Update enable_fips_mode for bootable containers #12825
This commit extends rule `enable_fips_mode` for bootable containers. To enable FIPS mode at bootable container build time we need to configure the `fips=1` kernel argument through a configuration file in the `/usr/lib/bootc/kargs.d/` directory and set the cryptographic policy to `FIPS`. The OVAL check of the rule has also been updated to distinguish between the bootable container build environment and other environments. For more details see: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10-beta/html/using_image_mode_for_rhel_to_build_deploy_and_manage_operating_systems/enabling-the-fips-mode-while-building-a-bootc-image#enabling-the-fips-mode-while-building-a-bootc-image
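The build-time procedure described above (a `fips=1` drop-in under `/usr/lib/bootc/kargs.d/` plus the crypto policy set to `FIPS`), together with the build-vs-running-system distinction the PR adds to the OVAL check, can be exercised with the following POSIX shell functions. This is an added example, not code from the PR or from the ComplianceAsCode project; it assumes the caller passes the root of an image tree (a checked-out bootc rootfs, or a scratch directory when testing) as the first argument, and it writes the crypto-policy result directly only in the test, since in a real build `update-crypto-policies --no-reload --set FIPS` produces that file.

```shell
#!/bin/sh
# Added example: FIPS build-time remediation and check for a bootc image tree.
# All functions take ROOT, the image tree to operate on (assumption: "" or "/"
# for the live system, or a scratch directory when testing).

# Write the kernel-argument drop-in that the PR's remediation creates.
# Unlike the PR's heredoc, create the directory first: a base image may not
# ship /usr/lib/bootc/kargs.d/ at all.
write_fips_karg() {
    root=${1%/}
    mkdir -p "$root/usr/lib/bootc/kargs.d"
    printf 'kargs = ["fips=1"]\n' > "$root/usr/lib/bootc/kargs.d/01-fips.toml"
}

# Return 0 if any kargs.d drop-in lists "fips=1" in its kargs array.
# The pattern tolerates other arguments in the same array, e.g.
# kargs = ["fips=1", "console=ttyS0"].
has_fips_karg() {
    root=${1%/}
    for f in "$root"/usr/lib/bootc/kargs.d/*.toml; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*kargs[[:space:]]*=[[:space:]]*\[.*"fips=1".*\]' "$f"; then
            return 0
        fi
    done
    return 1
}

# Return 0 if the system-wide crypto policy in /etc/crypto-policies/config
# equals the expected policy (FIPS for this rule). Comment and blank lines
# are skipped; the first remaining line is the active policy name.
crypto_policy_is() {
    root=${1%/}
    expected=$2
    cfg="$root/etc/crypto-policies/config"
    [ -f "$cfg" ] || return 1
    pol=$(grep -Ev '^[[:space:]]*(#|$)' "$cfg" | head -n 1)
    [ "$pol" = "$expected" ]
}

# Build-time check: both the kernel argument and the crypto policy must be
# present in the image tree; neither alone puts the deployed system in FIPS mode.
check_fips_build() {
    root=${1%/}
    has_fips_karg "$root" && crypto_policy_is "$root" FIPS
}

# Environment-aware check mirroring the PR's OSCAP_BOOTC_BUILD switch:
# inside an image build inspect the tree, otherwise ask the running kernel
# (the fips_enabled sysctl is 1 only when the kernel booted with fips=1).
fips_check() {
    root=${1%/}
    if [ "$OSCAP_BOOTC_BUILD" = "YES" ]; then
        check_fips_build "$root"
    else
        [ "$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null)" = "1" ]
    fi
}
```

Running `OSCAP_BOOTC_BUILD=YES fips_check /path/to/rootfs` from a Containerfile `RUN` step after the remediation reports whether the image will boot into FIPS mode, without needing a booted system; the same `fips_check` without the variable is what a post-deployment scan would use.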
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -12,6 +12,12 @@
Creating /etc/system-fips
Setting the system crypto policy in /etc/crypto-policies/config to 'xccdf_org.ssgproject.content_value_var_system_crypto_policy'
Loading the Dracut fips module
+
+To enable FIPS mode at bootable container build time configure fips=1 kernel argument
+in /usr/lib/bootc/kargs.d/01-fips.toml:
+kargs = ["fips=1"]
+Then set the cryptographic policy to 'xccdf_org.ssgproject.content_value_var_system_crypto_policy':
+update-crypto-policies --no-reload --set 'xccdf_org.ssgproject.content_value_var_system_crypto_policy'
[warning]:
The system needs to be rebooted for these changes to take effect.
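Review bot: The added paragraph starting "To enable FIPS mode at bootable container build time" does not say when it applies instead of the three steps listed above it (creating /etc/system-fips, setting the crypto policy, loading the Dracut fips module); state that the kargs.d drop-in and the --no-reload call are used only while building the image, and that on an installed system the existing fips-mode-setup path still applies, so a reader does not conclude that both sets of steps are needed or that /etc/system-fips is created in the build path.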
bash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -4,9 +4,16 @@
var_system_crypto_policy=''
-fips-mode-setup --enable
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then
+ crypto_policies_no_reload="--no-reload"
+ cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF
+kargs = ["fips=1"]
+EOF
+else
+ fips-mode-setup --enable
+fi
-stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
+stderr_of_call=$(update-crypto-policies $crypto_policies_no_reload --set ${var_system_crypto_policy} 2>&1 > /dev/null)
rc=$?
if test "$rc" = 127; then |
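Review bot: The heredoc `cat > /usr/lib/bootc/kargs.d/01-fips.toml` in the bootc branch fails if the base image does not ship that directory; add `mkdir -p /usr/lib/bootc/kargs.d` before it. Also initialise `crypto_policies_no_reload=""` before the `if`, since the else branch never assigns it and the later unquoted `$crypto_policies_no_reload` expansion would error under `set -u`; and note that only `update-crypto-policies` has its return code captured in `rc`, so a failure of `fips-mode-setup --enable` in the else branch still goes unreported.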
Code Climate has analyzed commit d153cfd and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.8% (0.0% change). View more on Code Climate.
Using the data stream built from this PR contents, I have built a CentOS Stream 9 bootable container image hardened with the STIG profile. I have deployed a VM from the built image. I have performed a scan of the VM. In the remediation scan the rule enable_fips_mode has been evaluated as "fixed" and in the after boot scan the rule has been evaluated as "pass".