From 42449db708139a7e6dd1b2a3f3466f5153cf4537 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Fri, 20 Sep 2024 14:32:59 -0500
Subject: [PATCH 1/3] The /etc/system-fips file was depcreated in RHEL 9.

Also allow the source of truth /proc/sys/crypto/fips_enabled to
pass this file check.
---
 .../fips/enable_fips_mode/oval/shared.xml     | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 3b50e07060e..729bec3953e 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -2,8 +2,12 @@
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
     <criteria operator="AND">
-      <extend_definition definition_ref="etc_system_fips_exists"
-        comment="check /etc/system-fips file existence"/>
+      <criteria operator="OR">
+        <extend_definition definition_ref="etc_system_fips_exists"
+          comment="check /etc/system-fips file existence"/>
+          <criterion test_ref="test_proc_sys_crypto_fips_enabled"
+            comment="check contents of /proc/sys/crypto/fips_enabled"/>
+      </criteria>
       <extend_definition definition_ref="sysctl_crypto_fips_enabled"
         comment="check option crypto.fips_enabled = 1 in sysctl"/>
       <extend_definition definition_ref="enable_dracut_fips_module"
@@ -91,6 +95,18 @@ to a crypto policy module that further restricts the modified crypto policy.">
   </ind:textfilecontent54_object>
   {{% endif %}}
 
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+    comment="kernel runtime parameter crypto.fips_enabled set to 1"
+    id="test_proc_sys_crypto_fips_enabled" version="1">
+    <ind:object object_ref="obj_proc_sys_crypto_fips_enabled" />
+ </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_proc_sys_crypto_fips_enabled" version="1">
+    <ind:filepath>/proc/sys/crypto/fips_enabled</ind:filepath>
+    <ind:pattern operation="pattern match">^1$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
   <external_variable id="var_system_crypto_policy" version="1"
     datatype="string" comment="variable which selects the crypto policy"/>
 </def-group>

From 7d9e0c8073361638883738d86409edfed67e2a81 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Tue, 24 Sep 2024 11:43:25 -0500
Subject: [PATCH 2/3] Disable enable_dracut_fips_module check for FIPS

No longer used on RHEL10.
---
 .../software/integrity/fips/enable_fips_mode/oval/shared.xml    | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 729bec3953e..8cbef376fe5 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -10,8 +10,10 @@
       </criteria>
       <extend_definition definition_ref="sysctl_crypto_fips_enabled"
         comment="check option crypto.fips_enabled = 1 in sysctl"/>
+      {{%- if product not in ["rhel10"] -%}}
       <extend_definition definition_ref="enable_dracut_fips_module"
         comment="dracut FIPS module is enabled"/>
+      {{%- endif -%}}
       <extend_definition definition_ref="configure_crypto_policy"
         comment="system cryptography policy is configured"/>
       <criterion test_ref="test_system_crypto_policy_value"

From 4be6192ec8b78c564dcd01c3eb3637fbb302988a Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 25 Sep 2024 12:12:56 -0500
Subject: [PATCH 3/3] Use /proc/sys/crypto/fips_enabled everywhere in
 enable_fips_modes

---
 .../integrity/fips/enable_fips_mode/oval/shared.xml         | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 8cbef376fe5..267fc6b0df7 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -2,12 +2,8 @@
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
     <criteria operator="AND">
-      <criteria operator="OR">
-        <extend_definition definition_ref="etc_system_fips_exists"
-          comment="check /etc/system-fips file existence"/>
-          <criterion test_ref="test_proc_sys_crypto_fips_enabled"
+        <criterion test_ref="test_proc_sys_crypto_fips_enabled"
             comment="check contents of /proc/sys/crypto/fips_enabled"/>
-      </criteria>
       <extend_definition definition_ref="sysctl_crypto_fips_enabled"
         comment="check option crypto.fips_enabled = 1 in sysctl"/>
       {{%- if product not in ["rhel10"] -%}}