
Conversation

@Arden97
Contributor

@Arden97 Arden97 commented Nov 12, 2025

Description:

  • These changes add a comment explaining why we don't have a rule implemented for RHEL-09-672020.

Rationale:

  • Fixes RHEL-104411
  • After a brief discussion with @Mab879, @ggbecker, and @jan-cerny, we concluded that the best resolution is to add this comment (both to control file and to JIRA ticket) explaining the proper usage of FIPS mode
  • An addition of a specific rule would cause further confusion, since for SCE-only mode most users would get notchecked result in their reports

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Nov 12, 2025
@openshift-ci

openshift-ci bot commented Nov 12, 2025

Hi @Arden97. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Mab879 Mab879 self-assigned this Nov 12, 2025
@Mab879 Mab879 added this to the 0.1.79 milestone Nov 12, 2025
Member

@Mab879 Mab879 left a comment


Some minor rewording

levels:
- medium
title: RHEL 9 crypto policy must not be overridden.
notes: The rule for this STIG is intentionally not implemented. Checking whether files under /etc/crypto-policies/back-ends/
Member


Suggested change
notes: The rule for this STIG is intentionally not implemented. Checking whether files under /etc/crypto-policies/back-ends/
notes: Rules for this control are intentionally not implemented. Checking whether files under /etc/crypto-policies/back-ends/

title: RHEL 9 crypto policy must not be overridden.
notes: The rule for this STIG is intentionally not implemented. Checking whether files under /etc/crypto-policies/back-ends/
are symlinks is not an appropriate way to verify the consistency of the system's cryptographic settings.
The suggested fix for the mentioned STIG does not fully satisfy its own requirements, as it also symlinks the nss.config file.
Member


Suggested change
The suggested fix for the mentioned STIG does not fully satisfy its own requirements, as it also symlinks the nss.config file.
The suggested fix for the mentioned in the STIG does not fully satisfy its own requirements, as it also symlinks the nss.config file.

Contributor Author


fixed in b7a0787

The suggested fix for the mentioned STIG does not fully satisfy its own requirements, as it also symlinks the nss.config file.
Furthermore, running sudo 'update-crypto-policies --set FIPS' is not a reliable way to ensure FIPS compliance. Customers should
refer to the official Red Hat Documentation and use the 'fips=1' kernel option during system installation to ensure the system is
in FIPS mode.
Collaborator


Contributor Author


added in 915a08d
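The distinction the control-file note draws (symlinks under /etc/crypto-policies/back-ends versus the kernel actually being in FIPS mode) is easier to see with a small check script. The following is an added example, not ComplianceAsCode project code and not the STIG's own check; the function names are illustrative, and all paths are parameters so it can be run against constructed directories. The live paths named in the comments (/etc/crypto-policies/back-ends, /etc/crypto-policies/config, /proc/sys/crypto/fips_enabled) are the standard RHEL 9 locations.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode project code. It contrasts the STIG-style
# "are the back-end configs symlinks?" test with checks of the state that
# actually matters for FIPS: the kernel flag and the selected policy.
# All paths are parameters so the functions can be run against constructed
# directories; the function names are illustrative.

# STIG-style test: every entry under the back-ends directory is a symlink.
# On RHEL 9 the directory is /etc/crypto-policies/back-ends. Passing this
# only says the files point somewhere; it says nothing about the kernel.
backends_all_symlinks() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        # an unexpanded '*' means the directory is empty
        [ -e "$f" ] || [ -L "$f" ] || continue
        [ -L "$f" ] || return 1
    done
    return 0
}

# Kernel state: the file (normally /proc/sys/crypto/fips_enabled) reads 1
# only when the kernel booted with fips=1 and its self-tests passed.
kernel_fips_enabled() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "1" ]; then
        return 0
    fi
    return 1
}

# Selected crypto policy name (normally /etc/crypto-policies/config),
# e.g. DEFAULT or FIPS; "unknown" if the file is missing.
current_policy() {
    cat "$1" 2>/dev/null || echo unknown
}

# Overall verdict, printed as one word:
#   fips         kernel in FIPS mode and the policy is FIPS
#   policy-only  policy is FIPS but the kernel is not in FIPS mode; this is
#                what switching the policy alone leaves behind
#   kernel-only  kernel in FIPS mode but the policy was changed away from FIPS
#   off          neither
fips_verdict() {
    fips_file="$1"; policy_file="$2"
    policy=$(current_policy "$policy_file")
    if kernel_fips_enabled "$fips_file"; then
        [ "$policy" = "FIPS" ] && echo fips || echo kernel-only
    else
        [ "$policy" = "FIPS" ] && echo policy-only || echo off
    fi
}

# Report against the live RHEL 9 locations: sh fips_check.sh --live
report_live() {
    if backends_all_symlinks /etc/crypto-policies/back-ends; then
        echo "STIG-style symlink test: pass"
    else
        echo "STIG-style symlink test: fail"
    fi
    echo "verdict: $(fips_verdict /proc/sys/crypto/fips_enabled /etc/crypto-policies/config)"
}

if [ "${1:-}" = "--live" ]; then
    report_live
fi
```

On a host where only `update-crypto-policies --set FIPS` was run, the symlink test passes while the verdict is `policy-only`, which is exactly the gap the note describes; a host installed with `fips=1` reports `fips`. The kernel flag is the state the note points customers at, and it is also what `fips-mode-setup --check` reports.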

@Arden97
Contributor Author

Arden97 commented Nov 13, 2025

@jan-cerny, @Mab879 thank you for your review! Do you mind if I leave a comment for reporter with similar wording on the original issue on JIRA?

@jan-cerny
Collaborator

/packit build

@Mab879 Mab879 merged commit d6b4255 into ComplianceAsCode:master Nov 14, 2025
129 of 130 checks passed