rhcos4: Add relevant instructions to configure_crypto_policy rule

Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
ComplianceAsCode · Apr 8, 2021 · 99b8f66 · 99b8f66
1 parent 4ffa281
commit 99b8f66
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -6,8 +6,43 @@ title: 'Configure System Cryptography Policy'
 
 description: |-
     To configure the system cryptography policy to use ciphers only from the <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>
+    {{% if product != "rhcos4" -%}}
     policy, run the following command:
     <pre>$ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}</pre>
+    {{% else -%}}
+    policy, create a <tt>MachineConfig</tt> as follows:
+    <pre>
+    ---
+    apiVersion: machineconfiguration.openshift.io/v1
+    kind: MachineConfig
+    metadata:
+      labels:
+        machineconfiguration.openshift.io/role: master
+      name: 50-master-configure-crypto-policy
+    spec:
+      config:
+        ignition:
+          version: 3.1.0
+        systemd:
+          units:
+            - name: configure-crypto-policy.service
+              enabled: true
+              contents: |
+                [Unit]
+                Before=kubelet.service
+                [Service]
+                Type=oneshot
+                ExecStart=update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}
+                RemainAfterExit=yes
+                [Install]
+                WantedBy=multi-user.target
+    </pre>
+    <p>
+    This will configure the crypto policy appropriately in all the
+    nodes labeled with the "master" role.
+    </p>
+    {{{ machineconfig_description_footer() | indent(4) }}}
+    {{% endif -%}}
     The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the <tt>/etc/crypto-policies/back-ends</tt> are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
     Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
 

diff --git a/shared/macros.jinja b/shared/macros.jinja
@@ -757,6 +757,9 @@ Operator see
     As a user with administrator privileges, log into a node in the relevant pool:
     <pre>
     $ oc debug node/$NODE_NAME
-    sh-4.4# chroot /host
+    </pre>
+    At the <pre>sh-4.4#</pre> prompt, run:
+    <pre>
+    # chroot /host
     </pre>
 {{% endmacro %}}