A new rule system_boot_in_fips_mode #12671
b407b12 to 7dfd93c
is_fips_mode_enabled for RHEL 10system_boot_in_fips_mode
7dfd93c to a9802f7
This new rule will check that the system currently runs in FIPS mode. But how will we verify that the system is configured to start in FIPS mode?
a9802f7 to 552c966
I have added the grub2 check as well.
| title: 'Verify that the system was booted with fips=1' | ||
|
|
||
| description: |- | ||
| On a system where FIPS 14032 mode is enabled, the system must be booted with the |
| On a system where FIPS 14032 mode is enabled, the system must be booted with the | |
| On a system where FIPS 140-2 mode is enabled, the system must be booted with the |
| On a system where FIPS 14032 mode is enabled, the system must be booted with the | |
| On a system where FIPS 140-3 mode is enabled, the system must be booted with the |
Which one is the correct one?
In crypto's docs, we prefer to use "FIPS 140" now, since there may be a FIPS 140-4 a lot sooner than the time it took to go from -2 to -3.
|
|
||
|
|
||
| title: Verify '/proc/sys/crypto/fips_enabled' exists | ||
| title: Verify '/proc/sys/crypto/fips_enabled' exists |
The mere existence of /proc/sys/crypto/fips_enabled is not sufficient. All kernels that support enabling FIPS mode will expose this file in user space. It must contain 1 for FIPS mode to be actually enabled.
I have removed this rule from RHEL 10.
|
|
||
| <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_mode_exists" version="1"> | ||
| <ind:filepath>/proc/cmdline</ind:filepath> | ||
| <ind:pattern operation="pattern match">.+fips*=1.+</ind:pattern> |
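Review bot: the pattern on the ind:pattern line begins and ends with .+, so it requires at least one character before and after the match on the same line; a /proc/cmdline in which fips=1 is the final parameter would not match, while fips=10 would. Suggest delimiting the token with whitespace or line boundaries on both sides instead of .+, and dropping the * after fips.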
Why does the pattern have a * between fips and the equals sign?
If this is a regex (which the starting .+ seems to indicate), then this would match fipsssss=1 or fip=1, which don't enable FIPS mode.
Also, this would match notreallyfips=1 due to the .+ before; that regex should probably instead be anchored by matching a word boundary, or explicitly search for whitespace before and after fips=1.
However, there's really no difference between the kernel command line containing fips=1 and /proc/sys/crypto/fips_enabled containing 1, so I'd propose checking for the latter instead, because it's much easier to do.
Thanks for the tip. That makes the check much easier.
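The matching behaviour discussed in this thread, as an added example that is not code from the pull request or the project: it runs the reviewed pattern and a hypothetical whitespace-delimited alternative over constructed kernel command lines, using Python's re module as a stand-in for the OVAL regex engine, and shows the simpler content check on /proc/sys/crypto/fips_enabled. STRICT, SAMPLES and the function names are assumptions made for illustration.

```python
import re

# Pattern from the OVAL object under review, kept verbatim.
LOOSE = re.compile(r".+fips*=1.+")
# Assumed alternative (not from the PR): fips=1 as a whole
# whitespace-delimited token, also valid at the start or end of the line.
STRICT = re.compile(r"(?:^|\s)fips=1(?:\s|$)")

# Constructed kernel command lines, not taken from a real system.
SAMPLES = {
    "enabled_middle": "BOOT_IMAGE=/vmlinuz root=/dev/vda1 fips=1 ro quiet",
    "enabled_last": "BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro fips=1\n",
    "missing_s": "BOOT_IMAGE=/vmlinuz root=/dev/vda1 fip=1 ro",
    "extra_s": "BOOT_IMAGE=/vmlinuz root=/dev/vda1 fipsssss=1 ro",
    "other_param": "BOOT_IMAGE=/vmlinuz notreallyfips=1 ro",
    "disabled": "BOOT_IMAGE=/vmlinuz root=/dev/vda1 fips=0 ro",
}


def cmdline_matches(pattern, cmdline):
    """Return True if the pattern is found anywhere in the command line."""
    return pattern.search(cmdline) is not None


def fips_enabled_from_proc(content):
    """Interpret the content of /proc/sys/crypto/fips_enabled.

    The file exists on every kernel that supports FIPS mode, so only
    the value 1 (ignoring the trailing newline) means it is enabled.
    """
    return content.strip() == "1"


def compare():
    """Map each sample name to (loose_result, strict_result)."""
    return {
        name: (cmdline_matches(LOOSE, line), cmdline_matches(STRICT, line))
        for name, line in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:15} loose={loose!s:5} strict={strict}")
    print("fips_enabled '1\\n' ->", fips_enabled_from_proc("1\n"))
    print("fips_enabled '0\\n' ->", fips_enabled_from_proc("0\n"))
```
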
7391a1d to a5a3d90
jan-cerny left a comment
The rule description isn't consistent with the OVAL check. The rule description says that users should check /proc/cmdline, but the OVAL check reads /proc/sys/crypto/fips_enabled. Although both ways of checking are effectively equivalent, you should keep the OVAL check aligned with the rule description or explain this difference in the rule description.
I have adjusted the rule description.
Code Climate has analyzed commit e4afdf5 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate.
/packit retest-failed
jan-cerny left a comment
I have built RHEL 10 content and verified that the rule is present in the built data stream.
Description:
Add new rule system_boot_in_fips_mode.
Rationale:
Since fips-mode-setup is gone in RHEL 10 we need to adjust our content for it.