[stabilization] Backport RHEL FIPS Clean Up to 0.1.76 #12977
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Remove remediations for RHEL and update rule
Update rules for RHEL to state must install via fips=1.
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -3,13 +3,18 @@
Enable Dracut FIPS Module
[description]:
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
+
To enable FIPS, the system requires that the fips module is added in dracut configuration.
Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "
[warning]:
-The system needs to be rebooted for these changes to take effect.
+To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
[warning]:
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
New data stream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -1 +1 @@
-
+oval:ssg-bootc:def:1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -3,30 +3,22 @@
Enable FIPS Mode
[description]:
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
-
-The fips-mode-setup command will configure the system in
-FIPS mode by automatically configuring the following:
-Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
- Creating /etc/system-fips
- Setting the system crypto policy in /etc/crypto-policies/config to 'xccdf_org.ssgproject.content_value_var_system_crypto_policy'
- Loading the Dracut fips module
-
-To enable FIPS mode at bootable container build time configure fips=1 kernel argument
-in /usr/lib/bootc/kargs.d/01-fips.toml:
-kargs = ["fips=1"]
-Then set the cryptographic policy to 'xccdf_org.ssgproject.content_value_var_system_crypto_policy':
-update-crypto-policies --no-reload --set 'xccdf_org.ssgproject.content_value_var_system_crypto_policy'
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
[warning]:
-The system needs to be rebooted for these changes to take effect.
+To configure Red Hat Enterprise Linux 8 to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+Only enabling FIPS 140 mode during the Red Hat Enterprise Linux 8 installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
+Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
[warning]:
This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
You can find the list of FIPS certified modules at
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search.
-This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
+This rule checks if the system is running in FIPS mode.
[reference]:
CCI-002450
OCIL for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- ocil:ssg-enable_fips_mode_ocil:questionnaire:1
+++ ocil:ssg-enable_fips_mode_ocil:questionnaire:1
@@ -1,10 +1,6 @@
To verify that FIPS mode is enabled properly, run the following command:
-fips-mode-setup --check
-The output should contain the following:
-FIPS mode is enabled.
-To verify that the cryptographic policy has been configured correctly, run the
-following command:
-$ update-crypto-policies --show
-The output should return .
+cat /proc/sys/crypto/fips_enabled
+The output be must:
+1
Is it the case that FIPS mode is not enabled?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -1,31 +1,10 @@
# Remediation is applicable only in certain platforms
if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) && rpm --quiet -q kernel ); then
-var_system_crypto_policy=''
-
-
if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then
- crypto_policies_no_reload="--no-reload"
cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF
kargs = ["fips=1"]
EOF
-else
- fips-mode-setup --enable
-fi
-
-stderr_of_call=$(update-crypto-policies $crypto_policies_no_reload --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
fi
else
New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_etc_system_fips_exists'.
--- xccdf_org.ssgproject.content_rule_etc_system_fips_exists
+++ xccdf_org.ssgproject.content_rule_etc_system_fips_exists
@@ -4,11 +4,16 @@
[description]:
On a system where FIPS mode is enabled, /etc/system-fips must exist.
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
+
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
[warning]:
-The system needs to be rebooted for these changes to take effect.
+To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
[warning]:
System Crypto Modules must be provided by a vendor that undergoes
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled'.
--- xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
+++ xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
@@ -5,8 +5,14 @@
[description]:
System running in FIPS mode is indicated by kernel parameter
'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode.
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
+
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
+
+
To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot
parameters during system installation so key generation is done with FIPS-approved algorithms |
jan-cerny
changed the title
jan-cerny
merged commit 89778bf
into
ComplianceAsCode:stabilization-v0.1.76
89 of 96 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #12946