
Install the dracut-fips Package

An XCCDF Rule

Description

To enable FIPS, the system requires that the dracut-fips package be installed. The dracut-fips package can be installed with the following command:

$ sudo yum install dracut-fips

Regulatory Warning

System crypto modules must be provided by a vendor that undergoes FIPS-140 certification. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf

To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third-party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.

Rationale

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

ID: xccdf_org.ssgproject.content_rule_package_dracut-fips_installed
Severity: Medium



Remediation - Anaconda Pre-Install Instructions


package --add=dracut-fips

Remediation - OS Build Blueprint


[[packages]]
name = "dracut-fips"
version = "*"

Remediation - Ansible

- name: Ensure dracut-fips is installed
  package:
    name: dracut-fips
    state: present
  # Skip inside containers: FIPS kernel/initramfs state belongs to the host
  when:
  - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] )

Remediation - Puppet

include install_dracut-fips

class install_dracut-fips {
  package { 'dracut-fips':
    ensure => 'installed',
  }
}

Remediation - Shell Script

# Remediation is applicable only in certain platforms (not inside containers)
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && ! ( [ "${container:-}" == "bwrap-osbuild" ] ) ) && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

    if ! rpm -q --quiet "dracut-fips" ; then
        yum install -y "dracut-fips"
    fi

fi
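Installing the package is only one piece of enabling FIPS mode: the kernel must also be booted with fips=1 (on RHEL 7 the initramfs must be regenerated with dracut -f after dracut-fips is installed), and the effective state is reported by /proc/sys/crypto/fips_enabled. The following audit helper is an added example and not part of the SSG rule content; it checks all three conditions. The function names and the ability to pass alternate file paths are assumptions made for this example so the checks can be exercised against constructed files.

```shell
#!/bin/sh
# Added audit helper (example code, not SSG remediation content).
# Verifies that FIPS mode is actually effective, not just that the package exists.
# File paths are parameters (assumption for this example) so the checks can be
# run against constructed sample files as well as the live /proc entries.

# fips_sysctl_enabled FILE -> returns 0 if FILE contains exactly "1"
fips_sysctl_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# fips_cmdline_enabled FILE -> returns 0 if the kernel command line in FILE
# contains the exact token fips=1 (fips=0 or a missing token fails)
fips_cmdline_enabled() {
    [ -r "$1" ] && tr ' ' '\n' < "$1" | grep -qx 'fips=1'
}

# package_installed NAME -> returns 0 if rpm reports NAME installed
# (rpm is assumed to exist on the audited host; absence counts as a failure)
package_installed() {
    command -v rpm >/dev/null 2>&1 && rpm -q --quiet "$1"
}

# fips_audit [SYSCTL_FILE] [CMDLINE_FILE]
# Prints one PASS/FAIL line per check; return value is the number of failures.
fips_audit() {
    sysctl_file="${1:-/proc/sys/crypto/fips_enabled}"
    cmdline_file="${2:-/proc/cmdline}"
    failures=0

    if package_installed dracut-fips; then
        echo "PASS dracut-fips package installed"
    else
        echo "FAIL dracut-fips package not installed"
        failures=$((failures + 1))
    fi

    if fips_cmdline_enabled "$cmdline_file"; then
        echo "PASS kernel booted with fips=1 ($cmdline_file)"
    else
        echo "FAIL fips=1 missing from kernel command line ($cmdline_file)"
        failures=$((failures + 1))
    fi

    if fips_sysctl_enabled "$sysctl_file"; then
        echo "PASS crypto.fips_enabled is 1 ($sysctl_file)"
    else
        echo "FAIL crypto.fips_enabled is not 1 ($sysctl_file)"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Run against the live system when executed directly; pass two file paths to
# audit captured copies of fips_enabled and /proc/cmdline instead.
fips_audit "$@"
```

A non-zero exit status from fips_audit means at least one check failed; a host that has dracut-fips installed but reports FAIL on the other two lines has not yet had fips=1 added to the boot parameters (and, on RHEL 7, the initramfs rebuilt) or has not been rebooted since.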