A new rule system_boot_in_fips_mode

[Mab879]

Description:

Add new rule system_boot_in_fips_mode.

Rationale:

Since fips-mode-setup is gone is RHEL 10 we need to adjust our content for it.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

ol8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[jan-cerny]

This new rule will check that the system currently runs in FIPS mode. But, How will we verify that the system is configured to start in FIPS mode?

[Mab879]

This new rule will check that the system currently runs in FIPS mode. But, How will we verify that the system is configured to start in FIPS mode?

I have added the grub2 check as well.

[ggbecker]

Suggested change

	On a system where FIPS 14032 mode is enabled, the system must be booted with the
	On a system where FIPS 140-2 mode is enabled, the system must be booted with the

Suggested change

	On a system where FIPS 14032 mode is enabled, the system must be booted with the
	On a system where FIPS 140-3 mode is enabled, the system must be booted with the

Which one is the correct one?

[Mab879]

140-3

[neverpanic]

In crypto's docs, we prefer to use "FIPS 140" now, since there may be a FIPS 140-4 a lot sooner than the time it took to go from -2 to -3.

[neverpanic]

The mere existence of /proc/sys/crypto/fips_enabled is not sufficient. All kernels that support enabling FIPS mode will expose this file in user space. It must contain 1 for FIPS mode to be actually enabled.

[Mab879]

I have removed this rule from RHEL 10.

[neverpanic]

Why does the pattern have a * between fips and the equals sign?

If this is a regex (which the starting .+ seems to indicate), then this would match fipsssss=1 or fip=1, which don't enable FIPS mode.

Also, this would match notreallyfips=1 due to the .+ before; That regex should probably instead be anchored by matching a word boundary, or explicitly search for whitespace before and after fips=1.

However, there's really no difference between the kernel command line containing fips=1 and /proc/sys/crypto/fips_enabled containing 1, so I'd propose checking for the latter instead, because it's much easier to do.

[Mab879]

Thanks for the tip. That makes the check much easier.

[neverpanic]

In crypto's docs, we prefer to use "FIPS 140" now, since there may be a FIPS 140-4 a lot sooner than the time it took to go from -2 to -3.

[jan-cerny]

The rule description isn't consistent with the OVAL check. The rule description says that users should check /proc/cmdline, but the OVAL check reads /proc/sys/crypto/fips_enabled. Although both ways of checking are effectively equivalent, you should keep the OVAL check aligned with the rule description or explain this difference in the rule description.

[Mab879]

The rule description isn't consistent with the OVAL check. The rule description says that users should check /proc/cmdline, but the OVAL check reads /proc/sys/crypto/fips_enabled. Although both ways of checking are effectively equivalent, you should keep the OVAL check aligned with the rule description or explain this difference in the rule description.

I have adjust the rule description.

[codeclimate]

Code Climate has analyzed commit e4afdf5 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

[Mab879]

/packit retest-failed

[jan-cerny]

I have built RHEL 10 content and verified that the rule is present in the built data stream.