Automated ingestion of profiles

Signed-off-by: MITRE SAF <[email protected]>
wdower · Dec 1, 2023 · 290896e · 290896e
1 parent b1e0e7f
commit 290896e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json
@@ -9520,7 +9520,7 @@
           "AC-17 (2)"
         ]
       },
-      "code": "control 'SV-230223' do\n  title 'RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'\n  desc 'Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the \"kernelopts\" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command \"fips-mode-setup\" modifies the \"kernelopts\" variable, which in turn updates all kernel boot entries. \n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.'\n  desc 'check', 'Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if FIPS mode is enabled with the following command:\n\n     $ fips-mode-setup --check\n     FIPS mode is enabled\n\nIf FIPS mode is \"enabled\", check to see if the kernel boot parameter is configured for FIPS mode with the following command:\n\n     $ sudo grub2-editenv list | grep fips\n     kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n     $ sudo cat /proc/sys/crypto/fips_enabled\n     1\n\nIf FIPS mode is not \"on\", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of \"1\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.'\n  desc 'fix', 'Configure the operating system to implement DOD-approved encryption by following the steps below:\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nEnable FIPS mode after installation (not strict FIPS-compliant) with the following command:\n\n     $ sudo fips-mode-setup --enable\n\nReboot the system for the changes to take effect.'\n  impact 0.7\n  tag severity: 'high'\n  tag gtitle: 'SRG-OS-000033-GPOS-00014'\n  tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000125-GPOS-00065', 'SRG-OS-000396-GPOS-00176', 'SRG-OS-000423-GPOS-00187', 'SRG-OS-000478-GPOS-00223']\n  tag gid: 'V-230223'\n  tag rid: 'SV-230223r928585_rule'\n  tag stig_id: 'RHEL-08-010020'\n  tag fix_id: 'F-32867r928584_fix'\n  tag cci: ['CCI-000068']\n  tag nist: ['AC-17 (2)']\n\n  if virtualization.system.eql?('docker')\n    describe 'Control not applicable within a container' do\n      skip \"Enforcement of Federal Government approved encryption algorithms should be enabled on the container as well.  Both Container OS and Host OS should be set to FIPS mode, which will require a set of FIPS-compliant cryptographic algorithms to be used on the system. Since checking the host's FIPS compliance can't be done within the container this check should be performed manually.\"\n    end\n  else\n    describe command('fips-mode-setup --check') do\n      its('stdout.strip') { should match /FIPS mode is enabled/ }\n    end\n\n    grub_config = command('grub2-editenv - list').stdout\n\n    describe parse_config(grub_config) do\n      its('kernelopts') { should match /fips=1/ }\n    end\n\n    describe file('/proc/sys/crypto/fips_enabled') do\n      its('content.strip') { should cmp '1' }\n    end\n  end\nend\n",
+      "code": "control 'SV-230223' do\n  title 'RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.'\n  desc 'Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the \"kernelopts\" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command \"fips-mode-setup\" modifies the \"kernelopts\" variable, which in turn updates all kernel boot entries. \n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.'\n  desc 'check', 'Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if FIPS mode is enabled with the following command:\n\n     $ fips-mode-setup --check\n     FIPS mode is enabled\n\nIf FIPS mode is \"enabled\", check to see if the kernel boot parameter is configured for FIPS mode with the following command:\n\n     $ sudo grub2-editenv list | grep fips\n     kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n     $ sudo cat /proc/sys/crypto/fips_enabled\n     1\n\nIf FIPS mode is not \"on\", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of \"1\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.'\n  desc 'fix', 'Configure the operating system to implement DOD-approved encryption by following the steps below:\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nEnable FIPS mode after installation (not strict FIPS-compliant) with the following command:\n\n     $ sudo fips-mode-setup --enable\n\nReboot the system for the changes to take effect.'\n  impact 0.7\n  tag severity: 'high'\n  tag gtitle: 'SRG-OS-000033-GPOS-00014'\n  tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000125-GPOS-00065', 'SRG-OS-000396-GPOS-00176', 'SRG-OS-000423-GPOS-00187', 'SRG-OS-000478-GPOS-00223']\n  tag gid: 'V-230223'\n  tag rid: 'SV-230223r928585_rule'\n  tag stig_id: 'RHEL-08-010020'\n  tag fix_id: 'F-32867r928584_fix'\n  tag cci: ['CCI-000068']\n  tag nist: ['AC-17 (2)']\n\n  if virtualization.system.eql?('docker')\n    impact 0.0\n    describe 'Control not applicable in a container' do\n      skip \"The host OS controls the FIPS mode settings. The host OS should also be scanned with the applicable OS validation profile.\"\n    end\n  else\n    describe command('fips-mode-setup --check') do\n      its('stdout.strip') { should match /FIPS mode is enabled/ }\n    end\n\n    grub_config = command('grub2-editenv - list').stdout\n\n    describe parse_config(grub_config) do\n      its('kernelopts') { should match /fips=1/ }\n    end\n\n    describe file('/proc/sys/crypto/fips_enabled') do\n      its('content.strip') { should cmp '1' }\n    end\n  end\nend\n",
       "source_location": {
         "ref": "./Red Hat 8 STIG/controls/SV-230223.rb",
         "line": 1
@@ -15578,7 +15578,7 @@
       "id": "controls/SV-230400.rb"
     }
   ],
-  "sha256": "88903fd2c802c7fd886590aacc1beada94805178be987a0d9482085a311487eb",
+  "sha256": "45edb208a562a8a874740f6b88ee5be882f2d87998f01c647ea1ed050862857d",
   "status_message": "",
   "status": "loaded",
   "generator": {