Introduce support for dracut-fips-aesni package in Anaconda

[dahaic]

Package dracut-fips-aesni enables usage of aes instruction set of x86 CPUs. This has significant impact for some crypto related workflows. It does not have (AFAIK) functionality implications.

We cannot install it indiscriminately, as supported configuration for Red Hat Enterprise Linux 7 is this package installed only in case CPU supports given instruction set. So if we want to install package, we need to first check the support.

That means we cannot (at least without changes to anaconda addon) install it during installation whatsoever. So there would be discrepancy between installation hardening and normal bash runtime hardening.

It is not clear if we should put it to the OVAL.

[boydhako]

Anaconda doesn't do some sort of logical system assesment?

[dahaic]

Well, oscap anaconda addon has no such logic at the moment, and this would probably be the only use case.

Is there anything comparable in the core anaconda, @poncovka? Installation of packages based on capabilities of the machine?

[trevor-vaughan]

You'll want to make this something that is configurable by the user.

A run time implementation can be found at https://github.com/simp/pupmod-simp-fips/blob/master/manifests/init.pp that includes tests if you need a reference for anything.

[poncovka]

@dahaic, for example, Anaconda installs packages based on the detected virtualized environment (if any).

[jan-cerny]

I think there needs to be a custom rule for this because we can't use templates because we need to check architecture of the target system.

[yuumasato]

I'm reopening this ticket, and changing scope for Anaconda remediation.

[ggbecker]

#4986 Enables dracut-fips-aesni to Anaconda Remediation as research shown that there was no harm by installing the package even if the processor doesn't have support for AES. Closing this issue and creating a new one on OAA which should handle system characteristics when applying remediation.