Fix crypto policy settings in RHEL 8 CIS

jan-cerny · jan-cerny · commit 36a99f021721 · 2025-11-05T09:25:09.000+01:00
Add a new rule `crypto_sub_policies_cis_rhel8` that configures multiple custom crypto sub policy modules for RHEL 8 CIS. The new rule is very similar to `fips_custom_stig_sub_policy`. It configures new modules for system wide crypto policies that reduces the set of usable ciphers in sshd, MACs, and others. The rule is templated by a new template `crypto_sub_policies` that is also introduced in this commit so that the code can be reused in other similar rules. This change aligns the RHEL 8 CIS profiles in CaC with the CIS RHEL 8 Benchmark v4.0.0 requirements. All crypto requirements of this profile are now covered by this single rule. The reason for merging all of the sub module configuration is to prevent overriding crypto policy settings. If there would be multiple rules, each of them would call the `update-crypto-policies` commands with a different sub policy, overriding each other. This supersedes ComplianceAsCode#14050 Resolves: https://issues.redhat.com/browse/RHEL-111896
diff --git a/components/crypto-policies.yml b/components/crypto-policies.yml
@@ -12,6 +12,7 @@ rules:
 - configure_openssl_crypto_policy
 - configure_openssl_tls_crypto_policy
 - configure_ssh_crypto_policy
+- crypto_sub_policies_cis_rhel8
 - harden_openssl_crypto_policy
 - harden_ssh_client_crypto_policy
 - harden_sshd_ciphers_openssh_conf_crypto_policy
diff --git a/components/openssh.yml b/components/openssh.yml
@@ -9,6 +9,7 @@ packages:
 - openssh-clients
 - openssh-server
 rules:
+- crypto_sub_policies_cis_rhel8
 - directory_groupowner_sshd_config_d
 - directory_owner_sshd_config_d
 - directory_permissions_sshd_config_d
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -537,8 +537,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - configure_crypto_policy
-          - var_system_crypto_policy=default_nosha1
+          - crypto_sub_policies_cis_rhel8
 
     - id: 1.6.2
       title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated)
@@ -549,31 +548,25 @@ controls:
       notes: |-
           This requirement is already satisfied by 1.6.1.
       related_rules:
-          - configure_crypto_policy
+          - crypto_sub_policies_cis_rhel8
 
     - id: 1.6.3
       title: Ensure system wide crypto policy disables cbc for ssh (Automated)
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: |-
-          It is necessary a new rule to ensure a module disabling CBC in
-          /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
-      related_rules:
-          - configure_crypto_policy
+      status: automated
+      rules:
+          - crypto_sub_policies_cis_rhel8
 
     - id: 1.6.4
       title: Ensure system wide crypto policy disables macs less than 128 bits (Automated)
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: |-
-          It is necessary a new rule to ensure a module disabling weak MACs in
-          /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
-      related_rules:
-          - configure_crypto_policy
+      status: automated
+      rules:
+          - crypto_sub_policies_cis_rhel8
 
     - id: 1.7.1
       title: Ensure message of the day is configured properly (Automated)
@@ -1504,8 +1497,7 @@ controls:
       notes: |-
           Introduced in CIS RHEL8 v3.0.0
       rules:
-          - sshd_use_approved_ciphers
-          - sshd_approved_ciphers=cis_rhel8
+          - crypto_sub_policies_cis_rhel8
 
     - id: 4.2.7
       title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated)
@@ -1594,8 +1586,7 @@ controls:
           - l1_workstation
       status: automated
       rules:
-          - sshd_use_strong_macs
-          - sshd_strong_macs=cis_rhel8
+          - crypto_sub_policies_cis_rhel8
 
     - id: 4.2.15
       title: Ensure sshd MaxAuthTries is configured (Automated)
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -253,6 +253,27 @@
 
