diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml
index ffc7cacb0ae..d95af18669b 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml
@@ -5,6 +5,7 @@
 # disruption = medium
 {{{ ansible_instantiate_variables("var_system_crypto_policy") }}}
+{{% if product != "rhel10" %}}
 - name: "{{{ rule_title }}} - Check to See the Current Status of FIPS Mode"
   ansible.builtin.command: /usr/bin/fips-mode-setup --check
   register: is_fips_enabled
@@ -15,6 +16,7 @@
   ansible.builtin.command: /usr/bin/fips-mode-setup --enable
   when:
     - is_fips_enabled.stdout.find('FIPS mode is enabled.') == -1
+{{% endif %}}
 - name: "{{{ rule_title }}} - Configure Crypto Policy"
   ansible.builtin.lineinfile:
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
index 113f57e75a4..94474c303a8 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh
@@ -6,8 +6,10 @@ if {{{ bash_bootc_build() }}}; then
     cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF
 kargs = ["fips=1"]
 EOF
+{{% if product != "rhel10" %}}
 else
     fips-mode-setup --enable
+{{% endif %}}
 fi
 stderr_of_call=$(update-crypto-policies $crypto_policies_no_reload --set ${var_system_crypto_policy} 2>&1 > /dev/null)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
index a746494d3fe..190e99f5154 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
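Review bot: On rhel10 both guarded tasks are compiled out, but the "Configure Crypto Policy" task that follows the new `{{% endif %}}` still runs, so the playbook reports the rule as remediated on a RHEL 10 host that was not installed with fips=1 even though nothing in this file enables FIPS mode there. A rhel10-only branch that reads `/proc/sys/crypto/fips_enabled` and tells the operator when it is not 1 would keep the run honest, and it mirrors the `cat /proc/sys/crypto/fips_enabled` check the rule's OCIL text in this same diff uses. Whether that should be a `fail` rather than a `debug` depends on how the project treats findings that cannot be fixed after installation. The Configure Crypto Policy task continues past the end of the hunk.
```yaml
{{% if product != "rhel10" %}}
# … unchanged: fips-mode-setup --check / --enable tasks …
{{% else %}}
- name: "{{{ rule_title }}} - Check Whether the Kernel Was Booted in FIPS Mode"
  ansible.builtin.command: cat /proc/sys/crypto/fips_enabled
  register: fips_enabled_sysctl
  changed_when: false
  failed_when: false

- name: "{{{ rule_title }}} - Report That FIPS Mode Cannot Be Enabled After Installation"
  ansible.builtin.debug:
    msg: "FIPS mode is not enabled; on {{{ full_name }}} it must be set with fips=1 at installation time and cannot be enabled by this remediation."
  when: fips_enabled_sysctl.stdout | trim != '1'
{{% endif %}}
```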
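Review bot: With the `else` / `fips-mode-setup --enable` pair compiled out for rhel10, the non-bootc path becomes an empty branch and the script falls through to `update-crypto-policies --set` and exits successfully, so a RHEL 10 host that was not installed with fips=1 is reported as remediated while the kernel is not in FIPS mode. The remediation cannot retroactively add fips=1 at installation, but it can detect the situation from `/proc/sys/crypto/fips_enabled` and say so on stderr, the same check the rule's OCIL text in this diff uses. Arguably the FIPS crypto policy should not be applied on a kernel that is not in FIPS mode either, so consider skipping the policy change or exiting non-zero in that case; I am not sure which the project prefers for unfixable findings.
```shell
if {{{ bash_bootc_build() }}}; then
    # … unchanged: write /usr/lib/bootc/kargs.d/01-fips.toml …
{{% if product == "rhel10" %}}
elif [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" != "1" ]; then
    echo "FIPS mode is not enabled; on {{{ full_name }}} it must be set with fips=1 at installation time and cannot be enabled by this remediation." >&2
{{% else %}}
else
    fips-mode-setup --enable
{{% endif %}}
fi
```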
@@ -3,7 +3,22 @@ documentation_complete: true title: Enable FIPS Mode description: |- -{{% if product != "rhcos4" %}} +{{% if product == "rhcos4" %}} + OpenShift has an installation-time flag that can enable FIPS mode + for the cluster. The flag
fips: truemust be enabled + at install time in the
install-config.yamlfile. If + this rule fails on an installed cluster, then this is a permanent + finding and cannot be fixed. +{{% elif product == "rhel10" %}} + Add the fips=1 option to the kernel command line during the system installation. + During the software selection stage, do not install any third-party software. + After the installation, the system starts in FIPS mode automatically. +
cat /proc/sys/crypto/fips_enabled + 1+
fips-mode-setup --enable
kargs = ["fips=1"]Then set the cryptographic policy to {{{ xccdf_value("var_system_crypto_policy") }}}:
update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}-{{% else %}} - OpenShift has an installation-time flag that can enable FIPS mode - for the cluster. The flag
fips: truemust be enabled - at install time in the
install-config.yamlfile. If - this rule fails on an installed cluster, then this is a permanent - finding and cannot be fixed. {{% endif %}} rationale: |- @@ -58,17 +69,28 @@ ocil_clause: 'FIPS mode is not enabled' ocil: |- To verify that FIPS mode is enabled properly, run the following command: +{{% if product == "rhel10" %}} +
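Review bot: The new rhel10 description stops after the `cat /proc/sys/crypto/fips_enabled` check and never mentions the crypto policy, while the `{{% else %}}` branch still ends with "Then set the cryptographic policy to …" and `update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}`, and the OCIL text later in this diff verifies that policy on every product; a reader following the rhel10 text would not know the second half of the rule exists. The rhel10 branch also drops the bootable-container `kargs = ["fips=1"]` paragraph even though the bash remediation's bootc path in this diff is not gated on product, so rhel10 bootc users lose that guidance too. Suggest keeping the crypto-policy sentence and its command in the rhel10 branch, or moving both paragraphs after the `{{% endif %}}` so they render for all products; the inline markup was lost in this rendering, so I cannot quote the exact tags to reuse.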
cat /proc/sys/crypto/fips_enabled+ The output should contain the following: +
1+{{% else %}}
fips-mode-setup --checkThe output should contain the following:
FIPS mode is enabled.+{{% endif %}} To verify that the cryptographic policy has been configured correctly, run the following command:
$ update-crypto-policies --showThe output should return
{{{ xccdf_value("var_system_crypto_policy") }}}. warnings: +{{% if product == "rhel10" %}} + - general: |- + Only enabling FIPS mode during the RHEL installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. +{{% else %}} - general: |- The system needs to be rebooted for these changes to take effect. +{{% endif %}} - regulatory: |- This rule DOES NOT CHECK if the components of the operating system are FIPS certified. You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}. @@ -76,17 +98,21 @@ warnings: fixtext: |- Configure {{{ full_name }}} to run in FIPS mode. - +{{% if product == "rhel10" %}} + Add the fips=1 option to the kernel command line during the system installation. +{{% else %}} Run the following commands: $ sudo fips-mode-setup --enable $ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}} The system needs to be rebooted for these changes to take effect. - +{{% endif %}} +{{% if bootable_containers_supported == "true" %}} To enable FIPS mode at bootable container build time, add the following commands in Containerfile: RUN echo 'kargs = ["fips=1"]' > /usr/lib/bootc/kargs.d/01-fips.toml RUN update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}} +{{% endif %}} srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'
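Review bot: The rhel10 warning "…generates all keys with FIPS-approved algorithms and continuous monitoring tests in place" is missing a verb in its second half and, more importantly, does not tell an assessor what the finding means on a system that was not installed with fips=1, unlike the rhcos4 description in this diff, which says the finding is permanent. Suggest: `Only enabling FIPS mode during the {{{ full_name }}} installation ensures that all keys are generated with FIPS-approved algorithms and that the continuous monitoring tests are in place. On a system installed without the fips=1 kernel argument this rule cannot be remediated by the scripts shipped with this content.` The second sentence assumes the rhel10 remediations in this diff intentionally no longer touch FIPS mode; adjust it if a post-install path is planned.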
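Review bot: The rhel10 fixtext is reduced to "Add the fips=1 option to the kernel command line during the system installation", so the crypto-policy step is no longer in the fix text even though the bash remediation at the top of this diff still runs `update-crypto-policies --set` and the OCIL section still checks `update-crypto-policies --show`; someone applying the fixtext by hand would leave the policy unset and still fail the check. Keep the command in the rhel10 branch: `$ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}`, with the reboot note if the policy change needs one. The new `bootable_containers_supported == "true"` gate on the Containerfile paragraph looks right; just confirm rhel10 sets that flag if bootc images are expected there, since the bash bootc branch in this diff is not product-gated.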