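--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -72,6 +72,7 @@ controls:
 SELinux policies limit the privileges of services and daemons to only what they require.
 rules:
 - selinux_state
+- var_selinux_state=enforcing
 
 - id: R4
 levels: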
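Review bot: The new `var_selinux_state=enforcing` selection is added with no comment tying it to the profile changes in the same commit, where the rhel8 and rhel9 `anssi_bp28_enhanced` profiles drop their `'!selinux_state'` exclusion, so a reader of this control alone cannot see why the value became a hard requirement here. A one-line comment above the new line, e.g. `# enforcing is now carried by the control itself; the enhanced profiles no longer exclude selinux_state`, would record that. The control's own `levels:` block is outside the hunk (the visible `levels:` belongs to R4), so whether `enforcing` is intended for every level this control participates in cannot be confirmed from the diff and is worth stating in the same comment.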
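--- a/products/rhel8/profiles/anssi_bp28_enhanced.profile
+++ b/products/rhel8/profiles/anssi_bp28_enhanced.profile
@@ -17,4 +17,3 @@ description: |-
 
 selections:
 - anssi:all:enhanced
-- '!selinux_state'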
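--- a/products/rhel9/profiles/anssi_bp28_enhanced.profile
+++ b/products/rhel9/profiles/anssi_bp28_enhanced.profile
@@ -17,4 +17,3 @@ description: |-
 
 selections:
 - anssi:all:enhanced
-- '!selinux_state'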
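--- a/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
+++ b/tests/unit/ssg-module/data/controls_dir/abcd-levels.yml
@@ -42,3 +42,29 @@ controls:
 rules:
 - var_password_pam_minlen=2
 - var_some_variable=3
+
+# S5, S6 and S7 are used to test if level inheritance is working corectly
+# when multiple levels select the same rule
+- id: S5
+title: Default Crypto Policy
+levels:
+- low
+rules:
+- configure_crypto_policy
+- var_system_crypto_policy=default_policy
+
+- id: S6
+title: FIPS Crypto Policy
+levels:
+- medium
+rules:
+- configure_crypto_policy
+- var_system_crypto_policy=fips
+
+- id: S7
+title: Future Crypto Policy
+levels:
+- high
+rules:
+- configure_crypto_policy
+- var_system_crypto_policy=future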
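Review bot: The comment introducing the new fixture controls has a typo on its first line, `corectly`; it should read `# S5, S6 and S7 are used to test if level inheritance is working correctly`. It would also help to say in that comment that the three controls deliberately assign different `var_system_crypto_policy` values (default_policy, fips, future) per level, since that conflict is what makes the fixture useful for checking variable override across levels, not just rule selection.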
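--- a/tests/unit/ssg-module/test_controls.py
+++ b/tests/unit/ssg-module/test_controls.py
@@ -92,6 +92,20 @@ def test_controls_levels():
 c_4b = controls_manager.get_control("abcd-levels", "S4.b")
 assert c_4b.levels == ["high"]
 
+c_5 = controls_manager.get_control("abcd-levels", "S5")
+assert c_5.levels == ["low"]
+
+c_6 = controls_manager.get_control("abcd-levels", "S6")
+assert c_6.levels == ["medium"]
+
+c_7 = controls_manager.get_control("abcd-levels", "S7")
+assert c_7.levels == ["high"]
+
+# test if all crypto-policy controls have the rule selected
+assert "configure_crypto_policy" in c_5.selections
+assert "configure_crypto_policy" in c_6.selections
+assert "configure_crypto_policy" in c_7.selections
+
 # just the essential controls
 low_controls = controls_manager.get_all_controls_of_level(
 "abcd-levels", "low")
@@ -104,25 +118,34 @@ def test_controls_levels():
 
 assert len(high_controls) == len(all_controls)
 assert len(low_controls) <= len(high_controls)
-assert len(low_controls) == 4
-assert len(medium_controls) == 5
+assert len(low_controls) == 5
+assert len(medium_controls) == 7
 
 # test overriding of variables in levels
 assert c_2.variables["var_password_pam_minlen"] == "1"
 assert "var_password_pam_minlen" not in c_3.variables.keys()
 assert c_4b.variables["var_password_pam_minlen"] == "2"
 
+variable_found = False
 for c in low_controls:
 if "var_password_pam_minlen" in c.variables.keys():
+variable_found = True
 assert c.variables["var_password_pam_minlen"] == "1"
+assert variable_found
 
+variable_found = False
 for c in medium_controls:
 if "var_password_pam_minlen" in c.variables.keys():
+variable_found = True
 assert c.variables["var_password_pam_minlen"] == "1"
+assert variable_found
 
+variable_found = False
 for c in high_controls:
 if "var_password_pam_minlen" in c.variables.keys():
+variable_found = True
 assert c.variables["var_password_pam_minlen"] == "2"
+assert variable_found
 
 # now test if controls of lower level has the variable definition correctly removed
 # because it is overriden by higher level controls
@@ -141,6 +164,28 @@ def test_controls_levels():
 assert s2_low[0].variables["var_some_variable"] == "1"
 assert s2_low[0].variables["var_password_pam_minlen"] == "1"
 
+# check that low, medium and high levels have crypto policy selected
+s5_low = [c for c in low_controls if c.id == "S5"]
+assert len(s5_low) == 1
+assert "configure_crypto_policy" in s5_low[0].selections
+
+s5_medium = [c for c in medium_controls if c.id == "S5"]
+assert len(s5_medium) == 1
+assert "configure_crypto_policy" in s5_medium[0].selections
+s6_medium = [c for c in medium_controls if c.id == "S6"]
+assert len(s6_medium) == 1
+assert "configure_crypto_policy" in s6_medium[0].selections
+
+s5_high = [c for c in high_controls if c.id == "S5"]
+assert len(s5_high) == 1
+assert "configure_crypto_policy" in s5_high[0].selections
+s6_high = [c for c in high_controls if c.id == "S6"]
+assert len(s6_high) == 1
+assert "configure_crypto_policy" in s6_high[0].selections
+s7_high = [c for c in high_controls if c.id == "S7"]
+assert len(s7_high) == 1
+assert "configure_crypto_policy" in s7_high[0].selections
+
 
 def test_controls_load_product():
 product_yaml = os.path.join(ssg_root, "products", "rhel8", "product.yml")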
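Review bot: The crypto-policy checks in the last hunk only assert that `configure_crypto_policy` is in each control's selections, while the fixture gives S5, S6 and S7 three conflicting values of `var_system_crypto_policy` (default_policy, fips, future), so nothing in the new code verifies which value survives at each level — the variable override behaviour the second hunk pins for `var_password_pam_minlen` is left untested for the new controls. Adding `assert s5_low[0].variables["var_system_crypto_policy"] == "default_policy"` and `assert s7_high[0].variables["var_system_crypto_policy"] == "future"`, plus an assertion on what `s5_high[0].variables` holds for that key, would close the gap; the expected state of the lower-level control at a higher level depends on override semantics that are not visible in this diff. The six repeated `[c for c in ... if c.id == ...]`, `len(...) == 1`, `in ... .selections` triplets in that hunk would read better as one small helper taking the control list and id. The enclosing function test_controls_levels starts outside the hunks.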