openstack/ansible-hardening
Code Issues Proposed changes

Enable FIPS [+Docs]

Browse Source 
This patch installs `dracut-fips` and checks to see if the deployer has FIPS
enabled at boot time. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I9a6da4dc753fbfc3949f0c78e53af3bb5e3083ef
This commit is contained in:
Major Hayden 2016-12-13 10:57:47 -06:00
parent a0b88da6bb
commit 1cf9fba0d3
4 changed files with 47 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
doc/metadata/rhel7/RHEL-07-021280.rst
View File

@ -1,7 +1,23 @@
--- ---
id: RHEL-07-021280 id: RHEL-07-021280
status: not implemented status: implemented - red hat only
tag: misc tag: misc
--- ---
This STIG requirement is not yet implemented. The tasks in the Ansible role install the ``dracut-fips`` and
``dracut-fips-aesni`` packages and check to see if FIPS is enabled on the
system. If it is not enabled, a warning message is printed in the Ansible
output.
Enabling FIPS at boot time requires additional manual configuration. Refer to
`Chapter 7. Federal Standards and Regulations`_ in the Red Hat documentation
for more details. Section 7.1.1 contains the steps required for updating
the bootloader configuration and regenerating the initramfs.
.. _Chapter 7. Federal Standards and Regulations : https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html
.. note::
This change only applies to CentOS and Red Hat Enterprise Linux. Ubuntu
does not use dracut by default and the process for enabling the FIPS
functionality at boot time is more complex.

24
tasks/rhel7stig/kernel.yml
View File

@ -67,3 +67,27 @@
- kernel - kernel
- medium - medium
- RHEL-07-021230 - RHEL-07-021230
- name: Check if FIPS is enabled
command: cat /proc/sys/crypto/fips_enabled
register: fips_check
changed_when: False
check_mode: no
when:
- ansible_os_family | lower == 'redhat'
tags:
- always
- name: Print a warning if FIPS isn't enabled
debug:
msg: >
FIPS is not enabled at boot time on this server.
The STIG requires FIPS to be enabled at boot time.
when:
- ansible_os_family | lower == 'redhat'
- fips_check is defined
- fips_check.stdout == '0'
tags:
- high
- misc
- RHEL-07-021280

5
tasks/rhel7stig/packages.yml
View File

@ -30,9 +30,10 @@
- packages - packages
- services - services
- RHEL-07-010072 - RHEL-07-010072
- RHEL-07-021910
- RHEL-07-020000 - RHEL-07-020000
- RHEL-08-020010 - RHEL-07-020010
- RHEL-07-021280
- RHEL-07-021910
- RHEL-07-030810 - RHEL-07-030810
- RHEL-07-040260 - RHEL-07-040260
- RHEL-07-040500 - RHEL-07-040500

2
vars/redhat.yml
View File

@ -102,6 +102,8 @@ stig_packages_rhel7:
- audispd-plugins - audispd-plugins
- audit - audit
- aide - aide
- dracut-fips
- dracut-fips-aesni
- openssh-clients - openssh-clients
- openssh-server - openssh-server
- screen - screen