{"description": "\nTo enable FIPS mode, run the following command:\n<pre>fips-mode-setup --enable</pre>\n\nTo enable FIPS, the system requires that the <tt>fips</tt> module be added to the <tt>dracut</tt> configuration.\nCheck that <tt>/etc/dracut.conf.d/40-fips.conf</tt> contains <tt>add_dracutmodules+=\" fips \"</tt>.", "rationale": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to\nprotect data. The operating system must implement cryptographic modules adhering to the higher\nstandards approved by the federal government since this provides assurance they have been tested\nand validated.", "severity": "high", "references": {"nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1"], "nist": ["SC-12(2)", "SC-12(3)", "IA-7", "SC-13", "CM-6(a)", "SC-12"], "ospp": ["FCS_RBG_EXT.1"], "srg": ["SRG-OS-000478-GPOS-00223"], "ism": ["1446"]}, "control_references": {"ism": ["1446"]}, "components": [], "identifiers": {}, "ocil_clause": "the Dracut FIPS module is not enabled", "ocil": "To verify that the Dracut FIPS module is enabled, run the following command:\n<tt>grep \"add_dracutmodules\" /etc/dracut.conf.d/40-fips.conf</tt>\nThe output should look like this:\n<tt>add_dracutmodules+=\" fips \"</tt>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to run in FIPS mode.\n\nRun the following command to enable FIPS mode:\n$ sudo fips-mode-setup --enable\n\nCheck the /etc/dracut.conf.d/40-fips.conf file and make sure it includes the following line:\nadd_dracutmodules+=\" fips \"\n\nThe system needs to be rebooted for these changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards", "warnings": 
[{"general": "\nThe system needs to be rebooted for these changes to take effect."}, {"regulatory": "System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.\nFIPS-140 is applicable to all Federal agencies that use cryptographic-based security\nsystems to protect sensitive information in computer and telecommunication systems\n(including voice systems) as defined in Section 5131 of the Information Technology\nManagement Reform Act of 1996, Public Law 104-106. This standard shall be used in designing\nand implementing cryptographic modules that Federal departments and agencies operate or are\noperated for them under contract.\nSee <b>\n<a xmlns='http://www.w3.org/1999/xhtml' href='https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf'>https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b>\nTo meet this, the system has to have cryptographic software provided by a vendor that has\nundergone this certification. This means providing documentation, test results, design\ninformation, and independent third party review by an accredited lab. While open source\nsoftware is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to\nthis process."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", "vuldiscussion": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to\nprotect data. The operating system must implement cryptographic modules adhering to the higher\nstandards approved by the federal government since this provides assurance they have been tested\nand validated.", "checktext": "$ dpkg -l dracut", "fixtext": "Configure Ubuntu 22.04 to run in FIPS mode.\n\nRun the following command to enable FIPS mode:\n$ sudo fips-mode-setup --enable\n\nCheck the /etc/dracut.conf.d/40-fips.conf file and make sure it includes the following line:\nadd_dracutmodules+=\" fips \"\n\nThe system needs to be rebooted for these changes to take effect."}}, "platform": "not bootc and system_with_kernel and not osbuild", "platforms": ["not bootc and system_with_kernel and not osbuild"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["not_bootc_and_not_osbuild_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enable Dracut FIPS Module", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml", "template": null}
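The rule above asks for one config line and a reboot, but the line only matters once dracut has regenerated the initramfs and the kernel has come up in FIPS mode. The following script is an added example, not the rule's own OVAL or bash remediation: it checks a dracut.conf.d fragment for a whole-word "fips" entry in add_dracutmodules (tolerating extra modules and whitespace, ignoring commented lines), reads the kernel's FIPS flag, and optionally inspects a built initramfs with dracut's lsinitrd. The sample fragments are constructed for the demo, and the default initramfs path is an assumption (it follows the RHEL naming; adjust for the image layout of the host).

```shell
#!/bin/sh
# Added example, not ComplianceAsCode's own check content.
# Verifies the three states behind the "Enable Dracut FIPS Module" rule:
#  1. a dracut.conf.d fragment requests the fips module,
#  2. the running kernel reports FIPS mode,
#  3. (optional) the built initramfs actually contains the module.

# dracut_fips_requested FILE
# Returns 0 if FILE has an uncommented add_dracutmodules line whose quoted
# value contains "fips" as a whole word. dracut treats the value as a
# space-separated list, which is why the canonical line is written " fips "
# with padding spaces: += concatenates strings, and the spaces keep adjacent
# module names from running together.
dracut_fips_requested() {
    [ -r "$1" ] || return 1
    grep -Eq \
      '^[[:space:]]*add_dracutmodules\+?=[[:space:]]*"([^"]*[[:space:]])?fips([[:space:]][^"]*)?"' \
      "$1"
}

# fips_kernel_enabled [FILE]
# Returns 0 if the kernel reports FIPS mode, i.e. FILE holds "1".
# FILE defaults to the real sysctl; tests point it at a constructed file.
fips_kernel_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# initramfs_has_fips [IMAGE]
# Returns 0 if the *built* initramfs lists the fips module, 2 if lsinitrd
# (dracut's inspection tool) is not installed. The config line takes effect
# only after dracut regenerates the image, so this catches "edited the file,
# never rebuilt". The default IMAGE path is an assumption (RHEL-style name).
initramfs_has_fips() {
    img="${1:-/boot/initramfs-$(uname -r).img}"
    command -v lsinitrd >/dev/null 2>&1 || return 2
    lsinitrd -m "$img" 2>/dev/null | grep -qx fips
}

# Demo on constructed fragments; reports but never fails the script.
demo() {
    d=$(mktemp -d) || return 0
    printf '# constructed sample fragment\nadd_dracutmodules+=" fips "\n' > "$d/40-fips.conf"
    printf 'add_dracutmodules+=" systemd "\n' > "$d/90-other.conf"
    for f in "$d/40-fips.conf" "$d/90-other.conf"; do
        if dracut_fips_requested "$f"; then echo "PASS: fips requested in $f"
        else echo "FAIL: fips not requested in $f"; fi
    done
    if fips_kernel_enabled; then echo "kernel: FIPS mode on"
    else echo "kernel: FIPS mode off or unreadable (reboot pending, or not a FIPS host)"; fi
    rm -rf "$d"
    return 0
}
demo
```

Run it as-is for the demo, or source it and call the functions against the real paths; a host that passes the config check but fails the kernel check is exactly the "changes made, reboot still pending" state the rule warns about.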