Configure OpenSSL library to use System Crypto Policy

Classification:

compliance

Framework:

Control:

Description

Crypto Policies provide centralized control over the cryptographic algorithms used by many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that the Crypto Policies settings are applied, examine the OpenSSL config file at /etc/pki/tls/openssl.cnf. This file is in ini format, and crypto policy support is enabled when it contains a [ crypto_policy ] section with the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.

Rationale

Overriding the system crypto policy makes the behavior of the Java runtime violate expectations, and makes system configuration more fragmented.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Section header and include directive that wire OpenSSL to the system crypto policy.
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config'
# The "=" between .include and the path is optional in OpenSSL config syntax.
# The optional group is ERE syntax, so the grep that uses it must run with -E;
# in basic grep syntax it never matches and the include would be inserted on every run.
OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'

function remediate_openssl_crypto_policy() {
    CONFIG_FILE=/etc/pki/tls/openssl.cnf
    if test -f "$CONFIG_FILE"; then
        if ! grep -qE "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then
            # No section at all: append the section together with its include directive.
            printf '\n%s\n\n%s\n' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE"
            return 0
        elif ! grep -qE "$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then
            # Section exists but lacks the include: insert it right after the section header.
            sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE"
            return 0
        fi
        # Section and include both present: nothing to do.
    else
        echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
        return 1
    fi
}

remediate_openssl_crypto_policy
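As an added example that is not part of this rule's own content, the check from the Description and the remediation logic of the script above, written as a section-aware parser in Python instead of a line regex: the include is credited only when it sits inside the [ crypto_policy ] section, both the `.include path` and `.include = path` spellings OpenSSL accepts are recognised, and the remediation is a no-op on an already-compliant file. The sample configuration and the function names are constructed for the example.

```python
import re

CRYPTO_POLICY_INCLUDE = "/etc/crypto-policies/back-ends/opensslcnf.config"
INCLUDE_LINE = ".include = " + CRYPTO_POLICY_INCLUDE

_SECTION_RE = re.compile(r"^\s*\[\s*(.*?)\s*\]\s*$")
# OpenSSL accepts both ".include path" and ".include = path".
_INCLUDE_RE = re.compile(r"^\s*\.include\s*(?:=\s*)?(\S+)\s*$")


def audit_openssl_cnf(text):
    """Return (section_present, include_present) for openssl.cnf content.

    The include only counts inside [ crypto_policy ]; an include elsewhere
    does not make the system policy OpenSSL's default.
    """
    section_present = include_present = False
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            section_present |= current == "crypto_policy"
            continue
        m = _INCLUDE_RE.match(line)
        if m and current == "crypto_policy" and m.group(1) == CRYPTO_POLICY_INCLUDE:
            include_present = True
    return section_present, include_present


def remediate_openssl_cnf(text):
    """Return text with section and include ensured; unchanged when compliant."""
    section_present, include_present = audit_openssl_cnf(text)
    if include_present:
        return text
    if not section_present:
        return text.rstrip("\n") + "\n\n[ crypto_policy ]\n" + INCLUDE_LINE + "\n"
    out, inserted = [], False
    for raw in text.splitlines():
        out.append(raw)
        m = _SECTION_RE.match(raw.split("#", 1)[0])
        if m and m.group(1) == "crypto_policy" and not inserted:
            out.append(INCLUDE_LINE)  # insert right after the first header
            inserted = True
    return "\n".join(out) + "\n"


# Constructed sample: section present, include commented out (non-compliant).
SAMPLE_CNF = """openssl_conf = default_modules

[ ssl_module ]
system_default = crypto_policy

[ crypto_policy ]
# .include = /etc/crypto-policies/back-ends/opensslcnf.config
"""
```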

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Test for crypto_policy group
  command: grep '^\s*\[\s*crypto_policy\s*]' /etc/pki/tls/openssl.cnf
  register: test_crypto_policy_group
  ignore_errors: true
  changed_when: false
  check_mode: false
  tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Add .include for opensslcnf.config to crypto_policy section
  lineinfile:
    create: true
    insertafter: ^\s*\[\s*crypto_policy\s*]\s*
    line: .include = /etc/crypto-policies/back-ends/opensslcnf.config
    path: /etc/pki/tls/openssl.cnf
  when:
    - test_crypto_policy_group.stdout is defined
    - test_crypto_policy_group.stdout | length > 0
  tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy

- name: Add crypto_policy group and set include opensslcnf.config
  lineinfile:
    create: true
    line: |-
      [crypto_policy]
      .include = /etc/crypto-policies/back-ends/opensslcnf.config
    path: /etc/pki/tls/openssl.cnf
  when:
    - test_crypto_policy_group.stdout is defined
    - test_crypto_policy_group.stdout | length < 1
  tags:
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - PCI-DSS-Req-2.2
    - configure_openssl_crypto_policy
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - unknown_strategy