Skip to content

Adjust FIPS enable_fips_mode for RHEL 10 #12414

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jan-cerny merged 3 commits into from
Sep 26, 2024
Merged

Adjust FIPS enable_fips_mode for RHEL 10 #12414

jan-cerny merged 3 commits into from
Sep 26, 2024

Conversation

@Mab879
Copy link
Member

@Mab879 Mab879 commented Sep 24, 2024

Description:

Adjust FIPS enable_fips_mode for RHEL 10

Rationale:

Fixes #12405

@Mab879
The /etc/system-fips file was depcreated in RHEL 9.
42449db 
Also allow the source of truth /proc/sys/crypto/fips_enabled to
pass this file check.
@Mab879
Disable enable_dracut_fips_module check for FIPS
7d9e0c8 
No longer used on RHEL10.
@Mab879 Mab879 added Update Rule Issues or pull requests related to Rules updates. RHEL10 Red Hat Enterprise Linux 10 product related. labels Sep 24, 2024
@Mab879 Mab879 added this to the 0.1.75 milestone Sep 24, 2024
@github-actions
Copy link

github-actions bot commented Sep 24, 2024

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions
Copy link

github-actions bot commented Sep 24, 2024
edited
Loading

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
OVAL for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- oval:ssg-enable_fips_mode:def:1
+++ oval:ssg-enable_fips_mode:def:1
@@ -1,5 +1,5 @@
 criteria AND
-extend_definition oval:ssg-etc_system_fips_exists:def:1
+criterion oval:ssg-test_proc_sys_crypto_fips_enabled:tst:1
 extend_definition oval:ssg-sysctl_crypto_fips_enabled:def:1
 extend_definition oval:ssg-enable_dracut_fips_module:def:1
 extend_definition oval:ssg-configure_crypto_policy:def:1

@github-actions
Copy link

github-actions bot commented Sep 24, 2024
edited
Loading

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12414
This image was built from commit: 4be6192

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12414

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12414 make deploy-local

jan-cerny
jan-cerny reviewed Sep 25, 2024
View reviewed changes
linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml Outdated
Comment on lines 6 to 9
<extend_definition definition_ref="etc_system_fips_exists"
comment="check /etc/system-fips file existence"/>
<criterion test_ref="test_proc_sys_crypto_fips_enabled"
comment="check contents of /proc/sys/crypto/fips_enabled"/>
Copy link
Collaborator

@jan-cerny jan-cerny Sep 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the check for /proc/sys be used on all systems? Isn't it only for RHEL 10? And should the /etc/system-fips be checked on RHEL 10 if it's deprecated?

Copy link
Member Author

@Mab879 Mab879 Sep 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The /proc/sys/crypto/fips_enabled does exist on RHEL 7. I will just use it everywhere.

@qlty-cloud-legacy
Copy link

qlty-cloud-legacy bot commented Sep 25, 2024

Code Climate has analyzed commit 4be6192 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.

@jan-cerny jan-cerny self-assigned this Sep 26, 2024
@jan-cerny jan-cerny merged commit a779644 into ComplianceAsCode:master Sep 26, 2024
@Mab879 Mab879 deleted the fix_12405 branch September 26, 2024 12:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jan-cerny jan-cerny jan-cerny approved these changes

Assignees

@jan-cerny jan-cerny

Labels

RHEL10 Red Hat Enterprise Linux 10 product related. Update Rule Issues or pull requests related to Rules updates.

Projects

None yet

Milestone

0.1.75

Development

Successfully merging this pull request may close these issues.

Rule enable_fips_mode fails to remediate on RHEL-10

2 participants

@Mab879 @jan-cerny