Bug 806865

Summary: Aide doesn't initialize its database when FIPS is enabled
Product: Red Hat Enterprise Linux 5
Reporter: Chris Balke <christopher.balke.ctr>
Component: aide
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 5.4
CC: jjennings, kremzeek, ksrot, rstclair, smijolovic
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 553137
Environment:
Last Closed: 2012-07-03 09:05:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Chris Balke 2012-03-26 11:36:53 UTC
+++ This bug was initially created as a clone of Bug #553137 +++

Created attachment 382173
The attachment contains bug info, including the console log of the bug verification.

Description of problem:

When FIPS is enabled (in the kernel, or even only by creating the /etc/gcrypt/fips_enabled file), aide fails to initialize the database, producing the error:

[root@dell-pe1420-01 aide-tst]# aide -c /tmp/aide-tst/aide.conf -i
libgcrypt selftest: binary  (0): No such file or directory
gcrypt_md_open failed


Version-Release number of selected component (if applicable):
aide-0.13.1-6.el5
aide-0.13.1-4.el5


How reproducible:
always


Steps to Reproduce:
1. # touch /etc/gcrypt/fips_enabled
2. prepare a simple aide.conf file that uses only FIPS-"supported" cryptography (no md5 etc.); you may use the file below as a template
3. initialize aide database
   # aide -c PATH_TO_YOUR_CONF_FILE/aide.conf -i  


Actual results:
.qa.[root@ia64-5s-m1 aide-test]# aide -c /tmp/aide-test/aide.conf -i
libgcrypt selftest: binary  (0): Invalid argument
gcrypt_md_open failed


Expected results:
proper initialization of aide database


Additional info:

Please see the attachment for the console log of the bug verification.

# ---------------------
# sample aide.conf file for the test
# ---------------------

@@define DBDIR /tmp/aide-test/db
@@define LOGDIR /tmp/aide-test/log

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
database_out=file:@@{DBDIR}/aide.db.new.gz
database_new=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout

NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

# files to watch
/etc/passwd   NORMAL

--- Additional comment from pm-rhel on 2010-08-09 15:05:07 EDT ---

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

--- Additional comment from jared.jennings.ctr.mil on 2011-06-06 16:45:01 EDT ---

I've seen what I think is this same issue, under RHEL6.1, and reported it as BZ711216, with debugging results.

--- Additional comment from jared.jennings.ctr.mil on 2011-06-06 16:49:48 EDT ---

Oops, I should have said, Bug #711216.

--- Additional comment from pm-rhel on 2011-06-07 03:38:16 EDT ---

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

--- Additional comment from pm-rhel on 2011-09-22 20:38:14 EDT ---

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

--- Additional comment from smijolovic on 2011-10-05 00:00:04 EDT ---

Looks like your fix in aide-0.13.1-15.el6.src.rpm was the only one that I could find that worked in FIPS mode.  I ran rpmbuild on it for el5 and it compiled with no errors.  Initialization and check tested working with sha512 checksums.  Working src rpm here:

http://ftp.redhat.de/pub/redhat/rhel/beta/6.0/source/SRPMS/

--- Additional comment from smijolovic on 2012-01-10 17:05:07 EST ---

I should provide more context for clarity.  At this point I have only been able to get aes256 and aes512 to work with the mhash libraries while the kernel is in FIPS mode.  The mhash libraries are not part of the RHEL distribution, and there are no plans to include them or have them FIPS validated by Red Hat.

I have been trying to compile them from source to use libgcrypt but I am striking out.

--- Additional comment from smijolovic on 2012-01-10 17:10:59 EST ---

Correction: should be sha256, sha512, not aes.
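The two FIPS indicators and the "FIPS-supported digests only" requirement from the reproduction steps and sample aide.conf above, as an added example that is neither the reporter's code nor part of aide: a POSIX sh pre-flight check to run before "aide -i". It assumes the non-approved digest list beyond md5 (rmd160, tiger, haval, crc32, gost, whirlpool), the helper names fips_mode_enabled, aide_conf_non_fips_digests and write_sample_conf, and a constructed sample conf.

```shell
# Added example, not from the bug report: pre-flight check before "aide -i" on a
# FIPS host. It detects FIPS mode the two ways the report describes and lists
# every digest in aide.conf that FIPS mode rejects, before gcrypt_md_open fails.

# Paths are parameters so the check can run against copies and in tests.
fips_mode_enabled() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"; marker="${2:-/etc/gcrypt/fips_enabled}"
    { [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]; } || [ -e "$marker" ]
}

# Print "LABEL digest" for each non-FIPS digest reachable from a group definition
# (NAME = a+b+c) or selection line (/path GROUP), expanding group references.
aide_conf_non_fips_digests() {
    awk '
    BEGIN {   # md5 is named in the report; the rest are ASSUMED non-approved too
        n = split("md5 rmd160 tiger haval crc32 gost whirlpool", b, " ")
        for (i = 1; i <= n; i++) isbad[b[i]] = 1
    }
    function check(label, expr, lvl,   m, parts, i, tok) {
        if (lvl > 8) return                        # guard against cyclic groups
        m = split(expr, parts, "+")
        for (i = 1; i <= m; i++) {
            tok = parts[i]
            if (tok in isbad) print label, tok
            else if (tok in def) check(label, def[tok], lvl + 1)
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ || /^@@/ { next }     # comments, blanks, macros
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {             # NAME = attr+attr+...
        split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
        def[kv[1]] = kv[2]; next
    }
    /^\// { rule[++r] = $1 " " $2; next }          # "/path GROUP" selection line
    END {
        for (g in def) check(g, def[g], 0)
        for (i = 1; i <= r; i++) { split(rule[i], pr, " "); check(pr[1], pr[2], 0) }
    }' "$1" | LC_ALL=C sort -u                     # sorted for stable output
}

# Constructed sample conf: NORMAL is FIPS-clean (as in the report); LEGACY is not.
write_sample_conf() {
    cat > "$1" <<'EOF'
database=file:/tmp/aide-test/db/aide.db.gz
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
LEGACY = NORMAL+md5+rmd160
/etc/passwd   NORMAL
/etc/shadow   LEGACY
/usr/bin      p+i+n+tiger
EOF
}
```

Run aide_conf_non_fips_digests against the real /etc/aide.conf while fips_mode_enabled succeeds to see which group or selection line would make gcrypt_md_open fail.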

Comment 1 Karel Srot 2012-03-26 11:53:13 UTC
Hi Chris, what is the purpose of this bug?
It is filed for RHEL5, just like the original bug 553137.

Comment 2 Karel Srot 2012-07-03 09:05:43 UTC
Closing this bug as a duplicate of 553137.

*** This bug has been marked as a duplicate of bug 553137 ***