RHEL-4722
When run with fips=1, anaconda resets FIPS crypto policy module set by an addon

      Description of problem:

      When anaconda is booted with fips=1 kernel command line parameter, it ultimately invokes fips-mode-setup --enable --no-bootcfg to enable the FIPS mode in the provisioned environment as well.

      It does so even when some addon has already configured FIPS mode which itself wouldn't be a problem.

      However, when the addon also configured the crypto policy to be a module of FIPS policy, for example FIPS:OSPP, that fips-mode-setup --enable will flip the policy back to the "core" FIPS.

      So anaconda effectively resets the work that the addon has already done.

      Version-Release number of selected component (if applicable):

      /var/log/anaconda/anaconda.log says
      10:19:17,404 INF main: /sbin/anaconda 34.25.0.20-1.el9

      How reproducible:

      Deterministic.

      Steps to Reproduce:
      1. Have a RHEL kickstart with the following specific changes:

        # Comment out autopart or the following part commands will not work
        #autopart
        # Anaconda likes these to exist
        part / --size 3000 --fstype xfs
        part /boot --size 500 --fstype xfs
        # The OSPP SCAP profile when processed with com_redhat_oscap addon
        # insists that these partitions exist, or installation does not continue
        part /var --recommended --fstype xfs
        part /var/log --recommended --fstype xfs
        part /var/log/audit --size 500 --fstype xfs
        part /var/tmp --recommended --fstype xfs
        part /home --size 500 --fstype xfs
        part /tmp --size 500 --fstype tmpfs
        # OSPP profile disables root's ssh logons, this might be needed if remote
        # access desired
        user --name test2 --plaintext --password Secret123 --uid 5678
        %post
        echo "test2 ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
        %end
        # Invoke configuring the system using the OSPP SCAP profile
        %addon com_redhat_oscap
        content-type = scap-security-guide
        profile = ospp
        %end

      2. Run anaconda with fips=1 kernel command line parameter.
      3. On the system, run
      fips-mode-setup --check ; update-crypto-policies --show ; update-crypto-policies --check

      Actual results:

      FIPS mode is enabled.
      FIPS
      The configured policy is applied

      Expected results:

      FIPS mode is enabled.
      FIPS:OSPP
      The configured policy is applied

      Additional info:

      The expected result comes from the same kickstart being used but without the fips=1 kernel command line parameter.

      The OSPP SCAP profile used by the com_redhat_oscap addon has rules xccdf_org.ssgproject.content_rule_enable_fips_mode and xccdf_org.ssgproject.content_rule_configure_crypto_policy that enable FIPS mode but also configure the crypto policy to FIPS:OSPP, instead of the default (for FIPS mode) FIPS.

      Anaconda should not override that work.
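      The following is an added post-install check, not code from this report, from anaconda or from scap-security-guide. It turns step 3 of the reproducer into a function that compares the output of fips-mode-setup --check, update-crypto-policies --show and update-crypto-policies --check against the policy the addon was expected to leave behind (FIPS:OSPP by default). The function names verify_fips_policy and collect_and_verify are assumptions; the three command outputs are constructed from the "Actual results" and "Expected results" above.

```shell
#!/bin/sh
# Added example for RHEL-4722 (not part of the report): verify that the crypto
# policy configured by the com_redhat_oscap addon survived the fips=1 install.
# verify_fips_policy takes the three command outputs as arguments so it can be
# exercised offline; collect_and_verify feeds it the real tools' output.

# $1: expected policy name, e.g. FIPS:OSPP
# $2: output of `fips-mode-setup --check`
# $3: output of `update-crypto-policies --show`
# $4: output of `update-crypto-policies --check`
# Returns 0 when FIPS mode is on, the policy matches and it is applied;
# returns 1 and prints each mismatch otherwise.
verify_fips_policy() {
    expected="$1"; fips_out="$2"; shown="$3"; check_out="$4"
    rc=0
    case "$fips_out" in
        "FIPS mode is enabled."*) ;;
        *) echo "fips-mode-setup --check: $fips_out"; rc=1 ;;
    esac
    if [ "$shown" != "$expected" ]; then
        echo "crypto policy is '$shown', expected '$expected'"
        rc=1
    fi
    case "$check_out" in
        "The configured policy is applied"*) ;;
        *) echo "update-crypto-policies --check: $check_out"; rc=1 ;;
    esac
    return $rc
}

# Run the real tools on the installed system (needs crypto-policies-scripts).
# Usage: collect_and_verify [EXPECTED_POLICY]   (default FIPS:OSPP)
collect_and_verify() {
    verify_fips_policy "${1:-FIPS:OSPP}" \
        "$(fips-mode-setup --check 2>&1)" \
        "$(update-crypto-policies --show 2>&1)" \
        "$(update-crypto-policies --check 2>&1)"
}
```

      With the "Actual results" above the check fails (policy FIPS instead of FIPS:OSPP); with the "Expected results" it passes. Run collect_and_verify on a freshly provisioned system, or from a kickstart %post that runs after the addon, to catch the reset described in this report.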

              anaconda-maint-list anaconda-maint-list
              rhn-engineering-jpazdziora Jan Pazdziora
              anaconda-maint-list anaconda-maint-list
              Release Test Team Release Test Team