{"description": "Crypto Policies are a means of enforcing certain cryptographic settings for\nselected applications, including OpenSSL. By default, OpenSSL adjusts its\nconfiguration based on the currently configured Crypto Policy.\nHowever, in certain cases it may be necessary to override the OpenSSL-specific\npart of the Crypto Policy while leaving the rest of the Crypto Policy intact. This can\nbe done by dropping a file named <tt>opensslcnf-xxx.config</tt>, replacing\n<tt>xxx</tt> with an arbitrary identifier, into\n<tt>/etc/crypto-policies/local.d</tt>. This must be followed by running\n<tt>update-crypto-policies</tt> so that the changes are applied. The changes are\npropagated into <tt>/etc/crypto-policies/back-ends/opensslcnf.config</tt>.\nThis rule checks whether this file contains the <tt>Ciphersuites</tt>\nvariable set to the predefined value.", "rationale": "The Common Criteria requirements specify that certain parameters for OpenSSL,\ne.g. cipher suites, are configured. Currently, particular requirements\nspecified by CC are stricter than any existing Crypto Policy.", "severity": "medium", "references": {"nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1"], "nist": ["SC-8(1)", "SC-13"], "srg": ["SRG-OS-000396-GPOS-00176", "SRG-OS-000424-GPOS-00188", "SRG-OS-000478-GPOS-00223"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "Crypto Policy for OpenSSL is not configured according to CC requirements", "ocil": "To verify that OpenSSL uses the defined Crypto Policy, run:\n<pre>$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1</pre>\nand verify that the line matches\n<pre>Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, 
"inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Harden OpenSSL Crypto Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/harden_openssl_crypto_policy/rule.yml", "template": null}