Rule xccdf_org.ssgproject.content_rule_configure_crypto_policy fail if crypto policy is FIPS #13285
ss107-github started this conversation in General
It is expected. The profile you ran the scan with sets the variable var_system_crypto_policy for the expected crypto policy, in your case the profile sets it to |
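To see which value a given profile selects for `var_system_crypto_policy`, the XCCDF content can be inspected directly. The following is an added example, not part of the reply above and not ComplianceAsCode project code; the embedded XCCDF fragment and its profile ids are constructed sample data, and `rule_outcome` is a simplified model that compares strings rather than running the rule's real check.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
VAR_ID = "xccdf_org.ssgproject.content_value_var_system_crypto_policy"

# Constructed XCCDF fragment: profile ids and selector/value pairs are sample
# data for this example, not copied from ssg-al2023-ds.xml.
SAMPLE = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="sample_profile_default">
    <refine-value idref="{VAR_ID}" selector="default_policy"/>
  </Profile>
  <Profile id="sample_profile_fips">
    <refine-value idref="{VAR_ID}" selector="fips"/>
  </Profile>
  <Profile id="sample_profile_unrefined"/>
  <Value id="{VAR_ID}">
    <value>DEFAULT</value>
    <value selector="default_policy">DEFAULT</value>
    <value selector="fips">FIPS</value>
  </Value>
</Benchmark>"""


def expected_policy(xccdf_text, profile_id, value_id=VAR_ID):
    """Return the value a profile selects for var_system_crypto_policy."""
    root = ET.fromstring(xccdf_text)
    # iter() also finds the Benchmark when it is nested inside a data stream.
    profile = next((p for p in root.iter(XCCDF + "Profile")
                    if p.get("id") == profile_id), None)
    if profile is None:
        raise KeyError(f"profile not found: {profile_id}")
    # No refine-value for the variable means the selector-less default applies.
    selector = next((rv.get("selector") for rv in profile.iter(XCCDF + "refine-value")
                     if rv.get("idref") == value_id), None)
    for value in root.iter(XCCDF + "Value"):
        if value.get("id") == value_id:
            for option in value.findall(XCCDF + "value"):
                if option.get("selector") == selector:
                    return (option.text or "").strip()
    raise LookupError(f"no value for selector {selector!r} in {value_id}")


def rule_outcome(xccdf_text, profile_id, current_policy):
    """Simplified model of the rule: exact match against the profile's value."""
    expected = expected_policy(xccdf_text, profile_id)
    return "pass" if current_policy.strip() == expected else "fail"
```

On a real host the `current_policy` argument would be the output of `update-crypto-policies --show`, and `xccdf_text` the contents of the datastream file used for the scan.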
When I was using the datastream "ssg-al2023-ds.xml" v0.1.76 to scan an AmazonLinux 2023 docker image that has FIPS enabled using Option A in https://docs.aws.amazon.com/linux/al2023/ug/fips-mode-container.html:
The rule "xccdf_org.ssgproject.content_rule_configure_crypto_policy" returns "FAIL" because the crypto policy is not set to "DEFAULT". Why does it only accept the value "DEFAULT"? Should it not also accept "FIPS" as well, as it is even more secure than DEFAULT? In another profile, "xccdf_org.ssgproject.content_profile_stig" for RedHat 10, the same rule expects the value FIPS. However, in this case there's no such STIG profile for AmazonLinux 2023, so we have to use the CIS benchmark profile, which does not accept the value of FIPS.
Please let me know if this is expected? Thanks.