From 10ccb3b3859abd30ecad4bcdb176c22a39357715 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miguel=20Mart=C3=ADn?=
Date: Thu, 16 Nov 2023 16:03:06 +0100
Subject: [PATCH] feature: check FIPS mode within the ostree images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Check if the os has the system FIPS mode enabled when `fips="true"` is passed as an ansible variable.

Signed-off-by: Miguel Martín
---
 test/data/ansible/check_ostree.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/test/data/ansible/check_ostree.yaml b/test/data/ansible/check_ostree.yaml
index d11c32e76..2d2106e1f 100644
--- a/test/data/ansible/check_ostree.yaml
+++ b/test/data/ansible/check_ostree.yaml
@@ -13,6 +13,7 @@
 ignition: "false"
 test_custom_dirs_files: "false"
 sysroot_ro: "false"
+ fips: "false"
 
 tasks:
 # current target host's IP address
@@ -75,6 +76,22 @@
 failed_counter: "{{ failed_counter | int + 1 }}"
 when: "'rt' in result_kernel.stdout"
 
+ - name: check system FIPS mode
+ block:
+ - name: run 'fips-mode-setup --check'
+ command: fips-mode-setup --check
+ register: fips_mode_setup
+
+ - name: check 'fips-mode-setup --check' output
+ assert:
+ that:
+ - "'FIPS mode is enabled' in fips_mode_setup.stdout"
+ - "'FIPS mode is disabled' not in fips_mode_setup.stdout"
+ - "'Installation of FIPS modules is not completed' not in fips_mode_setup.stdout"
+ - "'Inconsistent state detected' not in fips_mode_setup.stdout"
+ fail_msg: "FIPS mode not enabled"
+ when: fips == "true"
+
 # first installed or upgraded
 # first installed has one commit, but upgraded has two
 - name: determin which stage the checking is running on
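Review bot: The guard `when: fips == "true"` at the end of the new block matches only that exact string, so any other truthy spelling (`True`, `yes`, or a real boolean passed through JSON extra-vars) silently skips the whole FIPS check and the play still passes; `when: fips | bool` would run the check for those inputs as well. The verdict also rests only on the wording printed by `fips-mode-setup --check`; an additional assertion that `/proc/sys/crypto/fips_enabled` contains `1` would tie the test to the kernel state rather than to a message that may change between releases. The `command` task is read-only, so `changed_when: false` would keep it out of the changed count. The preceding task in the context lines updates `failed_counter`, which this block does not do; the rest of the play is outside the hunk, so confirm that aborting on the failed assert instead of counting it is intended.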