|Summary:||Simplify enabling/disabling FIPS mode|
|Product:||Red Hat Enterprise Linux 8||Reporter:||Miloslav Trmač <mitr>|
|Component:||fipscheck||Assignee:||Tomas Mraz <tmraz>|
|Status:||CLOSED DUPLICATE||QA Contact:||Ondrej Moriš <omoris>|
|Version:||8.0||CC:||degts, ksrot, nmavrogi, omoris, pvrabec, pwouters, sgrubb, tmraz|
|Fixed In Version:||Doc Type:||Enhancement|
|Doc Text:||Story Points:||---|
|Last Closed:||2018-12-10 14:55:07 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
|Bug Blocks:||1110706, 1191020|
Description Miloslav Trmač 2013-03-20 12:36:14 UTC
Enabling FIPS mode as documented on https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html requires 6, and users frequently omit at least one (typically prelink -u -a). Can we simplify this? 1) It would be good if fipscheck etc. could be taught about prelink so that it wouldn't be necessary to disable prelink - however tmraz says that can't work reliably. 2) Regardless of 1), we can (and IMHO should) provide a simple command that does the 6 steps for the user, e.g. > fips140 enable > fips140 disable > fips140 status or something similar. Really unsure against which component to file this... fipscheck is one possible place, or create a new package?
Comment 1 Miloslav Trmač 2013-03-20 12:43:33 UTC
Note that if this is implemented, the security guide will have to be updated as well.
Comment 3 Tomas Mraz 2013-03-20 14:07:51 UTC
As this would be a fairly simple script I think it could be included in the fipscheck package. Note that the instructions for RHEL-7 will slightly differ from RHEL-6 - at least due to change of boot loader to grub2.
Comment 4 Paul Wouters 2013-04-03 17:00:55 UTC
Reading through the instructions, I don't see anything about the cron job that prelinks at some weird unexpected interval. Regardless, I believe that the user should be requested a single thing. Add fips=1 to the kernel boot line. And maybe even have some script for them to run to do that because I seriously don't want to tell customers to look at grub2 "config files". Anything else should be done for them. Disable prelinking, undo prelinking, ensure the cronjob doesn't screw it up, etc. The cronjob should also be extended to NOT prelink when it detects it is running in FIPS mode, to avoid people shooting themselves in the foot. In the past I have removed prelink only to get it dragged in somehow on my system running in fips mode, running prelink because the stock /etc/sysconfig/prelink tells it to do so. I'd still say we should just never prelink anything that has FIPS checks on it, but I guess I lost that argument long ago.
Comment 5 Miloslav Trmač 2013-04-03 17:14:39 UTC
(In reply to comment #4) > Reading through the instructions, I don't see anything about the cron job > that prelinks at some weird unexpected interval. Setting PRELINKING=no disables the operation of the cron job; it's not necessarily to actually remove it. > Regardless, I believe that the user should be requested a single thing. Add > fips=1 to the kernel boot line. And maybe even have some script for them to > run to do that because I seriously don't want to tell customers to look at > grub2 "config files". Yes, that's what 2) in comment #0 proposes.
Comment 8 Paul Wouters 2014-02-10 17:07:00 UTC
just kill prelink. see the many many many bugzilla/fedora discussions :P at the very least, fix prelink so it runs prelink -ua on uninstall as I've proposed years ago.
Comment 9 Miloslav Trmač 2014-02-11 14:46:57 UTC
(In reply to Paul Wouters from comment #8) > at the very least, fix prelink so it runs prelink -ua on uninstall as I've > proposed years ago. This is already tracked as bug #1019225, and doesn't affect the need to simplify the other steps as well. Making the content of this bug overwhelmingly prelink-focused would miss the point.