From bc2f72ff8a23b508cef88a363e75e73474625775 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 22 Feb 2022 17:15:43 +0100 Subject: [PATCH 1/3] remove extend definition from ovals --- .../software/integrity/fips/enable_fips_mode/oval/rhcos4.xml | 1 - .../software/integrity/fips/enable_fips_mode/oval/shared.xml | 1 - 2 files changed, 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml index c5ae0550e6b..52d86fd4478 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml @@ -5,7 +5,6 @@ - diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml index 699dca06dd1..6c3f57e143f 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml @@ -6,7 +6,6 @@ - From dbbea1998e189c4a27edc700478f55e2dfda56f8 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 22 Feb 2022 17:17:28 +0100 Subject: [PATCH 2/3] chang warning and description --- .../integrity/fips/enable_fips_mode/rule.yml | 25 ++++--------------- 1 file changed, 5 insertions(+), 20 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index 9d89114b07f..6b055eac8ff 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -13,11 +13,9 @@ description: |-
  • Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
  • Creating /etc/system-fips
    • -
  • Setting the system crypto policy in /etc/crypto-policies/config to FIPS
    • +
  • Setting the system crypto policy in /etc/crypto-policies/config to {{{ xccdf_value("var_system_crypto_policy") }}}
  • Loading the Dracut fips module
- This rule also ensures that the system policy is set to {{{ xccdf_value("var_system_crypto_policy") }}}. - Furthermore, the system running in FIPS mode should be FIPS certified by NIST. rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to @@ -48,7 +46,7 @@ references: ocil_clause: 'FIPS mode is not enabled' ocil: |- - To verify that FIPS is enabled properly, run the following command: + To verify that FIPS mode is enabled properly, run the following command: 
fips-mode-setup --check
The output should contain the following: 
FIPS mode is enabled.
@@ -61,19 +59,6 @@ warnings: - general: |- The system needs to be rebooted for these changes to take effect. - regulatory: |- - System Crypto Modules must be provided by a vendor that undergoes - FIPS-140 certifications. - FIPS-140 is applicable to all Federal agencies that use - cryptographic-based security systems to protect sensitive information - in computer and telecommunication systems (including voice systems) as - defined in Section 5131 of the Information Technology Management Reform - Act of 1996, Public Law 104-106. This standard shall be used in - designing and implementing cryptographic modules that Federal - departments and agencies operate or are operated for them under - contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} - To meet this, the system has to have cryptographic software provided by - a vendor that has undergone this certification. This means providing - documentation, test results, design information, and independent third - party review by an accredited lab. While open source software is - capable of meeting this, it does not meet FIPS-140 unless the vendor - submits to this process. + This rule DOES NOT CHECK if the components of the operating system are FIPS certified. + You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}. + This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means. From 3c72eec95c617ee295099522d2817c6d217a7e63 Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Wed, 23 Feb 2022 09:16:09 +0100 Subject: [PATCH 3/3] Update linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml Co-authored-by: Gabriel Becker --- .../system/software/integrity/fips/enable_fips_mode/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index 6b055eac8ff..30cbc939bed 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -60,5 +60,5 @@ warnings: The system needs to be rebooted for these changes to take effect. - regulatory: |- This rule DOES NOT CHECK if the components of the operating system are FIPS certified. - You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}. + You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}. This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.