Bug 2038841 - Provide a way to list crypto policies with a short description
Summary: Provide a way to list crypto policies with a short description
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: crypto-policies
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Alexander Sosedkin
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-10 09:47 UTC by Jelle van der Waa
Modified: 2023-06-20 13:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-06-20 13:09:48 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System                  ID               Last Updated
Red Hat Issue Tracker   CRYPTO-10929     2023-06-10 07:38:20 UTC
Red Hat Issue Tracker   RHELPLAN-107263  2022-01-10 09:49:13 UTC

Description Jelle van der Waa 2022-01-10 09:47:24 UTC
Description of problem:

Cockpit is adding crypto-policy setting integration for which it would be nice if cockpit could list all available crypto policies with a short description in a machine readable format. The description in /usr/share/crypto-policies/default-config is a good example. As custom policies are also supported

Version-Release number of selected component (if applicable):

crypto-policies-20211115-1.git70de135.el9.noarch

Example

update-crypto-policies --list

LEGACY: Ensures maximum compatibility with legacy systems (64-bit security)
DEFAULT: A reasonable default for today's standards (112-bit security)
FUTURE: A policy to provide security on a conservative level that is believed to withstand any near-term future attacks (128-bit security)
FIPS: Policy that enables only FIPS 140-2 approved or allowed algorithms

Comment 1 Alexander Sosedkin 2022-01-11 12:20:25 UTC
That's one interesting request. As you might have noticed, this file predates custom policies and subpolicies and needs updating.

> As custom policies are also supported policies are also supported

Truncated sentence?

One more complication I see is what's gonna be the contract of `update-crypto-policies --list`.
From the invocation alone I'd expect that it lists every discoverable policy and subpolicy; yet there are some that we'd prefer not to expose in that list of yours, such as the OSPP internal-usage subpolicy or even the FIPS policy. The FIPS policy isn't really something one enables directly; there's a separate `fips-mode-setup` doing more than just that (and the advised way to get to it is installing with fips=1, actually).

How fine would you be with:
* going with static generic descriptions of LEGACY/DEFAULT/FUTURE in cockpit and pointing to other docs for more?
* shipping these descriptions as an extra file in crypto-policies?
* ...
* extending the policy/subpolicy files format to support optional short descriptions and visibility toggles to allow generating such a list, then adding an undocumented-internal-only-but-tested --list-examples?

Asking because your request is for a command and not static descriptions, while extending the format feels like overengineering the solution.

Comment 2 Jelle van der Waa 2022-01-20 16:58:38 UTC
(In reply to Alexander Sosedkin from comment #1)
> That's one interesting request. As you might have noticed, this file
> predates custom policies and subpolicies and needs updating.
> 
> > As custom policies are also supported policies are also supported
> 
> Truncated sentence?
> 
> One more complication I see is what's gonna be the contract of
> `update-crypto-policies --list`.
> From the invocation alone I'd expect that it lists every discoverable policy
> and subpolicy; yet there are some that we'd prefer not exposing to that list
> of yours, such as OSPP internal-usage subpolicy or even the FIPS policy.
> FIPS policy isn't really something one enables directly, there's a separate
> `fips-mode-setup` doing more than just that (and the advised way to get to
> it is installing with fips=1, actually).

Yes, that's true. We could maintain a blacklist in cockpit, I suppose, but that requires constant updating.
 
> How fine would you be with:
> * going with static generic descriptions of LEGACY/DEFAULT/FUTURE in cockpit
> and pointing to other docs for more?

That's now done in the POC https://github.com/cockpit-project/cockpit/pull/16860

> * shipping these descriptions as an extra file in crypto-policies?
> * ...

That's acceptable.

> * extending the policy/subpolicy files format to support optional short
> descriptions and visibility toggles to allow generating such a list, then
> adding an undocumented-internal-only-but-tested --list-examples?

That sounds like the --list option I was suggesting, or am I mistaken?

Comment 3 Alexander Sosedkin 2022-01-20 17:44:34 UTC
>> * going with static generic descriptions of LEGACY/DEFAULT/FUTURE in cockpit
>> and pointing to other docs for more?
>
> That's now done in the POC https://github.com/cockpit-project/cockpit/pull/16860

I meant turning it even more generic and stable across releases and distros, like
"LEGACY: aims at higher interoperability at the cost of an increased attack surface"
"DEFAULT: aims at secure settings for current threat models"
"FUTURE: aims at protecting from anticipated near-term future attacks at the expense of interoperability"
and a link to the distro's equivalent of [1] instead of specifics.
So, generalizing it to something that'd hold true for both RHEL-8 and Fedora 36 alike.

>> adding an undocumented-internal-only-but-tested --list-examples?
>
> That sounds like the --list option I was suggesting or am I mistaken.

I meant two differences from how I happen to read the original request:

1. Original --list sounds like it aims to
   somehow list either everything usable with --set
   or at least all the base policies discovered in the system.
   Hypothetical --list-examples will list just some subset of such possible values.
2. Original --list would have a public-facing --help entry and a manpage entry
   defining what exactly it does
   (e.g., lists the base policies but not subpolicies
    in the order defined by etc. etc.).
   Hypothetical --list-examples would be for cockpit usage only,
   with its interface enforced only by some automated regression tests
   on both crypto-policies and cockpit sides.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

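The two contracts discussed in comments 1 and 3 (list everything discoverable with --set, versus list only a curated, described subset) can be prototyped outside the crypto-policies package. The script below is an added example, not code from crypto-policies or cockpit: it walks the directory layout the package uses (base policies as `<dir>/*.pol`, subpolicies as `<dir>/modules/*.pmod`, in both the shipped `/usr/share/crypto-policies/policies` and the custom `/etc/crypto-policies/policies`), and joins the names with one-line descriptions from a separate file. That descriptions file, its name and its `NAME<TAB>description` format are assumptions standing in for the "extra file" option; absence from it doubles as the visibility toggle, so FIPS and internal subpolicies stay out of the "examples" listing without a blacklist in cockpit. The sample tree is constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of crypto-policies): enumerate discoverable
# policies/subpolicies and pair them with short descriptions from an
# assumed extra file. Real locations would be
# /usr/share/crypto-policies/policies and /etc/crypto-policies/policies.

# Print base policies ("FUTURE") and subpolicies ("@OSPP") found in the
# given directories, deduplicated and sorted. A custom policy shadowing a
# shipped one is reported once.
discover_policies() {
    for dir in "$@"; do
        for f in "$dir"/*.pol; do
            [ -f "$f" ] || continue
            b=${f##*/}; printf '%s\n' "${b%.pol}"
        done
        for f in "$dir"/modules/*.pmod; do
            [ -f "$f" ] || continue
            b=${f##*/}; printf '@%s\n' "${b%.pmod}"
        done
    done | sort -u
}

# Look up the description for NAME in DESCFILE (assumed format:
# "NAME<TAB>description", '#' comment lines allowed). Prints nothing if
# the name is absent or the file is unreadable.
describe_policy() {
    awk -F '\t' -v n="$1" '$0 !~ /^#/ && $1 == n { print $2; exit }' "$2" 2>/dev/null
}

# MODE "all": every discoverable entry, "(no description)" where the file
# is silent. MODE "examples": only entries with a description, so the
# file decides what is exposed (FIPS, internal subpolicies simply are not
# listed in it).
list_policies() {
    mode=$1; descfile=$2; shift 2
    discover_policies "$@" | while IFS= read -r name; do
        desc=$(describe_policy "$name" "$descfile")
        if [ -n "$desc" ]; then
            printf '%s: %s\n' "$name" "$desc"
        elif [ "$mode" = all ]; then
            printf '%s: (no description)\n' "$name"
        fi
    done
}

# Constructed sample tree standing in for /usr/share and /etc; prints its
# root. Policy files are empty because only the names matter here.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/share/modules" "$root/etc/modules"
    for p in LEGACY DEFAULT FUTURE FIPS; do : > "$root/share/$p.pol"; done
    : > "$root/share/modules/OSPP.pmod"
    : > "$root/share/modules/NO-SHA1.pmod"
    : > "$root/etc/MYORG.pol"
    : > "$root/etc/modules/NO-CAMELLIA.pmod"
    {
        printf '# name<TAB>description (assumed format)\n'
        printf 'LEGACY\tHigher interoperability at the cost of an increased attack surface\n'
        printf 'DEFAULT\tSecure settings for current threat models\n'
        printf 'FUTURE\tProtects against anticipated near-term attacks at the expense of interoperability\n'
        printf '@NO-SHA1\tDisables SHA-1 where possible\n'
    } > "$root/descriptions"
    printf '%s\n' "$root"
}

ROOT=$(make_sample_tree)
echo "== examples (curated, described subset) =="
list_policies examples "$ROOT/descriptions" "$ROOT/share" "$ROOT/etc"
echo "== all (everything usable with --set) =="
list_policies all "$ROOT/descriptions" "$ROOT/share" "$ROOT/etc"
rm -rf "$ROOT"
```

Point the last two `list_policies` calls at the real directories to see what a given system would expose under each contract; the shape of the output matches the `NAME: description` lines proposed in the description of this bug.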
