- Bug
- Resolution: Done-Errata
- rhel-9.6
- scap-security-guide-0.1.78-1.el9
- Low
- rhel-security-compliance
- ssg_security
- Pass
- Automated
What were you trying to do that didn't work?
The bug https://issues.redhat.com/browse/RHEL-65432 complained about multiple failing rules related to FIPS. The rules related to sshd have been fixed in the fix for that bug. But the rule aide_use_fips_hashes still fails as of now.
The reason why aide_use_fips_hashes fails is that its OVAL check references the check installed_os_is_fips_certified, which fails because RHEL 9 isn't listed as FIPS certified in installed_os_is_fips_certified.
We should either add RHEL 9 to the list in installed_os_is_fips_certified or, better, remove installed_os_is_fips_certified from everywhere it's used. The latter solution seems to be better because operating systems are not FIPS certified; the specific crypto modules are FIPS certified.
We also need to investigate and fix other rules that use the installed_os_is_fips_certified check.
What is the impact of this issue to you?
None
Please provide the package NVR for which the bug is seen:
scap-security-guide-0.1.76-1.el9
How reproducible is this bug?:
deterministically
Steps to reproduce
- oscap xccdf eval --oval-results --profile xccdf_org.ssgproject.content_profile_stig --report ~/report.html --results ~/results.xml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Expected results
rule_aide_use_fips_hashes : pass
Actual results
rule_aide_use_fips_hashes: fail
Related upstream tickets:
https://github.com/ComplianceAsCode/content/issues/11576
Contest waiver:
https://github.com/RHSecurityCompliance/contest/blob/331e61b657e0e0e1496a5f1630616a1df11eae7f/conf/waivers/20-long-term#L60C2-L60C3
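One way to find the other rules that depend on installed_os_is_fips_certified is to walk the `extend_definition` references in the OVAL content. This is an added example, not code from the report or from the ComplianceAsCode project. The `oval:ssg-<name>:def:1` ID form is assumed from built content, and every definition name in the sample other than the two named in the report is a constructed placeholder.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
# Assumption: built content names the definition in this form.
TARGET = "oval:ssg-installed_os_is_fips_certified:def:1"

# Constructed sample; "placeholder_*" names are illustrative, not real rules.
SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition class="inventory" id="{TARGET}" version="1">
      <criteria><criterion test_ref="oval:ssg-test_placeholder_os:tst:1"/></criteria>
    </definition>
    <definition class="compliance" id="oval:ssg-aide_use_fips_hashes:def:1" version="1">
      <criteria operator="AND">
        <extend_definition definition_ref="{TARGET}"/>
        <criterion test_ref="oval:ssg-test_placeholder_aide:tst:1"/>
      </criteria>
    </definition>
    <definition class="compliance" id="oval:ssg-placeholder_wrapper:def:1" version="1">
      <criteria><extend_definition definition_ref="oval:ssg-aide_use_fips_hashes:def:1"/></criteria>
    </definition>
    <definition class="compliance" id="oval:ssg-placeholder_unrelated:def:1" version="1">
      <criteria><criterion test_ref="oval:ssg-test_placeholder_other:tst:1"/></criteria>
    </definition>
  </definitions>
</oval_definitions>"""


def dependents(oval_xml, target=TARGET):
    """Return IDs of definitions that extend `target`, directly or transitively."""
    root = ET.fromstring(oval_xml)
    # Map each definition ID to the set of definition IDs it extends.
    extends = {
        d.get("id"): {e.get("definition_ref") for e in d.iter(f"{{{OVAL_NS}}}extend_definition")}
        for d in root.iter(f"{{{OVAL_NS}}}definition")
    }
    found, frontier = set(), {target}
    while frontier:
        # A definition extending an already affected one inherits its failure.
        nxt = {i for i, refs in extends.items() if refs & frontier and i not in found}
        found |= nxt
        frontier = nxt
    return sorted(found)


if __name__ == "__main__":
    for def_id in dependents(SAMPLE_OVAL):
        print(def_id)
```

Because the lookup uses `iter()` at any depth, the same function can be given the text of a data stream file, where the OVAL definitions are nested inside component elements.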