Bug 923782 - Simplify enabling/disabling FIPS mode
Summary: Simplify enabling/disabling FIPS mode
Keywords:
Status: CLOSED DUPLICATE of bug 1553686
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fipscheck
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Tomas Mraz
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks: 1110706 1191020
Reported: 2013-03-20 12:36 UTC by Miloslav Trmač
Modified: 2018-12-10 14:55 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-10 14:55:07 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Miloslav Trmač 2013-03-20 12:36:14 UTC
Enabling FIPS mode as documented on https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html requires 6 steps, and users frequently omit at least one (typically prelink -u -a).

Can we simplify this?

1) It would be good if fipscheck etc. could be taught about prelink so that it wouldn't be necessary to disable prelink - however tmraz says that can't work reliably.

2) Regardless of 1), we can (and IMHO should) provide a simple command that does the 6 steps for the user, e.g.
> fips140 enable
> fips140 disable
> fips140 status

or something similar.

Really unsure against which component to file this... fipscheck is one possible place, or create a new package?
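An added sketch of what the proposed `fips140 status` subcommand could check; this is example code written for this page, not code from the bug, from fipscheck or from Red Hat. It reads the three indicators the thread discusses (the kernel's FIPS flag, which the kernel exposes at /proc/sys/crypto/fips_enabled, `fips=1` on the boot command line, and `PRELINKING=no` in /etc/sysconfig/prelink); the file paths are parameters so the functions can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added example, not part of the bug or of fipscheck: what a "fips140 status"
# subcommand could check. Paths are parameters so it runs on sample files too.

# Prints 1 if the kernel reports FIPS mode, else 0 (kernel flag file as $1,
# normally /proc/sys/crypto/fips_enabled).
fips_kernel_flag() {
    [ -r "$1" ] && [ "$(cat "$1")" = 1 ] && echo 1 || echo 0
}

# Prints 1 if fips=1 appears as a whole word on the boot line ($1, normally
# /proc/cmdline); fips=10 or nofips=1 do not count.
fips_cmdline_flag() {
    [ -r "$1" ] && grep -qE '(^|[[:space:]])fips=1([[:space:]]|$)' "$1" \
        && echo 1 || echo 0
}

# Prints 1 if prelink is off: either the sysconfig file ($1, normally
# /etc/sysconfig/prelink) is absent (prelink not installed) or its last
# PRELINKING= assignment is no.
prelink_disabled() {
    [ -e "$1" ] || { echo 1; return; }
    grep -E '^[[:space:]]*PRELINKING=' "$1" | tail -n 1 \
        | grep -qE '="?no"?[[:space:]]*$' && echo 1 || echo 0
}

# Usage: fips_status <fips_enabled-file> <cmdline-file> <prelink-sysconfig-file>
# Prints enabled, disabled, or inconsistent (only some steps done, the state
# the bug says users end up in when they skip one). Exit status: 0, 1 or 2.
fips_status() {
    k=$(fips_kernel_flag "$1"); c=$(fips_cmdline_flag "$2"); p=$(prelink_disabled "$3")
    if [ "$k$c$p" = 111 ]; then
        echo enabled; return 0
    elif [ "$k$c" = 00 ]; then
        echo disabled; return 1
    else
        echo "inconsistent (kernel=$k cmdline=$c prelink_off=$p)"; return 2
    fi
}

# Run against the live system when invoked as: fips140 status
if [ "${1-}" = status ]; then
    fips_status /proc/sys/crypto/fips_enabled /proc/cmdline /etc/sysconfig/prelink
fi
```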

Comment 1 Miloslav Trmač 2013-03-20 12:43:33 UTC
Note that if this is implemented, the security guide will have to be updated as well.

Comment 3 Tomas Mraz 2013-03-20 14:07:51 UTC
As this would be a fairly simple script I think it could be included in the fipscheck package.

Note that the instructions for RHEL-7 will slightly differ from RHEL-6 - at least due to change of boot loader to grub2.

Comment 4 Paul Wouters 2013-04-03 17:00:55 UTC
Reading through the instructions, I don't see anything about the cron job that prelinks at some weird unexpected interval.

Regardless, I believe that the user should be requested a single thing. Add fips=1 to the kernel boot line. And maybe even have some script for them to run to do that because I seriously don't want to tell customers to look at grub2 "config files".

Anything else should be done for them. Disable prelinking, undo prelinking, ensure the cronjob doesn't screw it up, etc.

The cronjob should also be extended to NOT prelink when it detects it is running in FIPS mode, to avoid people shooting themselves in the foot. In the past I have removed prelink only to get it dragged in somehow on my system running in fips mode, running prelink because the stock /etc/sysconfig/prelink tells it to do so.

I'd still say we should just never prelink anything that has FIPS checks on it, but I guess I lost that argument long ago.

Comment 5 Miloslav Trmač 2013-04-03 17:14:39 UTC
(In reply to comment #4)
> Reading through the instructions, I don't see anything about the cron job
> that prelinks at some weird unexpected interval. 

Setting PRELINKING=no disables the operation of the cron job; it's not necessary to actually remove it.

> Regardless, I believe that the user should be requested a single thing. Add
> fips=1 to the kernel boot line. And maybe even have some script for them to
> run to do that because I seriously don't want to tell customers to look at
> grub2 "config files".

Yes, that's what 2) in comment #0 proposes.

Comment 8 Paul Wouters 2014-02-10 17:07:00 UTC
just kill prelink. see the many many many bugzilla/fedora discussions :P

at the very least, fix prelink so it runs prelink -ua on uninstall as I've proposed years ago.

Comment 9 Miloslav Trmač 2014-02-11 14:46:57 UTC
(In reply to Paul Wouters from comment #8)
> at the very least, fix prelink so it runs prelink -ua on uninstall as I've
> proposed years ago.

This is already tracked as bug #1019225, and doesn't affect the need to simplify the other steps as well.  Making the content of this bug overwhelmingly prelink-focused would miss the point.

Comment 11 Nikos Mavrogiannopoulos 2018-12-10 14:55:07 UTC

*** This bug has been marked as a duplicate of bug 1553686 ***
