Address feedback in ComplianceAsCode#12946

Mab879 · Feb 3, 2025 · 44a25cc · 44a25cc
1 parent 122c160
commit 44a25cc
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 23 deletions.
diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
@@ -56,6 +56,7 @@ warnings:
         {{% else %}}
         To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
         Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
+        {{% endif %}}
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
         FIPS-140 is applicable to all Federal agencies that use cryptographic-based security

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
@@ -1,8 +1,7 @@
 # platform = multi_platform_all
-{{{ bash_instantiate_variables("var_system_crypto_policy") }}}
 
 if {{{ bash_bootc_build() }}}; then
-	crypto_policies_no_reload="--no-reload"
 	cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF
 kargs = ["fips=1"]
 EOF
+fi
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
@@ -3,7 +3,19 @@ documentation_complete: true
 title: Enable FIPS Mode
 
 description: |-
-{{% if product != "rhcos4" %}}
+{{% if product == "rhcos4" %}}
+    OpenShift has an installation-time flag that can enable FIPS mode
+    for the cluster. The flag <pre>fips: true</pre> must be enabled
+    at install time in the <pre>install-config.yaml</pre> file. If
+    this rule fails on an installed cluster, then this is a permanent
+    finding and cannot be fixed.
+{{% elif 'rhel' in product %}}
+    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
+    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
+    enabled. Enabling FIPS mode on a preexisting system is not supported. If
+    this rule fails on an installed system, then this is a permanent
+    finding and cannot be fixed.
+{{% else %}}
     To enable FIPS mode, run the following command:
     <pre>fips-mode-setup --enable</pre>
     <br />
@@ -15,25 +27,14 @@ description: |-
     <li>Setting the system crypto policy in <tt>/etc/crypto-policies/config</tt> to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt></li>
     <li>Loading the Dracut <tt>fips</tt> module</li>
     </ul>
-
+{{% endif %}}
+{{% if bootable_containers_supported == "true" %}}
     <br />
     To enable FIPS mode at bootable container build time configure <tt>fips=1</tt> kernel argument
     in <tt>/usr/lib/bootc/kargs.d/01-fips.toml</tt>:
     <pre>kargs = ["fips=1"]</pre>
     Then set the cryptographic policy to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>:
     <pre>update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}</pre>
-{{% elif 'rhel' in product %}}
-    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
-    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
-    enabled. Enabling FIPS mode on a preexisting system is not supported. If
-    this rule fails on an installed system, then this is a permanent
-    finding and cannot be fixed.
-{{% else %}}
-    OpenShift has an installation-time flag that can enable FIPS mode
-    for the cluster. The flag <pre>fips: true</pre> must be enabled
-    at install time in the <pre>install-config.yaml</pre> file. If
-    this rule fails on an installed cluster, then this is a permanent
-    finding and cannot be fixed.
 {{% endif %}}
 
 rationale: |-
@@ -64,13 +65,13 @@ ocil_clause: 'FIPS mode is not enabled'
 
 ocil: |-
     To verify that FIPS mode is enabled properly, run the following command:
-    <precat cat /proc/sys/crypto/fips_enabled</pre>
+    <pre>cat /proc/sys/crypto/fips_enabled</pre>
     The output be must:
     <pre>1</pre>
 
 warnings:
     - general: |-
-        To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
         Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
     - regulatory: |-
         This rule DOES NOT CHECK if the components of the operating system are FIPS certified.

diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
@@ -15,6 +15,14 @@ description: |-
     this rule fails on an installed system, then this is a permanent
     finding and cannot be fixed.
     {{% endif %}}
+{{% if bootable_containers_supported == "true" %}}
+    <br />
+    To enable FIPS mode at bootable container build time configure <tt>fips=1</tt> kernel argument
+    in <tt>/usr/lib/bootc/kargs.d/01-fips.toml</tt>:
+    <pre>kargs = ["fips=1"]</pre>
+    Then set the cryptographic policy to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>:
+    <pre>update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}</pre>
+{{% endif %}}
 
 rationale: |-
     Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
@@ -39,7 +47,12 @@ ocil: |-
 
 warnings:
     - general: |-
+        {{% if 'rhel' not in product %}}
         The system needs to be rebooted for these changes to take effect.
+        {{% else %}}
+        To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
+        {{% endif %}}
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes
         FIPS-140 certifications.

diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml
@@ -4,10 +4,10 @@ documentation_complete: true
 title: 'Enable FIPS Mode in GRUB2'
 
 description: |-
+    {{% if 'rhel' not in product %}}
     To ensure FIPS mode is enabled, install package <tt>dracut-fips</tt>, and rebuild <tt>initramfs</tt> by running the following commands:
     <pre>{{{ package_install("dracut-fips") }}}
     dracut -f</pre>
-    {{% if 'rhel' not in product %}}
     After the <tt>dracut</tt> command has been run, add the argument <tt>fips=1</tt> to the default
     GRUB 2 command line for the Linux operating system in
     <tt>/etc/default/grub</tt>, in the manner below:
@@ -26,8 +26,14 @@ description: |-
     enabled. Enabling FIPS mode on a preexisting system is not supported. If
     this rule fails on an installed system, then this is a permanent
     finding and cannot be fixed.
-    {{% endif %}}
 
+    Verifying that the package <tt>dracut-fips</tt> is installed ensures FIPS mode is in
+    a good.
+    {{% endif %}}
+    To ensure FIPS mode is enabled, run the following commands:
+    <pre>
+    {{{ package_install("dracut-fips") }}}
+    </pre>
 
 rationale: |-
     Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
@@ -72,8 +78,9 @@ warnings:
         {{% if 'rhel' not in product %}}
         The system needs to be rebooted for these changes to take effect.
         {{% else %}}
-        To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
         Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
+        {{% endif %}}
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes
         FIPS-140 certifications.

diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml
@@ -65,7 +65,7 @@ warnings:
         See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
         To meet this, the system has to have cryptographic software provided by a vendor that has
         undergone this certification. This means providing documentation, test results, design
-        information, and independent third parenable_dracut_fips_modulety review by an accredited lab. While open source
+        information, and independent third party review by an accredited lab. While open source
         software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
         this process.
 

diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml
@@ -38,7 +38,7 @@ ocil: |-
 
 warnings:
     - general: |-
-        To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
         Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes