documentation_complete: true


title: Ensure '/etc/system-fips' exists

description: |-
    On a system where FIPS mode is enabled, <tt>/etc/system-fips</tt> must exist.
    {{% if 'rhel' not in product %}}
    To enable FIPS mode, run the following command:
    <pre>fips-mode-setup --enable</pre>
    {{% else %}}
    {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode.
    The installer must be booted with <tt>fips=1</tt> for the system to have FIPS mode
    enabled. Enabling FIPS mode on a preexisting system is not supported. If
    this rule fails on an installed system, then this is a permanent
    finding and cannot be fixed.
    {{% endif %}}
{{% if bootable_containers_supported == "true" %}}
    <br />
    To enable FIPS mode at bootable container build time configure <tt>fips=1</tt> kernel argument
    in <tt>/usr/lib/bootc/kargs.d/01-fips.toml</tt>:
    <pre>kargs = ["fips=1"]</pre>
    Then set the cryptographic policy to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>:
    <pre>update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}</pre>
{{% endif %}}

rationale: |-
    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
    protect data. The operating system must implement cryptographic modules adhering to the higher
    standards approved by the federal government since this provides assurance they have been tested
    and validated.

severity: high

references:
    nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
    nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12

ocil_clause: /etc/system-fips does not exist

ocil: |-
    To verify <tt>/etc/system-fips</tt> exists, run the following command:
    <pre>ls -l /etc/system-fips</pre>
    The output should be similar to the following:
    <pre>-rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips</pre>

warnings:
    - general: |-
        {{% if 'rhel' not in product %}}
        The system needs to be rebooted for these changes to take effect.
        {{% else %}}
        To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
        Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
        {{% endif %}}
    - regulatory: |-
        System Crypto Modules must be provided by a vendor that undergoes
        FIPS-140 certifications.
        FIPS-140 is applicable to all Federal agencies that use
        cryptographic-based security systems to protect sensitive information
        in computer and telecommunication systems (including voice systems) as
        defined in Section 5131 of the Information Technology Management Reform
        Act of 1996, Public Law 104-106. This standard shall be used in
        designing and implementing cryptographic modules that Federal
        departments and agencies operate or are operated for them under
        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
        To meet this, the system has to have cryptographic software provided by
        a vendor that has undergone this certification. This means providing
        documentation, test results, design information, and independent third
        party review by an accredited lab. While open source software is
        capable of meeting this, it does not meet FIPS-140 unless the vendor
        submits to this process.

platform: system_with_kernel and not osbuild