From 33a664a7b02e17b900f72860a9bcf1f115e05881 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Dec 2024 13:52:56 -0600 Subject: [PATCH 1/7] Add new rule system_boot_in_fips_mode --- components/fips.yml | 1 + controls/ism_o.yml | 2 +- .../srg_gpos/SRG-OS-000396-GPOS-00176.yml | 2 +- .../srg_gpos/SRG-OS-000478-GPOS-00223.yml | 4 +- .../fips/is_fips_mode_enabled/rule.yml | 5 +- .../system_boot_in_fips_mode/oval/shared.xml | 30 ++++++++++ .../fips/system_boot_in_fips_mode/rule.yml | 55 +++++++++++++++++++ shared/references/cce-redhat-avail.txt | 2 - 8 files changed, 92 insertions(+), 9 deletions(-) create mode 100644 linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/oval/shared.xml create mode 100644 linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml diff --git a/components/fips.yml b/components/fips.yml index 276628d93fa..8df136e91f6 100644 --- a/components/fips.yml +++ b/components/fips.yml @@ -12,3 +12,4 @@ rules: - package_dracut-fips_installed - sebool_fips_mode - sysctl_crypto_fips_enabled +- system_boot_in_fips_mode diff --git a/controls/ism_o.yml b/controls/ism_o.yml index d7ff460aade..84329e0600b 100644 --- a/controls/ism_o.yml +++ b/controls/ism_o.yml @@ -430,7 +430,7 @@ use of device access control software or by disabling external communication int rules: - configure_crypto_policy - enable_dracut_fips_module - - enable_fips_mode + - system_boot_in_fips_mode - var_system_crypto_policy=fips status: automated diff --git a/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml b/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml index 0d5f623ef0f..721e536b920 100644 --- a/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml +++ b/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml @@ -8,6 +8,6 @@ controls: rules: - configure_crypto_policy - package_crypto-policies_installed - - enable_fips_mode + - system_boot_in_fips_mode - sysctl_crypto_fips_enabled status: automated 
diff --git a/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml b/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml index 90ffb78b68e..2c36b5ad43d 100644 --- a/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml +++ b/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml @@ -8,9 +8,7 @@ controls: protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.' rules: - - enable_dracut_fips_module - - enable_fips_mode - - sysctl_crypto_fips_enabled + - system_boot_in_fips_mode - aide_use_fips_hashes - configure_kerberos_crypto_policy status: automated diff --git a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml index ffc2142d63c..024031b0d9e 100644 --- a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml @@ -1,7 +1,7 @@ documentation_complete: true -title: Verify '/proc/sys/crypto/fips_enabled' exists +title: Verify '/proc/sys/crypto/fips_enabled' exists description: |- On a system where FIPS 140-2 mode is enabled, /proc/sys/crypto/fips_enabled must exist. @@ -17,6 +17,7 @@ rationale: |- severity: high identifiers: + cce@rhel10: CCE-86203-7 cce@sle12: CCE-83224-6 cce@sle15: CCE-85763-1 cce@slmicro5: CCE-93785-4 @@ -41,7 +42,7 @@ ocil: |- warnings: - general: |- To configure the OS to run in FIPS 140-2 mode, the kernel parameter "fips=1" needs to be added during its installation. - Enabling FIPS mode on a preexisting system involves a number of modifications to it. Refer to the vendor installation + Enabling FIPS mode on a preexisting system involves a number of modifications to it. Refer to the vendor installation guidances. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes 
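Review bot: The SRG-OS-000478-GPOS-00223 control drops `enable_dracut_fips_module` and `sysctl_crypto_fips_enabled` together with `enable_fips_mode`, while the ism_o.yml hunk in the same patch keeps `enable_dracut_fips_module` next to the new rule, so the two controls no longer cover the same surface. The replacement rule's OVAL added in this patch inspects only /proc/cmdline, which says nothing about whether the FIPS dracut module is present in the initramfs, so the removal looks like a loss of coverage rather than a substitution. If it is intentional, the commit message should say why this control needs less than ism_o does; otherwise keep `- enable_dracut_fips_module` in the list.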
diff --git a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/oval/shared.xml new file mode 100644 index 00000000000..e7cf37a0433 --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/oval/shared.xml @@ -0,0 +1,30 @@ + + + {{{ oval_metadata("The system must be booted with fips=1 and /proc/cmdline must not contain fips=0") }}} + + + + + + + + + + + + + + + + /proc/cmdline + .+fips*=1.+ + 1 + + + + /proc/cmdline + .+fips*=0.+ + 1 + + + diff --git a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml new file mode 100644 index 00000000000..a02931a5471 --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml @@ -0,0 +1,55 @@ +documentation_complete: true + +title: 'Verify that the system was booted with fips=1' + +description: |- + On a system where FIPS 14032 mode is enabled, the system must be booted with the + fips=1 kernel argument. + To verify FIPS mode, run the following command: +
cat /proc/cmdline
+ +rationale: |- + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to + protect data. The operating system must implement cryptographic modules adhering to the higher + standards approved by the federal government since this provides assurance they have been tested + and validated. + +severity: high + +identifiers: + cce@rhel10: CCE-86247-4 + +references: + disa: CCI-002450 + nist: SC-12(2),SC-12(3),SC-13 + srg: SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223 + +ocil_clause: 'thee system is not booted with fips=1' + +ocil: |- + To verify that system is booted with fips=1 run the following command: + $ cat /proc/cmdline + + The output must contain fips=1 + +warnings: + - general: |- + To configure the OS to run in FIPS 140-3 mode, the kernel parameter "fips=1" needs to be added during its installation. + Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. + - regulatory: |- + System Crypto Modules must be provided by a vendor that undergoes + FIPS-140 certifications. + FIPS-140 is applicable to all Federal agencies that use + cryptographic-based security systems to protect sensitive information + in computer and telecommunication systems (including voice systems) as + defined in Section 5131 of the Information Technology Management Reform + Act of 1996, Public Law 104-106. This standard shall be used in + designing and implementing cryptographic modules that Federal + departments and agencies operate or are operated for them under + contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf") }}} + To meet this, the system has to have cryptographic software provided by + a vendor that has undergone this certification. This means providing + documentation, test results, design information, and independent third + party review by an accredited lab. 
While open source software is + capable of meeting this, it does not meet FIPS-140 unless the vendor + submits to this process. diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index fee68f16e4d..ff34bcd2152 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -13,7 +13,6 @@ CCE-86196-3 CCE-86198-9 CCE-86199-7 CCE-86202-9 -CCE-86203-7 CCE-86204-5 CCE-86206-0 CCE-86207-8 @@ -26,7 +25,6 @@ CCE-86216-9 CCE-86217-7 CCE-86243-3 CCE-86246-6 -CCE-86247-4 CCE-86250-8 CCE-86253-2 CCE-86254-0 From 552c96678a503855a795e57b977cb36742a785cb Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 5 Dec 2024 07:18:47 -0600 Subject: [PATCH 2/7] Add grub2_enable_fips_mode to RHEL 10 --- controls/ism_o.yml | 1 + controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml | 1 + controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/controls/ism_o.yml b/controls/ism_o.yml index 84329e0600b..b428cc2085d 100644 --- a/controls/ism_o.yml +++ b/controls/ism_o.yml @@ -432,6 +432,7 @@ use of device access control software or by disabling external communication int - enable_dracut_fips_module - system_boot_in_fips_mode - var_system_crypto_policy=fips + - grub2_enable_fips_mode status: automated - id: '1449' diff --git a/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml b/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml index 721e536b920..557ffb432ea 100644 --- a/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml +++ b/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml @@ -10,4 +10,5 @@ controls: - package_crypto-policies_installed - system_boot_in_fips_mode - sysctl_crypto_fips_enabled + - grub2_enable_fips_mode status: automated diff --git a/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml b/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml index 2c36b5ad43d..17d887e3443 100644 --- a/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml +++ b/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml 
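Review bot: The `regulatory` warning block of the new rule is a verbatim copy of the one in is_fips_mode_enabled/rule.yml (its tail, `System Crypto Modules must be provided by a vendor that undergoes`, is visible as context in the previous file's hunk), and two copies of a fourteen-line legal paragraph will drift the first time one of them is edited. Factoring it into a shared Jinja macro, or at least adding a comment above the block naming the rule it was copied from, would keep the two in step. Minor: the description shows the command as `cat /proc/cmdline` while the OCIL shows `$ cat /proc/cmdline`; pick one form for both.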
@@ -11,4 +11,5 @@ controls: - system_boot_in_fips_mode - aide_use_fips_hashes - configure_kerberos_crypto_policy + - grub2_enable_fips_mode status: automated From ba9ef1b73c6f361772b448e2eb959e31167ffdc3 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 10 Dec 2024 07:17:18 -0600 Subject: [PATCH 3/7] Fix FIPS verison in system_boot_in_fips_mode description --- .../software/integrity/fips/system_boot_in_fips_mode/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml index a02931a5471..0b43a0b2091 100644 --- a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify that the system was booted with fips=1' description: |- - On a system where FIPS 14032 mode is enabled, the system must be booted with the + On a system where FIPS 140-3 mode is enabled, the system must be booted with the fips=1 kernel argument. To verify FIPS mode, run the following command:
cat /proc/cmdline
From 8d2768a281067d8ca42bf14809dca127c212bf8c Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 10 Dec 2024 08:00:18 -0600 Subject: [PATCH 4/7] Add RHEL 10 CCI to grub2_enable_fips_mode --- .../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 3 +++ shared/references/cce-redhat-avail.txt | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index 4cecedc1549..affa378f4a8 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -31,6 +31,9 @@ severity: high platforms: - grub2 +identifiers: + cce@rhel10: CCE-86191-4 + references: cis-csc: 12,15,8 cjis: 5.10.1.2 diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index ff34bcd2152..4082354fa6f 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -7,7 +7,6 @@ CCE-86186-4 CCE-86187-2 CCE-86188-0 CCE-86190-6 -CCE-86191-4 CCE-86193-0 CCE-86196-3 CCE-86198-9 From 407bd4d3607d600551bd3d69678b5dc3a41004f5 Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Wed, 11 Dec 2024 12:26:54 -0600 Subject: [PATCH 5/7] Updated system_booted_in_fips_mode based on reviewer feedback --- components/fips.yml | 2 +- controls/ism_o.yml | 2 +- .../srg_gpos/SRG-OS-000396-GPOS-00176.yml | 2 +- .../srg_gpos/SRG-OS-000478-GPOS-00223.yml | 2 +- .../system_boot_in_fips_mode/oval/shared.xml | 30 ------------------- .../oval/shared.xml | 1 + .../rule.yml | 4 +-- 7 files changed, 7 insertions(+), 36 deletions(-) delete mode 100644 linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/oval/shared.xml create mode 100644 linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/oval/shared.xml rename linux_os/guide/system/software/integrity/fips/{system_boot_in_fips_mode => system_booted_in_fips_mode}/rule.yml (91%) diff --git a/components/fips.yml b/components/fips.yml index 8df136e91f6..c6f7a745d12 100644 --- a/components/fips.yml +++ b/components/fips.yml @@ -12,4 +12,4 @@ rules: - package_dracut-fips_installed - sebool_fips_mode - sysctl_crypto_fips_enabled -- system_boot_in_fips_mode +- system_booted_in_fips_mode diff --git a/controls/ism_o.yml b/controls/ism_o.yml index b428cc2085d..55af5b117a6 100644 --- a/controls/ism_o.yml +++ b/controls/ism_o.yml @@ -430,7 +430,7 @@ use of device access control software or by disabling external communication int rules: - configure_crypto_policy - enable_dracut_fips_module - - system_boot_in_fips_mode + - system_booted_in_fips_mode - var_system_crypto_policy=fips - grub2_enable_fips_mode status: automated diff --git a/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml b/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml index 557ffb432ea..04a7279d693 100644 --- a/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml +++ b/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml 
@@ -8,7 +8,7 @@ controls: rules: - configure_crypto_policy - package_crypto-policies_installed - - system_boot_in_fips_mode + - system_booted_in_fips_mode - sysctl_crypto_fips_enabled - grub2_enable_fips_mode status: automated diff --git a/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml b/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml index 17d887e3443..57493d49358 100644 --- a/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml +++ b/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml @@ -8,7 +8,7 @@ controls: protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.' rules: - - system_boot_in_fips_mode + - system_booted_in_fips_mode - aide_use_fips_hashes - configure_kerberos_crypto_policy - grub2_enable_fips_mode diff --git a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/oval/shared.xml deleted file mode 100644 index e7cf37a0433..00000000000 --- a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/oval/shared.xml +++ /dev/null @@ -1,30 +0,0 @@ - - - {{{ oval_metadata("The system must be booted with fips=1 and /proc/cmdline must not contain fips=0") }}} - - - - - - - - - - - - - - - - /proc/cmdline - .+fips*=1.+ - 1 - - - - /proc/cmdline - .+fips*=0.+ - 1 - - - diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/oval/shared.xml new file mode 100644 index 00000000000..5eae6e59f1a --- /dev/null +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/oval/shared.xml @@ -0,0 +1 @@ +{{{ oval_file_contents("/proc/sys/crypto/fips_enabled", "{{{ rule_id }}}_fips_enabled", "1") }}} 
diff --git a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml similarity index 91% rename from linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml rename to linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml index 0b43a0b2091..4ac9d056c74 100644 --- a/linux_os/guide/system/software/integrity/fips/system_boot_in_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml @@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify that the system was booted with fips=1' description: |- - On a system where FIPS 140-3 mode is enabled, the system must be booted with the + On a system where FIPS 140 mode is enabled, the system must be booted with the fips=1 kernel argument. To verify FIPS mode, run the following command:
cat /proc/cmdline
@@ -34,7 +34,7 @@ ocil: |- warnings: - general: |- - To configure the OS to run in FIPS 140-3 mode, the kernel parameter "fips=1" needs to be added during its installation. + To configure the OS to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes From a5a3d90902cd6e54a17209fb6a8fdd260175662f Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 11 Dec 2024 12:27:24 -0600 Subject: [PATCH 6/7] Remove is_fips_mode_enabled from RHEL 10 --- .../software/integrity/fips/is_fips_mode_enabled/rule.yml | 1 - .../integrity/fips/system_booted_in_fips_mode/oval/shared.xml | 2 +- shared/references/cce-redhat-avail.txt | 1 + 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml index 024031b0d9e..22c765a1946 100644 --- a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml @@ -17,7 +17,6 @@ rationale: |- severity: high identifiers: - cce@rhel10: CCE-86203-7 cce@sle12: CCE-83224-6 cce@sle15: CCE-85763-1 cce@slmicro5: CCE-93785-4 diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/oval/shared.xml index 5eae6e59f1a..69762f91490 100644 --- a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/oval/shared.xml 
@@ -1 +1 @@ -{{{ oval_file_contents("/proc/sys/crypto/fips_enabled", "{{{ rule_id }}}_fips_enabled", "1") }}} +{{{ oval_file_contents("/proc/sys/crypto/fips_enabled", rule_id + "_fips_enabled", "1") }}} diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 4082354fa6f..1aaf4ace68b 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -13,6 +13,7 @@ CCE-86198-9 CCE-86199-7 CCE-86202-9 CCE-86204-5 +CCE-86203-7 CCE-86206-0 CCE-86207-8 CCE-86209-4 From e4afdf5a77b52988c8b0a76c1c59d7db8dfb4d1b Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 13 Dec 2024 07:17:01 -0600 Subject: [PATCH 7/7] Adjust system_booted_in_fips_mode prose based on new OVAL check --- .../fips/system_booted_in_fips_mode/rule.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml index 4ac9d056c74..9438b2e0513 100644 --- a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml @@ -4,9 +4,13 @@ title: 'Verify that the system was booted with fips=1' description: |- On a system where FIPS 140 mode is enabled, the system must be booted with the - fips=1 kernel argument. - To verify FIPS mode, run the following command: -
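Review bot: After this change `system_booted_in_fips_mode` evaluates only /proc/sys/crypto/fips_enabled, which is presumably the same kernel value that `sysctl_crypto_fips_enabled` reads through crypto.fips_enabled (that rule may additionally check sysctl config files; not visible here), and the patch-5 hunk for SRG-OS-000396-GPOS-00176 lists both rules side by side, so that control now carries two runtime checks that cannot disagree. Either the rule.yml should state why this rule exists alongside the sysctl rule (for instance that it is check-only and applies where the sysctl rule's remediation is unwanted), or the sysctl rule should be removed from the RHEL 10 controls the way `is_fips_mode_enabled` is in this patch. Whether `oval_file_contents` anchors the `"1"` pattern to the whole line is not visible here; if it is a bare regex, a short comment on this line saying that the file only ever holds `0` or `1` would document why a substring match is acceptable.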
cat /proc/cmdline
+ The file /proc/sys/crypto/fips_enabled must have the contents of 1 + + To verify the system has been booted in FIPS mode, run the following command: +
+    # cat /proc/sys/crypto/fips_enabled
+    1
+    
rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to @@ -24,13 +28,13 @@ references: nist: SC-12(2),SC-12(3),SC-13 srg: SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223 -ocil_clause: 'thee system is not booted with fips=1' +ocil_clause: 'the system is not booted in fips mode' ocil: |- - To verify that system is booted with fips=1 run the following command: - $ cat /proc/cmdline + To verify that the system is booted with fips mode by running the following command: + $ cat /proc/sys/crypto/fips_enabled - The output must contain fips=1 + The output must be 1. warnings: - general: |-
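Review bot: The new description no longer parses as a sentence: the kept context line ends with `the system must be booted with the`, the line that completed it (`fips=1 kernel argument.`) is removed, and the rendered text now reads "...booted with the The file /proc/sys/crypto/fips_enabled must have the contents of 1". Rewrite the kept line to `On a system where FIPS 140 mode is enabled, the kernel must be running in FIPS mode.` and end the next line with a period: `The file /proc/sys/crypto/fips_enabled must have the contents of 1.`. The title shown in the hunk header, 'Verify that the system was booted with fips=1', also still describes the old /proc/cmdline check; `title: 'Verify that the system is running in FIPS mode'` would match what the OVAL now tests.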
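Review bot: The new OCIL sentence is a fragment, `To verify that the system is booted with fips mode by running the following command:`; either drop `by running` or restructure it as `To verify that the system is running in FIPS mode, run the following command:`. The replaced `ocil_clause` would read better with the acronym capitalized as elsewhere in the file, `ocil_clause: 'the system is not booted in FIPS mode'`. Since the assessor is now told to read a kernel-reported value rather than the boot command line, one sentence after `The output must be 1.` noting that the value cannot be changed on a running system (as the general warning below already says) would explain why anything other than `1` is a finding.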