Harden OpenSSL Crypto Policy

An XCCDF Rule

Description

Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. OpenSSL is by default configured to modify its configuration based on currently configured Crypto Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSL and leave rest of the Crypto Policy intact. This can be done by dropping a file named opensslcnf-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied. Changes are propagated into /etc/crypto-policies/back-ends/opensslcnf.config. This rule checks if this file contains predefined Ciphersuites variable configured with predefined value.

Rationale

The Common Criteria requirements specify that certain parameters for OpenSSL are configured e.g. cipher suites. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.

ID: xccdf_org.ssgproject.content_rule_harden_openssl_crypto_policy
Severity: Medium
References: CIP-003-8 R4.2 CIP-007-3 R5.1

SC-13 SC-8(1)

FCS_TLSC_EXT.1.1

SRG-OS-000396-GPOS-00176 SRG-OS-000424-GPOS-00188 SRG-OS-000478-GPOS-00223

CCE-84286-4
Updated: about 1 year ago


cp="Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
file="/etc/crypto-policies/local.d/opensslcnf-ospp.config"
backend_file="/etc/crypto-policies/back-ends/opensslcnf.config"

sed -i "/Ciphersuites\s*=\s*/d" "$backend_file"printf "\n%s\n" "$cp" >> "$file"
update-crypto-policies

- name: Remove configuration from backend file /etc/crypto-policies/back-ends/opensslcnf.config
  lineinfile:
    path: /etc/crypto-policies/back-ends/opensslcnf.config
    regexp: Ciphersuites\s*=\s*.*
    state: absent
  tags:  - CCE-84286-4
  - NIST-800-53-SC-13
  - NIST-800-53-SC-8(1)
  - harden_openssl_crypto_policy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Ensure that the correct crypto policy configuration exists in /etc/crypto-policies/local.d/opensslcnf-ospp.config
  copy:
    dest: /etc/crypto-policies/local.d/opensslcnf-ospp.config
    content: |2

      Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
  tags:
  - CCE-84286-4
  - NIST-800-53-SC-13
  - NIST-800-53-SC-8(1)
  - harden_openssl_crypto_policy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Update system crypto policy for changes to take effect
  command:
    cmd: update-crypto-policies
  tags:
  - CCE-84286-4
  - NIST-800-53-SC-13
  - NIST-800-53-SC-8(1)
  - harden_openssl_crypto_policy
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

Harden OpenSSL Crypto Policy

Description

Rationale

Remediation - Shell Script

Remediation - Ansible