Remove overly restrictive FIPS checks #4920
chuckatkins wants to merge 1 commit into ComplianceAsCode:master from
Conversation
Whether or not a package is configured to use FIPS approved crypto algorithms and hashes or fips-related packages are installed is orthogonal to whether or not the installed operating system is FIPS certified. This removes the OS certification test from the configuration checks for individual components. Whether or not the OS is FIPS certified still remains a stand alone rule by itself and should continue to be used in environments where necessary.
Can one of the admins verify this patch?

Sorry but NACK. FIPS cipher checks are required to meet FIPS validated ciphers of which CentOS is not FIPS validated.

Specifically NIST 800-53 SI-1 and SC-13

This same issue causes all new point releases of RHEL to fail all fips rules until DISA adds the most recent version to the "supported" list... lots of false positives.

Aren't the rules in question though just supposed to be checking that "only fips approved ciphers are being used", not "only fips approved ciphers are being used on a fips certified os"? Forgetting about RHEL derivatives for the moment, developing content for other distros, you'd still want to be able to test the crypto configuration regardless of whether or not the os is certified. There's already a separate rule that covers whether the os is approved or not. So doesn't it make sense then for the profiles to include all the fips related rules and the ones checking technical configuration should be able to pass on any distro if configured appropriately while the "os is certified" would always fail unless rhel proper at a certified minor release?
Description:
Rationale:
Whether or not a package is configured to use FIPS approved crypto algorithms and hashes or fips-related packages are installed is orthogonal to whether or not the installed operating system is FIPS certified. Whether or not the OS is FIPS certified still remains a stand alone rule by itself and should continue to be used in environments where necessary.
Fixes Excessive FIPS checks #4917
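The thread argues that a "FIPS-approved ciphers are configured" check should evaluate the technical configuration on its own, with OS certification left to its separate rule. The following is an added example of what such a standalone configuration check looks like; it is not ComplianceAsCode content and not the OVAL the project ships. It reads the sshd `Ciphers` directive and compares it against an allowlist of cipher names. The allowlist (`FIPS_OK_CIPHERS`) and the function name `fips_ciphers_ok` are assumptions for illustration, not an authoritative FIPS list, and the OS-certification test is deliberately not modeled.

```shell
#!/bin/sh
# Added example, not project code. Checks the sshd "Ciphers" directive
# against an allowlist of cipher names. The allowlist below is an
# assumption for illustration; consult the relevant FIPS validation
# for the authoritative set.
FIPS_OK_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com"

# fips_ciphers_ok <path to sshd_config>
#   prints every configured cipher that is NOT on the allowlist
#   returns 0  all configured ciphers are on the allowlist
#           1  at least one configured cipher is not on the allowlist
#           2  no absolute Ciphers directive found (OpenSSH defaults
#              include non-allowlisted ciphers such as chacha20-poly1305,
#              and "+"/"-"/"^" prefix forms depend on those defaults,
#              so neither can be judged from the file alone)
fips_ciphers_ok() {
    cfg="$1"
    # first matching directive wins in sshd, so take only the first line
    line=$(grep -Ei '^[[:space:]]*Ciphers[[:space:]]+' "$cfg" | head -n1)
    [ -n "$line" ] || return 2
    ciphers=$(printf '%s\n' "$line" \
        | sed -E 's/^[[:space:]]*[Cc][Ii][Pp][Hh][Ee][Rr][Ss][[:space:]]+//' \
        | tr ',' ' ')
    case "$ciphers" in
        [+^-]*) return 2 ;;
    esac
    bad=0
    for c in $ciphers; do
        ok=0
        for a in $FIPS_OK_CIPHERS; do
            if [ "$c" = "$a" ]; then
                ok=1
                break
            fi
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$c"
            bad=1
        fi
    done
    return $bad
}

# Usage (stand-alone): . ./fips_ciphers.sh; fips_ciphers_ok /etc/ssh/sshd_config
```

Nothing in the function depends on the distribution or its release string, which is the property the discussion asks for: the same check passes on any host whose sshd configuration is restricted to the allowlist and fails on one that is not, while whether the OS itself is FIPS-validated stays a separate question.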