Update rule enable_fips_mode for RHEL 10 #12916
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jan-cerny
added
productization-issue
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -12,12 +12,6 @@
Creating /etc/system-fips
Setting the system crypto policy in /etc/crypto-policies/config to 'xccdf_org.ssgproject.content_value_var_system_crypto_policy'
Loading the Dracut fips module
-
-To enable FIPS mode at bootable container build time configure fips=1 kernel argument
-in /usr/lib/bootc/kargs.d/01-fips.toml:
-kargs = ["fips=1"]
-Then set the cryptographic policy to 'xccdf_org.ssgproject.content_value_var_system_crypto_policy':
-update-crypto-policies --no-reload --set 'xccdf_org.ssgproject.content_value_var_system_crypto_policy'
[warning]:
The system needs to be rebooted for these changes to take effect.
OCIL for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- ocil:ssg-enable_fips_mode_ocil:questionnaire:1
+++ ocil:ssg-enable_fips_mode_ocil:questionnaire:1
@@ -1,7 +1,9 @@
To verify that FIPS mode is enabled properly, run the following command:
+
fips-mode-setup --check
The output should contain the following:
FIPS mode is enabled.
+
To verify that the cryptographic policy has been configured correctly, run the
following command:
$ update-crypto-policies --show
bash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -9,8 +9,10 @@
cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF
kargs = ["fips=1"]
EOF
+
else
fips-mode-setup --enable
+
fi
stderr_of_call=$(update-crypto-policies $crypto_policies_no_reload --set ${var_system_crypto_policy} 2>&1 > /dev/null) |
To enable FIPS mode in RHEL 10 you need to enable FIPS mode during system installation. The `fips-mode-setup` tool doesn't exist in RHEL 10. We will remove all occurences of `fips-mode-setup`. We will update the prose accordingly. See: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/security_hardening/switching-rhel-to-fips-mode#installing-the-system-with-fips-mode-enabled https://issues.redhat.com/browse/RHEL-65652
|
Code Climate has analyzed commit cfed082 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
Mab879
reviewed
Jan 29, 2025
| at install time in the <pre>install-config.yaml</pre> file. If | ||
| this rule fails on an installed cluster, then this is a permanent | ||
| finding and cannot be fixed. | ||
| {{% elif product == "rhel10" %}} |
There was a problem hiding this comment.
Could we do something like 'rhel' in product and product not in ["rhel8", "rhel9"] so we don't have to come back in RHEL 11?
|
Possibly superseded by #12946 |
|
Yes, we will do a better change in #12946. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
To enable FIPS mode in RHEL 10 you need to enable FIPS mode during system installation. The
fips-mode-setuptool doesn't exist in RHEL 10.We will remove all occurences of
fips-mode-setup. We will update the prose accordingly.See:
Review Hints:
Originally, I proposed this verification approach:
But, the problem is that the test will fail because the produced virtual machine isn't in FIPS mode. I tried to add a kickstart remediation with
bootloader fips=1. However, this doesn't work either, the produced VM won't boot. The reason is that thefips=1argument can't be in the kickstart but needs to be an argument ofvirt-install.