Update FIPS rules for RHEL

Update rules for RHEL to state must install via fips=1.
Mab879 · Feb 3, 2025 · 122c160 · 122c160
1 parent ca02fc1
commit 122c160
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 2 deletions.
diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
@@ -5,8 +5,16 @@ title: Ensure '/etc/system-fips' exists
 
 description: |-
     On a system where FIPS mode is enabled, <tt>/etc/system-fips</tt> must exist.
+    {{% if 'rhel' not in product %}}
     To enable FIPS mode, run the following command:
     <pre>fips-mode-setup --enable</pre>
+    {{% else %}}
+    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
+    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
+    enabled. Enabling FIPS mode on a preexisting system is not supported. If
+    this rule fails on an installed system, then this is a permanent
+    finding and cannot be fixed.
+    {{% endif %}}
 
 rationale: |-
     Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to

diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
@@ -7,6 +7,7 @@ description: |-
     To ensure FIPS mode is enabled, install package <tt>dracut-fips</tt>, and rebuild <tt>initramfs</tt> by running the following commands:
     <pre>{{{ package_install("dracut-fips") }}}
     dracut -f</pre>
+    {{% if 'rhel' not in product %}}
     After the <tt>dracut</tt> command has been run, add the argument <tt>fips=1</tt> to the default
     GRUB 2 command line for the Linux operating system in
     <tt>/etc/default/grub</tt>, in the manner below:
@@ -19,6 +20,14 @@ description: |-
     <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
     <pre>~]# grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre></li>
     </ul>
+    {{% else %}}
+    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
+    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
+    enabled. Enabling FIPS mode on a preexisting system is not supported. If
+    this rule fails on an installed system, then this is a permanent
+    finding and cannot be fixed.
+    {{% endif %}}
+
 
 rationale: |-
     Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
@@ -60,7 +69,11 @@ warnings:
     - functionality: |-
         Running <pre>dracut -f</pre> will overwrite the existing initramfs file.
     - general: |-
+        {{% if 'rhel' not in product %}}
         The system needs to be rebooted for these changes to take effect.
+        {{% else %}}
+        To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes
         FIPS-140 certifications.

diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
@@ -6,8 +6,17 @@ title: "Set kernel parameter 'crypto.fips_enabled' to 1"
 description: |-
     System running in FIPS mode is indicated by kernel parameter
     <tt>'crypto.fips_enabled'</tt>. This parameter should be set to <tt>1</tt> in FIPS mode.
+    {{% if 'rhel' not in product %}}
     To enable FIPS mode, run the following command:
     <pre>fips-mode-setup --enable</pre>
+    {{% else %}}
+    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
+    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
+    enabled. Enabling FIPS mode on a preexisting system is not supported. If
+    this rule fails on an installed system, then this is a permanent
+    finding and cannot be fixed.
+    {{% endif %}}
+
 
     To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot
     parameters during system installation so key generation is done with FIPS-approved algorithms
@@ -56,7 +65,7 @@ warnings:
         See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
         To meet this, the system has to have cryptographic software provided by a vendor that has
         undergone this certification. This means providing documentation, test results, design
-        information, and independent third party review by an accredited lab. While open source
+        information, and independent third parenable_dracut_fips_modulety review by an accredited lab. While open source
         software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
         this process.
 

diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml
@@ -38,7 +38,7 @@ ocil: |-
 
 warnings:
     - general: |-
-        To configure the OS to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
         Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes