This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2112304 - SCAP rules enable_fips_mode and configure_crypto_policy do not understand that FIPS:OSPP crypto policy is in fact a FIPS policy
Summary: SCAP rules enable_fips_mode and configure_crypto_policy do not understand tha...
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: scap-security-guide
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Gabriel Gaspar Becker
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-07-29 09:53 UTC by Jan Pazdziora (Red Hat)
Modified: 2023-09-16 18:51 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-30 13:55:40 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker   RHEL-1798 0 None Migrated None 2023-08-30 13:55:34 UTC
Red Hat Issue Tracker RHELPLAN-129640 0 None None None 2022-07-29 10:06:49 UTC

Description Jan Pazdziora (Red Hat) 2022-07-29 09:53:29 UTC 
Description of problem:

The OSPP SCAP profile defines

    - var_system_crypto_policy=fips_ospp

which leads to FIPS:OSPP being configured in /etc/crypto-policies/config, and

   # fips-mode-setup --check
   FIPS mode is enabled.

is happy about that.

The STIG SCAP profile defines

    - var_system_crypto_policy=fips

so on an OSPP-configured system, running checking with STIG profile shows rules xccdf_org.ssgproject.content_rule_enable_fips_mode and xccdf_org.ssgproject.content_rule_configure_crypto_policy.

When remediating with the STIG profile, the crypto policy gets reset to FIPS, which in turns makes the same two SCAP rules fail when checking with the OSPP profile.

I wonder if the rules / the STIG SCAP profile could be taught that FIPS:OSPP crypto policy is a more strict (subset) of the FIPS policy that it wants to see on the system, and therefore that the rules should pass.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.62-2.el9.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Provision RHEL with

%addon com_redhat_oscap
  content-type = scap-security-guide
  profile = ospp
%end

or remediate RHEL installation with OSPP profile using

# oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

2. Check that FIPS:OSPP got set in /etc/crypto-policies/config.
3. Check with the STIG profile:

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml | grep -B3 'Result.*fail'

Actual results:

There are multiple failing rules, including

Title   Enable FIPS Mode
Rule    xccdf_org.ssgproject.content_rule_enable_fips_mode
Ident   CCE-88742-2
Result  fail
--
Title   Configure System Cryptography Policy
Rule    xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident   CCE-83450-7
Result  fail

Expected results:

There might be multiple failing rules but xccdf_org.ssgproject.content_rule_enable_fips_mode and xccdf_org.ssgproject.content_rule_configure_crypto_policy should not be among them.

Additional info:
Comment 3 Jan Pazdziora (Red Hat) 2022-09-20 07:23:17 UTC 
Note (to self) that a work dealing with crypto subpolicies was also done in bug 2057082.
Comment 4 Matěj Týč 2022-09-20 09:59:22 UTC 
This seems to be a problem with policies rather than with rules implementation.

Historically, high-level profiles s.a. CIS or OSPP treated variations of the FIPS Crypto Policy equally. The https://bugzilla.redhat.com/show_bug.cgi?id=2057082 has restricted that, so in RHEL9, only FIPS and FIPS:OSPP are treated equally.

Regarding STIG, the problem is that it is a low-level profile that prescribes exact configuration, so even if there was an imaginary FIPS:FIPS policy that would simply be an ailas to FIPS, system with such policy are expected be labelled as STIG-incompliant. Therefore, the FIPS:OSPP incompatibility with RHEL STIG follows from the STIG definition that is made by DISA, and it has to be addressed there. Then, we can think of how to implement it - as the rule in question is based on an XCCDF variable, we will have to alter the check or even remediation code, so a selected list of modified policies are also allowed.
Comment 5 RHEL Program Management 2023-08-30 13:40:29 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 6 RHEL Program Management 2023-08-30 13:55:40 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues.
Note You need to log in before you can comment on or make changes to this bug.