Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enhance OVAL for enable_fips_mode #10897

Merged
merged 3 commits into from
Jul 25, 2023
Merged

enhance OVAL for enable_fips_mode #10897

merged 3 commits into from
Jul 25, 2023

Conversation

vojtapolasek
Copy link
Collaborator

Description:

  • add more tests to check /etc/kernel/cmdline and also /boot/loader/entries/*.conf files
  • use correct check based on prodtype, inspired by grub2_template
  • if we are on S390X architecture, check /boot/loader/entries/*.conf only, there is no grubenv file

Rationale:

Review Hints:

  1. provision X86 and S390X RHEL 8 and RHEL 9 machines
  2. ./build_product rhel8 rhel9
  3. on each machine run fips-mode-setup --enable && update-crypto-policies --set fips:ospp
  4. run oscap xccdf eval --profile ospp --report result.html --rule xccdf_org.ssgproject.content_rule_enable_fips_mode <datastream.xml>
  5. inspect the HTML report to see that checks are checking corect things

@vojtapolasek
add OVAL tests to test for fips=1 in /boot/loader/entries and in kern…
ca053d1 
…el command line
@vojtapolasek
rewrite criteria in OVAL
fde1858 
rewritten according to grub2_argument template
if RHEL8 or OL8, then the grubenv file is checked
if RHEL9 or OL9, then expanded /boot/loader/entries are checked
@vojtapolasek vojtapolasek added bugfix Fixes to reported bugs. OVAL OVAL update. Related to the systems assessments. OSPP OSPP benchmark related. labels Jul 24, 2023
@vojtapolasek vojtapolasek added this to the 0.1.70 milestone Jul 24, 2023
@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@github-actions
Copy link

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff 
OVAL for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- oval:ssg-enable_fips_mode:def:1
+++ oval:ssg-enable_fips_mode:def:1
@@ -4,6 +4,12 @@
 extend_definition oval:ssg-enable_dracut_fips_module:def:1
 extend_definition oval:ssg-configure_crypto_policy:def:1
 criterion oval:ssg-test_system_crypto_policy_value:tst:1
+criterion oval:ssg-test_fips_1_argument_in_etc_kernel_cmdline:tst:1
 criteria OR
+criteria AND
+extend_definition oval:ssg-system_info_architecture_s390_64:def:1
+criterion oval:ssg-test_fips_1_argument_in_boot_loader_entries_conf:tst:1
+criteria AND
+criteria None
 extend_definition oval:ssg-system_info_architecture_s390_64:def:1
 criterion oval:ssg-test_grubenv_fips_mode:tst:1

@marcusburghardt marcusburghardt self-assigned this Jul 25, 2023
marcusburghardt
marcusburghardt requested changes Jul 25, 2023
View reviewed changes
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the update. It is difficult to test this rule and I believe this is the reason to not have test scenario scripts. I have some comments. Could you take a look on them, please?

linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml Outdated Show resolved Hide resolved
linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml Show resolved Hide resolved
marcusburghardt
marcusburghardt approved these changes Jul 25, 2023
View reviewed changes
Copy link
Member

@marcusburghardt marcusburghardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for updating this rule @vojtapolasek .

We have discussed privately on how to include test scenarios for this rule and concluded it would be possible but would not be simple. So we can merge this PR now to not block the fix and work on test scenarios in a separate PR.

@codeclimate
Copy link

codeclimate bot commented Jul 25, 2023

Code Climate has analyzed commit 78f087f and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).

View more on Code Climate.

@vojtapolasek vojtapolasek mentioned this pull request Jul 25, 2023
Merged
@marcusburghardt marcusburghardt merged commit dc450a8 into ComplianceAsCode:master Jul 25, 2023
jan-cerny added a commit to jan-cerny/scap-security-guide that referenced this pull request Aug 8, 2023
@jan-cerny
Remove kernel cmdline check
75dd0e7 
The OVAL in rule enable_fips_mode contains multiple checks. One
of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
Although this is useful for latest RHEL versions, this file doesn't
exist on RHEL 8.6 and 9.0. This causes that the rule fails after
remediation on these RHEL versions.

We want the same OVAL behavior on all minor RHEL releases, therefore
we will remove this test from the OVAL completely.

Related to: ComplianceAsCode#10897
@jan-cerny jan-cerny mentioned this pull request Aug 8, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcusburghardt marcusburghardt marcusburghardt approved these changes

Assignees

@marcusburghardt marcusburghardt

Labels
bugfix Fixes to reported bugs. OSPP OSPP benchmark related. OVAL OVAL update. Related to the systems assessments.
Projects
None yet
Milestone
0.1.70
Development

Successfully merging this pull request may close these issues.
2 participants
@vojtapolasek @marcusburghardt