Introduce rule crypto_sub_policy_weak_macs

The rule crypto_sub_policy_weak_macs implements the approach
for disabling MACs using a custom crypto policy sub
module as requested in requirement 1.6.3 in CIS Benchmark
for RHEL 8 version 4.0.0.

Author: jan-cerny

components/crypto-policies.yml

@@ -12,6 +12,10 @@ rules:
 - configure_openssl_crypto_policy
 - configure_openssl_tls_crypto_policy
 - configure_ssh_crypto_policy
+- crypto_sub_policy_sshd_ciphers
+- crypto_sub_policy_sshd_macs
+- crypto_sub_policy_sshd_cbc
+- crypto_sub_policy_weak_macs
 - harden_openssl_crypto_policy
 - harden_ssh_client_crypto_policy
 - harden_sshd_ciphers_openssh_conf_crypto_policy

controls/cis_rhel8.yml

@@ -565,12 +565,9 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
-      notes: |-
-          It is necessary a new rule to ensure a module disabling weak MACs in
-          /etc/crypto-policies/policies/modules/ so it can be used by update-crypto-policies command.
-      related_rules:
-          - configure_crypto_policy
+      status: automated
+      rules:
+          - crypto_sub_policy_weak_macs
 
     - id: 1.7.1
       title: Ensure message of the day is configured properly (Automated)

linux_os/guide/system/software/integrity/crypto/crypto_sub_policy_weak_macs/rule.yml

@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: Implement Custom Crypto Policy to Disable Weak MAC Algorithms
+
+{{% set module_name = "NO-WEAKMAC" %}}
+{{% set key = "mac" %}}
+{{% set value = "-*-128*" %}}
+
+description: |-
+    Create a custom crypto policy module to disable weak MACs.
+    {{{ describe_crypto_sub_policy(module_name, key, value) }}}
+
+rationale: |-
+    Message Authentication Codes (MACs) are cryptographic mechanisms used to verify the
+    integrity and authenticity of data transmitted over SSH connections. Weak MACs
+    that are used for authentication to the cryptographic module cannot be relied upon to
+    provide integrity, and system data may be compromised. Implementing a custom crypto
+    policy that disables weak MAC algorithms helps ensure that only strong, proven
+    cryptographic algorithms are used to protect system data.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86958-6
+
+references:
+
+ocil_clause: 'the custom crypto policy module to disable weak MACs does not exist'
+
+ocil: |-
+    {{{ ocil_crypto_sub_policy(module_name, key, value) }}}
+
+template:
+    name: crypto_sub_policy
+    vars:
+        module_name: {{{ module_name }}}
+        key: {{{ key }}}
+        value: {{{ value }}}

shared/references/cce-redhat-avail.txt

@@ -172,7 +172,6 @@ CCE-86935-4
 CCE-86936-2
 CCE-86937-0
 CCE-86955-2
-CCE-86958-6
 CCE-86959-4
 CCE-86963-6
 CCE-86965-1

tests/data/profile_stability/rhel8/cis.profile

@@ -112,6 +112,7 @@ coredump_disable_storage
 crypto_sub_policy_sshd_cbc
 crypto_sub_policy_sshd_ciphers
 crypto_sub_policy_sshd_macs
+crypto_sub_policy_weak_macs
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount

tests/data/profile_stability/rhel8/cis_server_l1.profile

@@ -47,6 +47,7 @@ coredump_disable_storage
 crypto_sub_policy_sshd_cbc
 crypto_sub_policy_sshd_ciphers
 crypto_sub_policy_sshd_macs
+crypto_sub_policy_weak_macs
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount

tests/data/profile_stability/rhel8/cis_workstation_l1.profile

@@ -47,6 +47,7 @@ coredump_disable_storage
 crypto_sub_policy_sshd_cbc
 crypto_sub_policy_sshd_ciphers
 crypto_sub_policy_sshd_macs
+crypto_sub_policy_weak_macs
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount

tests/data/profile_stability/rhel8/cis_workstation_l2.profile

@@ -112,6 +112,7 @@ coredump_disable_storage
 crypto_sub_policy_sshd_cbc
 crypto_sub_policy_sshd_ciphers
 crypto_sub_policy_sshd_macs
+crypto_sub_policy_weak_macs
 dconf_db_up_to_date
 dconf_gnome_banner_enabled
 dconf_gnome_disable_automount