scap-security-guide/scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch

34 lines
1.8 KiB
Diff

From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 16 Aug 2022 18:53:02 +0200
Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x
There is no need to check /etc/grubenv for fips=1 on s390x systems, it
uses zIPL.
---
.../integrity/fips/enable_fips_mode/oval/shared.xml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 65056a654c6..7af675de0d3 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -7,9 +7,16 @@
<extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
- {{% if product in ["ol8","rhel8"] %}}
+ {{% if product in ["ol8"] %}}
<criterion comment="check if the kernel boot parameter is configured for FIPS mode"
test_ref="test_grubenv_fips_mode" />
+ {{% elif product in ["rhel8"] %}}
+ <criteria operator="OR">
+ <extend_definition comment="Generic test for s390x architecture"
+ definition_ref="system_info_architecture_s390_64" />
+ <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
+ test_ref="test_grubenv_fips_mode" />
+ </criteria>
{{% endif %}}
</criteria>
</definition>