Bug | Resolution: Not a Bug | Version: rhel-8.10 | Severity: Important | Component: rhel-security-compliance | ssg_security
What were you trying to do that didn't work?
The rhel8-playbook-stig.yml playbook in scap-security-guide 0.1.76 no longer contains the parameters to enable FIPS.
It appears that this may have been removed from the yml file included in security-guide-0.1.76-1.el8.rpm and newer.
===============================
security-guide-0.1.76-1.el8 rpm
===============================
[root@R8/76] # cat rhel8-playbook-stig.yml |grep -i fips
var_system_crypto_policy: !!str FIPS
- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
==================================
[scap-security-guide-0.1.75-1.el8]
==================================
[root@R8/75] # cat rhel8-playbook-stig.yml |grep -i fips
var_system_crypto_policy: !!str FIPS
- enable_dracut_fips_module
- name: Check to see the current status of FIPS mode
command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
- enable_dracut_fips_module
- name: Enable FIPS mode
command: /usr/bin/fips-mode-setup --enable
- is_fips_enabled.stdout.find('FIPS mode is enabled.') == -1
- enable_dracut_fips_module
- name: Enable Dracut FIPS Module
path: /etc/dracut.conf.d/40-fips.conf
line: add_dracutmodules+=" fips "
- enable_dracut_fips_module
- enable_fips_mode
- name: Enable FIPS Mode - Check to See the Current Status of FIPS Mode
ansible.builtin.command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
- enable_fips_mode
- name: Enable FIPS Mode - Enable FIPS Mode
ansible.builtin.command: /usr/bin/fips-mode-setup --enable
- is_fips_enabled.stdout.find('FIPS mode is enabled.') == -1
- enable_fips_mode
- name: Enable FIPS Mode - Configure Crypto Policy
- enable_fips_mode
- name: Enable FIPS Mode - Verify that Crypto Policy is Set (runtime)
- enable_fips_mode
- name: 'Configure SSH Daemon to Use FIPS 140-2 Validated Ciphers: openssh.config'
- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config'
- name: 'Configure SSH Daemon to Use FIPS 140-2 Validated MACs: openssh.config'
- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config:
- name: 'Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config'
What is the impact of this issue to you?
FIPS is not enabled as expected, which causes them to be rejected from operating on the network.
How reproducible is this bug?:
This occurs when the rhel8-playbook-stig.yml provided with security-guide-0.1.76-1.el8 rpm is utilized
Steps to reproduce
Execute openscap scan/remediation using rhel8-playbook-stig.yml with security-guide-0.1.76-1.el8
Expected results
The execution of this playbook should result in FIPS being enabled on the system
Actual results
FIPS is not enabled
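A post-remediation check for the expected result above, added here as an example and not part of the bug report or of scap-security-guide: it verifies on a RHEL 8 host the three settings the 0.1.75 playbook applied (kernel FIPS mode, the FIPS system-wide crypto policy, and the dracut fips module), so a host remediated with the 0.1.76 playbook is caught before it is put on the network. The function names are the example's own; the paths are the standard RHEL 8 locations, with /etc/dracut.conf.d/40-fips.conf being the file the 0.1.75 playbook writes, and the checks take file contents as arguments so they can also be run against constructed samples.

```python
"""Verify that a RHEL 8 host actually ended up in FIPS mode after remediation.
Checks the three settings the 0.1.75 playbook applied: kernel FIPS mode, the FIPS
system-wide crypto policy, and the dracut 'fips' module (standard RHEL 8 paths)."""
import re
from pathlib import Path

FIPS_ENABLED_SYSCTL = Path("/proc/sys/crypto/fips_enabled")
CRYPTO_POLICY_CONFIG = Path("/etc/crypto-policies/config")
DRACUT_FIPS_CONF = Path("/etc/dracut.conf.d/40-fips.conf")  # file the 0.1.75 playbook writes

def kernel_fips_enabled(sysctl_content):
    """fips_enabled reads '1' only when the running kernel is in FIPS mode."""
    return sysctl_content.strip() == "1"

def crypto_policy_is_fips(config_content):
    """The config file holds the active policy name; FIPS or a FIPS:subpolicy counts."""
    for line in config_content.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore comments and blank lines
        if line:
            return line == "FIPS" or line.startswith("FIPS:")
    return False

def dracut_fips_module_enabled(conf_content):
    """40-fips.conf must carry the add_dracutmodules+=" fips " line the playbook adds."""
    pattern = re.compile(r'^\s*add_dracutmodules\+=\s*"[^"]*\bfips\b[^"]*"')
    return any(pattern.match(line) for line in conf_content.splitlines())

def fips_findings(sysctl_content, policy_content, dracut_content):
    """Return the list of missing FIPS settings; an empty list means all three are in place."""
    findings = []
    if not kernel_fips_enabled(sysctl_content):
        findings.append("kernel not in FIPS mode (fips-mode-setup --enable not run, or no reboot yet)")
    if not crypto_policy_is_fips(policy_content):
        findings.append("system-wide crypto policy is not FIPS")
    if not dracut_fips_module_enabled(dracut_content):
        findings.append("dracut fips module not configured in 40-fips.conf")
    return findings

def read_or_empty(path):
    """A missing file counts as 'not configured' instead of crashing the check."""
    return path.read_text() if path.exists() else ""

if __name__ == "__main__":
    problems = fips_findings(read_or_empty(FIPS_ENABLED_SYSCTL), read_or_empty(CRYPTO_POLICY_CONFIG),
                             read_or_empty(DRACUT_FIPS_CONF))
    print("FIPS mode verified" if not problems else "\n".join("MISSING: " + p for p in problems))
    raise SystemExit(1 if problems else 0)
```

Run it on the remediated host after the reboot that fips-mode-setup requires; a non-zero exit means the playbook did not leave the host in FIPS mode.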