117 lines
7.4 KiB
Diff
117 lines
7.4 KiB
Diff
From bc2f72ff8a23b508cef88a363e75e73474625775 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Tue, 22 Feb 2022 17:15:43 +0100
|
|
Subject: [PATCH 1/3] remove extend definition from ovals
|
|
|
|
---
|
|
.../software/integrity/fips/enable_fips_mode/oval/rhcos4.xml | 1 -
|
|
.../software/integrity/fips/enable_fips_mode/oval/shared.xml | 1 -
|
|
2 files changed, 2 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
|
|
index c5ae0550e6b..52d86fd4478 100644
|
|
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
|
|
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
|
|
@@ -5,7 +5,6 @@
|
|
<extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
|
|
<extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="proc_sys_crypto_fips_enabled" />
|
|
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
|
- <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
|
|
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
|
</criteria>
|
|
</definition>
|
|
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
|
index 699dca06dd1..6c3f57e143f 100644
|
|
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
|
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
|
@@ -6,7 +6,6 @@
|
|
<extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
|
|
<extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
|
|
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
|
- <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
|
|
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
|
</criteria>
|
|
</definition>
|
|
|
|
From dbbea1998e189c4a27edc700478f55e2dfda56f8 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Tue, 22 Feb 2022 17:17:28 +0100
|
|
Subject: [PATCH 2/3] chang warning and description
|
|
|
|
---
|
|
.../integrity/fips/enable_fips_mode/rule.yml | 25 ++++---------------
|
|
1 file changed, 5 insertions(+), 20 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
|
index 9d89114b07f..6b055eac8ff 100644
|
|
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
|
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
|
@@ -13,11 +13,9 @@ description: |-
|
|
<ul>
|
|
<li>Setting the kernel FIPS mode flag (<tt>/proc/sys/crypto/fips_enabled</tt>) to <tt>1</tt></li>
|
|
<li>Creating <tt>/etc/system-fips</tt></li>
|
|
- <li>Setting the system crypto policy in <tt>/etc/crypto-policies/config</tt> to <tt>FIPS</tt></li>
|
|
+ <li>Setting the system crypto policy in <tt>/etc/crypto-policies/config</tt> to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt></li>
|
|
<li>Loading the Dracut <tt>fips</tt> module</li>
|
|
</ul>
|
|
- This rule also ensures that the system policy is set to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>.
|
|
- Furthermore, the system running in FIPS mode should be FIPS certified by NIST.
|
|
|
|
rationale: |-
|
|
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
|
|
@@ -48,7 +46,7 @@ references:
|
|
ocil_clause: 'FIPS mode is not enabled'
|
|
|
|
ocil: |-
|
|
- To verify that FIPS is enabled properly, run the following command:
|
|
+ To verify that FIPS mode is enabled properly, run the following command:
|
|
<pre>fips-mode-setup --check</pre>
|
|
The output should contain the following:
|
|
<pre>FIPS mode is enabled.</pre>
|
|
@@ -61,19 +59,6 @@ warnings:
|
|
- general: |-
|
|
The system needs to be rebooted for these changes to take effect.
|
|
- regulatory: |-
|
|
- System Crypto Modules must be provided by a vendor that undergoes
|
|
- FIPS-140 certifications.
|
|
- FIPS-140 is applicable to all Federal agencies that use
|
|
- cryptographic-based security systems to protect sensitive information
|
|
- in computer and telecommunication systems (including voice systems) as
|
|
- defined in Section 5131 of the Information Technology Management Reform
|
|
- Act of 1996, Public Law 104-106. This standard shall be used in
|
|
- designing and implementing cryptographic modules that Federal
|
|
- departments and agencies operate or are operated for them under
|
|
- contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
|
|
- To meet this, the system has to have cryptographic software provided by
|
|
- a vendor that has undergone this certification. This means providing
|
|
- documentation, test results, design information, and independent third
|
|
- party review by an accredited lab. While open source software is
|
|
- capable of meeting this, it does not meet FIPS-140 unless the vendor
|
|
- submits to this process.
|
|
+ This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
|
|
+ You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}.
|
|
+ This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
|
|
|
|
From 3c72eec95c617ee295099522d2817c6d217a7e63 Mon Sep 17 00:00:00 2001
|
|
From: vojtapolasek <krecoun@gmail.com>
|
|
Date: Wed, 23 Feb 2022 09:16:09 +0100
|
|
Subject: [PATCH 3/3] Update
|
|
linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
|
|
|
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
|
|
---
|
|
.../system/software/integrity/fips/enable_fips_mode/rule.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
|
index 6b055eac8ff..30cbc939bed 100644
|
|
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
|
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
|
|
@@ -60,5 +60,5 @@ warnings:
|
|
The system needs to be rebooted for these changes to take effect.
|
|
- regulatory: |-
|
|
This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
|
|
- You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}.
|
|
+ You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}.
|
|
This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
|