RHEL FIPS Clean Up

linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_ol
 # reboot = true
 # strategy = restrict
 # complexity = medium

linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,Red Hat Virtualization 4
+# platform = multi_platform_ol,Red Hat Virtualization 4
 
 fips-mode-setup --enable
 FIPS_CONF="/etc/dracut.conf.d/40-fips.conf"

linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml

@@ -4,8 +4,16 @@ documentation_complete: true
 title: "Enable Dracut FIPS Module"
 
 description: |-
+    {{% if 'rhel' not in product %}}
     To enable FIPS mode, run the following command:
     <pre>fips-mode-setup --enable</pre>
+    {{% else %}}
+    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
+    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
+    enabled. Enabling FIPS mode on a preexisting system is not supported. If
+    this rule fails on an installed system, then this is a permanent
+    finding and cannot be fixed.
+    {{% endif %}}
     To enable FIPS, the system requires that the <tt>fips</tt> module is added in <tt>dracut</tt> configuration.
     Check if <tt>/etc/dracut.conf.d/40-fips.conf</tt> contain <tt>add_dracutmodules+=" fips "</tt>
 
@@ -41,9 +49,16 @@ ocil: |-
     The output should look like this:
     <tt>add_dracutmodules+=" fips "</tt>
 
+platform: not bootc
+
 warnings:
     - general: |-
+        {{% if 'rhel' not in product %}}
         The system needs to be rebooted for these changes to take effect.
+        {{% else %}}
+        To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
+        {{% endif %}}
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
         FIPS-140 is applicable to all Federal agencies that use cryptographic-based security

linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh

@@ -1,26 +1,7 @@
 # platform = multi_platform_all
-{{{ bash_instantiate_variables("var_system_crypto_policy") }}}
 
 if {{{ bash_bootc_build() }}}; then
-	crypto_policies_no_reload="--no-reload"
 	cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF
 kargs = ["fips=1"]
 EOF
-else
-	fips-mode-setup --enable
-fi
-
-stderr_of_call=$(update-crypto-policies $crypto_policies_no_reload --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
-	echo "$stderr_of_call" >&2
-	echo "Make sure that the script is installed on the remediated system." >&2
-	echo "See output of the 'dnf provides update-crypto-policies' command" >&2
-	echo "to see what package to (re)install" >&2
-
-	false  # end with an error code
-elif test "$rc" != 0; then
-	echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
-	false  # end with an error code
 fi

linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml

@@ -7,7 +7,7 @@
       <criteria operator="AND">
         <extend_definition definition_ref="bootc" comment="The system is RHEL Image Mode"/>
         <extend_definition definition_ref="installed_env_is_a_container" comment="The system is container"/>
-        {{%- if product not in ["rhel10"] -%}}
+        {{%- if product not in ["rhel10", "rhel9"] -%}}
         <extend_definition definition_ref="enable_dracut_fips_module"
           comment="dracut FIPS module is enabled"/>
         {{%- endif -%}}

linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml

@@ -3,7 +3,19 @@ documentation_complete: true
 title: Enable FIPS Mode
 
 description: |-
-{{% if product != "rhcos4" %}}
+{{% if product == "rhcos4" %}}
+    OpenShift has an installation-time flag that can enable FIPS mode
+    for the cluster. The flag <pre>fips: true</pre> must be enabled
+    at install time in the <pre>install-config.yaml</pre> file. If
+    this rule fails on an installed cluster, then this is a permanent
+    finding and cannot be fixed.
+{{% elif 'rhel' in product %}}
+    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
+    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
+    enabled. Enabling FIPS mode on a preexisting system is not supported. If
+    this rule fails on an installed system, then this is a permanent
+    finding and cannot be fixed.
+{{% else %}}
     To enable FIPS mode, run the following command:
     <pre>fips-mode-setup --enable</pre>
     <br />
@@ -15,19 +27,14 @@ description: |-
     <li>Setting the system crypto policy in <tt>/etc/crypto-policies/config</tt> to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt></li>
     <li>Loading the Dracut <tt>fips</tt> module</li>
     </ul>
-
+{{% endif %}}
+{{% if bootable_containers_supported == "true" %}}
     <br />
     To enable FIPS mode at bootable container build time configure <tt>fips=1</tt> kernel argument
     in <tt>/usr/lib/bootc/kargs.d/01-fips.toml</tt>:
     <pre>kargs = ["fips=1"]</pre>
     Then set the cryptographic policy to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>:
     <pre>update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}</pre>
-{{% else %}}
-    OpenShift has an installation-time flag that can enable FIPS mode
-    for the cluster. The flag <pre>fips: true</pre> must be enabled
-    at install time in the <pre>install-config.yaml</pre> file. If
-    this rule fails on an installed cluster, then this is a permanent
-    finding and cannot be fixed.
 {{% endif %}}
 
 rationale: |-
@@ -58,35 +65,23 @@ ocil_clause: 'FIPS mode is not enabled'
 
 ocil: |-
     To verify that FIPS mode is enabled properly, run the following command:
-    <pre>fips-mode-setup --check</pre>
-    The output should contain the following:
-    <pre>FIPS mode is enabled.</pre>
-    To verify that the cryptographic policy has been configured correctly, run the
-    following command:
-    <pre>$ update-crypto-policies --show</pre>
-    The output should return <pre>{{{ xccdf_value("var_system_crypto_policy") }}}</pre>.
+    <pre>cat /proc/sys/crypto/fips_enabled</pre>
+    The output be must:
+    <pre>1</pre>
 
 warnings:
     - general: |-
-        The system needs to be rebooted for these changes to take effect.
+        To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
+        Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
     - regulatory: |-
         This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
         You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}.
-        This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
+        This rule checks if the system is running in FIPS mode.
 
