issue(blocking): RHEL 9 STIG V-258236 - crypto policy setting in role task not correct. #14296

@jacollins121

Description

Description of problem:

RHEL 9 STIG V-258236 addressed via line 3155 in tasks/main.yml

ansible.builtin.command: update-crypto-policies --set FIPS:STIG
should be:
ansible.builtin.command: update-crypto-policies --set FIPS

This being incorrectly set opens a CAT I STIG item.

SCAP Security Guide Version:

V2

Operating System Version:

RHEL 9

Steps to Reproduce:

  1. Run the role.

  2. Verify that RHEL 9 cryptographic policies are not overridden.

Verify that the configured policy matches the generated policy with the following command:

$ sudo update-crypto-policies --check

The configured policy matches the generated policy

If the returned message does not match the above, but instead matches the following, this is a finding:

The configured policy does NOT match the generated policy

List all of the crypto backends configured on the system with the following command:

$ ls -l /etc/crypto-policies/back-ends/

lrwxrwxrwx. 1 root root 40 Nov 13 16:29 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root 42 Nov 13 16:29 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root 40 Nov 13 16:29 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root 46 Nov 13 16:29 javasystem.config -> /usr/share/crypto-policies/FIPS/javasystem.txt
lrwxrwxrwx. 1 root root 40 Nov 13 16:29 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root 45 Nov 13 16:29 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root 42 Nov 13 16:29 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
-rw-r--r--. 1 root root 398 Nov 13 16:29 nss.config
lrwxrwxrwx. 1 root root 43 Nov 13 16:29 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root 49 Nov 13 16:29 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root 46 Nov 13 16:29 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt
lrwxrwxrwx. 1 root root 43 Nov 13 16:29 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root 48 Nov 13 16:29 openssl_fips.config -> /usr/share/crypto-policies/FIPS/openssl_fips.txt

If the paths do not point to the respective files under /usr/share/crypto-policies/FIPS path, this is a finding.

Note: nss.config should not be symlinked.

Actual Results:

Files in /etc/crypto-policies/back-ends/ are not symlinks

Expected Results:

Files in /etc/crypto-policies/back-ends/ should symlink to /usr/share/crypto-policies/FIPS/

Additional Information/Debugging Steps:

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening - Default selections do not have FIPS:STIG
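The manual check quoted in the issue (run `update-crypto-policies --check`, then confirm that every back-end config is a symlink into /usr/share/crypto-policies/FIPS/ with nss.config as the one regular file) as a scripted version. This is an added example, not code from the issue, the STIG, or the ComplianceAsCode role. The expected target directory and the nss.config exception are taken from the STIG text above; the function names are the example's own, and the fixture builder with its "generated" mode is a constructed model of the Actual Results the issue reports (regular files in place of symlinks), not a claim about how the tool itself writes files.

```shell
#!/bin/sh
# Scripted form of the V-258236 manual check. Added example: not code from the
# issue or from the ComplianceAsCode role. Function names are this example's own.

# Expected link target directory, as given in the STIG check text.
FIPS_DIR=/usr/share/crypto-policies/FIPS

# First half of the check: the tool's own state comparison. Returns 2 when the
# tool is absent so a missing package is not mistaken for a pass.
check_policy_state() {
    command -v update-crypto-policies >/dev/null 2>&1 || return 2
    out=$(update-crypto-policies --check 2>&1)
    echo "$out"
    [ "$out" = "The configured policy matches the generated policy" ]
}

# Second half: every <backend>.config in DIR must be a symlink to
# $FIPS_DIR/<backend>.txt, except nss.config, which must be a regular file.
# Prints each finding; returns 0 only when there are none.
check_backends() {
    dir=$1
    rc=0
    for f in "$dir"/*.config; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # no matches at all
        name=$(basename "$f" .config)
        if [ "$name" = nss ]; then
            if [ -L "$f" ]; then
                echo "FINDING: $f is a symlink; nss.config must be a generated file"
                rc=1
            fi
            continue
        fi
        if ! [ -L "$f" ]; then
            echo "FINDING: $f is a regular file, not a symlink"
            rc=1
            continue
        fi
        target=$(readlink "$f")
        if [ "$target" != "$FIPS_DIR/$name.txt" ]; then
            echo "FINDING: $f -> $target (expected $FIPS_DIR/$name.txt)"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture (assumption: models the two states described in the
# issue, not the real tool's output). MODE fips = the compliant listing from
# the STIG text; MODE generated = the issue's Actual Results, regular files
# in place of links.
make_fixture() {
    dir=$1
    mode=$2
    mkdir -p "$dir"
    for name in bind gnutls java javasystem krb5 libreswan libssh openssh \
                opensshserver opensslcnf openssl openssl_fips; do
        if [ "$mode" = fips ]; then
            ln -sf "$FIPS_DIR/$name.txt" "$dir/$name.config"
        else
            : > "$dir/$name.config"
        fi
    done
    : > "$dir/nss.config"      # regular file in both modes, per the STIG note
}

# Demonstration on the fixtures; nothing on the host is modified.
demo=$(mktemp -d)
make_fixture "$demo/fips" fips
make_fixture "$demo/generated" generated
if check_backends "$demo/fips"; then echo "fixture fips: no findings"; fi
if ! check_backends "$demo/generated"; then echo "fixture generated: finding, as the issue reports"; fi
rm -rf "$demo"

# Real run, only where crypto-policies is installed. Both halves are read-only;
# the directory inspection needs no root.
if [ -d /etc/crypto-policies/back-ends ]; then
    if check_policy_state && check_backends /etc/crypto-policies/back-ends; then
        echo "host: V-258236 not a finding"
    else
        echo "host: V-258236 finding (see lines above)"
    fi
fi
```

Run it as-is to see both fixtures evaluated, or source it and call `check_backends /etc/crypto-policies/back-ends` on a host after the role has run; a role that sets a subpolicy and leaves plain files in back-ends shows up as one FINDING line per back-end, which is the state the issue describes.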
