import scap-security-guide-0.1.63-4.el8

2022-08-19 18:19:13 +00:00 · 2022-08-19 18:19:13 +00:00 · 0f125f7174
commit 0f125f7174
parent 6c1cb717a2
2 changed files with 38 additions and 1 deletions
--- a/SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
+++ b/SOURCES/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
@ -0,0 +1,33 @@
+From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 16 Aug 2022 18:53:02 +0200
+Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x
+
+There is no need to check  /etc/grubenv for fips=1 on s390x systems, it
+uses zIPL.
+---
+ .../integrity/fips/enable_fips_mode/oval/shared.xml      | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+index 65056a654c6..7af675de0d3 100644
+--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+@@ -7,9 +7,16 @@
+       <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
+       <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
+       <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
+-      {{% if product in ["ol8","rhel8"] %}}
+      {{% if product in ["ol8"] %}}
+       <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
+       test_ref="test_grubenv_fips_mode" />
+      {{% elif product in ["rhel8"] %}}
+      <criteria operator="OR">
+        <extend_definition comment="Generic test for s390x architecture"
+        definition_ref="system_info_architecture_s390_64" />
+        <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
+        test_ref="test_grubenv_fips_mode" />
+      </criteria>
+       {{% endif %}}
+     </criteria>
+   </definition>
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -6,7 +6,7 @@

 Name:		scap-security-guide
 Version:	0.1.63
-Release:	3%{?dist}
+Release:	4%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@ -34,6 +34,7 @@ Patch12:		scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_920
 Patch13:		scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
 Patch14:		scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
 Patch15:		scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
+Patch16:		scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch

 BuildRequires:	libxslt
 BuildRequires:	expat
@ -138,6 +139,9 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif

 %changelog
+* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
+- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
+
 * Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
 - Fix Ansible partition conditional (RHBZ#2032403)