From 1a2d048e08ebd2f8b70107a79256d8ec058cb8f1 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 30 Jan 2025 17:19:50 -0600 Subject: [PATCH 1/8] Update enable_fips_mode --- .../fips/enable_fips_mode/ansible/shared.yml | 27 --------------- .../fips/enable_fips_mode/bash/shared.sh | 18 ---------- .../integrity/fips/enable_fips_mode/rule.yml | 33 ++++++++----------- 3 files changed, 13 insertions(+), 65 deletions(-) delete mode 100644 linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml deleted file mode 100644 index ffc7cacb0ae..00000000000 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml +++ /dev/null @@ -1,27 +0,0 @@ -# platform = multi_platform_all -# reboot = true -# strategy = restrict -# complexity = medium -# disruption = medium -{{{ ansible_instantiate_variables("var_system_crypto_policy") }}} - -- name: "{{{ rule_title }}} - Check to See the Current Status of FIPS Mode" - ansible.builtin.command: /usr/bin/fips-mode-setup --check - register: is_fips_enabled - failed_when: false - changed_when: false - -- name: "{{{ rule_title }}} - Enable FIPS Mode" - ansible.builtin.command: /usr/bin/fips-mode-setup --enable - when: - - is_fips_enabled.stdout.find('FIPS mode is enabled.') == -1 - -- name: "{{{ rule_title }}} - Configure Crypto Policy" - ansible.builtin.lineinfile: - path: /etc/crypto-policies/config - regexp: '^(?!#)(\S+)$' - line: "{{ var_system_crypto_policy }}" - create: yes - -- name: "{{{ rule_title }}} - Verify that Crypto Policy is Set (runtime)" - ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} 
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh index 113f57e75a4..91574773a06 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh @@ -6,21 +6,3 @@ if {{{ bash_bootc_build() }}}; then cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF kargs = ["fips=1"] EOF -else - fips-mode-setup --enable -fi - -stderr_of_call=$(update-crypto-policies $crypto_policies_no_reload --set ${var_system_crypto_policy} 2>&1 > /dev/null) -rc=$? - -if test "$rc" = 127; then - echo "$stderr_of_call" >&2 - echo "Make sure that the script is installed on the remediated system." >&2 - echo "See output of the 'dnf provides update-crypto-policies' command" >&2 - echo "to see what package to (re)install" >&2 - - false # end with an error code -elif test "$rc" != 0; then - echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 - false # end with an error code -fi diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index a746494d3fe..eaaa03aa8b4 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -22,6 +22,12 @@ description: |-
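Review bot: Removing the `-else`/`-    fips-mode-setup --enable`/`-fi` lines leaves the `if {{{ bash_bootc_build() }}}; then` block with no terminating `fi`, so the rendered remediation is a shell syntax error until a later patch in this series re-adds it; the `fi` should stay in this hunk. The deletion also orphans `$crypto_policies_no_reload` and the `var_system_crypto_policy` instantiation above the hunk, which are now set but never read. The opening `if` line is outside the hunk (it appears only in the hunk header).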
kargs = ["fips=1"]
Then set the cryptographic policy to {{{ xccdf_value("var_system_crypto_policy") }}}:
update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}
+{{% elif 'rhel' in product %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. {{% else %}} OpenShift has an installation-time flag that can enable FIPS mode for the cluster. The flag
fips: true
must be enabled @@ -58,35 +64,22 @@ ocil_clause: 'FIPS mode is not enabled' ocil: |- To verify that FIPS mode is enabled properly, run the following command: -
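Review bot: The new `{{% elif 'rhel' in product %}}` branch is unreachable, because the `{{% if product != "rhcos4" %}}` that opens the description (above this hunk) already matches every RHEL product, so RHEL readers still get the `fips-mode-setup --enable` text instead of the install-time wording. Test the narrow case first: `{{% if product == "rhcos4" %}}`, then `{{% elif 'rhel' in product %}}`, and move the generic text into `{{% else %}}`. The closing `{{% endif %}}` of this block is below the hunk.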
fips-mode-setup --check
- The output should contain the following: -
FIPS mode is enabled.
- To verify that the cryptographic policy has been configured correctly, run the - following command: -
$ update-crypto-policies --show
- The output should return
{{{ xccdf_value("var_system_crypto_policy") }}}
. + + The output be must: +
1
warnings: - general: |- - The system needs to be rebooted for these changes to take effect. + To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- This rule DOES NOT CHECK if the components of the operating system are FIPS certified. You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}. - This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means. + This rule checks if the system is running in FIPS mode. fixtext: |- Configure {{{ full_name }}} to run in FIPS mode. - Run the following commands: - - $ sudo fips-mode-setup --enable - $ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}} - - The system needs to be rebooted for these changes to take effect. - - To enable FIPS mode at bootable container build time, add the following commands in Containerfile: - - RUN echo 'kargs = ["fips=1"]' > /usr/lib/bootc/kargs.d/01-fips.toml - RUN update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}} + The installer for the system must be booted with kernel parameter fips=1. srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.' From 3331dd081ed61cf9056f769b071306fb1630f27f Mon Sep 17 00:00:00 2001 
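Review bot: The replacement `ocil` text reads `The output be must:`; it should be `The output must be:`. The new `fixtext` (`The installer for the system must be booted with kernel parameter fips=1.`) and the rewritten `warnings/general` are unconditional, while the description in the earlier hunk still tells non-RHEL products to run `fips-mode-setup --enable` and the bash remediation still targets `multi_platform_all`, so on those products the fix text contradicts both the description and the remediation. Wrap the install-time-only sentences in the same `{{% if 'rhel' in product %}}` guard the description uses, and keep the original reboot/command text in the `{{% else %}}` branch.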
From: Matthew Burket Date: Thu, 30 Jan 2025 17:21:51 -0600 Subject: [PATCH 2/8] Update enable_dracut_fips_module Remove remediations for RHEL and update rule --- .../enable_dracut_fips_module/ansible/shared.yml | 2 +- .../fips/enable_dracut_fips_module/bash/shared.sh | 2 +- .../fips/enable_dracut_fips_module/rule.yml | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml index 9647791ef98..06020245392 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_ol # reboot = true # strategy = restrict # complexity = medium diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh index 5da0c99e670..f56c424cbb1 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,Red Hat Virtualization 4 +# platform = multi_platform_ol,Red Hat Virtualization 4 fips-mode-setup --enable FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml index ea4eb058f9d..f3d8f516774 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml 
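Review bot: Both platform lines drop `multi_platform_fedora` along with `multi_platform_rhel`, although the commit message only says the RHEL remediations are removed; the same happens in the bash hunk of this patch. Fedora is not matched by the `'rhel' in product` guard the rule text introduces, so Fedora users would be told to run `fips-mode-setup --enable` while the rule no longer ships a remediation for them. If Fedora is meant to keep it, the Ansible header should read `# platform = multi_platform_fedora,multi_platform_ol` and the bash header likewise.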
+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml @@ -4,8 +4,16 @@ documentation_complete: true title: "Enable Dracut FIPS Module" description: |- + {{% if 'rhel' not in product %}} To enable FIPS mode, run the following command:
fips-mode-setup --enable
+ {{% else %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. + {{% endif %}} To enable FIPS, the system requires that the fips module is added in dracut configuration. Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " @@ -43,7 +51,11 @@ ocil: |- warnings: - general: |- + {{% if 'rhel' not in product %}} The system needs to be rebooted for these changes to take effect. + {{% else %}} + To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security From 0674d9e1bb35cb02c80303505dcb5e3f0d981518 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 30 Jan 2025 17:23:54 -0600 Subject: [PATCH 3/8] Update FIPS rules for RHEL Update rules for RHEL to state must install via fips=1. --- .../integrity/fips/etc_system_fips_exists/rule.yml | 8 ++++++++ .../integrity/fips/grub2_enable_fips_mode/rule.yml | 13 +++++++++++++ .../fips/sysctl_crypto_fips_enabled/rule.yml | 11 ++++++++++- .../fips/system_booted_in_fips_mode/rule.yml | 2 +- 4 files changed, 32 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml index fe0bd8ffb48..5ec317d92cb 100644 --- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml 
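Review bot: The `warnings/general` hunk opens `{{% if 'rhel' not in product %}}` and `{{% else %}}` but adds no `{{% endif %}}`, so the template is unbalanced and the following `- regulatory:` entry is swallowed by the else branch; the same omission is in the grub2_enable_fips_mode warnings hunk of patch 3. Add `{{% endif %}}` directly after the `...therefore is not supported.` line in both places rather than relying on the later patch that adds it. The enclosing `warnings:` list continues past the end of this hunk.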
+++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml @@ -5,8 +5,16 @@ title: Ensure '/etc/system-fips' exists description: |- On a system where FIPS mode is enabled, /etc/system-fips must exist. + {{% if 'rhel' not in product %}} To enable FIPS mode, run the following command:
fips-mode-setup --enable
+ {{% else %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. + {{% endif %}} rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index affa378f4a8..840c7acac53 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -7,6 +7,7 @@ description: |- To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
{{{ package_install("dracut-fips") }}}
     dracut -f
+ {{% if 'rhel' not in product %}} After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below: @@ -19,6 +20,14 @@ description: |-
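Review bot: The `{{% if 'rhel' not in product %}}` guard is opened only after the `dracut-fips` install and `dracut -f` instructions, so the RHEL rendering still tells the reader to install the package and rebuild the initramfs and then, in the `{{% else %}}` branch added in the next hunk, that the system cannot be fixed after installation. Open the conditional before `To ensure FIPS mode is enabled, install package dracut-fips` so the whole procedural text is skipped on RHEL. The description block continues below this hunk.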
  • On UEFI-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
  • + {{% else %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. + {{% endif %}} + rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to @@ -60,7 +69,11 @@ warnings: - functionality: |- Running
    dracut -f
    will overwrite the existing initramfs file. - general: |- + {{% if 'rhel' not in product %}} The system needs to be rebooted for these changes to take effect. + {{% else %}} + To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml index b990669200c..5d28e1c2808 100644 --- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -6,8 +6,17 @@ title: "Set kernel parameter 'crypto.fips_enabled' to 1" description: |- System running in FIPS mode is indicated by kernel parameter 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. + {{% if 'rhel' not in product %}} To enable FIPS mode, run the following command:
    fips-mode-setup --enable
    + {{% else %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. + {{% endif %}} + To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms @@ -56,7 +65,7 @@ warnings: See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design - information, and independent third party review by an accredited lab. While open source + information, and independent third parenable_dracut_fips_modulety review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml index 9438b2e0513..42d01098718 100644 --- a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml 
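Review bot: The only change in the `@@ -56,7 +65,7 @@` hunk turns `third party` into `third parenable_dracut_fips_modulety`, which looks like a rule id pasted into the middle of the word; the line should stay `information, and independent third party review by an accredited lab. While open source`. Patch 4 of this series reverts it, so the two hunks cancel out and both should be dropped when the series is squashed.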
@@ -38,7 +38,7 @@ ocil: |- warnings: - general: |- - To configure the OS to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes From 2a9885b473657f823f1e0875d1156ff1cff42a77 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 31 Jan 2025 07:28:12 -0600 Subject: [PATCH 4/8] Address feedback in #12946 --- .../fips/enable_dracut_fips_module/rule.yml | 1 + .../fips/enable_fips_mode/bash/shared.sh | 3 +- .../integrity/fips/enable_fips_mode/rule.yml | 33 ++++++++++--------- .../fips/etc_system_fips_exists/rule.yml | 13 ++++++++ .../fips/grub2_enable_fips_mode/rule.yml | 13 ++++++-- .../fips/sysctl_crypto_fips_enabled/rule.yml | 2 +- .../fips/system_booted_in_fips_mode/rule.yml | 2 +- 7 files changed, 44 insertions(+), 23 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml index f3d8f516774..2490db3747f 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml 
@@ -56,6 +56,7 @@ warnings: {{% else %}} To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. + {{% endif %}} - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh index 91574773a06..0d0a79438e9 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh @@ -1,8 +1,7 @@ # platform = multi_platform_all -{{{ bash_instantiate_variables("var_system_crypto_policy") }}} if {{{ bash_bootc_build() }}}; then - crypto_policies_no_reload="--no-reload" cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF kargs = ["fips=1"] EOF +fi diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index eaaa03aa8b4..93b391ee0c6 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -3,7 +3,19 @@ documentation_complete: true title: Enable FIPS Mode description: |- -{{% if product != "rhcos4" %}} +{{% if product == "rhcos4" %}} + OpenShift has an installation-time flag that can enable FIPS mode + for the cluster. The flag
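Review bot: After this hunk the bash remediation writes `/usr/lib/bootc/kargs.d/01-fips.toml` inside `if {{{ bash_bootc_build() }}}` and does nothing else, yet the header still declares `# platform = multi_platform_all`, so on every non-bootc host the remediation silently succeeds without changing anything. The bootc branch also no longer runs `update-crypto-policies --no-reload --set ...`, although the rule description in this same patch still documents that step as part of the build. Either narrow the platform line to the bootc case or keep the crypto-policy call so the remediation matches the documented procedure; the `# platform` line is the first line of the hunk.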
    fips: true
    must be enabled + at install time in the
    install-config.yaml
    file. If + this rule fails on an installed cluster, then this is a permanent + finding and cannot be fixed. +{{% elif 'rhel' in product %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. +{{% else %}} To enable FIPS mode, run the following command:
    fips-mode-setup --enable

    @@ -15,25 +27,14 @@ description: |-
  • Setting the system crypto policy in /etc/crypto-policies/config to {{{ xccdf_value("var_system_crypto_policy") }}}
  • Loading the Dracut fips module
  • - +{{% endif %}} +{{% if bootable_containers_supported == "true" %}}
    To enable FIPS mode at bootable container build time configure fips=1 kernel argument in /usr/lib/bootc/kargs.d/01-fips.toml:
    kargs = ["fips=1"]
    Then set the cryptographic policy to {{{ xccdf_value("var_system_crypto_policy") }}}:
    update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}
    -{{% elif 'rhel' in product %}} - {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. - The installer must be booted with fips=1 for the system to have FIPS mode - enabled. Enabling FIPS mode on a preexisting system is not supported. If - this rule fails on an installed system, then this is a permanent - finding and cannot be fixed. -{{% else %}} - OpenShift has an installation-time flag that can enable FIPS mode - for the cluster. The flag
    fips: true
    must be enabled - at install time in the
    install-config.yaml
    file. If - this rule fails on an installed cluster, then this is a permanent - finding and cannot be fixed. {{% endif %}} rationale: |- @@ -64,13 +65,13 @@ ocil_clause: 'FIPS mode is not enabled' ocil: |- To verify that FIPS mode is enabled properly, run the following command: - +
    cat /proc/sys/crypto/fips_enabled
    The output be must:
    1
    warnings: - general: |- - To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- This rule DOES NOT CHECK if the components of the operating system are FIPS certified. diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml index 5ec317d92cb..609d4cc0ebe 100644 --- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml @@ -15,6 +15,14 @@ description: |- this rule fails on an installed system, then this is a permanent finding and cannot be fixed. {{% endif %}} +{{% if bootable_containers_supported == "true" %}} +
    + To enable FIPS mode at bootable container build time configure fips=1 kernel argument + in /usr/lib/bootc/kargs.d/01-fips.toml: +
    kargs = ["fips=1"]
    + Then set the cryptographic policy to {{{ xccdf_value("var_system_crypto_policy") }}}: +
    update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}
    +{{% endif %}} rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to @@ -39,7 +47,12 @@ ocil: |- warnings: - general: |- + {{% if 'rhel' not in product %}} The system needs to be rebooted for these changes to take effect. + {{% else %}} + To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. + {{% endif %}} - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index 840c7acac53..dd03fd5b004 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -4,10 +4,10 @@ documentation_complete: true title: 'Enable FIPS Mode in GRUB2' description: |- + {{% if 'rhel' not in product %}} To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
    {{{ package_install("dracut-fips") }}}
         dracut -f
    - {{% if 'rhel' not in product %}} After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below: @@ -26,8 +26,14 @@ description: |- enabled. Enabling FIPS mode on a preexisting system is not supported. If this rule fails on an installed system, then this is a permanent finding and cannot be fixed. - {{% endif %}} + Verifying that the package dracut-fips is installed ensures FIPS mode is in + a good. + {{% endif %}} + To ensure FIPS mode is enabled, run the following commands: +
    +    {{{ package_install("dracut-fips") }}}
    +    
    rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to @@ -72,8 +78,9 @@ warnings: {{% if 'rhel' not in product %}} The system needs to be rebooted for these changes to take effect. {{% else %}} - To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. + {{% endif %}} - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml index 5d28e1c2808..61093f4b27c 100644 --- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -65,7 +65,7 @@ warnings: See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design - information, and independent third parenable_dracut_fips_modulety review by an accredited lab. While open source + information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml index 42d01098718..baa361388aa 100644 
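Review bot: The added sentence `Verifying that the package dracut-fips is installed ensures FIPS mode is in a good.` is truncated; it should read `... ensures FIPS mode is in a good state.` (patch 6 of the series makes this fix, so it belongs here instead). The following `To ensure FIPS mode is enabled, run the following commands:` introduces a single `{{{ package_install("dracut-fips") }}}` line, so `command` (singular) is the accurate wording. The description block's `{{% if 'rhel' not in product %}}` opens above this hunk.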
--- a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml @@ -38,7 +38,7 @@ ocil: |- warnings: - general: |- - To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes From 0cbb36d207dc9433d10ae8549cdc2fd988b919cf Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 31 Jan 2025 07:50:16 -0600 Subject: [PATCH 5/8] Adjust warnings for FIPS mode. --- .../system/software/integrity/fips/enable_fips_mode/rule.yml | 1 + .../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 2 ++ .../software/integrity/fips/system_booted_in_fips_mode/rule.yml | 1 + 3 files changed, 4 insertions(+) diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index 93b391ee0c6..1687fcac929 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml 
@@ -72,6 +72,7 @@ ocil: |- warnings: - general: |- To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- This rule DOES NOT CHECK if the components of the operating system are FIPS certified. diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index dd03fd5b004..7275f38726c 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -79,7 +79,9 @@ warnings: The system needs to be rebooted for these changes to take effect. {{% else %}} To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. + {{% endif %}} - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml index baa361388aa..4abe60437a7 100644 --- a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml 
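Review bot: The added warning sentence loses its verb in the second clause: `...generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.` should be `...generates all keys with FIPS-approved algorithms and has continuous monitoring tests in place.`; the identical line is added in the grub2_enable_fips_mode hunk below and in the system_booted_in_fips_mode hunk that follows. In enable_fips_mode the sentence sits in an unconditional `warnings/general`, whereas grub2_enable_fips_mode places it inside its `{{% else %}}` (RHEL) branch, so the two rules disagree on whether non-RHEL products see it.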
@@ -39,6 +39,7 @@ ocil: |- warnings: - general: |- To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes From 79cdcf53988eaf2c383559355f4400f375f52517 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 3 Feb 2025 07:29:25 -0600 Subject: [PATCH 6/8] Apply feedback in #12946 --- .../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index 7275f38726c..7c6d66886ab 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -28,7 +28,7 @@ description: |- finding and cannot be fixed. Verifying that the package dracut-fips is installed ensures FIPS mode is in - a good. + a good state. {{% endif %}} To ensure FIPS mode is enabled, run the following commands:
    @@ -81,7 +81,6 @@ warnings:
             To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
             Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
             Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
    -
             {{% endif %}}
         - regulatory: |-
             System Crypto Modules must be provided by a vendor that undergoes
    
    From e345d9e4ec16ed5cd628b2ebae4ce9f1b38cc25a Mon Sep 17 00:00:00 2001
    From: Matthew Burket 
    Date: Tue, 4 Feb 2025 09:41:39 -0600
    Subject: [PATCH 7/8] Remove enable_dracut_fips_module for RHEL 9
    
    ---
     .../software/integrity/fips/enable_fips_mode/oval/shared.xml    | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
    index fa7a4a7378a..d3314b2f51d 100644
    --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
    +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
    @@ -7,7 +7,7 @@
           
             
             
    -        {{%- if product not in ["rhel10"] -%}}
    +        {{%- if product not in ["rhel10", "rhel9"] -%}}
             
             {{%- endif -%}}
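Review bot: The guard is widened to a hard-coded list, `{{%- if product not in ["rhel10", "rhel9"] -%}}`, while the rule.yml text changed earlier in this series uses `'rhel' in product`, so RHEL 8 receives the install-time-only description but is still inside this guarded OVAL block; if the guarded element is the dracut-module criterion (the hunk as captured does not show it), that is a check/text mismatch for RHEL 8. Consider `{{%- if 'rhel' not in product -%}}` or a comment stating why RHEL 8 is deliberately kept. The subject says enable_dracut_fips_module is removed for RHEL 9, but the only file touched is enable_fips_mode/oval/shared.xml, so the message should name that file.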
    
    From 42fbc2794efe09f154a9e0c07772015b3b36e618 Mon Sep 17 00:00:00 2001
    From: Matthew Burket 
    Date: Tue, 4 Feb 2025 11:02:27 -0600
    Subject: [PATCH 8/8] Exclude enable_dracut_fips_module from bootc
    
    ---
     .../software/integrity/fips/enable_dracut_fips_module/rule.yml  | 2 ++
     1 file changed, 2 insertions(+)
    
    diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
    index 2490db3747f..187038823bb 100644
    --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
    +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
    @@ -49,6 +49,8 @@ ocil: |-
         The output should look like this:
         add_dracutmodules+=" fips "
     
    +platform: not bootc
    +
     warnings:
         - general: |-
             {{% if 'rhel' not in product %}}