Add rule crypto_policy_not_overridden for RHEL-09-672020 #14709

Open
ggbecker wants to merge 1 commit into ComplianceAsCode:master from ggbecker:add-RHEL-09-672020

Conversation

@ggbecker (Member) commented May 12, 2026

Description:

  • Add new rule crypto_policy_not_overridden to address RHEL-09-672020 ("RHEL 9 cryptographic policy
    must not be overridden"). The rule includes an SCE check using update-crypto-policies --check, a Bash
    remediation, an Ansible remediation, and Automatus test scenarios. The RHEL 9 STIG control entry is
    updated from pending to automated.

Rationale:

  • The DISA STIG requires verifying that the system-wide cryptographic policy has not been overridden by
    individual applications. The update-crypto-policies --check command authoritatively verifies this by
    regenerating the policy from the current config and byte-comparing the result against the live
    /etc/crypto-policies/back-ends/ and state/ directories. An SCE check is the most appropriate
    implementation because this logic would be tedious and fragile to replicate in OVAL.

  • Fixes https://redhat.atlassian.net/browse/RHEL-104411

Review Hints:

  • To test the SCE check, SCE support must be enabled in OpenSCAP and the openscap-engine-sce package
    must be installed on the target system. Without it, the SCE check will be skipped. Example scan command
    with SCE enabled:
    oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_crypto_policy_not_overridden --profile xccdf_org.ssgproject.content_profile_stig build/ssg-rhel9-ds.xml

  • The two fail scenarios cover the two ways update-crypto-policies --check can detect an override: a
    backend config file whose content has been replaced (backend_file_overridden.fail.sh), and a config
    file changed without re-running update-crypto-policies (config_changed_not_applied.fail.sh).

  • The previous pending status and its explanatory notes in stig_rhel9.yml are intentionally removed
    as the control is now automated via the new rule.
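As an added example, not code from this PR or from the ComplianceAsCode project, the following sketches the shape of an SCE check script built around the approach the description gives: delegate to update-crypto-policies --check and translate its outcome into the XCCDF result codes oscap expects as an SCE script's exit status. The function name crypto_policy_sce_result, the CRYPTO_POLICY_CHECK_CMD override and the RUN_UNDER_OSCAP flag are this example's own; the XCCDF_RESULT_* variables are the ones oscap exports to SCE scripts, with fallback values so the function can be exercised outside oscap. One point the example makes explicit that the description does not: when the tool is missing (crypto-policies-scripts not installed), the check reports an error rather than silently passing.

```shell
#!/bin/sh
# Added example (not part of the ComplianceAsCode PR): SCE-style check that
# runs `update-crypto-policies --check` and maps the outcome to XCCDF results.

# oscap exports XCCDF_RESULT_* before running an SCE script; remember whether
# that happened so the script only exits with a result under oscap.
RUN_UNDER_OSCAP="${XCCDF_RESULT_PASS:+1}"
: "${XCCDF_RESULT_PASS:=101}"
: "${XCCDF_RESULT_FAIL:=102}"
: "${XCCDF_RESULT_ERROR:=103}"

# Command under test. Overridable (an assumption of this example) so the
# result mapping can be tested on a host without crypto-policies-scripts.
CRYPTO_POLICY_CHECK_CMD="${CRYPTO_POLICY_CHECK_CMD:-update-crypto-policies --check}"

# Prints the XCCDF result code for the current state of the crypto policy:
#   tool not installed -> ERROR (the check cannot be performed; never PASS)
#   exit status 0      -> PASS  (regenerated policy matches back-ends/ and state/)
#   any other status   -> FAIL  (a backend file was overridden, or the config
#                                was changed without re-running the tool)
crypto_policy_sce_result() {
    # Intentional word splitting: the command string becomes argv.
    set -- $CRYPTO_POLICY_CHECK_CMD
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "$XCCDF_RESULT_ERROR"
        return 0
    fi
    if "$@" >/dev/null 2>&1; then
        echo "$XCCDF_RESULT_PASS"
    else
        echo "$XCCDF_RESULT_FAIL"
    fi
}

# When oscap invokes the script, the exit status is the rule result.
if [ "${RUN_UNDER_OSCAP:-0}" = 1 ]; then
    exit "$(crypto_policy_sce_result)"
fi
```

Outside oscap the script only defines the function, so it can be sourced and driven with a stub command; under oscap, where XCCDF_RESULT_PASS is set, it exits with the mapped result. The ERROR branch is the caveat worth keeping: a scan on a host that lacks the tool should surface as an error in the report, not as a compliant system.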

@ggbecker ggbecker added this to the 0.1.81 milestone May 12, 2026
@ggbecker ggbecker added RHEL9 Red Hat Enterprise Linux 9 product related. STIG STIG Benchmark related. labels May 12, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 12, 2026
@openshift-ci (Bot) commented May 12, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@ggbecker ggbecker force-pushed the add-RHEL-09-672020 branch from 384f26d to 98de910 Compare May 12, 2026 11:27
@jan-cerny jan-cerny self-assigned this May 14, 2026
@@ -0,0 +1,23 @@
# platform = multi_platform_rhel,multi_platform_fedora,Oracle Linux 8,Oracle Linux 9
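Review bot: the platform header mixes product families (multi_platform_rhel, multi_platform_fedora) with individual products and includes Oracle Linux 8, although the PR description scopes the rule to the RHEL 9 STIG control RHEL-09-672020. Either widen it to multi_platform_all, so the test scenario follows wherever the rule is used, or narrow it to the product the rule is actually meant for; the current list will be hard to keep in sync with the rule's own product scope.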
Collaborator:

I think it should be either multi_platform_all because that would apply for all products that the rule is part of or Red Hat Enterprise Linux if we assume that it won't be reused.

Member Author:

Done.

@Arden97 Arden97 modified the milestones: 0.1.81, 0.1.82 May 20, 2026
@ggbecker ggbecker force-pushed the add-RHEL-09-672020 branch from 98de910 to 4b9a449 Compare May 25, 2026 10:06
@ggbecker ggbecker marked this pull request as ready for review May 25, 2026 10:12
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 25, 2026
@ggbecker (Member Author) commented May 25, 2026

Test results:

tests/automatus.py rule --libvirt qemu:///system rhel9 --debug --datastream build/ssg-rhel9-ds.xml --remediate-using ansible --dontclean crypto_policy_not_overridden 
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into logs/rule-custom-2026-05-25-1215/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_crypto_policy_not_overridden
INFO - Script backend_file_overridden.fail.sh using profile (all) OK
INFO - Script config_changed_not_applied.fail.sh using profile (all) OK
INFO - Script correct_policy_applied.pass.sh using profile (all) OK
c:604:_xccdf_policy_rule_get_applicable_check]
I: oscap: Executing SCE check 'rhel9/checks/sce/crypto_policy_not_overridden.sh' [oscap(8044):oscap(7ff3ee14e940):sce_engine.c:373:sce_engine_eval_rule]
I: oscap: /tmp/oscap.pfr0oD/rhel9/checks/sce/crypto_policy_not_overridden.sh isn't executable, oscap-run-sce-script will be used. [oscap(8044):oscap(7ff3ee14e940):sce_engine.c:398:sce_engine_eval_rule]
D: oscap: pcre_compile: patt=([0-9]+)\.([0-9]+)(?:\.([0-9]+))?(?::([0-9]+)\.([0-9]+)(?:\.([0-9]+))?)? [oscap(8044):oscap(7ff3ee14e940):oscap_pcre.c:155:oscap_pcre_compile]
D: oscap: pcre_exec: subj=5.11 [oscap(8044):oscap(7ff3ee14e940):oscap_pcre.c:220:oscap_pcre_exec]
D: oscap: pcre_exec: rc=3,  [oscap(8044):oscap(7ff3ee14e940):oscap_pcre.c:222:oscap_pcre_exec]
D: oscap: pcre_compile: patt=([0-9]+)\.([0-9]+)(?:\.([0-9]+))?(?::([0-9]+)\.([0-9]+)(?:\.([0-9]+))?)? [oscap(8044):oscap(7ff3ee14e940):oscap_pcre.c:155:oscap_pcre_compile]
D: oscap: pcre_exec: subj=5.10 [oscap(8044):oscap(7ff3ee14e940):oscap_pcre.c:220:oscap_pcre_exec]
D: oscap: pcre_exec: rc=3,  [oscap(8044):oscap(7ff3ee14e940):oscap_pcre.c:222:oscap_pcre_exec]
D: oscap: pcre_compile: patt=([0-9]+)\.([0-9]+)(?:\.([0-9]+))?(?::([0-9]+)\.([0-9]+)(?:\.([0-9]+))?)? [oscap(8044):oscap(7ff3ee14e940):oscap_pcre.c:155:oscap_pcre_compile]
D: oscap: pcre_exec: subj=5.11 [oscap(8044):oscap(7ff3ee14e940):oscap_pcre.c:220:oscap_pcre_exec]
D: oscap: pcre_exec: rc=3,  [oscap(8044):oscap(7ff3ee14e940):oscap_pcre.c:222:oscap_pcre_exec]
D: oscap: pcre_compile: patt=([0

@ggbecker ggbecker requested a review from jan-cerny May 25, 2026 10:27

{{{ bash_instantiate_variables("var_system_crypto_policy") }}}

dnf -y reinstall crypto-policies
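Review bot: `dnf -y reinstall crypto-policies` runs unconditionally, so the Bash remediation reinstalls the package on every run even when update-crypto-policies --check already passes, which makes the fix non-idempotent and hardcodes dnf instead of the project's package-manager abstraction. Two further points: this reinstalls crypto-policies, whereas the Ansible remediation in this PR installs crypto-policies-scripts (the package that ships update-crypto-policies), so the two remediations do not agree on which package they ensure; and after a reinstall the policy still has to be re-applied with update-crypto-policies --set "$var_system_crypto_policy" for the check to pass, which is the part the instantiated variable exists for.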
Collaborator:

Is it necessary to always reinstall?

Member Author:

Probably not, but it might make sense to check if the package is installed and then install it, also using the right package manager variable.

Member Author:

I have rebased the PR and unified all the changes into a single commit.

@ggbecker ggbecker force-pushed the add-RHEL-09-672020 branch from 37f9868 to 3347eb4 Compare May 26, 2026 10:25
name: crypto-policies-scripts
state: present
become: true
when: crypto_policy_check.rc != 0
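Review bot: `when: crypto_policy_check.rc != 0` makes the package task depend on a result registered by an earlier task, and the CI output quoted below shows exactly that dependency breaking ('crypto_policy_check' is undefined) once the profile playbook generator hoists package tasks to the beginning of the playbook. Since a `state: present` package task is already idempotent, the guard buys nothing; drop the `when` and install unconditionally, or, if the task must stay conditional, guard it with `crypto_policy_check is defined and crypto_policy_check.rc != 0` so check mode and reordered playbooks do not error out.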
Collaborator:

This CI failure in /hardening/host-os/ansible/stig (https://artifacts.dev.testing-farm.io/dae2d564-eda7-418c-87d5-7e3676bd1bbc/#work-stig2qxd149s_plans-upstream-parallel-ansible-stig_1_default-0) looks serious:

2026-05-26 11:09:49 test.py:36: lib.results.report_plain:205: FAIL playbook: Ensure System Cryptographic Policy Is Not Overridden - Ensure crypto-policies-scripts package is installed ({"msg": "The conditional check 'crypto_policy_check.rc != 0' failed. The error was: error while evaluating conditional (crypto_policy_check.rc != 0): 'crypto_policy_check' is undefined. 'crypto_policy_check' is undefined\n\nThe error appears to be in '/usr/share/scap-security-guide/ansible/cs9-playbook-stig.yml': line 265, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: Ensure System Cryptographic Policy Is Not Overridden - Ensure crypto-policies-scripts\n    ^ here\n"})

It might be related to the optimization that we do in our profile playbooks which is that we move all packages to the beginning.

name: crypto-policies-scripts
state: present
become: true
when: crypto_policy_check.rc != 0
Collaborator:

The CI also fails in check mode on CS 9 (/scanning/host-os/ansible-check/check-mode/stig):

2026-05-26 10:38:46 test.py:25: lib.results.report_plain:205: FAIL playbook: Ensure System Cryptographic Policy Is Not Overridden - Ensure crypto-policies-scripts package is installed ({"msg": "The conditional check 'crypto_policy_check.rc != 0' failed. The error was: error while evaluating conditional (crypto_policy_check.rc != 0): 'crypto_policy_check' is undefined. 'crypto_policy_check' is undefined\n\nThe error appears to be in '/usr/share/scap-security-guide/ansible/cs9-playbook-stig.yml': line 265, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: Ensure System Cryptographic Policy Is Not Overridden - Ensure crypto-policies-scripts\n    ^ here\n"})

Member Author:

OK, I have rebased; let's see if it works. Basically, I removed the when clause because it was not necessary.

@ggbecker ggbecker force-pushed the add-RHEL-09-672020 branch from 3347eb4 to 28e4367 Compare May 27, 2026 13:45
@openshift-ci (Bot) commented May 27, 2026

@ggbecker: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                      Commit   Details  Required  Rerun command
ci/prow/e2e-aws-openshift-platform-compliance  28e4367  link     true      /test e2e-aws-openshift-platform-compliance
ci/prow/e2e-aws-openshift-node-compliance      28e4367  link     true      /test e2e-aws-openshift-node-compliance

