RHEL FIPS Clean Up #12946
Merged
RHEL FIPS Clean Up #12946
+94
−78
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
jan-cerny
reviewed
Jan 31, 2025
| @@ -6,21 +6,3 @@ if {{{ bash_bootc_build() }}}; then | |||
| cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF | |||
| kargs = ["fips=1"] | |||
| EOF | |||
| else | |||
There was a problem hiding this comment.
Please remove also lines 2 and 5 in this file.
| The system needs to be rebooted for these changes to take effect. | ||
| {{% else %}} | ||
| To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. | ||
| Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. |
| warnings: | ||
| - general: |- | ||
| The system needs to be rebooted for these changes to take effect. | ||
| To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. | ||
| Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. |
There was a problem hiding this comment.
I would add:
Only enabling FIPS mode during the RHEL installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
| @@ -56,7 +65,7 @@ warnings: | |||
| See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b> | |||
| To meet this, the system has to have cryptographic software provided by a vendor that has | |||
| undergone this certification. This means providing documentation, test results, design | |||
| information, and independent third party review by an accredited lab. While open source | |||
| information, and independent third parenable_dracut_fips_modulety review by an accredited lab. While open source | |||
| @@ -22,6 +22,12 @@ description: |- | |||
| <pre>kargs = ["fips=1"]</pre> | |||
| Then set the cryptographic policy to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>: | |||
| <pre>update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}</pre> | |||
| {{% elif 'rhel' in product %}} | |||
There was a problem hiding this comment.
You need to change the conditions in the description.
- The first block of the description (about fips-mode-setup) shouldn't go to RHEL 10 and maybe it should go to any RHEL.
- "To enable FIPS mode at bootable container build time ..." should only go to products that support bootable containers, currently RHEL 9 and 10, or you can use the
bootable_containers_supportedvariable. - The "Openshift ..." block should only go to rhcos4.
Comment on lines
67
to
70
| <precat cat /proc/sys/crypto/fips_enabled</pre> | ||
| The output be must: | ||
| <pre>1</pre> |
| @@ -7,6 +7,7 @@ description: |- | |||
| To ensure FIPS mode is enabled, install package <tt>dracut-fips</tt>, and rebuild <tt>initramfs</tt> by running the following commands: | |||
| <pre>{{{ package_install("dracut-fips") }}} | |||
| dracut -f</pre> | |||
| {{% if 'rhel' not in product %}} | |||
There was a problem hiding this comment.
The description now looks weird for RHEL products. First, it says that to enable FIPS mode you should install dracut-fips and rebuild initramfs. Then, it says that this action will be worthless because it won't set FIPS up and you should have installed the system differently.
We need to reword this completely. Maybe start with describing the installation flag and then explain that the dracut thing serves to verify that the system is still in a good state.
Mab879
added a commit
to Mab879/content
that referenced
this pull request
Jan 31, 2025
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -3,13 +3,18 @@
Enable Dracut FIPS Module
[description]:
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
+
To enable FIPS, the system requires that the fips module is added in dracut configuration.
Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "
[warning]:
-The system needs to be rebooted for these changes to take effect.
+To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
[warning]:
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
New data stream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -1 +1 @@
-
+oval:ssg-bootc:def:1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -3,30 +3,22 @@
Enable FIPS Mode
[description]:
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
-
-The fips-mode-setup command will configure the system in
-FIPS mode by automatically configuring the following:
-Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
- Creating /etc/system-fips
- Setting the system crypto policy in /etc/crypto-policies/config to 'xccdf_org.ssgproject.content_value_var_system_crypto_policy'
- Loading the Dracut fips module
-
-To enable FIPS mode at bootable container build time configure fips=1 kernel argument
-in /usr/lib/bootc/kargs.d/01-fips.toml:
-kargs = ["fips=1"]
-Then set the cryptographic policy to 'xccdf_org.ssgproject.content_value_var_system_crypto_policy':
-update-crypto-policies --no-reload --set 'xccdf_org.ssgproject.content_value_var_system_crypto_policy'
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
[warning]:
-The system needs to be rebooted for these changes to take effect.
+To configure Red Hat Enterprise Linux 8 to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+Only enabling FIPS 140 mode during the Red Hat Enterprise Linux 8 installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
+Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
[warning]:
This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
You can find the list of FIPS certified modules at
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search.
-This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
+This rule checks if the system is running in FIPS mode.
[reference]:
CCI-002450
OCIL for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- ocil:ssg-enable_fips_mode_ocil:questionnaire:1
+++ ocil:ssg-enable_fips_mode_ocil:questionnaire:1
@@ -1,10 +1,6 @@
To verify that FIPS mode is enabled properly, run the following command:
-fips-mode-setup --check
-The output should contain the following:
-FIPS mode is enabled.
-To verify that the cryptographic policy has been configured correctly, run the
-following command:
-$ update-crypto-policies --show
-The output should return .
+cat /proc/sys/crypto/fips_enabled
+The output be must:
+1
Is it the case that FIPS mode is not enabled?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -1,31 +1,10 @@
# Remediation is applicable only in certain platforms
if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) && rpm --quiet -q kernel ); then
-var_system_crypto_policy=''
-
-
if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then
- crypto_policies_no_reload="--no-reload"
cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF
kargs = ["fips=1"]
EOF
-else
- fips-mode-setup --enable
-fi
-
-stderr_of_call=$(update-crypto-policies $crypto_policies_no_reload --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
- echo "$stderr_of_call" >&2
- echo "Make sure that the script is installed on the remediated system." >&2
- echo "See output of the 'dnf provides update-crypto-policies' command" >&2
- echo "to see what package to (re)install" >&2
-
- false # end with an error code
-elif test "$rc" != 0; then
- echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
- false # end with an error code
fi
else
New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_etc_system_fips_exists'.
--- xccdf_org.ssgproject.content_rule_etc_system_fips_exists
+++ xccdf_org.ssgproject.content_rule_etc_system_fips_exists
@@ -4,11 +4,16 @@
[description]:
On a system where FIPS mode is enabled, /etc/system-fips must exist.
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
+
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
[warning]:
-The system needs to be rebooted for these changes to take effect.
+To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
[warning]:
System Crypto Modules must be provided by a vendor that undergoes
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled'.
--- xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
+++ xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
@@ -5,8 +5,14 @@
[description]:
System running in FIPS mode is indicated by kernel parameter
'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode.
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
+
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
+
+
To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot
parameters during system installation so key generation is done with FIPS-approved algorithms |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
RHSecurityCompliance/contest#322 has been merged, so let's try to rerun |
|
/packit build |
jan-cerny
reviewed
Feb 3, 2025
linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
Outdated
Show resolved
Hide resolved
Mab879
added a commit
to Mab879/content
that referenced
this pull request
Feb 3, 2025
Mab879
added a commit
to Mab879/content
that referenced
this pull request
Feb 3, 2025
Mab879
added a commit
to Mab879/content
that referenced
this pull request
Feb 3, 2025
|
/packit build |
|
With the changes from this PR the rule I would propose to:
|
|
This PR also causes
to be removed from the RHEL-8 datastream, so they should be added to the default profile (?). |
|
Also, this is likely what now breaks STIG profiles, a curious piece of remediation 😄 For some reason, the install fails and there is no |
This will be fixed by #12966 I will update the PR based for the Initramfs issue. |
Remove remediations for RHEL and update rule
Update rules for RHEL to state must install via fips=1.
|
@Mab879 And what about this?
|
|
Code Climate has analyzed commit 42fbc27 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate. |
|
/packit test centos-stream-8-x86_64:/static-checks |
jan-cerny
approved these changes
Feb 5, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This makes it so the only way to enable FIPS mode on RHEL versions is
fips=1on install.Rationale:
The
fips-mode-setupcommand doesn't full get the system into FIPS 140 compliance.For example it does not regenerate key material.