

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-88742-2
Result  fail
--
Title   Configure System Cryptography Policy
Rule    xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident   CCE-83450-7
Result  fail

Expected results:

There might be multiple failing rules but xccdf_org.ssgproject.content_rule_enable_fips_mode and xccdf_org.ssgproject.content_rule_configure_crypto_policy should not be among them.

Additional info:
Comment 3 Jan Pazdziora (Red Hat) 2022-09-20 07:23:17 UTC 
Note (to self) that a work dealing with crypto subpolicies was also done in bug 2057082.
Comment 4 Matěj Týč 2022-09-20 09:59:22 UTC 
This seems to be a problem with policies rather than with rules implementation.

Historically, high-level profiles s.a. CIS or OSPP treated variations of the FIPS Crypto Policy equally. The https://bugzilla.redhat.com/show_bug.cgi?id=2057082 has restricted that, so in RHEL9, only FIPS and FIPS:OSPP are treated equally.

Regarding STIG, the problem is that it is a low-level profile that prescribes exact configuration, so even if there was an imaginary FIPS:FIPS policy that would simply be an ailas to FIPS, system with such policy are expected be labelled as STIG-incompliant. Therefore, the FIPS:OSPP incompatibility with RHEL STIG follows from the STIG definition that is made by DISA, and it has to be addressed there. Then, we can think of how to implement it - as the rule in question is based on an XCCDF variable, we will have to alter the check or even remediation code, so a selected list of modified policies are also allowed.
Comment 5 RHEL Program Management 2023-08-30 13:40:29 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 6 RHEL Program Management 2023-08-30 13:55:40 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues.