Add specific rules for individual policy sub modules

The problem is that rule `configure_custom_crypto_policy_cis` covers
multiple requirements in a single rule. That is insufficient granularity
for our project. We will solve this problem by introducing specialized
rules that check if the current crypto policy respects a given security
requirement (e.g. no weak mac), this rule would simply check if the
individual crypto policy sub module contains the right algorithm
restriction.  These fine granular rules have the same remediation as the
other rules using the `configure_custom_crypto_policy` template, so it
would simply reapply the same custom crypto-policy (with all the
requirements from the individual controls) if any of the individual rule
is failing.

Author: jan-cerny

components/crypto-policies.yml

@@ -13,6 +13,10 @@ rules:
 - configure_openssl_tls_crypto_policy
 - configure_ssh_crypto_policy
 - configure_custom_crypto_policy_cis
+- configure_custom_crypto_policy_cis_mac
+- configure_custom_crypto_policy_cis_ssh_cbc
+- configure_custom_crypto_policy_cis_ssh_ciphers
+- configure_custom_crypto_policy_cis_ssh_macs
 - harden_openssl_crypto_policy
 - harden_ssh_client_crypto_policy
 - harden_sshd_ciphers_openssh_conf_crypto_policy

controls/cis_rhel10.yml

@@ -624,7 +624,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_mac
 
     - id: 1.6.4
       title: Ensure system wide crypto policy disables cbc for ssh (Automated)
@@ -633,7 +633,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_ssh_cbc
 
     - id: 1.7.1
       title: Ensure /etc/motd is configured (Automated)
@@ -1628,7 +1628,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_ssh_ciphers
 
     - id: 5.1.7
       title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
@@ -1729,7 +1729,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_ssh_macs
 
     - id: 5.1.16
       title: Ensure sshd MaxAuthTries is configured (Automated)

controls/cis_rhel8.yml

@@ -557,7 +557,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_ssh_cbc
 
     - id: 1.6.4
       title: Ensure system wide crypto policy disables macs less than 128 bits (Automated)
@@ -566,7 +566,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_mac
 
     - id: 1.7.1
       title: Ensure message of the day is configured properly (Automated)
@@ -1497,7 +1497,7 @@ controls:
       notes: |-
           Introduced in CIS RHEL8 v3.0.0
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_ssh_ciphers
 
     - id: 4.2.7
       title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
@@ -1586,7 +1586,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_ssh_macs
 
     - id: 4.2.15
       title: Ensure sshd MaxAuthTries is configured (Automated)

linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis_mac/rule.yml

@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: Use Only Strong MACs Globally for CIS Benchmark
+
+description: |-
+    Create a custom crypto policy module to enforce the use of strong MACs globally.
+    {{{ describe_crypto_sub_policy("NO-WEAKMAC", sub_policies["NO-WEAKMAC"].key, sub_policies["NO-WEAKMAC"].value) }}}
+    Then, set the system wide crypto policy to use the custom policy.
+    <pre>
+    $ sudo update-crypto-policies --set {{{ base_policy }}}:{{{ sub_policies.keys() | join(":") }}}
+    </pre>
+
+rationale: |-
+    Implementing a custom crypto policy that disables weak MAC algorithms helps ensure that only strong, proven
+    cryptographic algorithms are used globally.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86661-6
+    cce@rhel9: CCE-86662-4
+    cce@rhel10: CCE-86663-2
+
+ocil_clause: 'the custom crypto policy modules do not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy("NO-WEAKMAC", sub_policies["NO-WEAKMAC"].key, sub_policies["NO-WEAKMAC"].value) }}}
+
+template:
+    name: crypto_sub_policies
+    vars:
+        base_policy: {{{ base_policy }}}
+        sub_policies: {{{ sub_policies }}}
+        specific_module: "NO-WEAKMAC"

linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis_ssh_cbc/rule.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: Disable CBC Mode Ciphers in SSHD for CIS Benchmark
+
+description: |-
+    Create a custom crypto policy module to enforce the disabling of CBC mode ciphers in SSHD.
+    {{{ describe_crypto_sub_policy("NO-SSHCBC", sub_policies["NO-SSHCBC"].key, sub_policies["NO-SSHCBC"].value) }}}
+    Then, set the system wide crypto policy to use the custom policy.
+    <pre>
+    $ sudo update-crypto-policies --set {{{ base_policy }}}:{{{ sub_policies.keys() | join(":") }}}
+    </pre>
+
+rationale: |-
+    CBC mode ciphers are vulnerable to certain attacks, such as the BEAST attack.
+    Disabling CBC mode ciphers helps protect against these attacks and ensures that only
+    strong, proven cryptographic algorithms are used to protect SSH communications.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86647-5
+    cce@rhel9: CCE-86648-3
+    cce@rhel10: CCE-86650-9
+
+ocil_clause: 'the custom crypto policy modules do not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy("NO-SSHCBC", sub_policies["NO-SSHCBC"].key, sub_policies["NO-SSHCBC"].value) }}}
+
+template:
+    name: crypto_sub_policies
+    vars:
+        base_policy: {{{ base_policy }}}
+        sub_policies: {{{ sub_policies }}}
+        specific_module: "NO-SSHCBC"

linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis_ssh_ciphers/rule.yml

@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: Use Only Strong Ciphers in SSHD for CIS Benchmark
+
+description: |-
+    Create a custom crypto policy module to enforce the use of strong ciphers in SSHD.
+    {{{ describe_crypto_sub_policy("NO-SSHWEAKCIPHERS", sub_policies["NO-SSHWEAKCIPHERS"].key, sub_policies["NO-SSHWEAKCIPHERS"].value) }}}
+    Then, set the system wide crypto policy to use the custom policy.
+    <pre>
+    $ sudo update-crypto-policies --set {{{ base_policy }}}:{{{ sub_policies.keys() | join(":") }}}
+    </pre>
+
+rationale: |-
+    Weak ciphers that are used for authentication to the cryptographic module cannot be
+    relied upon to provide confidentiality or integrity, and system data may be compromised.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86701-0
+    cce@rhel9: CCE-86702-8
+    cce@rhel10: CCE-86703-6
+
+ocil_clause: 'the custom crypto policy modules do not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy("NO-SSHWEAKCIPHERS", sub_policies["NO-SSHWEAKCIPHERS"].key, sub_policies["NO-SSHWEAKCIPHERS"].value) }}}
+
+template:
+    name: crypto_sub_policies
+    vars:
+        base_policy: {{{ base_policy }}}
+        sub_policies: {{{ sub_policies }}}
+        specific_module: "NO-SSHWEAKCIPHERS"

linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis_ssh_macs/rule.yml

@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: Use Only Strong MACs in SSHD for CIS Benchmark
+
+description: |-
+    Create a custom crypto policy module to enforce the use of strong MACs in SSHD.
+    {{{ describe_crypto_sub_policy("NO-SSHWEAKMACS", sub_policies["NO-SSHWEAKMACS"].key, sub_policies["NO-SSHWEAKMACS"].value) }}}
+    Then, set the system wide crypto policy to use the custom policy.
+    <pre>
+    $ sudo update-crypto-policies --set {{{ base_policy }}}:{{{ sub_policies.keys() | join(":") }}}
+    </pre>
+
+rationale: |-
+    Message Authentication Codes (MACs) are cryptographic mechanisms used to verify the
+    integrity and authenticity of data transmitted over SSH connections. Weak MACs that
+    are used for authentication to the cryptographic module cannot be relied upon to
+    provide integrity, and system data may be compromised. Implementing a custom crypto
+    policy that disables weak MAC algorithms helps ensure that only strong, proven
+    cryptographic algorithms are used to protect SSH communications.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86726-7
+    cce@rhel9: CCE-86728-3
+    cce@rhel10: CCE-86730-9
+
+ocil_clause: 'the custom crypto policy modules do not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy("NO-SSHWEAKMACS", sub_policies["NO-SSHWEAKMACS"].key, sub_policies["NO-SSHWEAKMACS"].value) }}}
+
+template:
+    name: crypto_sub_policies
+    vars:
+        base_policy: {{{ base_policy }}}
+        sub_policies: {{{ sub_policies }}}
+        specific_module: "NO-SSHWEAKMACS"

products/rhel9/controls/cis_rhel9.yml

@@ -580,7 +580,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_mac
 
     - id: 1.6.5
       title: Ensure system wide crypto policy disables cbc for ssh (Automated)
@@ -589,7 +589,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_ssh_cbc
 
     - id: 1.6.6
       title: Ensure system wide crypto policy disables chacha20-poly1305 for ssh (Automated)
@@ -1515,7 +1515,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_ssh_ciphers
 
     - id: 5.1.5
       title: Ensure sshd KexAlgorithms is configured (Automated)
@@ -1537,7 +1537,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_custom_crypto_policy_cis
+          - configure_custom_crypto_policy_cis_ssh_macs
 
     - id: 5.1.7
       title: Ensure sshd access is configured (Automated)

shared/references/cce-redhat-avail.txt

@@ -44,13 +44,8 @@ CCE-86631-9
 CCE-86633-5
 CCE-86637-6
 CCE-86641-8
-CCE-86648-3
-CCE-86650-9
 CCE-86652-5
 CCE-86654-1
-CCE-86661-6
-CCE-86662-4
-CCE-86663-2
 CCE-86664-0
 CCE-86665-7
 CCE-86666-5
@@ -65,19 +60,13 @@ CCE-86690-5
 CCE-86692-1
 CCE-86693-9
 CCE-86694-7
-CCE-86701-0
-CCE-86702-8
-CCE-86703-6
 CCE-86704-4
 CCE-86706-9
 CCE-86708-5
 CCE-86709-3
 CCE-86710-1
 CCE-86712-7
 CCE-86713-5
-CCE-86726-7
-CCE-86728-3
-CCE-86730-9
 CCE-86732-5
 CCE-86733-3
 CCE-86734-1

tests/data/profile_stability/rhel10/cis.profile

@@ -122,6 +122,10 @@ chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
 configure_custom_crypto_policy_cis
+configure_custom_crypto_policy_cis_mac
+configure_custom_crypto_policy_cis_ssh_cbc
+configure_custom_crypto_policy_cis_ssh_ciphers
+configure_custom_crypto_policy_cis_ssh_macs
 coredump_disable_backtraces
 coredump_disable_storage
 dconf_db_up_to_date