 -   Languages: OVAL, Kubernetes
 
+#### crypto_sub_policies
+-   Configures a sub policy for system wide crypto policies. Creates a module
+    file `module_name.pmod` in `/etc/crypto-policies/policies/modules/` that
+    contains `key = value`. Then, it applies this module. The template allows
+    to specify multiple crypto policy sub modules at once, which is convenient
+    for use in benchmarks that require multiple custom crypto settings.
+
+-   Parameters:
+
+    -   **base_policy** - The base system wide crypto policy, eg. `DEFAULT`
+
+    -   **sub_policies** - A list of dictionaries. Each dictionary represents one custom crypto sub policy module. The dictionary has the following members:
+
+        -   **module_name** - crypto sub policy name, eg. `NO-SSHWEAKCIPHERS`
+
+        -   **key** - entry key, eg. `cipher@SSH`
+
+        -   **value** - entry value, eg. `-3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305`
+
+-   Languages: Ansible, Bash, OVAL
+
 #### dconf_ini_file
 -   Checks for `dconf` configuration. Additionally checks if the
     configuration is locked so it cannot be overridden by the user.
diff --git a/linux_os/guide/system/software/integrity/crypto/crypto_sub_policies_cis_rhel8/rule.yml b/linux_os/guide/system/software/integrity/crypto/crypto_sub_policies_cis_rhel8/rule.yml
@@ -0,0 +1,67 @@
+documentation_complete: true
+
+title: Implement Custom Crypto Policy Modules for CIS Benchmark for Red Hat Enterprise Linux 8
+
+{{% set sub_policies = [
+    {
+        "module_name": "NO-SSHCBC",
+        "key": "cipher@SSH",
+        "value": "-*-CBC"
+    },
+    {
+        "module_name": "NO-SSHWEAKCIPHERS",
+        "key": "cipher@SSH",
+        "value": "-3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305"
+    },
+    {
+        "module_name": "NO-SSHWEAKMACS",
+        "key": "mac@SSH",
+        "value": "-HMAC-MD5* -UMAC-64* -UMAC-128*"
+    },
+    {
+        "module_name": "NO-WEAKMAC",
+        "key": "mac",
+        "value": "-*-128*"
+    },
+] %}}
+
+description: |-
+    Create a custom crypto policy module to enforce the use of strong ciphers and MACs in SSHD, disable CBC mode ciphers in SSHD and disable the use of weak MACs globally.
+    {{% for sub_policy in sub_policies %}}
+    {{{ describe_crypto_sub_policy(sub_policy.module_name, sub_policy.key, sub_policy.value) }}}
+    {{% endfor %}}
+    Then, set the system wide crypto policy to use the custom policy.
+    <pre>
+    $ sudo update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC
+    </pre>
+
+rationale: |-
+    CBC mode ciphers are vulnerable to certain attacks, such as the BEAST attack.
+    Disabling CBC mode ciphers helps protect against these attacks and ensures that only
+    strong, proven cryptographic algorithms are used to protect SSH communications.
+    Weak ciphers that are used for authentication to the cryptographic module cannot be
+    relied upon to provide confidentiality or integrity, and system data may be compromised.
+    Message Authentication Codes (MACs) are cryptographic mechanisms used to verify the
+    integrity and authenticity of data transmitted over SSH connections. Weak MACs that
+    are used for authentication to the cryptographic module cannot be relied upon to
+    provide integrity, and system data may be compromised. Implementing a custom crypto
+    policy that disables weak MAC algorithms helps ensure that only strong, proven
+    cryptographic algorithms are used to protect SSH communications.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86707-7
+
+ocil_clause: 'the custom crypto policy modules do not exist'
+
+ocil: |-
+    {{% for sub_policy in sub_policies %}}
+    {{{ ocil_crypto_sub_policy(sub_policy.module_name, sub_policy.key, sub_policy.value) }}}
+    {{% endfor %}}
+
+template:
+    name: crypto_sub_policies
+    vars:
+        base_policy: "DEFAULT:NO-SHA1"
+        sub_policies: {{{ sub_policies }}}
diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile
@@ -726,3 +726,4 @@ selections:
     - service_rlogin_disabled
     - service_zebra_disabled
     - package_rsh-server_removed
+    - sshd_use_strong_macs
diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja
@@ -1446,3 +1446,20 @@ Create a rule description for rules using the `audit_rules_kernel_module_loading
