rhcos4: Add relevant instructions to configure_crypto_policy rule

Signed-off-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
ComplianceAsCode · Apr 8, 2021 · d6e9255 · d6e9255
1 parent 4ffa281
commit d6e9255
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
@@ -6,8 +6,43 @@ title: 'Configure System Cryptography Policy'
 
 description: |-
     To configure the system cryptography policy to use ciphers only from the <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>
+    {{% if product != "rhcos4" -%}}
     policy, run the following command:
     <pre>$ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}</pre>
+    {{% else -%}}
+    policy, create a <tt>MachineConfig</tt> as follows:
+    <pre>
+    ---
+    apiVersion: machineconfiguration.openshift.io/v1
+    kind: MachineConfig
+    metadata:
+      labels:
+        machineconfiguration.openshift.io/role: master
+      name: 50-master-configure-crypto-policy
+    spec:
+      config:
+        ignition:
+          version: 3.1.0
+        systemd:
+          units:
+            - name: configure-crypto-policy.service
+              enabled: true
+              contents: |
+                [Unit]
+                Before=kubelet.service
+                [Service]
+                Type=oneshot
+                ExecStart=update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}
+                RemainAfterExit=yes
+                [Install]
+                WantedBy=multi-user.target
+    </pre>
+    <p>
+    This will configure the crypto policy appropriately in all the
+    nodes labeled with the "master" role.
+    </p>
+    {{{ machineconfig_description_footer() | indent(4) }}}
+    {{% endif -%}}
     The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the <tt>/etc/crypto-policies/back-ends</tt> are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
     Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.