 fixtext: |-
     Configure {{{ full_name }}} to run in FIPS mode.
 
-    Run the following commands:
-
-    $ sudo fips-mode-setup --enable
-    $ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}
-
-    The system needs to be rebooted for these changes to take effect.
-
-    To enable FIPS mode at bootable container build time, add the following commands in Containerfile:
-
-    RUN echo 'kargs = ["fips=1"]' > /usr/lib/bootc/kargs.d/01-fips.toml
-    RUN update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}
+    The installer for the system must be booted with kernel parameter <tt>fips=1</tt>.
 
 srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'

linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml

@@ -5,8 +5,24 @@ title: Ensure '/etc/system-fips' exists
 
 description: |-
     On a system where FIPS mode is enabled, <tt>/etc/system-fips</tt> must exist.
+    {{% if 'rhel' not in product %}}
     To enable FIPS mode, run the following command:
     <pre>fips-mode-setup --enable</pre>
+    {{% else %}}
+    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
+    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
+    enabled. Enabling FIPS mode on a preexisting system is not supported. If
+    this rule fails on an installed system, then this is a permanent
+    finding and cannot be fixed.
+    {{% endif %}}
+{{% if bootable_containers_supported == "true" %}}
+    <br />
+    To enable FIPS mode at bootable container build time configure <tt>fips=1</tt> kernel argument
+    in <tt>/usr/lib/bootc/kargs.d/01-fips.toml</tt>:
+    <pre>kargs = ["fips=1"]</pre>
+    Then set the cryptographic policy to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>:
+    <pre>update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}</pre>
+{{% endif %}}
 
 rationale: |-
     Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
@@ -31,7 +47,12 @@ ocil: |-
 
 warnings:
     - general: |-
+        {{% if 'rhel' not in product %}}
         The system needs to be rebooted for these changes to take effect.
+        {{% else %}}
+        To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
+        {{% endif %}}
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes
         FIPS-140 certifications.

linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml

@@ -4,6 +4,7 @@ documentation_complete: true
 title: 'Enable FIPS Mode in GRUB2'
 
 description: |-
+    {{% if 'rhel' not in product %}}
     To ensure FIPS mode is enabled, install package <tt>dracut-fips</tt>, and rebuild <tt>initramfs</tt> by running the following commands:
     <pre>{{{ package_install("dracut-fips") }}}
     dracut -f</pre>
@@ -19,6 +20,20 @@ description: |-
     <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
     <pre>~]# grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre></li>
     </ul>
+    {{% else %}}
+    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
+    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
+    enabled. Enabling FIPS mode on a preexisting system is not supported. If
+    this rule fails on an installed system, then this is a permanent
+    finding and cannot be fixed.
+
+    Verifying that the package <tt>dracut-fips</tt> is installed ensures FIPS mode is in
+    a good state.
+    {{% endif %}}
+    To ensure FIPS mode is enabled, run the following commands:
+    <pre>
+    {{{ package_install("dracut-fips") }}}
+    </pre>
 
 rationale: |-
     Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
@@ -60,7 +75,13 @@ warnings:
     - functionality: |-
         Running <pre>dracut -f</pre> will overwrite the existing initramfs file.
     - general: |-
+        {{% if 'rhel' not in product %}}
         The system needs to be rebooted for these changes to take effect.
+        {{% else %}}
+        To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
+        Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
+        {{% endif %}}
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes
         FIPS-140 certifications.

linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml

@@ -6,8 +6,17 @@ title: "Set kernel parameter 'crypto.fips_enabled' to 1"
 description: |-
     System running in FIPS mode is indicated by kernel parameter
     <tt>'crypto.fips_enabled'</tt>. This parameter should be set to <tt>1</tt> in FIPS mode.
+    {{% if 'rhel' not in product %}}
     To enable FIPS mode, run the following command:
     <pre>fips-mode-setup --enable</pre>
+    {{% else %}}
+    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
+    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
+    enabled. Enabling FIPS mode on a preexisting system is not supported. If
+    this rule fails on an installed system, then this is a permanent
+    finding and cannot be fixed.
+    {{% endif %}}
+
 
     To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot
     parameters during system installation so key generation is done with FIPS-approved algorithms

linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml

@@ -38,7 +38,8 @@ ocil: |-
 
 warnings:
     - general: |-
-        To configure the OS to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
         Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes