

squash! Add actors for OpenSSL conf and IBMCA
* switch the severity for openssl config file to HIGH as per the openssl
  team, the system could be inaccessible in some cases

* updated report msg for IBMCA; rhel 9+ uses "openssl providers"
  instead of engines, so keep proper wording.
  * also groups have been updated
pirat89 committed Nov 3, 2023
1 parent 8f6a715 commit 6907124
Showing 1 changed file with 11 additions and 12 deletions.
Expand Up @@ -13,32 +13,32 @@ def check_ibmca():
return
if not has_package(InstalledRedHatSignedRPM, 'openssl-ibmca'):
return
# TODO(pstodulk): check with @ksrot whether this is relevant for IPU 8 -> 9 also
# (orig msg was for IPU 7 -> 8 only); engine vs provider?
# https://www.ibm.com/docs/en/linux-on-z?topic=openssl-using-ibmca-provider
# In RHEL 9 has been introduced new technology: openssl provides. The engine
# is deprecated, so keep proper teminology to not confuse users.
dst_tech = 'engine' if version.get_target_major_version() == '8' else 'provides'
summary = (
'The presence of openssl-ibmca package suggests that the system may be configured'
' to use the IBMCA OpenSSL engine.'
' Due to major changes in OpenSSL and libica between RHEL {old} and RHEL {new} it is not'
' possible to migrate OpenSSL configuration files automatically. Therefore,'
' it is necessary to enable IBMCA engine in the OpenSSL config file manually'
' it is necessary to enable IBMCA {tech} in the OpenSSL config file manually'
' after the system upgrade.'
.format(
old=version.get_source_major_version(),
new=version.get_target_major_version()
new=version.get_target_major_version(),
tech=dst_tech
)
)

hint = (
'Configure the IBMCA engine manually after the upgrade.'
'Configure the IBMCA {tech} manually after the upgrade.'
' Please, be aware that it is not recommended to configure the system default'
' /etc/pki/tls/openssl.cnf. Instead, it is recommended to configure a copy of'
' that file and used this copy only for particular applications that are supposed'
' to utilize the IBMCA engine. The location of the OpenSSL configuration file'
' to utilize the IBMCA {tech}. The location of the OpenSSL configuration file'
' can be specified using the OPENSSL_CONF environment variable.'
.format(tech=dst_tech)
)
# TODO(pstodulk): is there a doc?
# TODO(pstodulk): encryption, security groups?

reporting.create_report([
reporting.Title('Detected possible use of IBMCA in OpenSSL'),
Expand All @@ -47,8 +47,7 @@ def check_ibmca():
reporting.Severity(reporting.Severity.MEDIUM),
reporting.Groups([
reporting.Groups.POST,
reporting.Groups.SECURITY,
reporting.Groups.SERVICES
reporting.Groups.ENCRYPTION
]),
])

Expand Down Expand Up @@ -80,7 +79,7 @@ def check_default_openssl():
reporting.Title('The /etc/pki/tls/openssl.cnf file will be replaced by the target RHEL default.'),
reporting.Summary(summary),
reporting.Remediation(hint=hint),
reporting.Severity(reporting.Severity.MEDIUM),
reporting.Severity(reporting.Severity.HIGH),
reporting.Groups([reporting.Groups.POST, reporting.Groups.SECURITY]),
])

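Review bot: The new `dst_tech` assignment in the first hunk picks the literal `'provides'` for RHEL 9+ targets, and that word is then interpolated into the user-facing summary and remediation hint ("enable IBMCA provides", "Configure the IBMCA provides manually"), while the technology — and the commit message itself — calls it a provider; the line should read `dst_tech = 'engine' if version.get_target_major_version() == '8' else 'provider'`. The comment directly above carries the same slip plus "teminology"; I would replace it with `# RHEL 9 introduced OpenSSL providers and deprecated engines, so use the target release's term to avoid confusing users.`. The summary's opening sentence (the unchanged line "... to use the IBMCA OpenSSL engine.") still hard-codes "engine" and could take `{tech}` as well, otherwise a RHEL 9 report mixes both terms. check_ibmca starts before this hunk, so I cannot see how `version` is imported.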