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility,
     add the line to file <tt>/etc/audit/audit.rules</tt>.
 {{% endmacro %}}
+
+{{#
+Create a description text for rules that use the crypto_sub_policies template.
+
+:param module_name: crypto sub policy name, eg. `NO-SSHWEAKCIPHERS`
+:type module_name: str
+:param key: The entry key, eg. cipher@SSH
+:type key: str
+:param value: The entry value, eg. -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
+:type value: str
+#}}
+{{% macro describe_crypto_sub_policy(module_name, key, value) %}}
+    Add the following line to the file <tt>/etc/crypto-policies/policies/modules/{{{ module_name }}}.pmod</tt>:
+    <pre>
+    {{{ key }}} = {{{ value }}}
+    </pre>
+{{%- endmacro %}}
diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja
@@ -1538,3 +1538,20 @@ Create an OCIL text for rules that use the audit_rules_watch platform.
     -w {{{ path }}} -p wa -k {{{ key }}}
 {{% endif %}}
 {{% endmacro %}}
+
+{{#
+Create an OCIL text for rules that use the crypto_sub_policies template.
+
+:param module_name: crypto sub policy name, eg. `NO-SSHWEAKCIPHERS`
+:type module_name: str
+:param key: The entry key, eg. cipher@SSH
+:type key: str
+:param value: The entry value, eg. -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC -CHACHA20-POLY1305
+:type value: str
+#}}
+{{% macro ocil_crypto_sub_policy(module_name, key, value) %}}
+    Verify that <tt>/etc/crypto-policies/policies/modules/{{{ module_name }}}.pmod</tt> exists and has the following content:
+    <pre>
+    {{{ key }}} = {{{ value }}}
+    </pre>
+{{% endmacro %}}
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -72,7 +72,6 @@ CCE-86702-8
 CCE-86703-6
 CCE-86704-4
 CCE-86706-9
-CCE-86707-7
 CCE-86708-5
 CCE-86709-3
 CCE-86710-1
diff --git a/shared/templates/crypto_sub_policies/ansible.template b/shared/templates/crypto_sub_policies/ansible.template
@@ -0,0 +1,28 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{% for sub_policy in SUB_POLICIES %}}
+-   name: "{{{ rule_title }}} - Create custom crypto policy module {{{ sub_policy.module_name }}}"
+    ansible.builtin.lineinfile:
+        path: /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod
+        owner: root
+        group: root
+        mode: '0644'
+        line: {{{ sub_policy.key }}} = {{{ sub_policy.value }}}
+        create: true
+        regexp: "{{{ sub_policy.key }}}"
+{{% endfor %}}
+
+-   name: "{{{ rule_title }}} - Check current crypto policy"
+    ansible.builtin.command: update-crypto-policies --show
+    register: current_crypto_policy
+    changed_when: false
+    failed_when: false
+    check_mode: false
+
+-   name: "{{{ rule_title }}} - Update crypto-policies"
+    ansible.builtin.command: update-crypto-policies --set {{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}
+    when: current_crypto_policy.stdout.strip() != "{{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}"
diff --git a/shared/templates/crypto_sub_policies/bash.template b/shared/templates/crypto_sub_policies/bash.template
@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{% for sub_policy in SUB_POLICIES %}}
+{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ sub_policy.module_name ~ ".pmod", sub_policy.key ~ " = " ~ sub_policy.value) }}}
+{{% endfor %}}
+
+sudo update-crypto-policies --set {{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}
diff --git a/shared/templates/crypto_sub_policies/oval.template b/shared/templates/crypto_sub_policies/oval.template
@@ -0,0 +1,25 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("Ensure that the custom crypto policy module is configured", rule_title=rule_title) }}}
+        <criteria operator="AND" comment="Ensure that all of the correct lines are in the file.">
+        {{% for sub_policy in SUB_POLICIES %}}
+            <criterion comment="Check that {{{ sub_policy.key }}} is configured in {{{ sub_policy.name }}}"
+                       test_ref="test_{{{ rule_id }}}_{{{ sub_policy.module_name }}}"/>
+        {{% endfor %}}
+        </criteria>
+    </definition>
+        {{% for sub_policy in SUB_POLICIES %}}
+        <ind:textfilecontent54_test check="all"
+                                    comment="Tests that {{{ sub_policy.key }}} is configured correctly."
