
Update FIPS warning message to focus on vendor submitting modules for certification #4853

Merged
merged 3 commits into from
Sep 23, 2019

Conversation

vojtapolasek
Collaborator

Description:

added rhel8 to oval check of the rule installed_OS_is_FIPS_certified
changed warning for rules from fips group

added rhel8 to oval check of the rule installed_OS_is_FIPS_certified
changed warning for rules from fips group
@yuumasato yuumasato requested review from shawndwells and redhatrises and removed request for shawndwells September 20, 2019 11:52
@yuumasato yuumasato added this to the 0.1.47 milestone Sep 20, 2019
@vojtapolasek vojtapolasek changed the title from "WIP: fips rules passing for rhel8" to "fips rules passing for rhel8" Sep 20, 2019
@redhatrises
Contributor

@vojtapolasek please add/update the banner for the following rules:

  • sshd_use_approved_macs
  • sshd_use_approved_ciphers
  • configure_crypto_policy
  • installed_OS_is_FIPS_certified
  • aide_use_fips_hashes

@redhatrises redhatrises self-assigned this Sep 20, 2019
@yuumasato
Member

@vojtapolasek I apologize. On Friday, I might have misguided you a bit.
I think it makes sense to have all warnings updated and synchronized.

@redhatrises As he will be out for a while, I'll address the issues.
Hope you don't mind, Vojta.

oval_sshd_config is not suitable for the sshd_use_approved_ciphers check.
The check extends installed_OS_is_FIPS_certified.

Reverts the check to its state before 117db27.
Note: Only this check is reverted.
@yuumasato
Member

@redhatrises FIPS regulatory warnings updated.

I found an issue with the check for sshd_use_approved_ciphers: it used the macro oval_sshd_config, but it doesn't extend installed_OS_is_FIPS_certified.
I hope it is okay to piggyback the fix in this PR.
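The defect described in the comment above, a FIPS-group OVAL check that does not extend installed_OS_is_FIPS_certified, is the kind of thing a small lint can catch before merge. The following is an added example, not ComplianceAsCode tooling: it parses OVAL definitions (namespaced or the project's shorthand form) and reports FIPS-group rules whose criteria lack that extend_definition. The sample OVAL is constructed, and treating the rule ids listed in this thread as one group is an assumption of the example.

```python
"""Lint OVAL definitions: every rule in the FIPS group must extend
installed_OS_is_FIPS_certified (the defect found in this PR for
sshd_use_approved_ciphers). Added example, not ComplianceAsCode tooling."""
import xml.etree.ElementTree as ET

FIPS_BASE = "installed_OS_is_FIPS_certified"
# Rule ids come from the thread; treating them as one group is an assumption here.
FIPS_GROUP = {"sshd_use_approved_macs", "sshd_use_approved_ciphers",
              "configure_crypto_policy", "aide_use_fips_hashes"}

def _local(tag):
    """Strip an XML namespace so shorthand and namespaced OVAL both work."""
    return tag.rsplit("}", 1)[-1]

def extended_definitions(definition):
    """Return the set of definition_ref values under this definition."""
    return {el.get("definition_ref") for el in definition.iter()
            if _local(el.tag) == "extend_definition"}

def lint_fips_definitions(oval_xml):
    """Return {rule_id: problem} for FIPS-group definitions not extending FIPS_BASE."""
    root = ET.fromstring(oval_xml)
    problems = {}
    for el in root.iter():
        if _local(el.tag) != "definition" or el.get("id") not in FIPS_GROUP:
            continue
        if FIPS_BASE not in extended_definitions(el):
            problems[el.get("id")] = "missing extend_definition of " + FIPS_BASE
    return problems

# Constructed sample in shorthand form: macs extends the FIPS base definition,
# ciphers does not (the bug described in the comment above).
SAMPLE_OVAL = """<def-group>
  <definition class="compliance" id="sshd_use_approved_macs" version="1">
    <criteria operator="AND">
      <extend_definition comment="FIPS mode" definition_ref="installed_OS_is_FIPS_certified"/>
      <criterion comment="MACs set" test_ref="test_sshd_use_approved_macs"/>
    </criteria>
  </definition>
  <definition class="compliance" id="sshd_use_approved_ciphers" version="1">
    <criteria operator="AND">
      <criterion comment="Ciphers set" test_ref="test_sshd_use_approved_ciphers"/>
    </criteria>
  </definition>
</def-group>"""

if __name__ == "__main__":
    for rule, problem in lint_fips_definitions(SAMPLE_OVAL).items():
        print(f"{rule}: {problem}")
```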

@yuumasato
Member

@redhatrises What do you think of a macro for these FIPS regulatory warnings? Something like yuumasato@d36f907

I think you mentioned that checks for FIPS rules should be explicit, that they cannot be templated. Would this restriction apply to the rule text as well?
These warnings are currently repeated 12 times in the repo.

@redhatrises redhatrises added the bugfix Fixes to reported bugs. label Sep 23, 2019
@redhatrises
Contributor

> @redhatrises What do you think of a macro for these FIPS regulatory warnings? Something like yuumasato@d36f907
>
> I think you mentioned that checks for FIPS rules should be explicit, that they cannot be templated. Would this restriction apply to the rule text as well?
> These warnings are currently repeated 12 times in the repo.

Personally, not a fan of macros for duplicated word text as we are always going to have duplicated content, and there is such a thing as over-macro'ing something. However if you choose to macro, only macro the value and not the yaml key.

@yuumasato
Member

yuumasato commented Sep 23, 2019

> Personally, not a fan of macros for duplicated word text as we are always going to have duplicated content, and there is such a thing as over-macro'ing something.

In this case, it would make it very easy for content developers to update the warning message.
But it can be tricky for whoever is reading the rule.yml with a macro to understand what it does.

> However if you choose to macro, only macro the value and not the yaml key.

The macro in yuumasato@d36f907 is just adding a value for regulatory warning.

We have changed the FIPS warning so frequently that I thought it would deserve a macro. But I also think that this warning needs to be as visible as possible.
So I won't macro it... now. Maybe next time a change is needed.

@redhatrises
Contributor

> > Personally, not a fan of macros for duplicated word text as we are always going to have duplicated content, and there is such a thing as over-macro'ing something.
>
> In this case, it would make it very easy for content developers to update the warning message.
> But it can be tricky for whoever is reading the rule.yml with a macro to understand what it does.
>
> > However if you choose to macro, only macro the value and not the yaml key.
>
> The macro in yuumasato@d36f907 is just adding a value for regulatory warning.
>
> We have changed the FIPS warning so frequently that I thought it would deserve a macro. But I also think that this warning needs to be as visible as possible.
> So I won't macro it... now. Maybe next time a change is needed.

Good point. Although, now I don't see us changing it really at all. (I know.... famous last words.)

@redhatrises
Contributor

LGTM

@redhatrises redhatrises merged commit 7217851 into ComplianceAsCode:master Sep 23, 2019
@yuumasato yuumasato changed the title from "fips rules passing for rhel8" to "Update FIPS warning message to focus on vendor submitting modules for certification" Sep 23, 2019