Skip to content

Remove rules that are shadowed by crypto policies rules.#3677

Merged
shawndwells merged 1 commit intoComplianceAsCode:masterfrom
matejak:remove_sshd_crypto_overlap
Jan 10, 2019
Merged

Remove rules that are shadowed by crypto policies rules.#3677
shawndwells merged 1 commit intoComplianceAsCode:masterfrom
matejak:remove_sshd_crypto_overlap

Conversation

@matejak
Copy link
Copy Markdown
Member

@matejak matejak commented Jan 8, 2019

sshd_use_approved_ciphers and sshd_use_approved_macs mandated usage of FIPS-enabled algorithms, I have replaced them with FIPS crypto policy setup rules.

Since introduction of crypto policies, those old rules are completely irrelevant - all modifications to the sshd config is overriden by current crypto policy setup in RHEL8 and Fedora.
Those rules were not present in Fedora profiles.

@matejak
Remove rules that are shadowed by crypto policies rules.
96f31c4 
`sshd_use_approved_ciphers` and `sshd_use_approved_macs` mandated usage of FIPS-enabled algorithms,
I have replaced them with FIPS crypto policy setup rules.
@matejak matejak added this to the 0.1.43 milestone Jan 8, 2019
@scrutinizer-notifier
Copy link
Copy Markdown

scrutinizer-notifier commented Jan 8, 2019

The inspection completed: No new issues

@redhatrises
Copy link
Copy Markdown
Contributor

redhatrises commented Jan 8, 2019

This PR makes sense to me. @shawndwells agree or foresee any issues?

@shawndwells
Copy link
Copy Markdown
Member

shawndwells commented Jan 8, 2019

How do we make sure the available ciphers are only those that are FIPS validated, vs the machine being in FIPS mode?

@matejak
Copy link
Copy Markdown
Member Author

matejak commented Jan 9, 2019

@shawndwells Crypto policies are only about setting algorithms in sshd, TLS, SSL libraries etc. The policy may be set to safe defaults, strong settings, legacy settings and FIPS settings, which is the case in this PR.
In other words, the system crypto policy may be set to FIPS without the system running in FIPS mode, because the FIPS policy is like any other crypto policy. On the other hand, when the system is switched into the FIPS mode, I am pretty sure that flipping the current crypto policy to FIPS is part of the process.
I hope that this answers your question - enforcing FIPS crypto policies doesn't mean that the system runs in FIPS mode and exactly that is the case of profiles that I have modified. If we want to ensure the FIPS mode, we have to add another rule, and it certainly wouldn't hurt to have the FIPS crypto policies around as well, which is the case of the current RHEL8 OSPP profile.

@yuumasato
Copy link
Copy Markdown
Member

yuumasato commented Jan 10, 2019

On the other hand, when the system is switched into the FIPS mode, I am pretty sure that flipping the current crypto policy to FIPS is part of the process.

Yes, command fips-mode-setup --enable will select crypto-policy FIPS. Additionaly, rule enable_fips_mode checks that selected crypto-policy is FIPS.

@yuumasato yuumasato added enhancement General enhancements to the project. Profile labels Jan 10, 2019
@redhatrises
Copy link
Copy Markdown
Contributor

redhatrises commented Jan 10, 2019

@shawndwells do the statements above satisfy your questions?

@shawndwells shawndwells merged commit 15bdb21 into ComplianceAsCode:master Jan 10, 2019
@shawndwells
Copy link
Copy Markdown
Member

shawndwells commented Jan 10, 2019

@redhatrises yeah, seems good!

@shawndwells shawndwells self-assigned this Jan 10, 2019
@shawndwells shawndwells self-requested a review January 10, 2019 16:15
@matejak matejak deleted the remove_sshd_crypto_overlap branch March 26, 2019 10:40
@yuumasato yuumasato mentioned this pull request Aug 5, 2019
Merged
@yuumasato yuumasato mentioned this pull request Apr 1, 2020
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shawndwells shawndwells Awaiting requested review from shawndwells

Assignees

@shawndwells shawndwells

Labels

enhancement General enhancements to the project.

Projects

None yet

Milestone

0.1.43

Development

Successfully merging this pull request may close these issues.

5 participants

@matejak @scrutinizer-notifier @redhatrises @shawndwells @yuumasato