From ca053d15f569efe0c632d7b5ce6976bd6b12f9fd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 21 Jul 2023 16:13:44 +0200
Subject: [PATCH 1/3] add OVAL tests to test for fips=1 in /boot/loader/entries
 and in kernel command line

---
 .../fips/enable_fips_mode/oval/shared.xml     | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index e805136fff0..5c7a9a5f9dc 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -20,6 +20,36 @@
       {{% endif %}}
     </criteria>
   </definition>
+
+  <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
+  comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
+  check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
+    <ind:state state_ref="state_fips_1_argument_in_boot_loader_entries_conf" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
+    <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_fips_1_argument_in_boot_loader_entries_conf" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
+  </ind:textfilecontent54_state>
+  <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
+  comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
+  check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
+    <ind:state state_ref="state_fips_1_argument_in_etc_kernel_cmdline" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
+    <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
+    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_fips_1_argument_in_etc_kernel_cmdline" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
+  </ind:textfilecontent54_state>
+
   <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
     <ind:object object_ref="obj_system_crypto_policy_value" />
     <ind:state state_ref="ste_system_crypto_policy_value" />

From fde18585c7bbb739f83e728952f46a0268b24892 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 24 Jul 2023 16:46:26 +0200
Subject: [PATCH 2/3] rewrite criteria in OVAL

rewritten according to grub2_argument template
if RHEL8 or OL8, then the grubenv file is checked
if RHEL9 or OL9, then expanded /boot/loader/entries are checked
---
 .../fips/enable_fips_mode/oval/shared.xml     | 29 ++++++++++++++-----
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 5c7a9a5f9dc..8491060abea 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -7,15 +7,28 @@
       <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
       <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
       <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
-      {{% if product in ["ol8"] %}}
-      <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
-      test_ref="test_grubenv_fips_mode" />
-      {{% elif product in ["rhel8"] %}}
+      <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
+      {{% if "ol" in product or "rhel" in product %}}
       <criteria operator="OR">
-        <extend_definition comment="Generic test for s390x architecture"
-        definition_ref="system_info_architecture_s390_64" />
-        <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
-        test_ref="test_grubenv_fips_mode" />
+        <criteria operator="AND">
+          <extend_definition comment="Generic test for s390x architecture"
+          definition_ref="system_info_architecture_s390_64" />
+          <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
+          test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+        </criteria>
+        <criteria operator="AND">
+          <criteria negate="true">
+            <extend_definition comment="Generic test for NOT s390x architecture"
+            definition_ref="system_info_architecture_s390_64" />
+          </criteria>
+          {{% if product in ["ol8", "rhel8"] %}}
+          <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
+          test_ref="test_grubenv_fips_mode" />
+          {{% else %}}
+          <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
+          test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+          {{% endif %}}
+        </criteria>
       </criteria>
       {{% endif %}}
     </criteria>

From 78f087f497df8a56e7bcbc9d50f6474882dbe28a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 25 Jul 2023 10:03:52 +0200
Subject: [PATCH 3/3] remove duplicate oval state

---
 .../integrity/fips/enable_fips_mode/oval/shared.xml      | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 8491060abea..fe3f96f52a5 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -38,30 +38,27 @@
   comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
   check="all" check_existence="all_exist" version="1">
     <ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
-    <ind:state state_ref="state_fips_1_argument_in_boot_loader_entries_conf" />
+    <ind:state state_ref="state_fips_1_argument_in_captured_group" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
     <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
     <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
-  <ind:textfilecontent54_state id="state_fips_1_argument_in_boot_loader_entries_conf" version="1">
+  <ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
     <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
   </ind:textfilecontent54_state>
   <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
   comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
   check="all" check_existence="all_exist" version="1">
     <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
-    <ind:state state_ref="state_fips_1_argument_in_etc_kernel_cmdline" />
+    <ind:state state_ref="state_fips_1_argument_in_captured_group" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
     <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
     <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
-  <ind:textfilecontent54_state id="state_fips_1_argument_in_etc_kernel_cmdline" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
-  </ind:textfilecontent54_state>
 
   <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
     <ind:object object_ref="obj_system_crypto_policy_value" />