Merge pull request #12671 from Mab879/fix_fips_rhel10

A new rule `system_boot_in_fips_mode`

components/fips.yml

@@ -12,3 +12,4 @@ rules:
 - package_dracut-fips_installed
 - sebool_fips_mode
 - sysctl_crypto_fips_enabled
+- system_booted_in_fips_mode

controls/ism_o.yml

@@ -430,8 +430,9 @@ use of device access control software or by disabling external communication int
         rules:
             - configure_crypto_policy
             - enable_dracut_fips_module
-            - enable_fips_mode
+            - system_booted_in_fips_mode
             - var_system_crypto_policy=fips
+            - grub2_enable_fips_mode
         status: automated
 
     -   id: '1449'

controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml

@@ -8,6 +8,7 @@ controls:
         rules:
             - configure_crypto_policy
             - package_crypto-policies_installed
-            - enable_fips_mode
+            - system_booted_in_fips_mode
             - sysctl_crypto_fips_enabled
+            - grub2_enable_fips_mode
         status: automated

controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml

@@ -8,9 +8,8 @@ controls:
     protection in accordance with applicable federal laws, Executive Orders, directives,
     policies, regulations, and standards.'
         rules:
-            - enable_dracut_fips_module
-            - enable_fips_mode
-            - sysctl_crypto_fips_enabled
+            - system_booted_in_fips_mode
             - aide_use_fips_hashes
             - configure_kerberos_crypto_policy
+            - grub2_enable_fips_mode
         status: automated

linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml

@@ -31,6 +31,9 @@ severity: high
 platforms:
     - grub2
 
+identifiers:
+    cce@rhel10: CCE-86191-4
+
 references:
     cis-csc: 12,15,8
     cjis: 5.10.1.2

linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml

@@ -1,7 +1,7 @@
 documentation_complete: true
 
 
-title: Verify '/proc/sys/crypto/fips_enabled' exists  
+title: Verify '/proc/sys/crypto/fips_enabled' exists
 
 description: |-
     On a system where FIPS 140-2 mode is enabled, <tt>/proc/sys/crypto/fips_enabled</tt> must exist.
@@ -41,7 +41,7 @@ ocil: |-
 warnings:
     - general: |-
         To configure the OS to run in FIPS 140-2 mode, the kernel parameter "fips=1" needs to be added during its installation.
-        Enabling FIPS mode on a preexisting system involves a number of modifications to it. Refer to the vendor installation 
+        Enabling FIPS mode on a preexisting system involves a number of modifications to it. Refer to the vendor installation
         guidances.
     - regulatory: |-
         System Crypto Modules must be provided by a vendor that undergoes

linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/oval/shared.xml

@@ -0,0 +1 @@
+{{{ oval_file_contents("/proc/sys/crypto/fips_enabled", rule_id + "_fips_enabled", "1") }}}

linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml

@@ -0,0 +1,59 @@
+documentation_complete: true
+
+title: 'Verify that the system was booted with fips=1'
+
+description: |-
+    On a system where FIPS 140 mode is enabled, the system must be booted with the
+    The file <tt>/proc/sys/crypto/fips_enabled</tt> must have the contents of <tt>1</tt>
+
+    To verify the system has been booted in FIPS mode, run the following command:
+    <pre>
+    # cat /proc/sys/crypto/fips_enabled
+    1
+    </pre>
+
+rationale: |-
+    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
+    protect data. The operating system must implement cryptographic modules adhering to the higher
+    standards approved by the federal government since this provides assurance they have been tested
+    and validated.
+
+severity: high
+
+identifiers:
+    cce@rhel10: CCE-86247-4
+
+references:
+    disa: CCI-002450
+    nist: SC-12(2),SC-12(3),SC-13
+    srg: SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223
+
+ocil_clause: 'the system is not booted in fips mode'
+
+ocil: |-
+    To verify that the system is booted with fips mode by running the following command:
+    $ cat /proc/sys/crypto/fips_enabled
+
+    The output must be <tt>1</tt>.
+
+warnings:
+    - general: |-
+        To configure the OS to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+        Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
+    - regulatory: |-
+        System Crypto Modules must be provided by a vendor that undergoes
+        FIPS-140 certifications.
+        FIPS-140 is applicable to all Federal agencies that use
+        cryptographic-based security systems to protect sensitive information
+        in computer and telecommunication systems (including voice systems) as
+        defined in Section 5131 of the Information Technology Management Reform
+        Act of 1996, Public Law 104-106. This standard shall be used in
+        designing and implementing cryptographic modules that Federal
+        departments and agencies operate or are operated for them under
+        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf") }}}</b>
+        To meet this, the system has to have cryptographic software provided by
+        a vendor that has undergone this certification. This means providing
+        documentation, test results, design information, and independent third
+        party review by an accredited lab. While open source software is
+        capable of meeting this, it does not meet FIPS-140 unless the vendor
+        submits to this process.

shared/references/cce-redhat-avail.txt

@@ -5,14 +5,13 @@ CCE-86186-4
 CCE-86187-2
 CCE-86188-0
 CCE-86190-6
-CCE-86191-4
 CCE-86193-0
 CCE-86196-3
 CCE-86198-9
 CCE-86199-7
 CCE-86202-9
-CCE-86203-7
 CCE-86204-5
+CCE-86203-7
 CCE-86206-0
 CCE-86207-8
 CCE-86209-4
@@ -24,7 +23,6 @@ CCE-86216-9
 CCE-86217-7
 CCE-86243-3
 CCE-86246-6
-CCE-86247-4
 CCE-86250-8
 CCE-86253-2
 CCE-86254-0