From 96f31c4f682441a69e13acacac66e657d74d91ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?=
Date: Tue, 8 Jan 2019 18:33:29 +0100
Subject: [PATCH] Remove rules that are shadowed by crypto policies rules. `sshd_use_approved_ciphers` and `sshd_use_approved_macs` mandated usage of FIPS-enabled algorithms, I have replaced them with FIPS crypto policy setup rules.
---
 rhel8/profiles/cjis.profile | 4 +++-
 rhel8/profiles/hipaa.profile | 5 +++--
 rhel8/profiles/rht-ccp.profile | 4 +++-
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
index a7f8c0b16be3..ec225d89a4b3 100644
--- a/rhel8/profiles/cjis.profile
+++ b/rhel8/profiles/cjis.profile
@@ -99,7 +99,9 @@ selections:
 - sshd_disable_empty_passwords
 - sshd_enable_warning_banner
 - sshd_do_not_permit_user_env
- - sshd_use_approved_ciphers
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
 - kernel_module_dccp_disabled
 - kernel_module_sctp_disabled
 - service_firewalld_enabled
diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile
index feb98007cfe1..e3ea174cda79 100644
--- a/rhel8/profiles/hipaa.profile
+++ b/rhel8/profiles/hipaa.profile
@@ -66,8 +66,9 @@ selections:
 - sshd_set_keepalive
 - sshd_use_priv_separation
 - encrypt_partitions
- - sshd_use_approved_ciphers
- - sshd_use_approved_macs
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy
 - var_selinux_policy_name=targeted
 - var_selinux_state=enforcing
 - grub2_enable_selinux
diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
index 023663b214ef..77b6a8fe0c99 100644
--- a/rhel8/profiles/rht-ccp.profile
+++ b/rhel8/profiles/rht-ccp.profile
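Review bot: The three selections added in the cjis.profile hunk set the system-wide crypto policy to FIPS, while the removed `sshd_use_approved_ciphers` constrained only sshd's cipher list; the same widening applies to the hipaa.profile and rht-ccp.profile hunks. Remediating with these profiles will therefore affect every component that follows the system policy, not just sshd, and for cjis and rht-ccp (where only the cipher rule is removed here) SSH MACs become constrained as well. A comment above the new lines would make that scope change visible to profile maintainers, for example `# FIPS crypto policy supersedes sshd_use_approved_ciphers/_macs; applies system-wide, not only to sshd`. The definition of `configure_ssh_crypto_policy` is not part of this patch, so it is worth confirming that it fails when sshd is configured to opt out of the system policy.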
@@ -96,4 +96,6 @@ selections:
 - sshd_disable_empty_passwords
 - sshd_enable_warning_banner
 - sshd_do_not_permit_user_env
- - sshd_use_approved_ciphers
+ - var_system_crypto_policy=fips
+ - configure_crypto_policy
+ - configure_ssh_crypto_policy