+                                    id="test_{{{ rule_id }}}_{{{ sub_policy.module_name }}}" version="1">
+
+            <ind:object object_ref="obj_{{{ rule_id }}}_{{{ sub_policy.module_name }}}"/>
+        </ind:textfilecontent54_test>
+        <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_{{{ sub_policy.module_name }}}" version="1">
+            <ind:path>/etc/crypto-policies/policies/modules/</ind:path>
+            <ind:filename>{{{ sub_policy.module_name }}}.pmod</ind:filename>
+            <ind:pattern operation="pattern match">^{{{ sub_policy.key }}} = {{{ sub_policy.value | escape_regex }}}$</ind:pattern>
+            <ind:instance datatype="int">1</ind:instance>
+        </ind:textfilecontent54_object>
+        {{% endfor %}}
+</def-group>
diff --git a/shared/templates/crypto_sub_policies/template.py b/shared/templates/crypto_sub_policies/template.py
@@ -0,0 +1,3 @@
+def preprocess(data, lang):
+    data["configure_crypto_policy_modules"] = ":".join([sub_policy["module_name"] for sub_policy in data["sub_policies"]])
+    return data
diff --git a/shared/templates/crypto_sub_policies/template.yml b/shared/templates/crypto_sub_policies/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+  - ansible
+  - bash
+  - oval
diff --git a/shared/templates/crypto_sub_policies/tests/correct.pass.sh b/shared/templates/crypto_sub_policies/tests/correct.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+{{% for sub_policy in SUB_POLICIES %}}
+cat > /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod << EOF
+{{{ sub_policy.key }}} = {{{ sub_policy.value }}}
+EOF
+{{% endfor %}}
diff --git a/shared/templates/crypto_sub_policies/tests/empty.fail.sh b/shared/templates/crypto_sub_policies/tests/empty.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+{{% for sub_policy in SUB_POLICIES %}}
+touch /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod
+{{% endfor %}}
diff --git a/shared/templates/crypto_sub_policies/tests/file_dne.fail.sh b/shared/templates/crypto_sub_policies/tests/file_dne.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+{{% for sub_policy in SUB_POLICIES %}}
+if [[ -f /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod ]] ; then
+  rm /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod
+fi
+{{% endfor %}}
diff --git a/shared/templates/crypto_sub_policies/tests/invalid.fail.sh b/shared/templates/crypto_sub_policies/tests/invalid.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+{{% for sub_policy in SUB_POLICIES %}}
+cat > /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod << EOF
+{{{ sub_policy.key }}} = ABCDEFGHIJKLMNOPQRSTUVWXYZ
+EOF
+{{% endfor %}}
diff --git a/shared/templates/crypto_sub_policies/tests/some_missing.fail.sh b/shared/templates/crypto_sub_policies/tests/some_missing.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+{{% for sub_policy in SUB_POLICIES[1:] %}}  
+cat > /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod << EOF
+{{{ sub_policy.key }}} = {{{ sub_policy.value }}}
+EOF
+{{% endfor %}}
diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
@@ -105,10 +105,10 @@ banner_etc_motd_cis
 chronyd_run_as_chrony_user
 chronyd_specify_remote_server
 cis_banner_text=cis
-configure_crypto_policy
 configure_ssh_crypto_policy
 coredump_disable_backtraces
 coredump_disable_storage
+crypto_sub_policies_cis_rhel8
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount
@@ -349,7 +349,6 @@ set_password_hashing_algorithm_logindefs
 set_password_hashing_algorithm_passwordauth
 set_password_hashing_algorithm_systemauth
 socket_systemd-journal-remote_disabled
-sshd_approved_ciphers=cis_rhel8
 sshd_disable_empty_passwords
 sshd_disable_rhosts
 sshd_disable_root_login
@@ -367,10 +366,7 @@ sshd_set_max_auth_tries
 sshd_set_max_sessions
 sshd_set_maxstartups
 sshd_strong_kex=cis_rhel8
-sshd_strong_macs=cis_rhel8
-sshd_use_approved_ciphers
 sshd_use_strong_kex
-sshd_use_strong_macs
 sudo_add_use_pty
 sudo_custom_logfile
 sudo_require_authentication
@@ -456,7 +452,6 @@ var_sshd_max_sessions=10
 var_sshd_set_keepalive=1
 var_sshd_set_login_grace_time=60
 var_sshd_set_maxstartups=10:30:60
-var_system_crypto_policy=default_nosha1
 var_user_initialization_files_regex=all_dotfiles
 wireless_disable_interfaces
 xwindows_runlevel_target
diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
