Blame SOURCES/crypto_nss_fix.patch

From c8d00d88a253efc7d3eed11349c4481f8a7e344d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 Feb 2019 14:40:25 +0100
Subject: [PATCH 1/3] Add test scenario for crypto-policy nss.config
---
 .../nss_config_as_file.pass.sh                       | 12 ++++++++++++
 .../nss_config_as_symlink.pass.sh                    | 12 ++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
 create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh
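--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_file.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+update-crypto-policies --set "FIPS"
+
+CRYPTO_POLICY_LIB_FILE="/etc/crypto-policies/back-ends/nss.config"
+SYMLINK_TO_FOLDER="/usr/share/crypto-policies/FIPS/"
+SYMLINK_TO_FILE="nss.txt"
+rm -f $CRYPTO_POLICY_LIB_FILE
+mkdir -p $SYMLINK_TO_FOLDER
+cp $SYMLINK_TO_FOLDER$SYMLINK_TO_FILE $CRYPTO_POLICY_LIB_FILE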
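Review bot: The setup commands in this scenario run unchecked and with unquoted expansions, so a failed `update-crypto-policies --set "FIPS"` or a failed `cp` (for example when nss.txt is absent from the FIPS policy directory) leaves the machine in a state the scenario name does not describe, and the scan result is then attributed to the rule rather than to the broken setup. Quote the variables and stop on error, e.g. `set -e` after the header comments and `cp "$SYMLINK_TO_FOLDER$SYMLINK_TO_FILE" "$CRYPTO_POLICY_LIB_FILE"`. The `mkdir -p` on the policy directory only masks a missing directory, since the following `cp` still needs nss.txt there, and the `SYMLINK_TO_*` names are misleading in a scenario that copies a regular file. The same applies to nss_config_as_symlink.pass.sh, which differs only in its final `ln -s` line.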
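--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/nss_config_as_symlink.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+update-crypto-policies --set "FIPS"
+
+CRYPTO_POLICY_LIB_FILE="/etc/crypto-policies/back-ends/nss.config"
+SYMLINK_TO_FOLDER="/usr/share/crypto-policies/FIPS/"
+SYMLINK_TO_FILE="nss.txt"
+rm -f $CRYPTO_POLICY_LIB_FILE
+mkdir -p $SYMLINK_TO_FOLDER
+ln -s $SYMLINK_TO_FOLDER$SYMLINK_TO_FILE $CRYPTO_POLICY_LIB_FILE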
From 0c3fb5b64f19fef3ae2dac8bbeb71d9d2ae29b54 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 Feb 2019 14:41:01 +0100
Subject: [PATCH 2/3] Update check for configure_crypto_policy
---
 .../crypto/configure_crypto_policy/oval/shared.xml       | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
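--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
@@ -55,11 +55,11 @@
       {{{ crypto_policy_symlink_criterion(library="java") }}}
       {{{ crypto_policy_symlink_criterion(library="krb5") }}}
       {{{ crypto_policy_symlink_criterion(library="libreswan") }}}
-      {{{ crypto_policy_symlink_criterion(library="nss") }}}
       {{{ crypto_policy_symlink_criterion(library="openssh") }}}
       {{{ crypto_policy_symlink_criterion(library="opensshserver") }}}
       {{{ crypto_policy_symlink_criterion(library="openssl") }}}
   {{% endif %}}
+      <criterion comment="Check if /etc/crypto-policies/back-ends/nss.config exists" test_ref="test_crypto_policy_nss_config" />
     </criteria>
   </definition>
 
@@ -146,6 +146,13 @@ id="object_crypto_policies_config_file_modified_time" version="1">
   {{{ crypto_policy_symlink_check(library="openssl") }}}
 {{% endif %}}
 
+  <unix:file_test check="all" check_existence="all_exist" comment="Check if /etc/crypto-policies/back-ends/nss.config exists" id="test_crypto_policy_nss_config" version="1">
+    <unix:object object_ref="object_crypto_policy_nss_config" />
+  </unix:file_test>
+  <unix:file_object id="object_crypto_policy_nss_config" version="1">
+    <unix:filepath>/etc/crypto-policies/back-ends/nss.config</unix:filepath>
+  </unix:file_object>
+
   
   id="var_system_crypto_policy" version="1" />
 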
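Review bot: The new `test_crypto_policy_nss_config` only asserts that /etc/crypto-policies/back-ends/nss.config exists (`check_existence="all_exist"` with no state attached), so any file at that path, whatever its contents or ownership, now satisfies the nss part of the rule. The removed `crypto_policy_symlink_criterion(library="nss")` presumably tied the back-end to the selected policy's file (the macro is not visible here), and that link is lost for nss while every other library keeps it. If a regular file has to be accepted, the test should still constrain it, for instance with a `unix:file_state` on ownership and write permissions or a content comparison against the policy's nss.txt, and the comment should say what is not verified, e.g. `comment="Check if /etc/crypto-policies/back-ends/nss.config exists (contents are not compared with the selected policy)"`. The criterion also moved below `{{% endif %}}`, so it now applies outside the conditional branch as well; confirm that is intended.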
From e43c26bbcbedf32607a5c997b786b48973df2bcf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 11 Feb 2019 17:47:51 +0100
Subject: [PATCH 3/3] Add negative test for crypto-policy nss.config
---
 .../missing_nss_config.fail.sh                             | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh
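--- /dev/null
+++ b/tests/data/group_system/group_software/group_integrity/group_crypto/rule_configure_crypto_policy/missing_nss_config.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_fedora, Red Hat Enterprise Linux 8
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+update-crypto-policies --set "FIPS"
+
+rm -f "/etc/crypto-policies/back-ends/nss.config"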
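Review bot: The only failing scenario removes nss.config outright, which leaves the cases between "valid" and "absent" untested. A scenario where nss.config is a symlink whose target does not exist would show whether the existence check treats a dangling link as present; that depends on how the scanner resolves the path and cannot be told from this patch. As in the pass scenarios, the result of `update-crypto-policies --set "FIPS"` is not checked, so a `set -e` before it would keep a failed policy switch from being reported as a rule failure.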