Merge pull request #11506 from marcusburghardt/review_cis_crypto_reqs

Update CIS RHEL8 requirements related to crypto
ComplianceAsCode · Jan 30, 2024 · acd6a73 · acd6a73
2 parents e1e034c + e655a4f
commit acd6a73
Showing 1 changed file with 16 additions and 6 deletions.
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -531,34 +531,44 @@ controls:
       - l1_server
       - l1_workstation
     status: automated
-    notes: The selected crypto-policy cannot be legacy
     rules:
       - configure_crypto_policy
-      - var_system_crypto_policy=default_policy
+      - var_system_crypto_policy=default_nosha1
 
   - id: 1.6.2
     title: Ensure system wide crypto policy disables sha1 hash and signature support (Automated)
     levels:
       - l1_server
       - l1_workstation
-    status: pending
-    notes: More investigation is necessary on this new requirement.
+    status: automated
+    notes: |-
+      This requirement is already satisfied by 1.6.1.
+    related_rules:
+      - configure_crypto_policy
 
   - id: 1.6.3
     title: Ensure system wide crypto policy disables cbc for ssh (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: pending
-    notes: More investigation is necessary on this new requirement.
+    notes: |-
+      It is necessary a new rule to ensure a module disabling CBC in
+      /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
+    related_rules:
+      - configure_crypto_policy
 
   - id: 1.6.4
     title: Ensure system wide crypto policy disables macs less than 128 bits (Automated)
     levels:
       - l1_server
       - l1_workstation
     status: pending
-    notes: More investigation is necessary on this new requirement.
+    notes: |-
+      It is necessary a new rule to ensure a module disabling weak MACs in
+      /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
+    related_rules:
+      - configure_crypto_policy
 
   - id: 1.7.1
     title: Ensure message of the day is configured properly (Automated)