grub2_enable_fips_mode prose guidance causes boot fail on an EFI system

[GaryGapinski]

(Tested on RHEL 7.4.)

The guidance lacks an additional grub.cfg argument identifying the rootfs location.

The guidance in https://access.redhat.com/solutions/137833 has been tested and found to work properly. If that guidance is determined to be doctrinally correct, it should be stolen for SSG.

Separately and additionally, the OVAL test for FIPS mode dfoes not actually determine if FIPS mode is in effect. It should be augmented (or replaced) with a sysctl test for crypto.fips_enabled = 1.

[matejak]

You probably mean this rule: https://github.com/OpenSCAP/scap-security-guide/blob/master/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule
Could you be more specific what is the main cause of trouble, or even better, be inspired by our guide and come up with a pull request?

[angystardust]

Hi @matejak I experienced the same issue described by @GaryGapinski on an AWS RHEL7.5 instance.
After enabling FIPS though oscap remediation scripts, my instance was no longer booting.
Here is the description and the solution to the issue: http://blog.kwnetapps.com/aws-centos-7-fips-mode/

[redhatrises]

It's a little funny that centos is used here considering it is not FedRAMP or FIPS certified.

[angystardust]

@redhatrises you're right: in the blog post the guy talks about a CentOS setup but I can tell you that the same issue happens also on a genuine RHEL

[matejak]

Relates to #3136

[mrabe142]

Hello,

I also ran into a very similar issue today (same boot failure but not using EFI). I deployed the latest official Amazon AWS RHEL 7.7 AMI. I installed the latest OpenSCAP (1.2.17-1) and latest SSG (0.1.45-1). After I ran the OpenSCAP online remediation and rebooted, the AMI would not boot anymore (goes from pending to stopped). It had "dracut: FATAL: FIPS integrity test failed" in the bootup log.

I found that same CentOS blog which put be on the right track. It appears that the remediation is always adding the "boot=" after the "fips=1" in the kernel boot command. From my understanding, you are only supposed to add the "boot=" portion IF "/boot" resides on a different partition/disk. Both the STIG guidance and the Red Hat guidance (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations) both state you only add that if there is a separate partition. The image i was using only had a single / partition so it did not meet that criteria.

After remaking the image, applying the OpenSCAP remediation but before rebooting, I edited the "/etc/default/grub" file and removed the "boot=" portion that was added but left the "fips=1". After rebuilding the grub config again, I rebooted and it came up as expected. I verified fips was enabled with the sysctl command.