Gist: linuxmalaysia/a3846de604e5f6ed95d48368389f7471
This script is designed to enhance the security and monitoring capabilities of an AlmaLinux 9 system by installing and configuring various security-related tools and making some system-level adjustments.
```bash
#!/bin/bash
# By harisfazillah Jamel with Google Gemini Help
# 20250411
# This script is designed to enhance the security and monitoring capabilities
# of an AlmaLinux 9 system by installing and configuring various security-related
# tools and making some system-level adjustments.
# --- Initial System Setup ---
# Update package list:
# This command refreshes the local package index, ensuring you have the latest
# information about available packages and their versions from the configured
# repositories.
sudo dnf check-update
# Upgrade packages:
# This command upgrades all installed packages to their latest available versions
# from the repositories. The `-y` flag automatically answers "yes" to all
# prompts, making the process non-interactive. It's crucial to keep your system
# up-to-date for security and stability.
sudo dnf upgrade -y
# --- Enable Additional Repositories ---
# Install EPEL (Extra Packages for Enterprise Linux) and AlmaLinux CRB (Continuous
# Release Branch) repositories.
# Link to AlmaLinux Wiki for EPEL information:
# https://wiki.almalinux.org/repos/Extras.html#epel
# Enable the CRB repository:
# The CRB repository provides packages that are not part of the standard
# AlmaLinux releases but might be useful for specific hardware or workloads.
sudo dnf config-manager --set-enabled crb
# Alternatively, enable CRB with the helper script shipped in almalinux-release
# (redundant with the config-manager command above, but harmless; it needs root):
sudo /usr/bin/crb enable
# Install ELRepo (Enterprise Linux Repository):
# ELRepo is a third-party repository that often provides newer versions of
# kernel-related packages, especially drivers for hardware support.
sudo dnf install -y elrepo-release
# --- Install Essential Security Tools ---
# Install a suite of important security and monitoring tools using dnf.
# The `-y` flag automatically confirms the installation.
sudo dnf install -y fail2ban aide lynis rkhunter clamav etckeeper openscap-utils sysstat dnf-automatic firewalld chrony
# Explanation of the installed tools:
# - fail2ban: Protects against brute-force attacks by monitoring log files
# and banning IPs that show malicious signs.
# - aide (Advanced Intrusion Detection Environment): A file integrity checker
# that creates a database of file attributes and can detect unauthorized
# modifications.
# - lynis: A security auditing tool that performs extensive security checks
# on the system.
# - rkhunter (Rootkit Hunter): Scans the system for signs of rootkits and other
# malicious software.
# - clamav: An open-source antivirus engine for detecting malware.
# - etckeeper: A tool to store /etc in a version control system (like Git)
# to track configuration changes.
# - openscap-utils: Utilities related to the Security Content Automation
# Protocol (SCAP) for security compliance checking.
# - sysstat: A collection of performance monitoring tools (like sar, iostat)
# that can also be useful for detecting anomalies.
# - dnf-automatic: A service that can automatically download and apply security
# updates.
# - firewalld: A dynamic firewall manager that provides a framework for managing
# network security.
# - chrony: An alternative Network Time Protocol (NTP) client and server for
# keeping the system clock synchronized.
# Install qemu agent (optional):
# This package is typically installed on virtual machines running under QEMU/KVM
# to provide better communication and control between the host and guest.
sudo dnf -y install qemu-guest-agent
# --- Enable and Start Essential Security Services ---
# Enable and immediately start key security services.
sudo systemctl enable --now fail2ban etckeeper firewalld
# Explanation:
# - sudo systemctl enable <service>: Configures the service to start
# automatically at boot time.
# - --now: Also starts the service immediately in the current session.
# --- Configure etckeeper ---
# Initialize etckeeper:
# This command sets up the version control system (Git by default) in the
# /etc directory.
sudo etckeeper init
# Navigate to the /etc directory:
cd /etc
# Configure global user for Git:
# These commands set the user email and name that will be associated with
# commits made by etckeeper. It's good practice to configure this.
sudo git config --global user.email "[email protected]"
sudo git config --global user.name "Harisfazillah Jamel"
# --- Configure chrony ---
# Install chrony (redundant as it was installed earlier, but ensures it's present):
sudo dnf install -y chrony
# Use sed to append additional NTP servers to /etc/chrony.conf:
# This adds a list of NTP servers, including servers in Malaysia and Google's
# public NTP servers, to improve time synchronization accuracy and redundancy.
# The 'iburst' option tells chrony to send a burst of packets initially to
# speed up the initial synchronization.
sudo sed -i '/pool 2.almalinux.pool.ntp.org iburst/a \
server ntp1.sirim.my iburst \
server ntp2.sirim.my iburst \
server time.unisza.edu.my iburst \
server time1.google.com iburst \
server time2.google.com iburst \
server time3.google.com iburst \
server time4.google.com iburst' /etc/chrony.conf
# Set the timezone to Asia/Kuala_Lumpur:
sudo timedatectl set-timezone "Asia/Kuala_Lumpur"
# Restart chrony to apply the configuration changes:
sudo systemctl restart chronyd
# Enable chrony to start at boot:
sudo systemctl --now enable chronyd
# Check the status of chrony:
sudo systemctl status chronyd
# Check the sources of time chrony is using:
# The '-v' option provides verbose output.
chronyc sources -v
# Check the system's time synchronization status using chrony:
chronyc tracking
# Check the system's time synchronization status using timedatectl:
timedatectl show-timesync
# Display the current system time:
date
# --- Configure rkhunter ---
# Configure rkhunter settings in /etc/sysconfig/rkhunter and /etc/rkhunter.conf
# using sed to modify specific lines:
# Enable daily cron job for rkhunter:
sudo sed -i 's/CRON_DAILY_RUN=""/CRON_DAILY_RUN="true"/g' /etc/sysconfig/rkhunter
# Allow rkhunter to refresh its own mirrors list when updating:
sudo sed -i 's/UPDATE_MIRRORS=0/UPDATE_MIRRORS=1/g' /etc/rkhunter.conf
# MIRRORS_MODE=0 lets rkhunter use any listed mirror; 1 restricts it to local
# mirrors only, which would leave it with nothing to download from here:
sudo sed -i 's/MIRRORS_MODE=1/MIRRORS_MODE=0/g' /etc/rkhunter.conf
# Enable all tests during rkhunter checks:
sudo sed -i 's/ENABLE_TESTS=.*$/ENABLE_TESTS=ALL/g' /etc/rkhunter.conf
# Comment out WEB_CMD. It names the program rkhunter uses to download updates;
# some packaged configurations set it to /bin/false to block downloads, which
# would make the '--update' below fail. Commenting it out restores the default
# downloader (curl/wget):
sudo sed -i 's/WEB_CMD=/#WEB_CMD=/g' /etc/rkhunter.conf
# Update rkhunter's database of known good files and rootkit signatures:
sudo rkhunter --update
# Update file properties database:
# This command creates or updates the baseline database of file properties
# so that rkhunter can detect changes. It's important to run this after
# initial setup and any intentional system changes.
sudo rkhunter --propupd
# Run a rootkit check:
# The '--check' option initiates a scan, and '--sk' skips any interactive
# prompts during the check.
sudo rkhunter --check --sk
# --- Configure fail2ban ---
# Copy the default jail configuration to the local configuration file:
# Customizations belong in jail.local so they survive package updates, which
# overwrite jail.conf. Note that fail2ban reads jail.conf and then jail.local,
# so jail.local only needs the settings you want to override (for example an
# [sshd] section with "enabled = true"); copying the whole file works but
# freezes every default at today's values.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Restart the fail2ban service to apply any configuration changes:
sudo systemctl restart fail2ban
# Enable fail2ban to start automatically at boot:
sudo systemctl --now enable fail2ban
# Check the status of the fail2ban service:
sudo systemctl status fail2ban
# --- Configure sysstat ---
# Enable sysstat data collection:
# These sed commands modify /etc/sysconfig/sysstat so that historical
# performance data is collected and kept for 28 days. Each pattern is anchored
# on a leading '#', so it only rewrites a key that is commented out; a key that
# is already active with a different value is left as it is. Check the file
# afterwards rather than assuming the values took effect.
sudo sed -i 's/^#HISTORY=.*/HISTORY=28/' /etc/sysconfig/sysstat
sudo sed -i 's/^#SA_DIR=.*/SA_DIR=\/var\/log\/sa/' /etc/sysconfig/sysstat
sudo sed -i 's/^#SA_CRON=.*/SA_CRON=YES/' /etc/sysconfig/sysstat
# The commented-out lines below were intended to create a directory for daily
# reports and a cron job to generate them. However, the standard sysstat
# configuration usually handles data collection and reporting.
###sudo mkdir -p /var/log/sa/daily
###echo "0 0 * * * /usr/lib/sysstat/./sa1 -C /var/log/sa/daily" >> /etc/crontab
# Restart the sysstat service:
sudo systemctl restart sysstat
# Enable sysstat to start at boot:
sudo systemctl --now enable sysstat
# Check the status of the sysstat service:
sudo systemctl status sysstat
# --- Configure Lynis ---
# Check if the default profile file exists:
if [ -f /etc/lynis/default.prf ]; then
# Copy the default profile to a custom profile:
sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
# Modify the custom profile to enable specific features:
sudo sed -i 's/^#cronjob_update = yes$/cronjob_update = yes/g' /etc/lynis/custom.prf
sudo sed -i 's/^#upload_test_results = no$/upload_test_results = no/g' /etc/lynis/custom.prf
sudo sed -i 's/^#upload_rootkit_results = yes$/upload_rootkit_results = yes/g' /etc/lynis/custom.prf
sudo sed -i 's/^#suid_scan_allow = bin\/mail$/suid_scan_allow = /g' /etc/lynis/custom.prf
sudo sed -i 's/^#suid_scan_deny = ALL$/suid_scan_deny = \/usr\/bin\/newgrp \/usr\/bin\/chsh \/usr\/bin\/gpasswd/g' /etc/lynis/custom.prf
else
echo "default.prf file not found, skipping Lynis configuration"
fi
# Exclamation marks in custom.prf:
# A backslash before '!' has no special meaning in a sed replacement, so this
# substitution rewrites the first '!' on each line as '!' and leaves the file
# unchanged. It is harmless and is kept as written.
sudo sed -i 's/!/\!/' /etc/lynis/custom.prf
# Schedule Lynis to run daily using cron:
# This adds a cron job that runs the Lynis audit at 3:16 AM daily using
# the custom profile and in cronjob mode (non-interactive).
sudo bash -c "echo '16 3 * * * root /usr/sbin/lynis audit system --profile /etc/lynis/custom.prf --cronjob' > /etc/cron.d/lynis" || echo "Failed to schedule Lynis with cron"
# Run a Lynis audit immediately using the custom profile:
sudo lynis audit system --profile /etc/lynis/custom.prf || echo "Lynis audit failed"
# --- Update rsyslog for High Precision Timestamps ---
# Goal: RFC 3339 timestamps with sub-second precision in /var/log/messages.
# The stock /etc/rsyslog.conf on AlmaLinux 9 selects the traditional
# "Apr 11 03:16:01" format with
#   module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
# and changing that Template to RSYSLOG_FileFormat gives the high-precision
# format. The commented-out sed below targets a "#load=..." line that does not
# match the stock file, so it would change nothing; this step was left for
# manual intervention.
#sudo sed -i 's/#load="builtin:omfile" #Template="RSYSLOG_TraditionalFileFormat"/load="builtin:omfile" #Template="RSYSLOG_TraditionalFileFormat"/' /etc/rsyslog.conf
# Restart the rsyslog service to apply any configuration changes (even if the
# sed command above didn't do what was intended):
sudo systemctl restart rsyslog
# Generate a test log message that embeds the current time with nanosecond
# precision (%s.%N = seconds since the epoch plus nanoseconds). logger ignores
# stdin when it is given a message argument, so the time is placed in the
# message itself; that lets you compare it with the timestamp rsyslog prefixes.
logger "This is a test with high-precision timestamp $(date +%s.%N)"
# Find the test message in /var/log/messages (readable by root only on
# AlmaLinux) and inspect the timestamp format rsyslog used:
sudo grep "This is a test with high-precision timestamp" /var/log/messages | tail -n 1
# --- Enable FIPS Mode (Federal Information Processing Standards) ---
# Install fips-mode-setup. On AlmaLinux 9 it is shipped in the
# crypto-policies-scripts package:
sudo dnf install -y crypto-policies-scripts
# Enable FIPS mode:
# This command modifies the system configuration to operate in FIPS-compliant
# mode, which enforces specific cryptographic algorithms and security policies.
# Enabling FIPS mode requires a system reboot to take full effect.
sudo fips-mode-setup --enable
# The output of the fips-mode-setup command informs the user about the reboot
# requirement.
# Check if FIPS mode is enabled:
# This command reads a kernel parameter that indicates whether FIPS mode is active.
# It will likely return '1' after a reboot if FIPS mode was successfully enabled.
cat /proc/sys/crypto/fips_enabled
```
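Most of the script's configuration changes are literal `sed 's/OLD/NEW/'` substitutions (rkhunter, sysstat, Lynis). Those only take effect when the file contains the exact expected text, and they silently do nothing otherwise. The helper below is an added example, not part of the gist, showing an idempotent way to set `KEY=VALUE` in a shell-style config file: it rewrites an active or commented-out definition, appends the key when absent, removes duplicates, and leaves the file untouched on a second run. The sample file it edits is constructed inline and only resembles `/etc/sysconfig/sysstat`.

```shell
#!/bin/bash
# Added example (not part of the original gist): idempotent "set KEY=VALUE" for
# shell-style configuration files such as /etc/sysconfig/rkhunter,
# /etc/sysconfig/sysstat and /etc/rkhunter.conf.

# set_kv FILE KEY VALUE
#   first "KEY=..." or "#KEY=..." line -> replaced by "KEY=VALUE"
#   further definitions of KEY         -> dropped
#   no definition at all               -> "KEY=VALUE" appended
# Note: awk -v expands backslash escapes in VALUE; plain paths and quoted
# strings such as '"true"' pass through unchanged.
set_kv() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)" || return 1
    awk -v key="$key" -v value="$value" '
        $0 ~ ("^[ \t]*#?[ \t]*" key "[ \t]*=") {
            if (!done) { print key "=" value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key "=" value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back with cat, not mv, so owner, mode and SELinux label are kept.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_kv FILE KEY -> prints the value of the last active "KEY=..." line
# (empty output when the key is absent or only present commented out).
get_kv() {
    awk -v key="$2" -F= '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { sub(/^[^=]*=/, ""); v = $0 }
        END { print v }
    ' "$1"
}

# Demonstration on a constructed sample file (not the real sysstat config).
demo() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# constructed sample resembling /etc/sysconfig/sysstat
HISTORY=7
#COMPRESSAFTER=31
SA_DIR=/var/log/sa
EOF
    set_kv "$f" HISTORY 28          # active key: value replaced
    set_kv "$f" COMPRESSAFTER 10    # commented-out key: activated
    set_kv "$f" SA_CRON YES         # missing key: appended
    set_kv "$f" HISTORY 28          # repeat run: file unchanged
    cat "$f"
    rm -f "$f"
}
demo
```

Run it once to see the sample file before and after; in the script itself you would call `sudo bash -c '...'` or run the whole file as root, since the targets under `/etc` are root-owned. Reading the value back with `get_kv` after each change is the check the original sed one-liners lack.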
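The rsyslog section of the script leaves the high-precision timestamp change to manual intervention and then checks the result by eye. As an added example, not code from the gist, the functions below do that step explicitly: one rewrites the `Template=` parameter of the `module(load="builtin:omfile" ...)` line (the form used in the stock AlmaLinux 9 `/etc/rsyslog.conf`; a config without that line is left untouched), one reads it back, and `ts_format`/`highres_ratio` classify log lines as traditional, RFC 3339, or RFC 3339 with fractional seconds so the outcome can be checked with a command rather than by reading the log. The config snippet and log lines are constructed inline; the function and template names `RSYSLOG_FileFormat` and `RSYSLOG_TraditionalFileFormat` are rsyslog's built-in template names.

```shell
#!/bin/bash
# Added example (not part of the original gist): switch rsyslog's file output
# template to the high-precision RFC 3339 format and verify it on log lines.

# set_omfile_template CONF TEMPLATE
#   Rewrites   module(load="builtin:omfile" Template="...")   in CONF to use
#   TEMPLATE. RSYSLOG_TraditionalFileFormat -> "Apr 11 03:16:01 host ..."
#             RSYSLOG_FileFormat            -> "2025-04-11T03:16:01.123456+08:00 host ..."
set_omfile_template() {
    local conf="$1" tpl="$2"
    sed -i -E \
        's/^([ \t]*module\(load="builtin:omfile"[ \t]+Template=")[^"]*(")/\1'"$tpl"'\2/' \
        "$conf"
}

# get_omfile_template CONF -> prints the template currently configured
get_omfile_template() {
    sed -n -E 's/^[ \t]*module\(load="builtin:omfile"[ \t]+Template="([^"]*)".*/\1/p' "$1"
}

# ts_format LINE -> rfc3339-highres | rfc3339 | traditional | unknown
ts_format() {
    if printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]+'; then
        echo rfc3339-highres
    elif printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}'; then
        echo rfc3339
    elif printf '%s\n' "$1" | grep -Eq '^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} '; then
        echo traditional
    else
        echo unknown
    fi
}

# highres_ratio FILE -> prints "<high-precision lines>/<non-empty lines>"
highres_ratio() {
    local total=0 hi=0 line
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        total=$((total + 1))
        if [ "$(ts_format "$line")" = rfc3339-highres ]; then hi=$((hi + 1)); fi
    done < "$1"
    echo "$hi/$total"
}

# Demonstration on constructed input (a copy of the stock omfile line and a few
# made-up log lines, not real system files).
demo() {
    local conf log
    conf="$(mktemp)"; log="$(mktemp)"
    printf '%s\n' '# Use default timestamp format (constructed copy)' \
        'module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")' > "$conf"
    echo "before: $(get_omfile_template "$conf")"
    set_omfile_template "$conf" RSYSLOG_FileFormat
    echo "after:  $(get_omfile_template "$conf")"
    printf '%s\n' \
        'Apr 11 03:16:01 alma9 root[1234]: This is a test with high-precision timestamp' \
        '2025-04-11T03:16:01.123456+08:00 alma9 root[1234]: This is a test with high-precision timestamp' \
        > "$log"
    echo "high-precision lines: $(highres_ratio "$log")"
    rm -f "$conf" "$log"
}
demo
```

On a live system the pair `sudo set_omfile_template /etc/rsyslog.conf RSYSLOG_FileFormat` followed by `sudo systemctl restart rsyslog` replaces the manual step, and `highres_ratio <(sudo tail -n 20 /var/log/messages)` should approach `20/20` once only new lines remain.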