
[Ubuntu2404] Fix tests of rule grub2_password #13012

Open
wants to merge 1 commit into
base: stabilization-v0.1.76

Conversation

alanmcanonical
Contributor

Description:

  • Call set_grub_uefi_root to override the grub path in tests

Rationale:

@alanmcanonical alanmcanonical requested review from a team as code owners February 10, 2025 15:25
@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Feb 10, 2025

openshift-ci bot commented Feb 10, 2025

Hi @alanmcanonical. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@alanmcanonical alanmcanonical changed the base branch from master to stabilization-v0.1.76 February 10, 2025 15:25

This datastream diff is auto-generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -3,13 +3,18 @@
 Enable Dracut FIPS Module
 
 [description]:
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
+
 To enable FIPS, the system requires that the fips module is added in dracut configuration.
 Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "
 
 [warning]:
-The system needs to be rebooted for these changes to take effect.
+To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
 
 [warning]:
 System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
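Review bot: nothing in this datastream diff touches grub2_password or Ubuntu 24.04, the change the PR title describes; since the base branch was switched from master to stabilization-v0.1.76 after the PR was opened, this comparison looks to have been generated against the wrong base and should be regenerated before the FIPS text changes below are read as part of this PR. Within the hunk itself, the new description first states that a failure on an installed system "is a permanent finding and cannot be fixed" and then keeps the old sentence telling the reader to check that /etc/dracut.conf.d/40-fips.conf contains add_dracutmodules+=" fips ", which reads as a fixable configuration check; reconcile the two, and while here fix "contain" to "contains" in that retained line.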

New data stream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -1 +1 @@
-
+oval:ssg-bootc:def:1
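Review bot: restricting enable_dracut_fips_module to the platform oval:ssg-bootc:def:1 contradicts the description text in the preceding hunk, which talks about booting the Red Hat Enterprise Linux 8 installer with fips=1; a bootc image has no installer step. Together with the bash and ansible remediations being dropped, the rule becomes a bootc-only check whose guidance describes a non-bootc workflow. Either keep the platform unrestricted or rewrite the description for the bootc case (the kargs.d/01-fips.toml approach that the enable_fips_mode bash remediation below still uses).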

New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -3,30 +3,22 @@
 Enable FIPS Mode
 
 [description]:
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
-         
-The fips-mode-setup command will configure the system in
-FIPS mode by automatically configuring the following:
-Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
-          Creating /etc/system-fips
-          Setting the system crypto policy in /etc/crypto-policies/config to 'xccdf_org.ssgproject.content_value_var_system_crypto_policy'
-          Loading the Dracut fips module
-         
-To enable FIPS mode at bootable container build time configure fips=1 kernel argument
-in /usr/lib/bootc/kargs.d/01-fips.toml:
-kargs = ["fips=1"]
-Then set the cryptographic policy to 'xccdf_org.ssgproject.content_value_var_system_crypto_policy':
-update-crypto-policies --no-reload --set 'xccdf_org.ssgproject.content_value_var_system_crypto_policy'
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
 
 [warning]:
-The system needs to be rebooted for these changes to take effect.
+To configure Red Hat Enterprise Linux 8 to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+Only enabling FIPS 140 mode during the Red Hat Enterprise Linux 8 installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
+Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
 
 [warning]:
 This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
 You can find the list of FIPS certified modules at 
 https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search.
-This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
+This rule checks if the system is running in FIPS mode.
 
 [reference]:
 CCI-002450
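Review bot: the description drops the bootc instructions (kargs = ["fips=1"] in /usr/lib/bootc/kargs.d/01-fips.toml followed by update-crypto-policies --set with the FIPS policy) even though the bash remediation for this rule still writes that kargs file, so the rule text no longer documents what its own remediation does. It also removes every mention of the crypto policy, leaving the rule silent on xccdf_org.ssgproject.content_value_var_system_crypto_policy; a kernel in FIPS mode paired with a non-FIPS policy is a real misconfiguration, so keep at least one sentence on it. Minor: in the new warning, "and continuous monitoring tests in place" is missing a verb; "and that its continuous self-tests are in place" reads correctly.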

OCIL for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- ocil:ssg-enable_fips_mode_ocil:questionnaire:1
+++ ocil:ssg-enable_fips_mode_ocil:questionnaire:1
@@ -1,10 +1,6 @@
 To verify that FIPS mode is enabled properly, run the following command:
-fips-mode-setup --check
-The output should contain the following:
-FIPS mode is enabled.
-To verify that the cryptographic policy has been configured correctly, run the
-following command:
-$ update-crypto-policies --show
-The output should return .
+cat /proc/sys/crypto/fips_enabled
+The output be must:
+1
       Is it the case that FIPS mode is not enabled?
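Review bot: "The output be must:" in the new OCIL text is a typo for "The output must be:". The replacement also verifies only the kernel flag (/proc/sys/crypto/fips_enabled reading 1); the crypto-policy check that was removed was admittedly broken (its expected output rendered as an empty value, "The output should return ."), but dropping it instead of fixing the variable expansion means an operator following this questionnaire never confirms that update-crypto-policies --show reports the FIPS policy.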
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -1,31 +1,10 @@
 # Remediation is applicable only in certain platforms
 if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) && rpm --quiet -q kernel ); then
 
-var_system_crypto_policy=''
-
-
 if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then
-	crypto_policies_no_reload="--no-reload"
 	cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF
 kargs = ["fips=1"]
 EOF
-else
-	fips-mode-setup --enable
-fi
-
-stderr_of_call=$(update-crypto-policies $crypto_policies_no_reload --set ${var_system_crypto_policy} 2>&1 > /dev/null)
-rc=$?
-
-if test "$rc" = 127; then
-	echo "$stderr_of_call" >&2
-	echo "Make sure that the script is installed on the remediated system." >&2
-	echo "See output of the 'dnf provides update-crypto-policies' command" >&2
-	echo "to see what package to (re)install" >&2
-
-	false  # end with an error code
-elif test "$rc" != 0; then
-	echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
-	false  # end with an error code
 fi
 
 else
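Review bot: with the else branch removed, a run on a non-bootc system (OSCAP_BOOTC_BUILD not set to YES) executes nothing inside the platform guard and exits 0, so the scanner records the rule as remediated even though the new description calls this a permanent finding that cannot be fixed. Either fail explicitly on that path (an else branch that prints the reason to stderr and ends with false, mirroring the pattern the removed update-crypto-policies error handling used) or drop the bash remediation altogether as was done for the ansible one. Removing the update-crypto-policies call also means the bootc build path now sets fips=1 without setting the crypto policy at all.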

New data stream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_etc_system_fips_exists'.
--- xccdf_org.ssgproject.content_rule_etc_system_fips_exists
+++ xccdf_org.ssgproject.content_rule_etc_system_fips_exists
@@ -4,11 +4,16 @@
 
 [description]:
 On a system where FIPS mode is enabled, /etc/system-fips must exist.
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
+
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
 
 [warning]:
-The system needs to be rebooted for these changes to take effect.
+To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
+Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
 
 [warning]:
 System Crypto Modules must be provided by a vendor that undergoes
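Review bot: the new description asserts that /etc/system-fips must exist and that a failure cannot be fixed, but it removes the only sentence that explained how the file comes to exist (fips-mode-setup --enable) without replacing it; say that installing with the fips=1 boot parameter is what produces /etc/system-fips, otherwise the reader has no link between the file check and the installation-time instruction.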

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled'.
--- xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
+++ xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
@@ -5,8 +5,14 @@
 [description]:
 System running in FIPS mode is indicated by kernel parameter
 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode.
-To enable FIPS mode, run the following command:
-fips-mode-setup --enable
+
+Red Hat Enterprise Linux 8 has an installation-time kernel flag that can enable FIPS mode.
+The installer must be booted with fips=1 for the system to have FIPS mode
+enabled. Enabling FIPS mode on a preexisting system is not supported. If
+this rule fails on an installed system, then this is a permanent
+finding and cannot be fixed.
+
+
 
 To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot
 parameters during system installation so key generation is done with FIPS-approved algorithms
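Review bot: the paragraph added here repeats what the retained context already says a few lines later ("the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms"), and the three added empty lines leave a run of four blank lines; keep one of the two statements and trim the whitespace.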

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs' differs.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
@@ -55,11 +55,12 @@
     has Minimum Value of 5000
   ansible.builtin.replace:
     path: /etc/login.defs
-    regexp: (^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)
+    regexp: (^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?:\d+)(.*$)
     replace: \g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>
     backup: false
-  when: etc_login_defs_sha_crypt_min_rounds | length > 0 and etc_login_defs_sha_crypt_min_rounds
-    | first | int < var_password_hashing_min_rounds_login_defs | int
+  when: etc_login_defs_sha_crypt_min_rounds is defined and etc_login_defs_sha_crypt_min_rounds
+    | length > 0 and etc_login_defs_sha_crypt_min_rounds | first | int < var_password_hashing_min_rounds_login_defs
+    | int
   tags:
   - CCE-89707-4
   - DISA-STIG-RHEL-08-010130
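Review bot: replacing the hard-coded negative lookahead (?!(?:[5-9]\d{3,}|\d{5,})) with a plain (?:\d+) is the right fix, since the old pattern enforced 5000 regardless of var_password_hashing_min_rounds_login_defs while the when clause already compares against the variable; the new (.*$) group also preserves a trailing comment, which \S*(\s*$) did not. One gap: a non-numeric value such as "SHA_CRYPT_MIN_ROUNDS abc" is not matched by \d+, and the Jinja2 int filter turns it into 0, so the when clause fires, the replace matches nothing and reports ok, and because the key is present the later "add configuration if not found" task does not add it either. Use (\S+) for the value group, or add a failing assert for unparsable values.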
@@ -74,11 +75,12 @@
     has Minimum Value of 5000
   ansible.builtin.replace:
     path: /etc/login.defs
-    regexp: (^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)
+    regexp: (^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?:\d+)(.*$)
     replace: \g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>
     backup: false
-  when: etc_login_defs_sha_crypt_max_rounds | length > 0 and etc_login_defs_sha_crypt_max_rounds
-    | first | int < var_password_hashing_min_rounds_login_defs | int
+  when: etc_login_defs_sha_crypt_max_rounds is defined and etc_login_defs_sha_crypt_max_rounds
+    | length > 0 and etc_login_defs_sha_crypt_max_rounds | first | int < var_password_hashing_min_rounds_login_defs
+    | int
   tags:
   - CCE-89707-4
   - DISA-STIG-RHEL-08-010130
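Review bot: the same \d+ caveat as the SHA_CRYPT_MIN_ROUNDS task above applies here. Separately, the retained task name still reads "has Minimum Value of 5000" for SHA_CRYPT_MAX_ROUNDS, while the task actually raises the maximum to var_password_hashing_min_rounds_login_defs whenever it is below that variable; the name should mention the variable rather than 5000 so the play output is not misleading.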
@@ -89,7 +91,8 @@
   - restrict_strategy
   - set_password_hashing_min_rounds_logindefs
 
-- name: '{{ rule_title }} - SHA_CRYPT_MIN_ROUNDS add configuration if not found'
+- name: Set Password Hashing Rounds in /etc/login.defs - SHA_CRYPT_MIN_ROUNDS add
+    configuration if not found
   ansible.builtin.lineinfile:
     line: SHA_CRYPT_MIN_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}
     path: /etc/login.defs
@@ -105,7 +108,8 @@
   - restrict_strategy
   - set_password_hashing_min_rounds_logindefs
 
-- name: '{{ rule_title }} - SHA_CRYPT_MAX_ROUNDS add configuration if not found'
+- name: Set Password Hashing Rounds in /etc/login.defs - SHA_CRYPT_MAX_ROUNDS add
+    configuration if not found
   ansible.builtin.lineinfile:
     line: SHA_CRYPT_MAX_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}
     path: /etc/login.defs

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -8,7 +8,7 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	
+    
 	OTHER_FILTERS="-C uid!=euid -F euid=0"
 	
 	AUID_FILTERS=""
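Review bot: this hunk changes only the indentation of an empty line (a tab becomes four spaces) in the generated bash, and the hunk at -326 below is identical; it is harmless in the output but indicates mixed tabs and spaces in the template that renders ACTION_ARCH_FILTERS, which is worth normalising so these whitespace-only diffs stop appearing in every datastream comparison.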
@@ -326,7 +326,7 @@
 for ARCH in "${RULE_ARCHS[@]}"
 do
 	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-	
+    
 	OTHER_FILTERS="-C gid!=egid -F egid=0"
 	
 	AUID_FILTERS=""

@alanmcanonical
Contributor Author

@dodys Please have a look.


codeclimate bot commented Feb 10, 2025

Code Climate has analyzed commit f641b78 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

