Updated bash remediation for the rule grub2_enable_fips_mode #4291
- Install dracut-fips-aesni on supported hardware
- Disable ed25519 key in SSH configuration
- Correct sed quoting syntax

Can one of the admins verify this patch?
The inspection completed: No new issues
@@ -7,6 +7,11 @@ disable_prelink | |||
|
|||
package_install dracut-fips | |||
|
|||
# Enable AESNI if supported | |||
if grep -q -m1 -o aes /proc/cpuinfo; then |
Preferentially, this would be in an OVAL file and added to the OVAL grub FIPS check using the OVAL and bash templates.
This is a preferred configuration, but not a security requirement. I would think that the OVAL should only check that the security requirement is met.
OVAL is more than about meeting security requirements. Please add an extended_definition check to the grub2_enabled_fips OVAL for AES as there is a configuration change here. So, there needs to be:
- An extended_definition check added to grub2_enable_fips_mode OVAL
- A dracut-fips-aesni OVAL check in shared/checks that checks for AESNI enabled processors and that the dracut-fips-aesni package is installed.
- The dracut-fips-aesni package needs to be added to the correct OS templates.
# Disable ed25519 key in SSH configuration (does not work in FIPS mode) | ||
if grep -q '^HostKey /etc/ssh/ssh_host_ed25519_key' /etc/ssh/sshd_config; then | ||
sed -i 's|^HostKey /etc/ssh/ssh_host_ed25519_key|#HostKey /etc/ssh/ssh_host_ed25519_key|' /etc/ssh/sshd_config | ||
fi |
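Review bot: the new `if grep -q -m1 -o aes /proc/cpuinfo` line matches `aes` as a substring of any token in /proc/cpuinfo rather than the `aes` CPU flag itself; `grep -qw aes /proc/cpuinfo` (whole-word match) is the narrower test at the same cost. In the SSH block of the same hunk, `grep -q '^HostKey /etc/ssh/ssh_host_ed25519_key'` and the matching `sed` only recognise the directive when it is written with exactly one space, so a tab- or double-space-separated `HostKey` line stays active after the remediation reports success; a pattern such as `^[[:space:]]*HostKey[[:space:]]\+/etc/ssh/ssh_host_ed25519_key` in both the grep and the sed would cover those spellings too.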
Hmmmm..... not sure that this makes sense to be in the FIPS grub remediation.....
I am not sure where else you would put this. The need for this change is directly tied to enabling FIPS mode.
This is a separate rule with separate OVAL and remediations then as the SSH HostKey's now need to be verified against FIPS.
I am not familiar with writing XCCDF and OVAL, so I will leave this for someone else to implement.
@@ -26,8 +31,13 @@ if grep -q '^GRUB_CMDLINE_LINUX=".*boot=.*"' /etc/default/grub; then | |||
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)boot=[^[:space:]]*\(.*"\)/\1 boot=UUID='"${BOOT_UUID} \2/" /etc/default/ grub | |||
else | |||
# no existing boot=arg is present, append it | |||
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${BOOT_UUID}'"/' /etc/default/grub | |||
sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 boot=UUID=${BOOT_UUID}\"/" /etc/default/grub |
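Review bot: the rewritten `else` line now carries `${BOOT_UUID}` inside a single double-quoted sed script, which resolves SC2086, but nothing in this hunk checks that `BOOT_UUID` is non-empty before either `sed -i` runs; an unset value writes a bare `boot=UUID=` into GRUB_CMDLINE_LINUX, which dracut-fips cannot use to locate /boot at the next boot. Guard the whole `if` with something like `[ -n "${BOOT_UUID}" ] || exit 1` so the file is left untouched when the UUID lookup failed. The `then` branch's context line also shows the target as `/etc/default/ grub` (with a space); confirm the committed file has `/etc/default/grub` there.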
This line could be the fix for #3136!
I tested this line that currently exists in the code, and it did seem to work properly even if it was imperfect.
Your referenced issue looks like it was fixed with this commit: 2a044d5
Anyone with that issue was most likely using an older version that did not contain that change.
Updated bash remediation for the rule grub2_enable_fips_mode
Install dracut-fips-aesni on supported hardware
Disable ed25519 key in SSH configuration
ed25519 is not supported in FIPS mode. If sshd attempts to load a non-existent key, it displays a warning every time it starts. If the key was previously generated while the system was in non-FIPS mode, it can cause sshd to fail.
Correct sed quoting syntax
This line has a shellcheck error:

```shell
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${BOOT_UUID}'"/' /etc/default/grub
```

SC2086: Double quote to prevent globbing and word splitting.
The syntax is unusual, with the sed command made up of two single quoted strings and an unquoted variable in the middle. I put double quotes around the whole thing so that the variable expands and escaped the double quotes inside.
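The quoting fix the description explains, as an added example that is not part of the PR or the ComplianceAsCode remediation: a POSIX sh script that applies the corrected double-quoted sed to a constructed copy of /etc/default/grub, refuses an empty UUID, and shows the word-splitting failure SC2086 warns about on the old two-single-quote form. The file contents, the UUID value and the function names are assumptions; GNU sed (`sed -i`) is assumed.

```shell
# Added example, not code from the PR: exercises the remediation's corrected
# sed quoting on a constructed copy of /etc/default/grub. Assumes GNU sed and
# POSIX sh; all file contents and UUID values below are constructed samples.

# Write a constructed /etc/default/grub copy to a temp file; print its path.
make_grub_file() {
  f=$(mktemp)
  printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\n' > "$f"
  printf '%s\n' "$f"
}

# Append boot=UUID=<uuid> to GRUB_CMDLINE_LINUX the way the PR's rewritten
# line does: one double-quoted sed script, inner quotes escaped, the variable
# expanded by the shell. Refuses an empty UUID so the file can never be left
# with a bare boot=UUID= argument, then prints the resulting line.
append_boot_uuid() {
  grub_file=$1
  boot_uuid=$2
  [ -n "$boot_uuid" ] || return 1
  sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 boot=UUID=${boot_uuid}\"/" "$grub_file"
  grep '^GRUB_CMDLINE_LINUX=' "$grub_file"
}

# The form shellcheck flagged (SC2086): two single-quoted pieces with an
# unquoted ${boot_uuid} between them. The shell word-splits the expansion, so
# a value containing whitespace turns the one sed script into several
# arguments and sed rejects it as an unterminated s command; the file is then
# left untouched and the function returns non-zero.
append_boot_uuid_unquoted() {
  grub_file=$1
  boot_uuid=$2
  sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${boot_uuid}'"/' "$grub_file" 2>/dev/null || return 1
  grep '^GRUB_CMDLINE_LINUX=' "$grub_file"
}
```

For a value with no whitespace both forms produce the same line, which is why the old form "worked" in practice; only the quoted form is safe against unexpected input and an empty lookup.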