From 17844ccdf81a07244881949b7269adaef0328d16 Mon Sep 17 00:00:00 2001 
From: Jan Černý
Date: Mon, 26 Nov 2018 14:17:10 +0100
Subject: [PATCH 1/7] New rule to enable FIPS mode on RHEL8 and Fedora

On RHEL8, a different method is used to enable FIPS mode than on RHEL6/7. Package `dracut-fips` doesn't exist anymore, GRUB config file doesn't need to be edited. Instead, a new utility `fips-mode-setup` should be used to set up and configure FIPS mode.

To verify that FIPS mode is enabled, the following 2 conditions have to be fulfilled:
1. /etc/system-fips exists
2. /proc/sys/crypto/fips_enabled is set to 1

We can also check if the Dracut FIPS module is configured to be loaded. In FIPS mode, the system-wide crypto policy is configured to FIPS. The same facts apply also for Fedora 29.

This commit adds a new rule `enable_fips_mode` for RHEL8 and Fedora, which replaces the old rule `grub2_enable_fips_mode` in RHEL8 and Fedora OSPP profiles. The platform in `grub2_enable_fips_mode` and dependent rule `package_dracut-fips_installed` is changed to exclude RHEL8 and Fedora. Currently it fails on both RHEL8 and Fedora because it depends on rule `installed_OS_is_certified` which allows only RHEL6 and RHEL7.
---
 fedora/profiles/ospp.profile | 3 +-
 .../enable_dracut_fips_module/oval/shared.xml | 32 +++++++++++++++
 .../fips/enable_dracut_fips_module/rule.yml | 26 +++++++++++++
 .../fips/enable_fips_mode/bash/shared.sh | 3 ++
 .../fips/enable_fips_mode/oval/shared.xml | 19 +++++++++
 .../integrity/fips/enable_fips_mode/rule.yml | 39 +++++++++++++++++++
 .../etc_system_fips_exists/oval/shared.xml | 23 +++++++++++
 .../fips/etc_system_fips_exists/rule.yml | 28 +++++++++++++
 .../anaconda/shared.anaconda | 2 +-
 .../grub2_enable_fips_mode/bash/shared.sh | 2 +-
 .../grub2_enable_fips_mode/oval/shared.xml | 2 -
 .../fips/grub2_enable_fips_mode/rule.yml | 2 +-
 .../anaconda/shared.anaconda | 2 +-
 .../ansible/shared.yml | 2 +-
 .../bash/shared.sh | 2 +-
 .../oval/shared.xml | 4 +-
 .../package_dracut-fips_installed/rule.yml | 2 +-
 .../oval/shared.xml | 28 +++++++++++++
 .../fips/sysctl_crypto_fips_enabled/rule.yml | 30 ++++++++++++++
 rhel8/profiles/ospp.profile | 2 +-
 20 files changed, 240 insertions(+), 13 deletions(-)
 create mode 100644 linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
 create mode 100644 linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
 create mode 100644 linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
 create mode 100644 linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml
 create mode 100644 linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile index c115ab6bce..0eb3b8ec63 100644 --- a/fedora/profiles/ospp.profile +++ b/fedora/profiles/ospp.profile @@ -17,7 +17,8 @@ selections: - grub2_audit_argument - grub2_audit_backlog_limit_argument - service_auditd_enabled - - grub2_enable_fips_mode + - enable_fips_mode + - var_system_crypto_policy=fips - rpm_verify_hashes - selinux_all_devicefiles_labeled - selinux_confinement_of_daemons diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml new file mode 100644 index 0000000000..03ff256da2 --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml @@ -0,0 +1,32 @@ + + + + Enable Dracut FIPS Module + + Red Hat Enterprise Linux 8 + multi_platform_fedora + + fips module should be enabled in Dracut configuration + + + + + + + + + + + + + /etc/dracut.conf.d/40-fips.conf + ^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:|(?:#.*))?$ + 1 + + + + fips + + + diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml new file mode 100644 index 0000000000..3de551d2ca --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml 
@@ -0,0 +1,26 @@ +documentation_complete: true + +prodtype: rhel8,fedora + +title: "Enable Dracut FIPS Module" + +description: |- + To enable FIPS, the system requires that the fips module is added in + dracut configuration. + Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " + +rationale: |- + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to + protect data. The operating system must implement cryptographic modules adhering to the higher + standards approved by the federal government since this provides assurance they have been tested + and validated. + +severity: medium + +ocil_clause: 'the Dracut FIPS module is not enabled' + +ocil: |- + To verify that the Dracut FIPS module is enabled, run the following command: + grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf + The output should look like this: + add_dracutmodules+=" fips " diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh new file mode 100644 index 0000000000..b2138a5e1e --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh @@ -0,0 +1,3 @@ +# platform = Red Hat Enterprise Linux 8, multi_platform_fedora + +fips-mode-setup --enable diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml new file mode 100644 index 0000000000..9e6e9b5608 --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml @@ -0,0 +1,19 @@ + + + + Enable FIPS Mode + + Red Hat Enterprise Linux 8 + multi_platform_fedora + + Check if FIPS mode is enabled on the system + + + + + + + + + + 
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml new file mode 100644 index 0000000000..b7fda5bee1 --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -0,0 +1,39 @@ +documentation_complete: true + +prodtype: rhel8,fedora + +title: Enable FIPS Mode + +description: |- + To enable FIPS mode, run the following command: +
fips-mode-setup --enable
+ +rationale: |- + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to + protect data. The operating system must implement cryptographic modules adhering to the higher + standards approved by the federal government since this provides assurance they have been tested + and validated. + +severity: high + +ocil_clause: 'FIPS mode is not enabled' + +ocil: |- + To verify that FIPS is enabled properly, run the following command: +
fips-mode-setup --check
+ The output should contain the following: +
FIPS mode is enabled.
+ +warnings: + - general: |- + The system needs to be rebooted for these changes to take effect. + - regulatory: |- + The ability to enable FIPS does not denote FIPS compliancy or certification. + Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community + projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliancy. + Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. +

+ See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} + for a list of FIPS certified vendors. + +platform: machine diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml new file mode 100644 index 0000000000..8e0360543d --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml @@ -0,0 +1,23 @@ + + + + Check /etc/system-fips exists + + Red Hat Enterprise Linux 8 + multi_platform_fedora + + Check /etc/system-fips exists + + + + + + + + + + + + /etc/system-fips + + diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml new file mode 100644 index 0000000000..0f48cbf274 --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml @@ -0,0 +1,28 @@ +documentation_complete: true + +prodtype: rhel8,fedora + +title: Ensure '/etc/system-fips' exists + +description: |- + On a system where FIPS mode is enabled, /etc/system-fips must exist. + To enable FIPS mode, run the following command: +
fips-mode-setup --enable
+ +rationale: |- + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to + protect data. The operating system must implement cryptographic modules adhering to the higher + standards approved by the federal government since this provides assurance they have been tested + and validated. + +severity: high + +ocil_clause: /etc/system-fips does not exist + +ocil: |- + To verify /etc/system-fips exists, run the following command: +
ls -l /etc/system-fips
+ The output should be similar to the the following: +
-rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips
+ +platform: machine diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda index 089f104181..99693f62d6 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda @@ -1,3 +1,3 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora +# platform = Red Hat Enterprise Linux 7 package --add=dracut-fips diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh index 097b64080d..b784f9f658 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora +# platform = Red Hat Enterprise Linux 7 # include remediation functions library . /usr/share/scap-security-guide/remediation_functions diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml index b8f84e32d3..9dee4066d2 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml @@ -4,8 +4,6 @@ Enable FIPS Mode in GRUB2 Red Hat Enterprise Linux 7 - Red Hat Enterprise Linux 8 - multi_platform_fedora Look for argument fips=1 in the kernel line in /etc/default/grub. 
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index c8c11f8a5e..82c3dc5f68 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8,fedora +prodtype: rhel7 title: 'Enable FIPS Mode in GRUB2' diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/anaconda/shared.anaconda b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/anaconda/shared.anaconda index 38b5193e8e..e2ad6654f6 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/anaconda/shared.anaconda +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/anaconda/shared.anaconda @@ -1,3 +1,3 @@ -# platform = multi_platform_rhel, multi_platform_fedora +# platform = Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 package --add=dracut-fips diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml index a3dadd7af0..13a1f0b372 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel, multi_platform_fedora +# platform = Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 # reboot = false # strategy = enable # complexity = low 
diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh index fd319418d9..36ecb73c25 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel, multi_platform_fedora +# platform = Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 # include remediation functions library . /usr/share/scap-security-guide/remediation_functions diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml index 1483429a6a..4d3de0bc3e 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml @@ -8,8 +8,8 @@ Package dracut-fips Installed - multi_platform_rhel - multi_platform_fedora + Red Hat Enterprise Linux 6 + Red Hat Enterprise Linux 7 The RPM package dracut-fips should be installed. diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml index 5065cca35b..c7cd8552b0 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel6,rhel7,rhel8,fedora +prodtype: rhel6,rhel7 title: 'Install the dracut-fips Package' 
diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml new file mode 100644 index 0000000000..1b34965949 --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml @@ -0,0 +1,28 @@ + + + + Kernel "crypto.fips_enabled" Parameter Runtime Check + + multi_platform_fedora + Red Hat Enterprise Linux 8 + + The kernel "crypto.fips_enabled" parameter should be set to "1" in system runtime. + + + + + + + + + + + + + crypto.fips_enabled + + + + 1 + + diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml new file mode 100644 index 0000000000..a8e9c0d36e --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -0,0 +1,30 @@ +documentation_complete: true + +prodtype: rhel8,fedora + +title: "Set kernel parameter 'crypto.fips_enabled' to 1" + +description: |- + System running in FIPS mode is indicated by kernel parameter + 'crypto.fips_enabled'. This parameter should be set to 1 + in FIPS mode. + To enable FIPS mode, run the following command: +
fips-mode-setup --enable
+ +rationale: |- + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to + protect data. The operating system must implement cryptographic modules adhering to the higher + standards approved by the federal government since this provides assurance they have been tested + and validated. + +severity: high + +ocil_clause: 'crypto.fips_enabled is not 1' + +ocil: |- + To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: +
sysctl crypto.fips_enabled
+ The output should contain the following: +
crypto.fips_enabled =  1
+ +platform: machine diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index 4c8fe02f17..a78060a355 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -12,7 +12,7 @@ selections: - grub2_audit_argument - grub2_audit_backlog_limit_argument - service_auditd_enabled - - grub2_enable_fips_mode + - enable_fips_mode - rpm_verify_hashes - selinux_all_devicefiles_labeled - selinux_confinement_of_daemons From fc10f00b21ca8303cb1e83189d969991069b9d1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 5 Dec 2018 17:41:39 +0100 Subject: [PATCH 2/7] Improve description of rule "Enable FIPS mode" Describes the process based on `fips-mode-setup` manual page and describes the facts that are checked by the rule. --- .../integrity/fips/enable_fips_mode/rule.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index b7fda5bee1..67090ea863 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -7,6 +7,20 @@ title: Enable FIPS Mode description: |- To enable FIPS mode, run the following command:
fips-mode-setup --enable
+
+ The fips-mode-setup command completes the installation of FIPS + modules by calling fips-finish-install. Then, it changes the + system crypto policy to FIPS by calling update-crypto-policies + tool. Also, the command modifies the boot loader configuration to add + fips=1 and boot=<boot-device> options to the kernel + command line. +
+ On a system running in FIPS mode, the kernel FIPS mode flag + (/proc/sys/crypto/fips_enabled) should be set to 1 and + the /etc/system-fips should exist. The system crypto policy should + be set to FIPS in /etc/crypto-policies/config. Also, the Dracut + fips module should be loaded. Furthermore, the system running in + FIPS mode should be FIPS certified. rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to From 420be5900a27772422d14489c0c776754a3621e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 11 Dec 2018 08:55:45 +0100 Subject: [PATCH 3/7] Remove a paragraph from rule description --- .../software/integrity/fips/enable_fips_mode/rule.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index 67090ea863..7532191961 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -8,13 +8,6 @@ description: |- To enable FIPS mode, run the following command:
fips-mode-setup --enable

- The fips-mode-setup command completes the installation of FIPS - modules by calling fips-finish-install. Then, it changes the - system crypto policy to FIPS by calling update-crypto-policies - tool. Also, the command modifies the boot loader configuration to add - fips=1 and boot=<boot-device> options to the kernel - command line. -
On a system running in FIPS mode, the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) should be set to 1 and the /etc/system-fips should exist. The system crypto policy should From bdf0a27ef924c7cf8bf26dc4a650ae47d51195d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 11 Dec 2018 09:56:23 +0100 Subject: [PATCH 4/7] Check if external variable has the expected value This commit adds a new criterion to OVAL definition for rule `enable_fips_mode`. The test checks if `var_system_crypto_policy` is set to FIPS. This solves the situation when user tailors his profile and refines the XCCDF value `var_system_crypto_policy` to a different value than FIPS. In this situation the rule passes, although the FIPS mode is not enabled. It is obvious that this tailoring does not make any sense, but we should be more anticipatory. --- .../integrity/fips/enable_fips_mode/oval/shared.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml index 9e6e9b5608..9324989899 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml @@ -14,6 +14,17 @@ + + + + + + + var_system_crypto_policy + + + FIPS + From 92fe3acfc3785c18a696696dd0a1827a399136c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 11 Dec 2018 11:39:52 +0100 Subject: [PATCH 5/7] Add missing external_variable in OVAL --- .../software/integrity/fips/enable_fips_mode/oval/shared.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml index 9324989899..2c1e52c831 100644 
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml @@ -27,4 +27,5 @@ FIPS + From e59104a23b01bbf5f2bc141e5480e594eb2a30ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 12 Dec 2018 09:04:25 +0100 Subject: [PATCH 6/7] Add warnings to other FIPS-related rules --- .../fips/enable_dracut_fips_module/rule.yml | 14 ++++++++++++++ .../integrity/fips/etc_system_fips_exists/rule.yml | 12 ++++++++++++ .../fips/sysctl_crypto_fips_enabled/rule.yml | 12 ++++++++++++ 3 files changed, 38 insertions(+) diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml index 3de551d2ca..b23d2e8c46 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml @@ -5,6 +5,8 @@ prodtype: rhel8,fedora title: "Enable Dracut FIPS Module" description: |- + To enable FIPS mode, run the following command: +
fips-mode-setup --enable
To enable FIPS, the system requires that the fips module is added in dracut configuration. Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " @@ -24,3 +26,15 @@ ocil: |- grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf The output should look like this: add_dracutmodules+=" fips " + +warnings: + - general: |- + The system needs to be rebooted for these changes to take effect. + - regulatory: |- + The ability to enable FIPS does not denote FIPS compliancy or certification. + Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community + projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliancy. + Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. +

+ See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} + for a list of FIPS certified vendors. diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml index 0f48cbf274..0f1b398a0e 100644 --- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml @@ -25,4 +25,16 @@ ocil: |- The output should be similar to the the following:
-rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips
+warnings: + - general: |- + The system needs to be rebooted for these changes to take effect. + - regulatory: |- + The ability to enable FIPS does not denote FIPS compliancy or certification. + Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community + projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliancy. + Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. +

+ See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} + for a list of FIPS certified vendors. + platform: machine diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml index a8e9c0d36e..734fa558a7 100644 --- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -27,4 +27,16 @@ ocil: |- The output should contain the following:
crypto.fips_enabled =  1
+warnings: + - general: |- + The system needs to be rebooted for these changes to take effect. + - regulatory: |- + The ability to enable FIPS does not denote FIPS compliancy or certification. + Red Hat, Inc. and Red Hat Enterprise Linux are respectively FIPS certified and compliant. Community + projects such as CentOS, Scientific Linux, Fedora, etc. do not necessarily meet FIPS certification and compliancy. + Therefore, non-certified vendors and/or projects do not meet this requirement even if technically feasible. +

+ See {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm") }}} + for a list of FIPS certified vendors. + platform: machine From 4c3c890a63a6061d380c5171f32f048165af0ee8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 13 Dec 2018 17:33:39 +0100 Subject: [PATCH 7/7] Improve wording in rule description enable_fips_mode --- .../integrity/fips/enable_fips_mode/rule.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index 7532191961..72db413dff 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -8,12 +8,15 @@ description: |- To enable FIPS mode, run the following command:
fips-mode-setup --enable

- On a system running in FIPS mode, the kernel FIPS mode flag - (/proc/sys/crypto/fips_enabled) should be set to 1 and - the /etc/system-fips should exist. The system crypto policy should - be set to FIPS in /etc/crypto-policies/config. Also, the Dracut - fips module should be loaded. Furthermore, the system running in - FIPS mode should be FIPS certified. + The fips-mode-setup command will configure the system in + FIPS mode by automatically configuring the following: +
    +
  • Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
  • +
  • Creating /etc/system-fips
  • +
  • Setting the system crypto policy in /etc/crypto-policies/config to FIPS
  • +
  • Loading the Dracut fips module
  • +
+ Furthermore, the system running in FIPS mode should be FIPS certified by NIST. rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
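Review bot: the pattern `^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:|(?:#.*))?$` in PATCH 1/7, enable_dracut_fips_module/oval/shared.xml, captures exactly one word, so a configuration line that lists several modules (for example `add_dracutmodules+=" fips lvm "`, a constructed case) yields no match and the rule fails even though the fips module is present. Capture the whole quoted list instead, e.g. `^\s*add_dracutmodules\+="([^"]*)"`, and let the state test that `fips` occurs as a separate word (`(^|\s)fips(\s|$)` with a pattern-match operation) rather than comparing the capture to the literal `fips`. The trailing `(?:|(?:#.*))?` has an empty first alternative and reduces to `(?:#.*)?`.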
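Review bot: the two profile hunks in PATCH 1/7 are inconsistent: fedora/profiles/ospp.profile gains both `enable_fips_mode` and `var_system_crypto_policy=fips`, while rhel8/profiles/ospp.profile gains only `enable_fips_mode`. Because the criterion added in PATCH 4/7 compares `var_system_crypto_policy` against `FIPS`, the RHEL8 profile passes that criterion only if the variable's default already resolves to FIPS; either add the same selection to the RHEL8 profile or say in the commit message why the default is sufficient. Also confirm that the `fips` selector chosen in the Fedora profile resolves to the literal `FIPS` the OVAL state compares against, since the selection is written in lowercase and the comparison value in uppercase.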
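Review bot: enable_fips_mode/bash/shared.sh in PATCH 1/7 carries only the `# platform` header, yet the rule's own warning states that the system must be rebooted for the change to take effect. Add the remediation metadata headers used elsewhere in this series (package_dracut-fips_installed/ansible/shared.yml shows `# reboot = false`, `# strategy = enable`, `# complexity = low`), here with `# reboot = true`, so the generated remediation reports the reboot requirement instead of silently returning after `fips-mode-setup --enable`.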
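Review bot: the expected output `crypto.fips_enabled =  1` in sysctl_crypto_fips_enabled/rule.yml (PATCH 1/7, repeated as context in PATCH 6/7) has two spaces before the value, whereas `sysctl crypto.fips_enabled` prints a single space (`crypto.fips_enabled = 1`); a reader comparing the output literally is misled. The description's first sentence also needs an article: "A system running in FIPS mode is indicated by the kernel parameter crypto.fips_enabled."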
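Review bot: two wording defects in the new rule texts of PATCH 1/7: enable_dracut_fips_module/rule.yml reads "Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "" (should be "contains"), and etc_system_fips_exists/rule.yml reads "The output should be similar to the the following" (doubled "the"; the same line is carried as context into PATCH 6/7). Both should be fixed in 1/7 rather than in a follow-up so that the later hunks apply cleanly.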
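Review bot: PATCH 5/7 "Add missing external_variable in OVAL" repairs the definition introduced in PATCH 4/7, which means 4/7 references `var_system_crypto_policy` without declaring it and the content does not build at that commit. Squash 5/7 into 4/7 so that every commit in the series is valid on its own; the same applies to PATCH 3/7, which deletes the paragraph PATCH 2/7 adds, and to PATCH 7/7, which rewrites the remainder of that description. The series would read as three commits: the new rules, the external-variable criterion, and the warnings.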
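Review bot: PATCH 6/7 copies the same two-entry `warnings:` block (the reboot warning and the regulatory paragraph with the CMVP weblink) into enable_dracut_fips_module, etc_system_fips_exists and sysctl_crypto_fips_enabled, on top of the copy already present in enable_fips_mode/rule.yml, leaving four identical blocks to keep in sync. The rules already use Jinja macros (`{{{ weblink(...) }}}`); factor the regulatory text into one macro and call it from each rule so a future change to the vendor list URL or wording is made once.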
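Review bot: in PATCH 6/7 the enable_dracut_fips_module/rule.yml hunk prepends "To enable FIPS mode, run the following command: fips-mode-setup --enable" directly before the existing "To enable FIPS, the system requires that the fips module is added in dracut configuration", so the description now opens with two consecutive "To enable FIPS" sentences. State what the rule checks first and put the enabling command last, which is the order etc_system_fips_exists/rule.yml and sysctl_crypto_fips_enabled/rule.yml already use.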
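Review bot: in PATCH 7/7 the bullet "Loading the Dracut fips module" describes a runtime action, but the companion rule enable_dracut_fips_module checks that `add_dracutmodules+=" fips "` is present in /etc/dracut.conf.d/40-fips.conf, i.e. that the module is included when the initramfs is built; reword the bullet to match what is verified ("Adding the fips module to the Dracut configuration"). The closing sentence "the system running in FIPS mode should be FIPS certified by NIST" duplicates the regulatory warning further down in the same rule and can be dropped from the description.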