Add new rule system_boot_in_fips_mode

ComplianceAsCode · Dec 4, 2024 · 7dfd93c · 7dfd93c
1 parent 4a525b7
commit 7dfd93c
Show file tree

Hide file tree

Showing 9 changed files with 95 additions and 9 deletions.
diff --git a/components/fips.yml b/components/fips.yml
@@ -12,3 +12,4 @@ rules:
 - package_dracut-fips_installed
 - sebool_fips_mode
 - sysctl_crypto_fips_enabled
+- system_boot_in_fips_mode
diff --git a/controls/ism_o.yml b/controls/ism_o.yml
@@ -430,7 +430,7 @@ use of device access control software or by disabling external communication int
         rules:
             - configure_crypto_policy
             - enable_dracut_fips_module
-            - enable_fips_mode
+            - system_boot_in_fips_mode
             - var_system_crypto_policy=fips
         status: automated
 

diff --git a/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml b/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml
@@ -8,6 +8,6 @@ controls:
         rules:
             - configure_crypto_policy
             - package_crypto-policies_installed
-            - enable_fips_mode
+            - system_boot_in_fips_mode
             - sysctl_crypto_fips_enabled
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml b/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml
@@ -8,9 +8,7 @@ controls:
     protection in accordance with applicable federal laws, Executive Orders, directives,
     policies, regulations, and standards.'
         rules:
-            - enable_dracut_fips_module
-            - enable_fips_mode
-            - sysctl_crypto_fips_enabled
+            - system_boot_in_fips_mode
             - aide_use_fips_hashes
             - configure_kerberos_crypto_policy
         status: automated
diff --git a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml
@@ -1,7 +1,7 @@
 documentation_complete: true
 
 
-title: Verify '/proc/sys/crypto/fips_enabled' exists  
+title: Verify '/proc/sys/crypto/fips_enabled' exists
 
 description: |-
     On a system where FIPS 140-2 mode is enabled, <tt>/proc/sys/crypto/fips_enabled</tt> must exist.
@@ -17,6 +17,7 @@ rationale: |-
 severity: high
 
 identifiers:
+    cce@rhel10: CCE-86203-7
     cce@sle12: CCE-83224-6
     cce@sle15: CCE-85763-1
     cce@slmicro5: CCE-93785-4
@@ -41,7 +42,7 @@ ocil: |-
 warnings:
     - general: |-
         To configure the OS to run in FIPS 140-2 mode, the kernel parameter "fips=1" needs to be added during its installation.
-        Enabling FIPS mode on a preexisting system involves a number of modifications to it. Refer to the vendor installation 
+        Enabling FIPS mode on a preexisting system involves a number of modifications to it. Refer to the vendor installation
         guidances.
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes

diff --git a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/oval/shared.xml
@@ -0,0 +1,30 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("The system must be booted with fips=1 and /proc/cmdline must not contain fips=0") }}}
+        <criteria operator="AND">
+            <criterion comment="FIPS mode is enabled" test_ref="test_{{{ rule_id }}}_mode_exists" />
+            <criterion comment="FIPS mode is not disabled" test_ref="test_{{{ rule_id }}}_not_disabled" />
+        </criteria>
+    </definition>
+
+    <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="FIPS mode is enabled" id="test_{{{ rule_id }}}_mode_exists" version="1">
+        <ind:object object_ref="obj_{{{ rule_id }}}_mode_exists" />
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_test check="all" check_existence="none_exist" id="test_{{{ rule_id }}}_not_disabled" version="1" comment="FIPS mode isn't disable">
+        <ind:object object_ref="obj_{{{ rule_id }}}_not_disabled" />
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_mode_exists" version="1">
+        <ind:filepath>/proc/cmdline</ind:filepath>
+        <ind:pattern operation="pattern match">.+fips*=1.+</ind:pattern>
+        <ind:instance datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+
+    <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_not_disabled" version="1">
+        <ind:filepath>/proc/cmdline</ind:filepath>
+        <ind:pattern operation="pattern match">.+fips*=0.+</ind:pattern>
+        <ind:instance datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml
@@ -0,0 +1,55 @@
+documentation_complete: true
+
+title: 'Verify that the system was booted with fips=1'
+
+description: |-
+    On a system where FIPS 14032 mode is enabled, the system must be booted with the
+    <tt>fips=1</tt> kernel argument.
+    To verify FIPS mode, run the following command:
+    <pre>cat /proc/cmdline</pre>
+
+rationale: |-
+    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
+    protect data. The operating system must implement cryptographic modules adhering to the higher
+    standards approved by the federal government since this provides assurance they have been tested
+    and validated.
+
+severity: high
+
+identifiers:
+    cce@rhel10: CCE-86247-4
+
+references:
+    disa: CCI-002450
+    nist: SC-12(2),SC-12(3),SC-13
+    srg: SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223
+
+ocil_clause: 'thee system is not booted with fips=1'
+
+ocil: |-
+    To verify that system is booted with <tt>fips=1</tt> run the following command:
+    $ cat /proc/cmdline
+
+    The output must contain <tt>fips=1</tt>
+
+warnings:
+    - general: |-
+        To configure the OS to run in FIPS 140-3 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
+    - regulatory: |-
+        System Crypto Modules must be provided by a vendor that undergoes
+        FIPS-140 certifications.
+        FIPS-140 is applicable to all Federal agencies that use
+        cryptographic-based security systems to protect sensitive information
+        in computer and telecommunication systems (including voice systems) as
+        defined in Section 5131 of the Information Technology Management Reform
+        Act of 1996, Public Law 104-106. This standard shall be used in
+        designing and implementing cryptographic modules that Federal
+        departments and agencies operate or are operated for them under
+        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf") }}}</b>
+        To meet this, the system has to have cryptographic software provided by
+        a vendor that has undergone this certification. This means providing
+        documentation, test results, design information, and independent third
+        party review by an accredited lab. While open source software is
+        capable of meeting this, it does not meet FIPS-140 unless the vendor
+        submits to this process.
diff --git a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/tests/default.pass.sh b/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/tests/default.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo ''
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -13,7 +13,6 @@ CCE-86196-3
 CCE-86198-9
 CCE-86199-7
 CCE-86202-9
-CCE-86203-7
 CCE-86204-5
 CCE-86206-0
 CCE-86207-8
@@ -26,7 +25,6 @@ CCE-86216-9
 CCE-86217-7
 CCE-86243-3
 CCE-86246-6
-CCE-86247-4
 CCE-86250-8
 CCE-86253-2
 CCE-86254-0