Bug 553137 - Aide doesn't initialize its database when FIPS is enabled
Summary: Aide doesn't initialize its database when FIPS is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: aide
Version: 5.4
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Daniel Kopeček
QA Contact: Karel Srot
URL:
Whiteboard:
Duplicates: 806865
Depends On:
Blocks: 574770 811936
 
Reported: 2010-01-07 08:27 UTC by Karel Srot
Modified: 2018-11-28 21:09 UTC
CC: 9 users

Fixed In Version: aide-0.13.1-7.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 574770 806865
Environment:
Last Closed: 2012-07-27 07:53:17 UTC
Target Upstream Version:
Embargoed:


Attachments
Attachment contains bug info including the console log of the bug verification (5.48 KB, text/plain)
2010-01-07 08:27 UTC, Karel Srot


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:1119 0 normal SHIPPED_LIVE aide bug fix update 2012-07-27 11:50:22 UTC

Description Karel Srot 2010-01-07 08:27:49 UTC
Created attachment 382173
Attachment contains bug info including the console log of the bug verification

Description of problem:

When FIPS is enabled (in kernel or even only by creating /etc/gcrypt/fips_enabled file) aide fails to initialize the database producing the error:

[root@dell-pe1420-01 aide-tst]# aide -c /tmp/aide-tst/aide.conf -i
libgcrypt selftest: binary  (0): No such file or directory
gcrypt_md_open failed


Version-Release number of selected component (if applicable):
aide-0.13.1-6.el5
aide-0.13.1-4.el5


How reproducible:
always


Steps to Reproduce:
1. # touch /etc/gcrypt/fips_enabled
2. prepare a simple aide.conf file which uses only FIPS "supported" cryptography (no md5 etc.); you may use the file below as a template
3. initialize aide database
   # aide -c PATH_TO_YOUR_CONF_FILE/aide.conf -i  


Actual results:
.qa.[root@ia64-5s-m1 aide-test]# aide -c /tmp/aide-test/aide.conf -i
libgcrypt selftest: binary  (0): Invalid argument
gcrypt_md_open failed


Expected results:
proper initialization of aide database


Additional info:

Please see the attachment for the console log of the bug verification.

# ---------------------
# sample aide.conf file for the test
# ---------------------

@@define DBDIR /tmp/aide-test/db
@@define LOGDIR /tmp/aide-test/log

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
database_out=file:@@{DBDIR}/aide.db.new.gz
database_new=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout

NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

# files to watch
/etc/passwd   NORMAL
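
The reproduction above switches FIPS on through /etc/gcrypt/fips_enabled and feeds aide a config that sticks to sha256. As an added check (not part of the bug report or of aide), this POSIX shell script reports which FIPS switch is active and lists the checksum attributes in an aide.conf that libgcrypt will refuse in FIPS mode; the digest names, the kernel flag path and the built-in group note are assumptions drawn from aide's attribute list and the report.

```shell
#!/bin/sh
# Added example, not from the bug report or from aide: report which FIPS switch is
# on and lint an aide.conf for checksum attributes that libgcrypt refuses in FIPS
# mode, so "aide -i" does not die in gcrypt_md_open. Assumed: aide's attribute
# names (md5, rmd160, tiger, crc32, crc32b, haval, gost, whirlpool are disabled in
# FIPS mode; sha1/sha256/sha512 stay usable) and the two switches the report names:
# kernel flag /proc/sys/crypto/fips_enabled, file /etc/gcrypt/fips_enabled.

NON_FIPS_DIGESTS="md5 rmd160 tiger crc32 crc32b haval gost whirlpool"

# fips_state: prints "both", "kernel", "gcrypt" or "off".
fips_state() {
    k=0; g=0
    if [ -r /proc/sys/crypto/fips_enabled ] && [ "$(cat /proc/sys/crypto/fips_enabled)" = 1 ]; then k=1; fi
    if [ -e /etc/gcrypt/fips_enabled ]; then g=1; fi
    case "$k$g" in
        11) echo both ;; 10) echo kernel ;; 01) echo gcrypt ;; *) echo off ;;
    esac
}

# aide_non_fips_digests CONF: print, sorted and unique, every FIPS-disabled digest
# that CONF's rule definitions (NAME = a+b+c) or path lines still use. A token
# "X-md5" removes md5 from group X, so the part after "-" is not in use and is cut.
# Built-in groups (R, L, >) are not expanded; in aide 0.13, R includes md5, so a
# rule built from plain R still needs a manual look.
aide_non_fips_digests() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e '/^@@/d' "$1" \
      | tr -s '+=[:blank:]' '[\n*]' \
      | sed -e 's/-.*//' \
      | grep -x -E "$(echo "$NON_FIPS_DIGESTS" | tr ' ' '|')" \
      | sort -u
}

# Demo on a constructed config: the report's NORMAL rule, a rule that strips md5
# from the built-in R group, and a legacy md5 rule with tiger added on one path.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
@@define DBDIR /tmp/aide-test/db
database=file:@@{DBDIR}/aide.db.gz
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
STRICT = R-md5+sha256
LEGACY = p+i+n+u+g+s+m+c+md5
/etc/passwd   NORMAL
/usr/sbin     LEGACY+tiger
EOF
echo "FIPS mode: $(fips_state)"
bad=$(aide_non_fips_digests "$demo_conf")   # -> md5 and tiger
[ -n "$bad" ] && printf 'FIPS-disabled digests in use:\n%s\n' "$bad" \
              || echo "aide.conf uses only FIPS-available digests"
rm -f "$demo_conf"
```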

Comment 2 RHEL Program Management 2010-08-09 19:05:07 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 3 jared jennings 2011-06-06 20:45:01 UTC
I've seen what I think is this same issue, under RHEL6.1, and reported it as BZ711216, with debugging results.

Comment 4 jared jennings 2011-06-06 20:49:48 UTC
Oops, I should have said, Bug #711216.

Comment 5 RHEL Program Management 2011-06-07 07:38:16 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 6 RHEL Program Management 2011-09-23 00:38:14 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 7 Simon Mijolovic 2011-10-05 04:00:04 UTC
Looks like your fix in aide-0.13.1-15.el6.src.rpm was the only one that I could find that worked in FIPS mode.  I ran rpmbuild on it for el5 and it compiled with no errors.  Initialization and check tested working with sha512 checksums.  Working src rpm here:

http://ftp.redhat.de/pub/redhat/rhel/beta/6.0/source/SRPMS/

Comment 8 Simon Mijolovic 2012-01-10 22:05:07 UTC
I should provide more context for clarity.  At this point I have only been able to get aes256 and aes512 to work with the mhash libraries while the kernel is in FIPS mode.  The mhash libraries are not part of the RHEL distribution and there are no plans to include them or have them FIPS validated by Red Hat.

I have been trying to compile them from source to use libgcrypt but I am striking out.

Comment 9 Simon Mijolovic 2012-01-10 22:10:59 UTC
Correction: should be sha256, sha512, not aes.

Comment 24 Karel Srot 2012-07-03 09:05:43 UTC
*** Bug 806865 has been marked as a duplicate of this bug. ***

Comment 27 errata-xmlrpc 2012-07-27 07:53:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1119.html

