forked from ComplianceAsCode/content
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
5 changed files
with
109 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
17 changes: 17 additions & 0 deletions
17
...ide/system/software/integrity/fips/package_dracut-fips-aesni_installed/ansible/shared.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # platform = Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Oracle Linux 7 | ||
| # reboot = false | ||
| # strategy = enable | ||
| # complexity = low | ||
| # disruption = low | ||
| - name: Check if system supports AES-NI | ||
| command: grep -q -m1 -o aes /proc/cpuinfo | ||
| failed_when: aesni_supported.rc > 1 | ||
| register: aesni_supported | ||
|
|
||
| - name: Ensure dracut-fips-aesni is installed | ||
| package: | ||
| name: dracut-fips-aesni | ||
| state: present | ||
| when: | ||
| - aesni_supported.rc == "0" | ||
| - ansible_distribution == 'RedHat' |
8 changes: 8 additions & 0 deletions
8
...s/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/bash/shared.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # platform = Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Oracle Linux 7 | ||
|
|
||
| # include remediation functions library | ||
| . /usr/share/scap-security-guide/remediation_functions | ||
|
|
||
| if grep -q -m1 -o aes /proc/cpuinfo; then | ||
| package_install dracut-fips-aesni | ||
| fi |
44 changes: 44 additions & 0 deletions
44
.../guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| <!-- DO NOT TEMPLATE this check. dracut-fips-aesni should only be installed on | ||
| certified systems, and changes to this file should be scrutinized through the | ||
| review process. | ||
| --> | ||
| <def-group> | ||
| <definition class="compliance" id="package_dracut-fips-aesni_installed" | ||
| version="1"> | ||
| <metadata> | ||
| <title>Package dracut-fips-aesni Installed</title> | ||
| <affected family="unix"> | ||
| <platform>Red Hat Enterprise Linux 6</platform> | ||
| <platform>Red Hat Enterprise Linux 7</platform> | ||
| <platform>Oracle Linux 7</platform> | ||
| </affected> | ||
| <description>The RPM package dracut-fips-aesni should be installed.</description> | ||
| </metadata> | ||
| <criteria operator="OR"> | ||
| <criterion comment="System does not support AES instruction set" test_ref="test_processor_aes_instruction" /> | ||
| <criteria operator="AND"> | ||
| <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" /> | ||
| <criterion comment="package dracut-fips-aesni is installed" | ||
| test_ref="test_package_dracut-fips-aesni_installed" /> | ||
| </criteria> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="query /proc/cpuinfo" id="test_processor_aes_instruction" version="1"> | ||
| <ind:object object_ref="object_processor_aes_instruction" /> | ||
| </ind:textfilecontent54_test> | ||
| <ind:textfilecontent54_object id="object_processor_aes_instruction" version="1"> | ||
| <ind:filepath>/proc/meminfo</ind:filepath> | ||
| <ind:pattern operation="pattern match">^[\s]*flags[\s]*:[\s]*.*aes.*$</ind:pattern> | ||
| <ind:instance datatype="int" operation="equals">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| <linux:rpminfo_test check="all" check_existence="all_exist" | ||
| id="test_package_dracut-fips-aesni_installed" version="1" | ||
| comment="package dracut-fips-aesni is installed"> | ||
| <linux:object object_ref="obj_package_dracut-fips-aesni_installed" /> | ||
| </linux:rpminfo_test> | ||
| <linux:rpminfo_object id="obj_package_dracut-fips-aesni_installed" version="1"> | ||
| <linux:name>dracut-fips-aesni</linux:name> | ||
| </linux:rpminfo_object> | ||
| </def-group> |
39 changes: 39 additions & 0 deletions
39
linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: rhel6,rhel7,ol7,rhv4 | ||
|
|
||
| title: 'Install the dracut-fips-aesni Package' | ||
|
|
||
| description: |- | ||
| To enable FIPS on system that support the Advanced Encryption Standard (AES) or New | ||
| Instructions (AES-NI) engine, the system requires that the <tt>dracut-fips-aesni</tt> | ||
| package be installed. | ||
| {{{ describe_package_install(package="dracut-fips-aesni") }}} | ||
| rationale: |- | ||
| Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to | ||
| protect data. The operating system must implement cryptographic modules adhering to the higher | ||
| standards approved by the federal government since this provides assurance they have been tested | ||
| and validated. | ||
| severity: medium | ||
|
|
||
| references: | ||
| cjis: 5.10.1.2 | ||
| cui: 3.13.11,3.13.8 | ||
| disa: 68,803,2450 | ||
| nist: AC-17(2),IA-7,SC-13 | ||
| nist-csf: PR.AC-3,PR.PT-4 | ||
| srg: SRG-OS-000033-GPOS-00014,SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223 | ||
| vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590 | ||
| isa-62443-2013: 'SR 1.13,SR 2.6,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6' | ||
| isa-62443-2009: 4.3.3.6.6 | ||
| cobit5: APO13.01,DSS01.04,DSS05.02,DSS05.03 | ||
| iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.6.2.1,A.6.2.2 | ||
| cis-csc: 12,15,8 | ||
|
|
||
| ocil_clause: 'the package is not installed' | ||
|
|
||
| ocil: '{{{ ocil_package(package="dracut-fips-aesni") }}}' | ||
|
|
||
| platform: machine |