enhance OVAL for enable_fips_mode #10897

Merged
Expand Up @@ -7,19 +7,59 @@
<extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
{{% if product in ["ol8"] %}}
<criterion comment="check if the kernel boot parameter is configured for FIPS mode"
test_ref="test_grubenv_fips_mode" />
{{% elif product in ["rhel8"] %}}
<criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<extend_definition comment="Generic test for s390x architecture"
definition_ref="system_info_architecture_s390_64" />
<criterion comment="check if the kernel boot parameter is configured for FIPS mode"
test_ref="test_grubenv_fips_mode" />
<criteria operator="AND">
<extend_definition comment="Generic test for s390x architecture"
definition_ref="system_info_architecture_s390_64" />
<criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
</criteria>
<criteria operator="AND">
<criteria negate="true">
<extend_definition comment="Generic test for NOT s390x architecture"
definition_ref="system_info_architecture_s390_64" />
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
<criterion comment="check if the kernel boot parameter is configured for FIPS mode"
test_ref="test_grubenv_fips_mode" />
{{% else %}}
<criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
{{% endif %}}
</criteria>
</criteria>
{{% endif %}}
</criteria>
</definition>

<ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
check="all" check_existence="all_exist" version="1">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
<ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
<ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
check="all" check_existence="all_exist" version="1">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
<ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
<ind:pattern operation="pattern match">^(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>

<ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
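Review bot: The state regex `^(?:.*\s)?fips=1(?:\s.*)?$` in state_fips_1_argument_in_captured_group accepts an `options` line that contains `fips=1` anywhere, so `options ... fips=1 ... fips=0` passes even though, as far as I can tell, the kernel's `fips=` setup handler takes the last occurrence, which would leave FIPS mode off on a host the check reports compliant. Tightening it to reject a later `fips=` token, `^(?:.*\s)?fips=1(?!.*\sfips=)(?:\s.*)?$`, closes that gap for both tests that share the state. Separately, the object filepath `^/boot/loader/entries/.*.conf` has an unescaped dot and no end anchor, so it also collects files such as `foo.conf.bak`; `^/boot/loader/entries/.*\.conf$` matches only BLS entries, which is the set `check="all"` should be reasoning over. The enclosing `<definition>` opens above the hunk, so the criteria tree's root is not visible here.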