{"description": "On a system where FIPS 140 mode is enabled, the system must be booted with the\nThe file <tt>/proc/sys/crypto/fips_enabled</tt> must have the contents of <tt>1</tt>\n\nTo verify the system has been booted in FIPS mode, run the following command:\n<pre>\n# cat /proc/sys/crypto/fips_enabled\n1\n</pre>", "rationale": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to\nprotect data. The operating system must implement cryptographic modules adhering to the higher\nstandards approved by the federal government since this provides assurance they have been tested\nand validated.", "severity": "high", "references": {"nist": ["SC-12(2)", "SC-12(3)", "SC-13"], "srg": ["SRG-OS-000396-GPOS-00176", "SRG-OS-000478-GPOS-00223"], "ism": ["1446"]}, "control_references": {"ism": ["1446"]}, "components": [], "identifiers": {}, "ocil_clause": "the system is not booted in fips mode", "ocil": "To verify that the system is booted with fips mode by running the following command:\n$ cat /proc/sys/crypto/fips_enabled\n\nThe output must be <tt>1</tt>.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "To configure Ubuntu 22.04 to run in FIPS 140 mode, the kernel parameter \"fips=1\" needs to be added during its installation.\nOnly enabling FIPS 140 mode during the Ubuntu 22.04 installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.\nEnabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported."}, {"regulatory": "System Crypto Modules must be provided by a vendor that undergoes\nFIPS-140 certifications.\nFIPS-140 is applicable to all Federal agencies that use\ncryptographic-based security systems to protect sensitive information\nin computer and telecommunication systems (including voice systems) as\ndefined in Section 5131 of the Information Technology Management Reform\nAct of 1996, Public Law 104-106. This standard shall be used in\ndesigning and implementing cryptographic modules that Federal\ndepartments and agencies operate or are operated for them under\ncontract. See <b>\n<a xmlns='http://www.w3.org/1999/xhtml' href='https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf'>https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf</a></b>\nTo meet this, the system has to have cryptographic software provided by\na vendor that has undergone this certification. This means providing\ndocumentation, test results, design information, and independent third\nparty review by an accredited lab. While open source software is\ncapable of meeting this, it does not meet FIPS-140 unless the vendor\nsubmits to this process."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must implement NIST FIPS-validated cryptography for the following: to\nprovision digital signatures, to generate cryptographic hashes, and to\nprotect data requiring data-at-rest protections in accordance with\napplicable federal laws, Executive Orders, directives, policies,\nregulations, and standards.", "vuldiscussion": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to\nprotect data. The operating system must implement cryptographic modules adhering to the higher\nstandards approved by the federal government since this provides assurance they have been tested\nand validated.", "checktext": "Verify that Ubuntu 22.04 is in FIPS mode with the following command:\n\ncat /proc/sys/crypto/fips_enabled\n\nIf the command doesn't return 1, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to implement FIPS mode by starting the installer kernel parameter with fips=1.\n\nIf this checks fails on an installed system it is a permanent finding until the system is reinstalled."}}, "platform": "system_with_kernel and not osbuild", "platforms": ["system_with_kernel and not osbuild"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["not_osbuild_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify that the system was booted with fips=1", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml", "template": null}