Configure BIND to use System Crypto Policy

An XCCDF Rule

Description

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf includes the appropriate configuration: In the options section of /etc/named.conf, make sure that the following line is not commented out or superseded by later includes: include "/etc/crypto-policies/back-ends/bind.config";

Rationale

Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented.

ID: xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
Severity: High
References: CIP-003-8 R4.2 CIP-007-3 R5.1

SC-12(2) SC-12(3) SC-13

SRG-OS-000423-GPOS-00187 SRG-OS-000426-GPOS-00190

CCI-002418 CCI-002422

SV-230223r1017042_rule
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-010020
  - NIST-800-53-SC-12(2)  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - configure_bind_crypto_policy
  - configure_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed

- name: Configure BIND to use System Crypto Policy - Check BIND configuration file
    exists
  ansible.builtin.stat:
    path: /etc/named.conf
  register: bind_config_file
  when: '"bind" in ansible_facts.packages'
  tags:
  - DISA-STIG-RHEL-08-010020
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - configure_bind_crypto_policy
  - configure_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed

- name: Configure BIND to use System Crypto Policy - Aborting remediation, file not
    found
  ansible.builtin.debug:
    msg: Aborting remediation as '/etc/named.conf' was not found.
  when:
  - '"bind" in ansible_facts.packages'
  - not bind_config_file.stat.exists
  tags:
  - DISA-STIG-RHEL-08-010020
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - configure_bind_crypto_policy
  - configure_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed

- name: Configure BIND to use System Crypto Policy - Insert crypto-policy into BIND
    config
  ansible.builtin.lineinfile:
    path: /etc/named.conf
    insertafter: ^\s*options\s*{
    line: ' include "/etc/crypto-policies/back-ends/bind.config";'
    state: present
  when:
  - '"bind" in ansible_facts.packages'
  - bind_config_file.stat.exists
  tags:
  - DISA-STIG-RHEL-08-010020
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - configure_bind_crypto_policy
  - configure_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if rpm --quiet -q bind; then

function remediate_bind_crypto_policy() {
	CONFIG_FILE="/etc/named.conf"
	if test -f "$CONFIG_FILE"; then		sed -i 's|options {|&\n\tinclude "/etc/crypto-policies/back-ends/bind.config";|' "$CONFIG_FILE"
		return 0
	else
		echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2
		return 1
	fi
}

remediate_bind_crypto_policy

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure BIND to use System Crypto Policy

Description

Rationale

Remediation - Ansible

Remediation - Shell Script