{"description": "\nTo ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:\n\n$ apt-get install dracut-fips\ndracut -f
\nAfter the dracut command has been run, add the argument fips=1 to the default\nGRUB 2 command line for the Linux operating system in\n/etc/default/grub, in the manner below:\nGRUB_CMDLINE_LINUX=\"crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1\"
\nFinally, rebuild the grub.cfg file by using the\ngrub2-mkconfig -o
command as follows:\n\n\nTo ensure FIPS mode is enabled, run the following commands:\n\n\n$ apt-get install dracut-fips\n
", "rationale": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to\nprotect data. The operating system must implement cryptographic modules adhering to the higher\nstandards approved by the federal government since this provides assurance they have been tested\nand validated.", "severity": "high", "references": {"cis-csc": ["12", "15", "8"], "cjis": ["5.10.1.2"], "cobit5": ["APO13.01", "DSS01.04", "DSS05.02", "DSS05.03"], "cui": ["3.13.8", "3.13.11"], "isa-62443-2009": ["4.3.3.6.6"], "isa-62443-2013": ["SR 1.13", "SR 2.6", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.6.2.1", "A.6.2.2"], "nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1"], "nist": ["SC-12(2)", "SC-12(3)", "IA-7", "SC-13", "CM-6(a)", "SC-12"], "nist-csf": ["PR.AC-3", "PR.PT-4"], "srg": ["SRG-OS-000033-GPOS-00014", "SRG-OS-000185-GPOS-00079", "SRG-OS-000396-GPOS-00176", "SRG-OS-000405-GPOS-00184", "SRG-OS-000478-GPOS-00223"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "FIPS is not configured or enabled in grub", "ocil": "To verify that FIPS is enabled properly in grub, run the following command:\n$ grep fips /etc/default/grub
\nThe output should contain fips=1", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"functionality": "Running dracut -f
will overwrite the existing initramfs file."}, {"general": "\nThe system needs to be rebooted for these changes to take effect."}, {"regulatory": "System Crypto Modules must be provided by a vendor that undergoes\nFIPS-140 certifications.\nFIPS-140 is applicable to all Federal agencies that use\ncryptographic-based security systems to protect sensitive information\nin computer and telecommunication systems (including voice systems) as\ndefined in Section 5131 of the Information Technology Management Reform\nAct of 1996, Public Law 104-106. This standard shall be used in\ndesigning and implementing cryptographic modules that Federal\ndepartments and agencies operate or are operated for them under\ncontract. See \nhttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf\nTo meet this, the system has to have cryptographic software provided by\na vendor that has undergone this certification. This means providing\ndocumentation, test results, design information, and independent third\nparty review by an accredited lab. While open source software is\ncapable of meeting this, it does not meet FIPS-140 unless the vendor\nsubmits to this process."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "grub2 and system_with_kernel and not osbuild", "platforms": ["grub2 and system_with_kernel and not osbuild"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["grub2_and_not_osbuild_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enable FIPS Mode in GRUB2", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml", "template": null}