Issue
On AlmaLinux servers with FIPS mode enabled, false positives are observed when running OpenSCAP checks with OVAL definitions.
The following example output shows the issue:
# fips-mode-setup --check
FIPS mode is enabled.
# cat /proc/sys/crypto/fips_enabled
1
# oscap oval eval almalinux9.2-fips-oval.xml
Definition oval:com.tuxcare.clsa:def:1740142183: true
Definition oval:com.tuxcare.clsa:def:1738670922: true
Definition oval:com.tuxcare.clsa:def:1731956568: true
Definition oval:com.tuxcare.clsa:def:1729546717: false
Definition oval:com.tuxcare.clsa:def:1729546540: false
Definition oval:com.tuxcare.clsa:def:1729541873: true
Definition oval:com.tuxcare.clsa:def:1727351493: true
Definition oval:com.tuxcare.clsa:def:1725304408: true
Definition oval:com.tuxcare.clsa:def:1722530110: true
Definition oval:com.tuxcare.clsa:def:1719241565: true
Definition oval:com.tuxcare.clsa:def:1715000749: true
Definition oval:com.tuxcare.clsa:def:1712570434: true
Definition oval:com.tuxcare.clsa:def:1709548308: false
Some OVAL definitions are evaluated as false, even though the system is expected to meet these compliance criteria.
Environment
- AlmaLinux FIPS
- OpenSCAP
Solution
Our developers are aware of the issue. It is related to the way the information is generated by our oval-generator for the latest kernels. This doesn't affect compliance, and we've created an internal task to correct the problem (task ID is ELSIF-92).