Updated bash remediation for the rule grub2_enable_fips_mode #4291
@@ -7,6 +7,11 @@ disable_prelink | |
|
||
package_install dracut-fips | ||
|
||
# Enable AESNI if supported | ||
if grep -q -m1 -o aes /proc/cpuinfo; then | ||
package_install dracut-fips-aesni | ||
fi | ||
|
||
dracut -f | ||
|
||
# Correct the form of default kernel command line in grub | ||
|
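Review bot: the AES-NI detection on the `if grep -q -m1 -o aes /proc/cpuinfo` line is a plain substring match, so it also fires on any flag or model-name string that merely contains `aes`; `grep -qw aes /proc/cpuinfo` (or anchoring the match to the `flags` line) tests for the actual CPU flag, and `-o` has no effect combined with `-q`. Separately, `dracut -f` rebuilds only the running kernel's initramfs, while the later `grubby --update-kernel=ALL` turns on `fips=1` for every installed kernel; `dracut -f --regenerate-all` (or a loop over the installed kernel versions) keeps the two consistent, otherwise an older kernel boots with `fips=1` but with an initramfs that lacks the FIPS dracut module.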
@@ -26,8 +31,13 @@ if grep -q '^GRUB_CMDLINE_LINUX=".*boot=.*"' /etc/default/grub; then | |
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)boot=[^[:space:]]*\(.*"\)/\1 boot=UUID='"${BOOT_UUID} \2/" /etc/default/ grub | ||
else | ||
# no existing boot=arg is present, append it | ||
sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${BOOT_UUID}'"/' /etc/default/grub | ||
sed -i "s/\(^GRUB_CMDLINE_LINUX=\".*\)\"/\1 boot=UUID=${BOOT_UUID}\"/" /etc/default/grub | ||
This line could be the fix for #3136!

I tested this line that currently exists in the code, and it did seem to work properly even if it was imperfect. Your referenced issue looks like it was fixed with this commit: Anyone with that issue was most likely using an older version that did not contain that change.
||
fi | ||
|
||
# Correct the form of kernel command line for each installed kernel in the bootloader | ||
/sbin/grubby --update-kernel=ALL --args="fips=1 boot=UUID=${BOOT_UUID}" | ||
|
||
# Disable ed25519 key in SSH configuration (does not work in FIPS mode) | ||
if grep -q '^HostKey /etc/ssh/ssh_host_ed25519_key' /etc/ssh/sshd_config; then | ||
sed -i 's|^HostKey /etc/ssh/ssh_host_ed25519_key|#HostKey /etc/ssh/ssh_host_ed25519_key|' /etc/ssh/sshd_config | ||
fi | ||
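Review bot: both `sed` branches and the `grubby --update-kernel=ALL --args="fips=1 boot=UUID=${BOOT_UUID}"` line interpolate `${BOOT_UUID}` without checking that it is non-empty, so if the lookup earlier in the script yields nothing the remediation writes `boot=UUID=` into the kernel command line and the FIPS initramfs cannot find /boot on the next reboot; a guard such as `[ -n "$BOOT_UUID" ] || exit 1` before the first edit avoids leaving the system unbootable. The new `sshd_config` edit also has no follow-up: nothing validates the result (`sshd -t`) or reloads `sshd`, so the running daemon keeps offering the ed25519 host key until the next restart, and because of the `grep -q '^HostKey /etc/ssh/ssh_host_ed25519_key'` guard the edit only happens when an explicit, uncommented `HostKey` line exists. Finally, the first context line reads `/etc/default/ grub` with a space before `grub`; if that is in the file rather than a rendering artifact, `sed -i` would act on the directory `/etc/default/` and on a file named `grub` in the current directory instead of `/etc/default/grub`.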
Hmmmm..... not sure that this makes sense to be in the FIPS grub remediation.....

I am not sure where else you would put this. The need for this change is directly tied to enabling FIPS mode.

This is a separate rule with separate OVAL and remediations then, as the SSH HostKeys now need to be verified against FIPS.
Preferentially, this would be in an OVAL file and added to the OVAL grub FIPS check using the OVAL and bash templates.
This is a preferred configuration, but not a security requirement. I would think that the OVAL should only check that the security requirement is met.
OVAL is more than about meeting security requirements. Please add an extended_definition check to the grub2_enabled_fips OVAL for AES as there is a configuration change here. So, there needs to be:
- dracut-fips-aesni package is installed.
- dracut-fips-aesni package needs to be added to the correct OS templates.