Bug 553137
| Summary: | Aide doesn't initialize its database when FIPS is enabled | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Karel Srot <ksrot> | ||||
| Component: | aide | Assignee: | Daniel Kopeček <dkopecek> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Karel Srot <ksrot> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 5.4 | CC: | christopher.balke.ctr, degts, jjennings, jrieden, kremzeek, rstclair, sgrubb, smijolovic, syeghiay | ||||
| Target Milestone: | rc | Keywords: | ZStream | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | aide-0.13.1-7.el5 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 574770 806865 (view as bug list) | Environment: | |||||
| Last Closed: | 2012-07-27 07:53:17 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 574770, 811936 | ||||||
| Attachments: |
|
||||||
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. I've seen what I think is this same issue, under RHEL6.1, and reported it as BZ711216, with debugging results. Oops, I should have said, Bug #711216. This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. Looks like your fix in aide-0.13.1-15.el6.src.rpm was the only one that I could find that worked in FIPS mode. I ran rpmbuild on it for el5 and it compiled with no errors. Initialization and and check tested working with sha512 checksums. Working src rpm here: http://ftp.redhat.de/pub/redhat/rhel/beta/6.0/source/SRPMS/ I should provide more context for clarity. At this point I have only been able to get aes256 and aes512 to work with the mhash libraries while the kernel is in FIPS mode. The mhash libraries are not part of the RHEL distribution and there are no plans to include them have them FIPS validated by Red Hat. I have been trying to compile them from source to use libgcrypt but I am striking out. correction: should be sha256, sha512..not aes. *** Bug 806865 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-1119.html |
Created attachment 382173 [details] Attachment contains bug info including the console log of the bug verification Description of problem: When FIPS is enabled (in kernel or even only by creating /etc/gcrypt/fips_enabled file) aide fails to initialize the database producing the error: [root@dell-pe1420-01 aide-tst]# aide -c /tmp/aide-tst/aide.conf -i libgcrypt selftest: binary (0): No such file or directory gcrypt_md_open failed Version-Release number of selected component (if applicable): aide-0.13.1-6.el5 aide-0.13.1-4.el5 How reproducible: always Steps to Reproduce: 1. # touch /etc/gcrypt/fips_enabled 2. prepare simple aide.conf file which uses only FIPS "supported" cryptography (no md5 etc.), you may use the file below as a template 3. initialize aide database # aide -c PATH_TO_YOUR_CONF_FILE/aide.conf -i Actual results: .qa.[root@ia64-5s-m1 aide-test]# aide -c /tmp/aide-test/aide.conf -i libgcrypt selftest: binary (0): Invalid argument gcrypt_md_open failed Expected results: proper initialization of aide database Additional info: Please see the attachment for console log of the bug verification # --------------------- # sample aide.conf file for the test # --------------------- @@define DBDIR /tmp/aide-test/db @@define LOGDIR /tmp/aide-test/log # The location of the database to be read. database=file:@@{DBDIR}/aide.db.gz # The location of the database to be written. database_out=file:@@{DBDIR}/aide.db.new.gz database_new=file:@@{DBDIR}/aide.db.new.gz # Whether to gzip the output to database gzip_dbout=yes # Default. verbose=5 report_url=file:@@{LOGDIR}/aide.log report_url=stdout NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 # files to watch /etc/passwd NORMAL