From a0a3682a209914bb0123de1aabb33f3c4b6710cc Mon Sep 17 00:00:00 2001
From: Chad Pellitt
Date: Thu, 18 Apr 2019 16:30:13 -0400
Subject: [PATCH] Updated bash remediation for the rule grub2_enable_fips_mode

- Install dracut-fips-aesni on supported hardware
- Disable ed25519 key in SSH configuration
- Correct sed quoting syntax
---
 .../fips/grub2_enable_fips_mode/bash/shared.sh | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
index 815b67d7ac6..70526c93417 100644
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
@@ -7,6 +7,11 @@ disable_prelink
 package_install dracut-fips
+# Enable AESNI if supported
+if grep -q -m1 -o aes /proc/cpuinfo; then
+ package_install dracut-fips-aesni
+fi
+
 dracut -f
 # Correct the form of default kernel command line in grub
@@ -26,8 +31,13 @@ if grep -q '^GRUB_CMDLINE_LINUX=".*boot=.*"' /etc/default/grub; then
 sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)boot=[^[:space:]]*\(.*"\)/\1 boot=UUID='"${BOOT_UUID} \2/" /etc/default/ grub
 else
 # no existing boot=arg is present, append it
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${BOOT_UUID}'"/' /etc/default/grub
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 boot=UUID=${BOOT_UUID}\"/" /etc/default/grub
 fi
 # Correct the form of kernel command line for each installed kernel in the bootloader
 /sbin/grubby --update-kernel=ALL --args="fips=1 boot=UUID=${BOOT_UUID}"
+
+# Disable ed25519 key in SSH configuration (does not work in FIPS mode)
+if grep -q '^HostKey /etc/ssh/ssh_host_ed25519_key' /etc/ssh/sshd_config; then
+ sed -i 's|^HostKey /etc/ssh/ssh_host_ed25519_key|#HostKey /etc/ssh/ssh_host_ed25519_key|' /etc/ssh/sshd_config
+fi
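Review bot: The ed25519 guard in the second hunk only fires on the exact text `HostKey /etc/ssh/ssh_host_ed25519_key` at column 0 with a single space, so a directive written with a tab, extra spaces or leading whitespace is left active and the remediation silently does nothing. Matching the whitespace explicitly closes that gap: `grep -q '^[[:space:]]*HostKey[[:space:]]\+/etc/ssh/ssh_host_ed25519_key' /etc/ssh/sshd_config` for the test and `sed -i 's|^\([[:space:]]*\)HostKey[[:space:]]\+/etc/ssh/ssh_host_ed25519_key|\1#HostKey /etc/ssh/ssh_host_ed25519_key|' /etc/ssh/sshd_config` for the rewrite. A config with no explicit HostKey line at all is also untouched, and sshd's compiled-in default key list would presumably still load the ed25519 key in that case — worth confirming and stating in the comment above the block. In the first hunk `-m1 -o` are redundant with `-q`, and `aes` is matched as a bare substring of /proc/cpuinfo; `grep -qw aes /proc/cpuinfo` expresses the intent (the aes CPU flag) more precisely.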